Tomcat配置SSL

1.创建服务器端密钥

keytool -genkey -v -alias serverKey -dname "CN=b2b.cbhb.com" -keyalg RSA -keypass 111111 -keystore server.ks -storepass 111111

2.创建客户端密钥

keytool -genkey -v -alias clientKey -dname "CN=Test" -keyalg RSA -keypass 111111 -keystore client.p12 -storepass 111111 -storetype PKCS12

3.从客户端密钥库导出客户端证书

keytool -export -alias clientKey -file clientKey.cer -keystore client.p12 -storepass 111111 -storetype PKCS12

4.将上一步导出的客户端证书(clientKey.cer)导入服务器证书库,并设置为信任证书

keytool -import -v -alias clientKey -file clientKey.cer -keystore server.ks -storepass 111111

修改Tomcat/conf/server.xml

打开443端口,配置证书

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 80 (the stock template
         listens on 8080; this tutorial moves it to 80). redirectPort="443" is
         the port Tomcat redirects a request to when a security-constraint with
         transport-guarantee CONFIDENTIAL (see the web.xml block below) matches
         it, so it must be the port of the SSL connector defined further down.
    -->


    <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="443"/>


    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 443 (the stock template uses
         8443; the commented-out executor connector above still says
         redirectPort="8443" and would need the same change if enabled).
         This connector uses the NIO implementation (Http11NioProtocol), which
         takes the JSSE style configuration used here. When using the
         APR/native implementation, the OpenSSL style configuration is required
         as described in the APR/native documentation.

         Attributes worth knowing:
         * keystoreFile="key/server.ks" is resolved relative to $CATALINA_BASE
           and holds the serverKey entry created in step 1: a self-signed
           certificate for CN=b2b.cbhb.com. Browsers warn unless that
           certificate is trusted by them and the CN matches the hostname
           they connect to.
         * keystorePass is stored in clear text, so server.xml must be
           readable only by the account Tomcat runs as. "111111" is the
           tutorial's placeholder, not a value to keep.
         * clientAuth="false" means Tomcat never asks the client for a
           certificate, so the clientKey certificate imported into server.ks
           in step 4 is not used by this configuration. To actually require
           client certificates, set clientAuth="true" and also point
           truststoreFile (and truststorePass) at the store holding the
           trusted client certificates; JSSE's default trust store is the
           JVM's cacerts, not keystoreFile.
         * sslProtocol="TLS" only selects the JSSE context; which protocol
           versions and cipher suites are negotiated is the JVM default
           unless sslEnabledProtocols / ciphers are set. Pin them on older
           JVMs whose defaults may still include SSLv3 or TLSv1.0.
    -->

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="key/server.ks" keystorePass="111111" />


    <!-- Define an AJP 1.3 Connector on port 8009.
         No address attribute is given, so it listens on every interface, and
         no shared secret is configured. Remove it if no reverse proxy speaks
         AJP to this Tomcat; otherwise add address="127.0.0.1" (or the proxy
         facing interface), set a secret on Tomcat versions that support one,
         and keep 8009 closed at the firewall. -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>

修改web.xml

<!-- Add this block for a SpringMVC (or any other) web application: it forces
     HTTPS for every URL in the application. A request that arrives on the
     plain HTTP connector (port 80 in server.xml) is redirected to that
     connector's redirectPort, so redirectPort must point at the SSL
     connector (443). There is no auth-constraint here, so this enforces the
     transport only, not user authentication. -->
<security-constraint>
    <web-resource-collection>
        <!-- A label for this collection; any name unique within web.xml will do -->
        <web-resource-name>ccb-new</web-resource-name>
        <!-- /* matches every URL of this web application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL requires a secure (TLS) transport; plain HTTP requests are redirected -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>