Tomcat
1 前言
一个问题,一篇文章,一出故事。
笔者需要在Tomcat生产环境启用Tomcat的HTTPS访问,因此整理本章。
由于Tomcat的JSSE的配置TLS最简单,因此本章使用该方法实现Tomcat HTTPS配置。
2 实操部分
2.1 Tomcat环境部署
需要注意的是,测试的实际环境为,
– openjdk-18.0.1.1
– apache-tomcat-9.0.5
2.2 配置Tomcat HTTPS
cp /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml.default vim /usr/tomcat/apache-tomcat-9.0.5/conf/server.xml
启用或添加如下配置,
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
证书请自行准备,笔者建议你申请权威的腾讯云证书,使用申请Tomca JKS格式证书即可,
https://cloud.tencent.com/product/ssl
证书申请成功后,你需要使用如下命令提前将证书部署到目录,
cp wildcard.cmdschool.org.jks /usr/tomcat/apache-tomcat-9.0.5/conf/
2.3 配置Tomcat HTTPS
systemctl restart tomcat
重启服务后,你可以使用如下命令查看日志,
less /var/log/tomcat/catalina.out
如果遇到如下提示信息,
12-Mar-2024 16:04:08.759 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-84
43]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 11 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:813)
at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
at java.base/java.security.KeyStore.load(KeyStore.java:1503)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:811)
... 24 more
你需要增加“certificateKeystorePassword”属性向Tomcat提供证书的密码,详细的配置修改如下,
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/wildcard.cmdschool.org.jks"
certificateKeystorePassword="jksPassword"
type="RSA" />
</SSLHostConfig>
</Connector>
解决以上错误提示之后,你可以使用如下命令确认https端口启动,
ss -antp | grep :8443
可见如下输出,
LISTEN 0 100 *:8443 *:* users:(("java",pid=29233,fd=40))
2.4 开放防火墙端口
firewall-cmd --permanent --add-port 8443/tcp firewall-cmd --reload firewall-cmd --list-all
2.5 测试https的Tomcat
https://10.168.0.105:8443
参阅文档
====================
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
没有评论