Configuring SSL for Tomcat

Applying for a certificate

  • Generate the keystore file
$ keytool -genkey -alias [alias name] -keyalg RSA -keysize 2048 -keystore [keystore file name]

Set the password and the identity details when prompted.

  • Generate the CSR (Certificate Signing Request) file
$ keytool -certreq -alias [alias name] -sigalg SHA256withRSA -file certreq.csr -keystore [keystore file name]
$ less certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAO
BgNVBAcTB2JlaWppbmcxDTALBgNVBAoTBHl1YW4xDTALBgNVBAsTBHl1YW4xFDAS
BgNVBAMTC3lhbmd5dWFuLm1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAmDjabzi0VQrzweXlU4Qeh9NoTIjXsQpKU+XldL9ci4RwA5a6EXO6Q1TLG0Ds
XfN68qp8Rwk5IPA5jnPFpBbgmDk46q25Vkd3cu0Udna0UCFtWN2T+GTaqc0w+UIp
......
-----END NEW CERTIFICATE REQUEST-----

Copy the contents of certreq.csr, submit it to your certificate provider, and wait for the certificate to be issued.
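Before sending a CSR off, it is worth confirming that the subject it encodes is the one you meant (in particular that CN is your hostname), because a mistyped CN is only discovered after the CA has issued the certificate. The usual tool is keytool -printcertreq -file certreq.csr; the script below is an added example (not part of the original post or of keytool) that walks the DER structure of the CSR with nothing but the Python standard library and returns the version and subject attributes. It uses the five base64 lines shown in the post as its sample input, so it deliberately reads only the leading structures and does not require the whole request.

```python
"""Read the subject out of a PEM-encoded PKCS#10 CSR (added example, stdlib only)."""
import base64
import re

# The first five base64 lines of the CSR shown in the post. The post truncates the
# rest with "......", so only the leading bytes (version and subject) are available.
SAMPLE_CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC2jCCAcICAQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAO
BgNVBAcTB2JlaWppbmcxDTALBgNVBAoTBHl1YW4xDTALBgNVBAsTBHl1YW4xFDAS
BgNVBAMTC3lhbmd5dWFuLm1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAmDjabzi0VQrzweXlU4Qeh9NoTIjXsQpKU+XldL9ci4RwA5a6EXO6Q1TLG0Ds
XfN68qp8Rwk5IPA5jnPFpBbgmDk46q25Vkd3cu0Udna0UCFtWN2T+GTaqc0w+UIp
-----END NEW CERTIFICATE REQUEST-----
"""

# X.500 attribute types that keytool writes into a subject DN.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
}
SEQUENCE, SET, INTEGER, OID = 0x30, 0x31, 0x02, 0x06


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_header(buf: bytes, pos: int):
    """Return (tag, length, content_offset) of the TLV starting at pos.
    Handles short-form and long-form lengths (DER never uses indefinite length)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    nbytes = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), found tag 0x{tag:02x}")


def decode_oid(raw: bytes) -> str:
    """Decode DER OID bytes, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def parse_csr_subject(pem: str):
    """Return (version, [(attribute, value), ...]) from the CertificationRequestInfo.
    Only the structures up to and including the subject Name are read."""
    der = pem_to_der(pem)
    tag, _, pos = read_header(der, 0)                 # CertificationRequest
    expect(tag, SEQUENCE, "CertificationRequest")
    tag, _, pos = read_header(der, pos)               # CertificationRequestInfo
    expect(tag, SEQUENCE, "CertificationRequestInfo")
    tag, length, pos = read_header(der, pos)          # version INTEGER (0 for PKCS#10 v1)
    expect(tag, INTEGER, "version")
    version = int.from_bytes(der[pos:pos + length], "big")
    pos += length
    tag, length, pos = read_header(der, pos)          # subject Name: SEQUENCE OF RDN
    expect(tag, SEQUENCE, "subject")
    end, subject = pos + length, []
    while pos < end:
        tag, length, pos = read_header(der, pos)      # RelativeDistinguishedName: SET
        expect(tag, SET, "RDN")
        rdn_end = pos + length
        while pos < rdn_end:
            tag, length, pos = read_header(der, pos)  # AttributeTypeAndValue: SEQUENCE
            expect(tag, SEQUENCE, "AttributeTypeAndValue")
            tag, length, pos = read_header(der, pos)  # type: OID
            expect(tag, OID, "attribute type")
            oid = decode_oid(der[pos:pos + length])
            pos += length
            tag, length, pos = read_header(der, pos)  # value: PrintableString / UTF8String
            value = der[pos:pos + length].decode("utf-8")
            pos += length
            subject.append((OID_NAMES.get(oid, oid), value))
    return version, subject


def csr_matches_host(pem: str, expected_cn: str) -> bool:
    """The check to run before submitting: does the CSR's CN equal the intended hostname?"""
    _, subject = parse_csr_subject(pem)
    return any(attr == "CN" and value == expected_cn for attr, value in subject)


if __name__ == "__main__":
    version, subject = parse_csr_subject(SAMPLE_CSR_PEM)
    print("version:", version)
    print("subject:", ", ".join(f"{k}={v}" for k, v in subject))
    print("CN is yangyuan.me:", csr_matches_host(SAMPLE_CSR_PEM, "yangyuan.me"))
```

On the post's CSR this yields version 0 and the subject C=CN, ST=beijing, L=beijing, O=yuan, OU=yuan, CN=yangyuan.me, i.e. the values typed at the keytool prompts in the previous step. A CSR for a different hostname would fail csr_matches_host, which is the moment to regenerate it rather than after the CA has signed it.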

Once the certificate has been issued, open the site certificate the provider supplies (cer, crt, etc.).

[image: certification]

Save the root certificate and the intermediate certificate locally.

  • Import the certificates
      • Import the root certificate into cacerts (usually located in $JAVA_HOME/jre/lib/security)
$ keytool -importcert -alias root -file [root certificate] -keystore cacerts
      • Import the root certificate
$ keytool -importcert -alias root -file [root certificate] -keystore [keystore file name]
      • Import the intermediate certificate (can be omitted)
$ keytool -importcert -alias intermediate -file [intermediate certificate] -keystore [keystore file name]
      • Import the site certificate (under the same alias as the key pair generated above)
$ keytool -importcert -trustcacerts -alias [alias name] -file [site certificate] -keystore [keystore file name]

Tomcat configuration

  • Enabling HTTPS in Tomcat

In the SSL section of server.xml, change the Connector as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="[keystore file path]"
           keystorePass="[keystore password]"
/>
  • Forcing HTTPS

In web.xml, add the following after <welcome-file-list>:

<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Restart Tomcat and you are done!
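The two edits above are easy to get subtly wrong in a real deployment: a Connector with SSLEnabled but without scheme="https" and secure="true" makes request.isSecure() lie to the application, a literal keystorePass sits in a file that is often world-readable, and a security-constraint whose url-pattern is narrower than /* or whose transport-guarantee is not CONFIDENTIAL leaves plain HTTP open. The following is an added example (not from the post and not Tomcat's own tooling) that audits both files with the Python standard library; the two XML samples are constructed from the post's snippets with placeholder values filled in, and the web.xml sample carries the Servlet namespace a real deployment descriptor has. The ${...} reference it accepts for keystorePass relies on Tomcat's system-property substitution in server.xml, which keeps the password out of the file itself.

```python
"""Audit the HTTPS Connector in server.xml and the CONFIDENTIAL constraint in web.xml
(added example, standard library only)."""
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the post with the placeholders filled in.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/tomcat/conf/site.jks"
               keystorePass="hunter2" />
  </Service>
</Server>"""

# Constructed sample: the constraint from the post inside a namespaced <web-app> root.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag: str) -> str:
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_connectors(server_xml: str) -> list:
    """Return {"port": ..., "findings": [...]} for every Connector with SSLEnabled="true".
    An empty findings list means the Connector passes the checks the post's edit implies."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append('scheme="https" and secure="true" are required so '
                            "request.isSecure() and redirects behave correctly")
        if not conn.get("keystoreFile"):
            findings.append("keystoreFile is missing")
        password = conn.get("keystorePass", "")
        if password and not password.startswith("${"):
            findings.append("keystorePass is a literal secret in server.xml; restrict the "
                            "file's permissions or use a ${property} reference instead")
        results.append({"port": conn.get("port"), "findings": findings})
    return results


def https_enforced_everywhere(web_xml: str) -> bool:
    """True if some security-constraint covers /* with transport-guarantee CONFIDENTIAL,
    which is what makes Tomcat redirect plain-HTTP requests to the HTTPS Connector."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter()
                      if local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


if __name__ == "__main__":
    for entry in audit_connectors(SERVER_XML):
        print(f"Connector on port {entry['port']}:")
        for finding in entry["findings"] or ["no findings"]:
            print("  -", finding)
    print("HTTPS enforced for /*:", https_enforced_everywhere(WEB_XML))
```

Run against the samples, the Connector is reported only for its literal keystorePass, and the web.xml constraint passes. Changing the transport-guarantee to NONE, or the url-pattern to something narrower than /*, flips the second check to False, which is the regression this script is meant to catch when someone edits the descriptor later.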


Writing a Java Program with Native Methods

environment: Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64), JDK 1.8.0_101
  • Hello.java
public class Hello {
    // Declared native: the JVM resolves it to Java_Hello_add in libhello.so
    public static native int add(int x, int y);

    static {
        // Loads libhello.so from java.library.path (LD_LIBRARY_PATH below)
        System.loadLibrary("hello");
    }

    public static void main(String[] args) {
        System.out.println(Hello.add(233, 344));
    }
}
$ javac Hello.java
$ javah -jni Hello
  • Hello.h
/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class Hello */

#ifndef _Included_Hello
#define _Included_Hello
#ifdef __cplusplus
extern "C" {
#endif
/*
 * Class:     Hello
 * Method:    add
 * Signature: (II)I
 */
JNIEXPORT jint JNICALL Java_Hello_add
  (JNIEnv *, jclass, jint, jint);

#ifdef __cplusplus
}
#endif
#endif
  • HelloImpl.c
#include <stdio.h>
#include <jni.h>
#include "Hello.h"

/* Must match the prototype javah generated in Hello.h: the name encodes the
 * class and method, the signature (II)I maps to (jint, jint) -> jint. */
JNIEXPORT jint JNICALL Java_Hello_add
  (JNIEnv *env, jclass clazz, jint x, jint y) {
    return x + y;
}
$ gcc -shared -I$JAVA_HOME/include -I$JAVA_HOME/include/linux -fPIC HelloImpl.c -o libhello.so
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(pwd)
$ java Hello