使用的是JDK 1.6,tomcat 7.0.32和Red Hat Linux。
我需要帮助在我的本地tomcat实例上设置SSL。
查看官方tomcat 7网站上的说明后:
[URL = HTTP://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html [ / URL]
我按照这样的指示:
(1)cd $ CATALINA_HOME / conf
(2)创建证书并将其存储在新的密钥库中。
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
(3)在Tomcat的conf / server.xml中取消注释SSL连接器配置,指定密钥存储文件和密码。
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="./conf/keystore.jks"
keystorePass="mypassword"
/>
(4)从密钥库导出证书。
keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
当我尝试(可能是步骤#5)时,将证书导入信任库。
keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
我收到以下提示输入密码(之后我输入“mypassword”): 输入密钥库密码:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
(顺便说一句,我忽略了这一步,因为我在Google上找到了这一步,但没有在官方的Tomcat7-SSL-Howto文档中找到 - 请告诉我是否有必要)。
我的完整server.xml文件(位于$ CATALINA_HOME / conf下):
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JasperListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<GlobalNamingResources>
<Resource auth="Container"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
name="UserDatabase"
pathname="conf/tomcat-users.xml"
type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="./conf/keystore.jks"
keystorePass="mypassword"
/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Engine defaultHost="localhost" name="Catalina">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
pattern="%h %l %u %t "%r" %s %b"
prefix="localhost_access_log."
suffix=".txt"/>
</Host>
</Engine>
</Service>
</Server>
Tomcat的服务器输出:
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms
当我转到我的bash shell并输入:
curl -X GET https://localhost:8443
我收到以下错误输出:
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
我在这里错过了一步吗?
我只想在Tomcat 7上启用SSL并使用curl进行测试。
如果有人能指出我正确的方向,我将不胜感激。
答案 0 :(得分:0)
要导入证书,您应该尝试“更改它”,这是cacerts密钥库的默认密码