Tomcat
1 Preface
One problem, one article, one story.
The author needed to enable HTTPS access on a production Tomcat instance, so this chapter was put together.
Because the Tomcat Native library lets Tomcat use OpenSSL in place of JSSE for TLS connections, this chapter differs from the traditional Tomcat HTTPS configuration.
2 Hands-on section
2.1 Tomcat environment deployment
Note that the environment actually used for testing was:
– openjdk-18.0.1.1
– apache-tomcat-9.0.5
2.2 Configure Tomcat HTTPS
Back up the original server.xml before editing it:
cp /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml.default
vim /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml
Enable or add the following configuration:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/wildcard.cmdschool.org.key"
                     certificateFile="conf/wildcard.cmdschool.org.crt"
                     certificateChainFile="conf/root_bundle.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Prepare the certificate yourself; the author recommends applying for a certificate from a recognized CA through Tencent Cloud, and the Apache-format download is all you need:
https://cloud.tencent.com/product/ssl
Once the certificate has been issued, deploy the files to the conf directory in advance with the following commands (the file names must match those referenced in server.xml):
cp wildcard.cmdschool.org.key /usr/tomcat/apache-tomcat-9.0.5/conf/
cp wildcard.cmdschool.org.crt /usr/tomcat/apache-tomcat-9.0.5/conf/
cp root_bundle.crt /usr/tomcat/apache-tomcat-9.0.5/conf/
2.3 Restart Tomcat and check the log
systemctl restart tomcat
After restarting the service, you can view the log with the following command:
less /var/log/tomcat/catalina.out
If you see the following message:
06-Mar-2024 15:52:01.333 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11AprProtocol-8443]]
	org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
		at org.apache.catalina.connector.Connector.initInternal(Connector.java:917)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
		at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
		at java.base/java.lang.reflect.Method.invoke(Method.java:577)
		at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
then the APR/native library is not installed, and you need to compile and install the required packages as described in the following section:
After the dependency has been resolved, confirm that the HTTPS port is listening with the following command:
ss -antp | grep :8443
You should see output like this:
LISTEN 0 100 *:8443 *:* users:(("java",pid=25708,fd=40))
2.4 Open the firewall port
firewall-cmd --permanent --add-port 8443/tcp
firewall-cmd --reload
firewall-cmd --list-all
2.5 Test Tomcat over HTTPS
Open the following address in a browser (replace the IP with that of your own server):
https://10.168.0.105:8443
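The script below is an added example written for this post; it is not part of the original article and not code from the Tomcat project. It ties sections 2.2 to 2.5 together as a post-deployment check: it reads the three certificate paths out of the <Certificate> element in server.xml, verifies that the files exist and that the private key is not readable by other users, looks in catalina.out for the APR/native error quoted in section 2.3, confirms a LISTEN socket on 8443 from saved ss -antp output, and can complete a TLS handshake with openssl s_client. The CATALINA_BASE and log paths are the ones used in this post and are assumptions for your environment; all function names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment checks for the
# APR/OpenSSL HTTPS connector configured above. The CATALINA_BASE and log paths
# are the ones used in this post and are assumptions for your environment.

# Print the value of one attribute (e.g. certificateKeyFile) from server.xml.
# Assumes the first occurrence is the live connector, as in the snippet above
# (a commented-out example Connector earlier in the file would be picked first).
xml_attr() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Verify that every file the <Certificate> element references exists under
# CATALINA_BASE and that the private key is not readable by other users.
# Returns 0 when all checks pass, 1 otherwise.
check_cert_files() {
    cbase="$1"; conf="$2"; rc=0
    for attr in certificateKeyFile certificateFile certificateChainFile; do
        rel=$(xml_attr "$conf" "$attr")
        if [ -z "$rel" ]; then
            echo "$attr is not set in $conf"; rc=1; continue
        fi
        if [ ! -r "$cbase/$rel" ]; then
            echo "$attr -> $cbase/$rel: not found or unreadable"; rc=1
        fi
    done
    key="$cbase/$(xml_attr "$conf" certificateKeyFile)"
    if [ -f "$key" ]; then
        # characters 8-10 of "ls -l" output are the "other" permission bits
        others=$(ls -l "$key" | cut -c8-10)
        if [ "$others" != "---" ]; then
            echo "private key $key is readable by others (perm bits: $others)"; rc=1
        fi
    fi
    return $rc
}

# Detect the startup failure catalina.out shows when the APR/native library
# is missing (the message quoted in section 2.3). Returns 0 if it is present.
apr_missing() {
    grep -q 'requires the APR/native library which is not available' "$1"
}

# Check saved "ss -antp" output ($1 = file) for a LISTEN socket on port $2.
port_listening() {
    awk -v p="$2" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                   END { if (found) exit 0; exit 1 }' "$1"
}

# Complete a TLS handshake against the connector ($1 host, $2 port, $3 SNI name)
# and require chain verification to succeed. Needs network access, so it is not
# part of the offline checks below.
tls_endpoint_ok() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Run the offline checks on the server itself.
# Usage: tomcat_tls_check [CATALINA_BASE] [catalina.out]
tomcat_tls_check() {
    base="${1:-/usr/tomcat/apache-tomcat-9.0.5}"
    log="${2:-/var/log/tomcat/catalina.out}"
    status=0
    check_cert_files "$base" "$base/conf/server.xml" || status=1
    if apr_missing "$log"; then
        echo "catalina.out reports the APR/native library is missing; build and install Tomcat Native first"
        status=1
    fi
    tmp=$(mktemp)
    ss -antp >"$tmp" 2>/dev/null
    if port_listening "$tmp" 8443; then
        echo "port 8443 is listening"
    else
        echo "port 8443 is not listening"; status=1
    fi
    rm -f "$tmp"
    return $status
}

# Only touch the live system when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    tomcat_tls_check "${2:-}" "${3:-}"
fi
```

Run it on the server as `sh tomcat_tls_check.sh --run` after the restart in section 2.3, and from a client call `tls_endpoint_ok 10.168.0.105 8443 <hostname covered by the certificate>` once the firewall port from section 2.4 is open. Two caveats: catalina.out is appended to across restarts, so an APR error from an earlier start stays in the file until the log is rotated, and openssl s_client verifies the chain against the system trust store, so a chain that the browser accepts can still fail here if the CA is not installed locally.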
References
====================
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html