以下操作配置参考Tomcat的官方网站:http://tomcat.apache.org

Tomcat6.0安装简介:

1、下载最新版本的JDK SE
http://java.sun.com/j2se

如果你的系统有JDK就不需要安装了,不过Tomcat6.0需要jre5.0版本以上来支持运行。

我下载的是Linux平台二进制版本 jdk-6u12-linux-i586.bin

# chmod +x jdk-6u12-linux-i586.bin
# ./jdk-6u12-linux-i586.bin

下面根据提示回答yes解压,然后将jdk移动到/usr/local

# mv jdk1.6.0_12 /usr/local/
# cd /usr/local
# ln -s jdk1.6.0_12 jdk

2、下载Tomcat当前最新的版本,安装到 /usr/local/tomcat:

# wget http://apache.mirror.phpchina.com/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz
# tar zxf apache-tomcat-6.0.18.tar.gz -C /usr/local
# cd /usr/local
# ln -s apache-tomcat-6.0.18 tomcat

设置JAVA_HOME环境变量,修改 tomcat/bin/startup.sh, tomcat/bin/shutdown.sh 在前面部分添加以下两行:

JAVA_HOME="/usr/local/jdk"
export JAVA_HOME

(或者修改 /etc/profile 在里面添加上述两行)

启动tomcat测试是否成功:

# cd /usr/local/tomcat
# ./bin/startup.sh
[root@pps tomcat]# ./bin/startup.sh
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:       /usr/local/jdk

在浏览器输入:http://localhost:8080/ 看看那只“猫”是否出来了。
如果Linux没有安装或没启用X界面的话,可以在局域网的机器输入 http://ip:8080访问。

3、配置SSL加密传输

【概念理解】keystore 是一个密码保护的文件,用来存储密钥和证书

(1)生成一个keystore文件(包含证书),文件位置/usr/local/tomcat/conf/.keystore

# cd /usr/local/jdk/bin/
# ./keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/conf/.keystore

输入密码、提供你的信息即可。如果不是用来“玩”的话,请如实的填写自己以及单位的信息吧。

【注意】它会在前后问你两次密码,第二次直接回车就行了,如果两个密码不一样,将会出现java.io.IOException错误。详情请见:http://issues.apache.org/bugzilla/show_bug.cgi?id=38217

(2)修改 tomcat/conf/server.xml
启用这一段:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
并修改为:   

<Connector className="org.apache.coyote.tomcat6.CoyoteConnector"
                         port="8443" minProcessors="5"
                         maxProcessors="75" enableLookups="true"
                         acceptCount="100"
                         protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat/conf/.keystore"
               keystorePass="snailwarrior" />

(3)重启Tomcat

# /usr/local/tomcat/bin/shutdown.sh
# /usr/local/tomcat/bin/startup.sh

(4)防火墙开启8443端口
浏览器输入:https://192.168.32.50:8443/

嘿嘿,安全的看到那只“猫”了!

 

【温馨提示】开启SSL消耗CPU资源

【注意】虚拟机使用SSL有可能出问题,以下是官方网站的信息:

Finally, using name-based virtual hosts a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined prior to authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations the server. Be aware, however, that most client browsers will compare the server’s domain name against the domain name listed in the certificate, if any (applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client user. In general, ly address-based virtual hosts are commonly used with SSL in a production environment.

发表评论

电子邮件地址不会被公开。 必填项已用*标注