Tomcat
1 Preface
One problem, one article, one story.
The author needed to enable HTTPS access for Tomcat in a production environment, hence this chapter.
Since configuring TLS through Tomcat's JSSE connector is the simplest method, this chapter uses it to set up Tomcat HTTPS.
2 Hands-on
2.1 Tomcat environment deployment
Note that the actual test environment was:
– openjdk-18.0.1.1
– apache-tomcat-9.0.5
2.2 Configure Tomcat HTTPS
cp /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml.default
vim /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml
Enable or add the following configuration:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Prepare the certificate yourself; the author recommends applying for a trusted Tencent Cloud certificate and downloading it in the Tomcat JKS format:
https://cloud.tencent.com/product/ssl
Once the certificate has been issued, copy it into the conf directory ahead of time with the following command:
cp wildcard.cmdschool.org.jks /usr/tomcat/apache-tomcat-9.0.5/conf/
2.3 Restart Tomcat and check the log
systemctl restart tomcat
After restarting the service, you can view the log with the following command:
less /var/log/tomcat/catalina.out
If you encounter the following message:
12-Mar-2024 16:04:08.759 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
        at java.base/java.lang.reflect.Method.invoke(Method.java:577)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
    Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 11 more
    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:813)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
        at java.base/java.security.KeyStore.load(KeyStore.java:1503)
        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
        at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 17 more
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:811)
        ... 24 more
When certificateKeystorePassword is omitted, Tomcat falls back to the JSSE default password changeit, so a CA-issued JKS protected with any other password fails the integrity check above. Add the certificateKeystorePassword attribute so that Tomcat can open the keystore; the revised configuration is as follows. The password is stored in plain text, so keep server.xml and the .jks file readable only by the account Tomcat runs as.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
                     certificateKeystorePassword="jksPassword"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Once the error above is resolved, confirm that the HTTPS port is listening with the following command:
ss -antp | grep :8443
You should see output like:
LISTEN 0 100 *:8443 *:* users:(("java",pid=29233,fd=40))
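To catch the keystore password problem before restarting Tomcat, here is an added Python pre-flight check (my own example, not code from the original post or from Tomcat). It parses server.xml, takes certificateKeystorePassword or Tomcat's documented default changeit when the attribute is absent, and then verifies the JKS file the same way sun.security.provider.JavaKeyStore does at load time: SHA-1 over the password encoded as UTF-16BE, the constant "Mighty Aphrodite", and the keystore body, compared with the 20-byte digest stored at the end of the file. The two server.xml fragments and the zero-entry keystore it builds are constructed test data; the keystore path and the password jksPassword are the ones used in this chapter.

```python
"""
Added pre-flight check for a Tomcat JSSE connector (example code, not part
of the post or of Tomcat): find each SSLEnabled connector in server.xml and
verify that the configured keystore password actually opens the JKS file.
This is the integrity check JavaKeyStore.engineLoad performs, which Tomcat
reports as "Keystore was tampered with, or password was incorrect".
"""
import hashlib
import struct
import xml.etree.ElementTree as ET

# Tomcat's documented default when certificateKeystorePassword is omitted.
DEFAULT_KEYSTORE_PASSWORD = "changeit"

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
# Constant that JavaKeyStore mixes into its integrity hash.
JKS_HASH_SALT = b"Mighty Aphrodite"


def jks_integrity_digest(body: bytes, password: str) -> bytes:
    """SHA-1(password as UTF-16BE || salt || body), as JavaKeyStore computes it."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_HASH_SALT)
    h.update(body)
    return h.digest()


def jks_password_matches(keystore: bytes, password: str) -> bool:
    """True if `password` verifies the 20-byte digest at the end of a JKS file."""
    if len(keystore) < 32:  # magic + version + entry count + digest
        return False
    magic, version = struct.unpack(">II", keystore[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        return False
    body, stored = keystore[:-20], keystore[-20:]
    return jks_integrity_digest(body, password) == stored


def build_empty_jks(password: str) -> bytes:
    """Constructed sample data: a valid JKS with zero entries, for offline testing."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    return body + jks_integrity_digest(body, password)


def ssl_certificates(server_xml: str):
    """Yield (port, keystore path, password) for each SSLEnabled connector's <Certificate>."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for cert in conn.iter("Certificate"):
            yield (
                conn.get("port"),
                cert.get("certificateKeystoreFile"),
                cert.get("certificateKeystorePassword", DEFAULT_KEYSTORE_PASSWORD),
            )


def check_connectors(server_xml: str, keystores: dict) -> list:
    """Return (port, keystore path, status) per certificate; `keystores` maps path -> file bytes."""
    results = []
    for port, path, password in ssl_certificates(server_xml):
        data = keystores.get(path)
        if data is None:
            status = "keystore not found"
        elif jks_password_matches(data, password):
            status = "ok"
        else:
            status = "password incorrect"  # what Tomcat logs at startup
        results.append((port, path, status))
    return results


# Constructed sample input mirroring the chapter's two server.xml variants.
KEYSTORE_PATH = "conf/wildcard.cmdschool.org.jks"
CONNECTOR_TEMPLATE = """<Server><Service>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="{path}" {password_attr} type="RSA" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""
SERVER_XML_WITHOUT_PASSWORD = CONNECTOR_TEMPLATE.format(path=KEYSTORE_PATH, password_attr="")
SERVER_XML_WITH_PASSWORD = CONNECTOR_TEMPLATE.format(
    path=KEYSTORE_PATH, password_attr='certificateKeystorePassword="jksPassword"')
# A keystore protected with the CA-issued password, as in the chapter (constructed).
SAMPLE_KEYSTORES = {KEYSTORE_PATH: build_empty_jks("jksPassword")}

if __name__ == "__main__":
    for label, xml in (("before", SERVER_XML_WITHOUT_PASSWORD),
                       ("after", SERVER_XML_WITH_PASSWORD)):
        for port, path, status in check_connectors(xml, SAMPLE_KEYSTORES):
            print(f"{label}: connector {port} -> {path}: {status}")
```

Against a real deployment, read server.xml and the keystore files it names (relative to CATALINA_BASE) into the keystores dict before calling check_connectors; keytool -list with -keystore and -storepass performs the same verification interactively. The check only covers JKS files; a PKCS12 keystore uses a MAC rather than this digest and needs a different verifier.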
2.4 Open the firewall port
firewall-cmd --permanent --add-port 8443/tcp
firewall-cmd --reload
firewall-cmd --list-all
2.5 Test Tomcat over HTTPS
https://10.168.0.105:8443
Because the keystore holds a certificate issued for cmdschool.org hosts (wildcard.cmdschool.org.jks), opening the site by IP address triggers a hostname-mismatch warning in the browser unless the certificate also lists that IP; repeat the test with a hostname the certificate covers to confirm that the chain is trusted end to end.
References
====================
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html