Configuring SSL encrypted transport for Tomcat 6.0 on Linux

The steps below follow the configuration guide on Tomcat's official website: [url]http://tomcat.apache.org[/url]
Tomcat 6.0 installation overview:
1. Download the latest JDK SE
[url]http://java.sun.com/j2se[/url]
If your system already has a JDK you do not need to install one, but Tomcat 6.0 requires JRE 5.0 or later to run.
I downloaded the Linux binary build jdk-6u12-linux-i586.bin
# chmod +x jdk-6u12-linux-i586.bin
# ./jdk-6u12-linux-i586.bin
Answer yes at the prompts to unpack it, then move the JDK to /usr/local:
# mv jdk1.6.0_12 /usr/local/
# cd /usr/local
# ln -s jdk1.6.0_12 jdk
2. Download the current latest Tomcat release and install it to /usr/local/tomcat:
# wget [url]http://apache.mirror.phpchina.com/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz[/url]
# tar zxf apache-tomcat-6.0.18.tar.gz -C /usr/local
# cd /usr/local
# ln -s apache-tomcat-6.0.18 tomcat
Set the JAVA_HOME environment variable: edit tomcat/bin/startup.sh and tomcat/bin/shutdown.sh and add the following two lines near the top:
JAVA_HOME="/usr/local/jdk"
export JAVA_HOME
(Alternatively, add the same two lines to /etc/profile.)
Start Tomcat to check that it works:
# cd /usr/local/tomcat
# ./bin/startup.sh
[root@pps tomcat]# ./bin/startup.sh
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:       /usr/local/jdk
Open [url]http://localhost:8080/[/url] in a browser and see whether the "cat" shows up.
If the Linux box has no X desktop installed or enabled, open [url]http://ip:8080[/url] from another machine on the LAN instead.
3. Configuring SSL encrypted transport
[Concept] A keystore is a password-protected file that stores keys and certificates.
(1) Generate a keystore file (containing the certificate) at /usr/local/tomcat/conf/.keystore
# cd /usr/local/jdk/bin/
# ./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/conf/.keystore
Enter a password and provide your details. If this is not just for "playing", fill in your own and your organisation's information truthfully.
[Note] It prompts for a password twice (the keystore password, then the key password); at the second prompt just press Enter. If the two passwords differ, you will get a java.io.IOException. Details: [url]http://issues.apache.org/bugzilla/show_bug.cgi?id=38217[/url]
(2) Edit tomcat/conf/server.xml
Enable this section:
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />

and change it to:
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              keystoreFile="/usr/local/tomcat/conf/.keystore"
              keystorePass="snailwarrior"
              clientAuth="false" sslProtocol="TLS" />
(3) Restart Tomcat
# /usr/local/tomcat/bin/shutdown.sh
# /usr/local/tomcat/bin/startup.sh
(4) Open port 8443 in the firewall
Open [url]https://192.168.32.50:8443/[/url] in a browser.
Heh, now the "cat" appears over a secure connection!
[Tip] Enabling SSL consumes more CPU.
[Note] Using SSL with name-based virtual hosts can cause problems; this is the official website's note:
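The four steps above can be scripted. The following is an added example, not code from the original post or from the Tomcat project: it creates the keystore from step (1) non-interactively with keytool's -storepass/-keypass/-dname options (the same password is passed for both, which avoids the java.io.IOException from bug 38217), and then audits the result of steps (1) and (2): the keystore must exist and be readable by its owner only, server.xml must not be world-readable (it now holds keystorePass in clear text), and an active, uncommented connector on 8443 must carry SSLEnabled, keystoreFile and a non-default keystorePass. The paths follow the post; the -dname fields and any password you pass in are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: create the Tomcat keystore
# non-interactively and audit the resulting SSL setup.
# Assumptions: paths match the post (/usr/local/tomcat, /usr/local/jdk);
# the -dname fields are constructed placeholders, as is the password passed in.

TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/tomcat}"
JDK_HOME="${JDK_HOME:-/usr/local/jdk}"

# Step (1) without the interactive prompts. -storepass and -keypass get the
# same value on purpose: Tomcat unlocks the private key with keystorePass,
# so differing passwords give the java.io.IOException the post warns about.
gen_keystore() {
    _pass="$1"
    "$JDK_HOME/bin/keytool" -genkey -alias tomcat -keyalg RSA -keysize 2048 \
        -validity 365 -keystore "$TOMCAT_HOME/conf/.keystore" \
        -storepass "$_pass" -keypass "$_pass" \
        -dname "CN=www.example.com, OU=IT, O=Example Ltd, L=Beijing, ST=Beijing, C=CN"
    chmod 600 "$TOMCAT_HOME/conf/.keystore"
}

# Print an XML file with every <!-- ... --> comment removed, so a connector
# still sitting inside the default comment block is not counted as active.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# Audit a Tomcat conf directory. Returns 0 when every check passes, 1 otherwise.
check_ssl_setup() {
    _conf="$1"; _rc=0
    _ks="$_conf/.keystore"; _xml="$_conf/server.xml"

    # keystore present and readable by its owner only (ls columns 5-10 = group+other)
    if [ ! -f "$_ks" ]; then
        echo "FAIL: keystore $_ks missing"; _rc=1
    elif [ "$(ls -ld "$_ks" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $_ks is readable by group or others"; _rc=1
    fi

    # server.xml now carries keystorePass in clear text: no world access
    if [ ! -f "$_xml" ]; then
        echo "FAIL: $_xml missing"; return 1
    fi
    if [ "$(ls -ld "$_xml" | cut -c8-10)" != "---" ]; then
        echo "FAIL: $_xml is world-readable"; _rc=1
    fi

    # the 8443 connector must be outside any comment and fully configured
    _active=$(strip_xml_comments "$_xml")
    case "$_active" in
        *'port="8443"'*'SSLEnabled="true"'*) ;;
        *) echo "FAIL: no active SSLEnabled connector on port 8443"; _rc=1 ;;
    esac
    case "$_active" in
        *keystoreFile=*) ;;
        *) echo "FAIL: connector has no keystoreFile attribute"; _rc=1 ;;
    esac
    _pass=$(printf '%s\n' "$_active" | sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$_pass" ] || [ "$_pass" = "changeit" ]; then
        echo "FAIL: keystorePass missing or still the JSSE default"; _rc=1
    fi
    return $_rc
}

# Usage: sh tomcat-ssl.sh gen <password>   (creates conf/.keystore)
#        sh tomcat-ssl.sh check            (audits $TOMCAT_HOME/conf)
case "${1:-}" in
    gen)   gen_keystore "$2" ;;
    check) check_ssl_setup "$TOMCAT_HOME/conf" ;;
esac
```

Run `sh tomcat-ssl.sh check` after editing server.xml and before restarting Tomcat in step (3); each failed check is printed, and a non-zero exit means at least one of them failed. The comment stripper is a separate function because the stock server.xml ships the 8443 connector inside a comment block, so a plain grep for SSLEnabled would report success before step (2) has actually been done.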
Finally, using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server's domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client user. In general, only address-based virtual hosts are commonly used with SSL in a production environment.
------------------------------------------------------------------------------------------
赵小蜗牛