1.配置的是Tomcat 7 的JSSE Connector
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="server.jks" keystorePass="123456" sslProtocol="TLS" />
2.配置的是Tomcat 7 的arp Connector
org.apache.catalina.core.AprLifecycleListener init 信息: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:* APR library
所需软件包:http://apr.apache.org/download.cgi
-- apr-1.5.1.tar.gz
-- apr-util-1.5.3.tar.gz
-- apr-iconv-1.2.1.tar.gz
-- tomcat-native.tar.gz //tomcat/bin 自带
(1)安装apr
# tar zxvf apr-1.5.1.tar.gz # cd apr-1.5.1 # ./configure --prefix=/usr/java/apr # make # make install*apr 默认安装在 /usr/local/apr
# tar -zxvf apr-iconv-1.2.1.tar.gz # cd apr-iconv-1.2.1 # ./configure --prefix=/usr/java/apr-iconv --with-apr=/usr/java/apr # make # make install(3)安装apr-util
# tar zxvf apr-util-1.5.3.tar.gz # cd apr-util-1.5.3 # ./configure --prefix=/usr/java/apr-util --with-apr=/usr/java/apr --with-apr-iconv=/usr/java/apr-iconv/bin/apriconv # make # make install(4)安装tomcat-native
# tar zxvf tomcat-native.tar.gz # cd tomcat-native/jni/native # ./configure --with-apr=/usr/java/apr --with-java-home=/usr/java/jdk1.6.0_45 # make # make install(5)设置 apr 的环境变量
# vi /etc/profile #后面添加以下内容 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib #. /etc/profile* OpenSSL libraries openssl 可以用 yum install openssl-devel
Connector attribute SSLCertificateFile must be defined when using SSL with APR
tomcat6.0默认使用JSSE实现,而7.0默认使用APR实现,修改如下
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="server.jks" keystorePass="123456" sslProtocol="TLS" />启动 tomcat 后, 看日志,有如下:
Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.1. Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true]. Sep 4, 2014 3:19:36 PM org.apache.catalina.core.AprLifecycleListener initializeSSL INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e-fips 11 Feb 2013) Sep 4, 2014 3:19:36 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler ["http-apr-80"] Sep 4, 2014 3:19:36 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler ["http-bio-443"] Sep 4, 2014 3:19:37 PM org.apache.coyote.AbstractProtocol init INFO: Initializing ProtocolHandler ["ajp-apr-8009"] Sep 4, 2014 3:19:37 PM org.apache.catalina.startup.Catalina load INFO: Initialization processed in 1139 ms将上述port="8443"配置改为port="443",可以通过https://localhost/直接访问
应用程序HTTP自动跳转到HTTPS,在应用程序中web.xml中加入:
<login-config> <!-- Authorization setting for SSL --> <auth-method>CLIENT-CERT</auth-method> <realm-name>Client Cert Users-only Area</realm-name> </login-config> <security-constraint> <web-resource-collection > <web-resource-name >SSL</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>