The following solutions use self-signed certificates. You can see more details about self-signed steps at http://xiaohuafyle.iteye.com/blog/1538719.
Certificate: self-signed (need Java keytool to generate certificates)
System: Linux
System: Linux
==== 1 Generate a Self-signed CA ====
Open a terminal and generate a self-signed CA by following:
1. CATALINA_HOME/conf/sslCertificate> keytool -genkey -v -alias tomcat -keyalg RSA -validity 365 -keystore tomcat.keystore
where 365 means the CA will be valid for 365 days, and the tomcat.keystore will be stored in the current directory. After pressing "Enter", you are required to input name, ..., password, ... Note that the name is domain name (e.g. www.siemens.com, more recommended) or IP address (e.g. 139.24.236.50). You have to rememebr the keystore password and tomcat password you set at this step, which will be needed later.
where 365 means the CA will be valid for 365 days, and the tomcat.keystore will be stored in the current directory. After pressing "Enter", you are required to input name, ..., password, ... Note that the name is domain name (e.g. www.siemens.com, more recommended) or IP address (e.g. 139.24.236.50). You have to rememebr the keystore password and tomcat password you set at this step, which will be needed later.
2. CATALINA_HOME/conf/sslCertificate> keytool -export -alias tomcat -keystore tomcat.keystore -file tomcat.cer
Enter the keystore password when required.
Enter the keystore password when required.
==== 2 Tomcat configuration ====
1. Make sure that the keystore file (i.e. tomcat.keystore) is under tomcat/conf/sslCertificate/
2. Open CATALINA_HOME/conf/server.xml and modify the corresponding connectors to:
<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/sslCertificate/tomcat13.keystore" keystorePass="cas24MEGA"
/>
Note:
(1) redirectPort is set because HTTP uses port 8888 and HTTPS uses port 8443.
(2) Remember to set keystoreFile and keystorePass
(3) When you set path for keystoreFile, be carefull it is "conf/..." NOT "/conf/...". The difference is "/". This is important.
(1) redirectPort is set because HTTP uses port 8888 and HTTPS uses port 8443.
(2) Remember to set keystoreFile and keystorePass
(3) When you set path for keystoreFile, be carefull it is "conf/..." NOT "/conf/...". The difference is "/". This is important.
3. Open CATALINA_HOME/conf/web.xml, and add the following lines after <welcome-file-list>...</welcome-file-list>
<login-config>
<!-- Authorization setting for SSL: set authentication method -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL: force HTTPS transmission -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Authorization setting for SSL: set authentication method -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL: force HTTPS transmission -->
<web-resource-collection >
<web-resource-name >SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
You can see more details at tomcat设置http自动跳转为https访问. Also, I recommend you to search more information about "CLIENT-CERT" to see the differences among different authentication methods.
4. Finally, restart tomcat service and test the page.
e.g. http://xxx.xxx.xxx.xxx:portNumber/webApp
e.g. http://xxx.xxx.xxx.xxx:portNumber/webApp