配置tomcat6.0的HTTPS(单向)

利用JDK自带的产生证书的工具 生成证书

 

建立一个脚本文件，内容如下：

set SERVER_DN="CN=Server, OU=share, O=share, L=sz, S=gd, C=CN"
set CLIENT_DN="CN=Client, OU=share, O=share, L=sz, S=gd, C=CN"
set KS_PASS=-storepass changeit
set KEYINFO=-keyalg RSA

keytool -genkey -alias Server -dname %SERVER_DN% %KS_PASS% -keystore server.keystore %KEYINFO% -keypass changeit
keytool -export -alias Server -file test.cer %KS_PASS% -keystore server.keystore
keytool -import -file test.cer %KS_PASS% -keystore client.truststore -alias serverkey -noprompt

keytool -genkey -alias Client -dname %CLIENT_DN% %KS_PASS% -keystore client.keystore %KEYINFO% -keypass changeit
keytool -export -alias Client -file test.cer %KS_PASS% -keystore client.keystore
keytool -import -file test.cer %KS_PASS% -keystore server.truststore -alias clientkey -noprompt
pause

 

运行后生成下面的文件

server.keystore

server.truststore

client.truststore

client.keystore

test.cer

 

然后配置tomcat

打开server.xml

添加

 

<Connector port="8443"  className="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
      SSLEnabled="true" clientAuth="false"
               keystoreFile="c:/server.keystore" keystorePass="changeit"
      truststoreFile="c:/server.truststore" truststorePass="changeit"

               sslProtocol="TLS" />

 

这样就可以通过 ​​https://localhost:8443/​​  访问了

 

如果想让应用程序HTTP自动跳转到HTTPS，在应用程序的web.xml中加入：

<login-config>
  <!-- Authorization setting for SSL -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
 </login-config>
 <security-constraint>
  <!-- Authorization setting for SSL  -->
  <web-resource-collection>
   <web-resource-name>SSL</web-resource-name>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>

 

如果要通过程序代码访问https的WebService 那么需要添加JVM参数

-Djavax.net.ssl.keyStore=C:/client/client.keystore
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=C:/client/client.truststore