Tomcat8容器下SSL证书布置及强制https

获取并安装服务器证书

公司是上线项目所以在CA机构申请了SSL证书，一次申请会有多个环境证书，apache,nginx,tomcat,IIS等。公司使用的是tomcat8做项目布置

导入证书

通过工具将证书上传到服务器目录, 存放目录为 /www/server/tomcat/conf

修改配置文件server.xml

1. 找到以下代码将访问端口修改成80 把redirectPort修改成443

<Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

2. 再找到下面代码将注释去掉把证书路径添加上去

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

修改为

 <Connector port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain.net">
 <SSLHostConfig hostName="domain.net">
            <Certificate certificateKeystoreFile="conf/domain_net.jks"
                certificateKeystorePassword="a75wRsB7T837r7R7"
                type="RSA" />
        </SSLHostConfig>
</Connector>

保存退出重启tomcat即可
查看日志及端口看启动情况

netstat -ntlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:8009            0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4060/java           
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1246/pure-ftpd (SER 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2080/sshd           
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      1722/python         
tcp6       0      0 :::33060                :::*                    LISTEN      1907/mysqld         
tcp6       0      0 :::3306                 :::*                    LISTEN      1907/mysqld         
tcp6       0      0 :::21                   :::*                    LISTEN      1246/pure-ftpd (SER 

防火墙开放443 端口

firewall-cmd --list-all
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

强制用户访问时为https,用户使用http时可以自动跳转为https

修改conf/web.xml文件，到文件最后

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

在下面添加如下代码

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>Client Cert Users-only Area</realm-name> 
</login-config> 
<security-constraint> 
    <web-resource-collection > 
        <web-resource-name >SSL</web-resource-name> 
        <url-pattern>/*</url-pattern> 
    </web-resource-collection> 
    <user-data-constraint> 
        <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
    </user-data-constraint> 
</security-constraint>

到此所有的配置完成，这样就可以使用证书访问并强制使用HTTPS了