2

我正在使用 JDK 1.6、tomcat 7.0.32 和 Red Hat Linux。

我需要帮助在我的本地 tomcat 实例上设置 SSL。

看了tomcat 7官网的说明后:

[url=http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html]http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html[/url]

我按照这样的指示进行操作:

(1) cd $CATALINA_HOME/conf

(2) 创建证书并将其存储在新的密钥库中。

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

(3) 在 Tomcat 的 conf/server.xml 中取消注释 SSL 连接器配置,指定您的密钥存储文件和密码。

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           keystoreFile="./conf/keystore.jks"
           keystorePass="mypassword"
/>

(4) 从密钥库中导出证书。

keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks

当我尝试(这将是第 5 步)将证书导入信任库时。

keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts

我收到以下提示输入我的密码(之后我输入“mypassword”):输入密钥库密码: 

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

(顺便说一下,我忽略了这一步,因为我在 Google 上找到了它,但在官方的 Tomcat7-SSL-Howto 文档上没有找到它——如果有必要,请告诉我)。

我的完整 server.xml 文件(位于 $CATALINA_HOME/conf 下):

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
    <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
    <Listener className="org.apache.catalina.core.JasperListener"/>
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    <GlobalNamingResources>
        <Resource auth="Container" 
            description="User database that can be updated and saved" 
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory" 
            name="UserDatabase" 
            pathname="conf/tomcat-users.xml" 
            type="org.apache.catalina.UserDatabase"/>
    </GlobalNamingResources>
    <Service name="Catalina">
    <Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" 
            keystoreFile="./conf/keystore.jks"
            keystorePass="mypassword"
    />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
        <Realm className="org.apache.catalina.realm.LockOutRealm">
            <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
        </Realm>
        <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve" 
                    directory="logs" 
                    pattern="%h %l %u %t &quot;%r&quot; %s %b" 
                    prefix="localhost_access_log." 
                    suffix=".txt"/>
        </Host>
    </Engine>
    </Service>
</Server>

Tomcat的服务器输出:

INFO: Initializing ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms

当我转到我的 bash shell 并输入以下内容时:

curl -X GET https://localhost:8443

我得到以下错误输出:

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

我在这里错过了一步吗?

我只想在 Tomcat 7 上启用 SSL 并使用 curl 对其进行测试。

如果有人能指出我正确的方向,将不胜感激。

4

1 回答 1

0

要导入证书,您应该尝试“changeit”,这是 cacerts 密钥库的默认密码

于 2013-04-18T06:34:39.487 回答