Reference from http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-ImportCertificateIntoTheTruststore
Running JIRA over SSL or HTTPS
Added by Jeff Turner, last edited by Andrew Lui [Atlassian Technical Writer] on May 16, 2010
When web applications are being accessed across the internet, there is always the possibility of usernames and passwords being intercepted by intermediaries between your computer and the ISP/company. It is often a good idea to enable access via HTTPS (HTTP over SSL) and make this a requirement for pages where passwords are sent. Note, however, that using HTTPS may result in slower performance. In some cases where issue data is sensitive, all pages should be accessed via HTTPS.
Please note that Atlassian Support will refer SSL support to the institution that issues the Certificate. We provide this documentation for reference.
The process of enabling SSL access is specific to each application server, but the process for specifying which pages require protection is generic.
This procedure is a general guide for the way to configure Tomcat with HTTPS and only covers the common installation types of JIRA. It is by no means a definitive or comprehensive guide to configuring HTTPS and may not be applicable to your specific integration.
For JIRA Windows Standalone installations
Running JIRA over HTTPS
The following flowchart shows the process involved in configuring HTTPS on Tomcat. Click the links below this chart to go to the instructions for that step.
- Configure HTTPS in Tomcat
- Generate Self-Signed Certificate
- Obtain CA Certificate
- Import Certificate into the Trust-store
- Requiring HTTPS for certain pages (Redirecting certain pages to HTTPS)
Configure HTTPS in Tomcat
Edit conf/server.xml, and at the bottom before the </Service> tag, add this section (or uncomment it where you find it) in Tomcat 6:
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
This enables SSL access on port 8443 (the default for HTTPS is 443, but just as Tomcat uses 8080 instead of 80 to avoid conflicts, 8443 is used instead of 443 here).
JIRA 4.1 Standalone comes with Tomcat 6 which requires SSLEnabled="true" to be added to the Connector tag above. We will include this by default soon: http://jira.atlassian.com/browse/JRA-20963
Generate Self-Signed Certificate
Self-signed certificates are useful in cases where you require encryption but do not need to verify the website identity. They are commonly used for testing and on internal corporate networks (intranets). Due to the certificate not being signed by a Certification Authority (CA), users may get prompted that the site is untrusted and may have to perform several steps to "accept" the certificate before they can access the site. This usually will only occur the first time they access the site.
The following approach to create the certificate uses Java's keytool, and has been formatted for use with Java 1.6. There are other tools for generating certificates such as OpenSSL which are not discussed in this procedure.
When running the following keytool command you will be prompted with: What is your first and last name? Instead of entering your first and last name as specified, you must enter the fully qualified hostname of the server running JIRA. This is the same as the name you would type in your web browser after the http:// section to access your JIRA installation. When the client web browser examines the certificate, it checks this field, and makes sure that it matches the hostname. If it doesn't, it may prevent access to the site, and at the very least will generate pop-up messages saying that there is a mismatch. An example of a qualified hostname is: support.atlassian.com
Windows Standalone
"<install_dir>\jre\bin\keytool" -genkey -alias tomcat -keyalg RSA
Windows WAR/EAR
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
Unix/Linux
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
This will create (if it doesn't already exist) a new .keystore file located in the home directory of the user you used to run the keytool command.
You will now need to export the certificate to make it ready for importing into the Trust-store with the following command:
Windows Standalone
"<install_dir>\jre\bin\keytool" -export -alias tomcat -file file.cer
Windows WAR/EAR
"%JAVA_HOME%\bin\keytool" -export -alias tomcat -file file.cer
Unix/Linux
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
Next, import the certificate into the Trust-store.
Obtain CA Certificate
Digital certificates that are issued by trusted third-party CAs (Certification Authorities) provide verification that your website does indeed represent your company, thereby verifying your company's identity. Many CAs simply verify the domain name and issue the certificate, whereas others such as VeriSign verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication.
A list of CAs can be found here.
Some of the most well known CAs are:
Next, import the certificate into the Trust-store.
Import Certificate into the Trust-store
Your SSL vendor may have different instructions; please refer to them for proper certificate installation. Examples include GoDaddy and VeriSign.
Assuming your certificate is called "file.cer", whether obtained from a CA or self-generated, the following command will add this certificate to the Trust-store:
Windows Standalone
"<install_dir>\jre\bin\keytool" -import -alias tomcat -file file.cer -keystore "<install_dir>\jre\lib\security\cacerts"
Windows WAR/EAR
"%JAVA_HOME%\bin\keytool" -import -alias tomcat -file file.cer -keystore "%JAVA_HOME%\jre\lib\security\cacerts"
Unix/Linux
This step must be performed as the root user, or with the use of sudo.
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer -keystore $JAVA_HOME/jre/lib/security/cacerts
Next, proceed to the step on redirecting certain pages to HTTPS.
Redirecting certain pages to HTTPS
Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080) are still available. In most situations one wants these URLs to continue working, but for some to redirect to their HTTPS equivalent. This is done by editing WEB-INF/web.xml, and adding the following section at the end of the file, before the closing </web-app>:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all-except-attachments</web-resource-name>
    <url-pattern>*.js</url-pattern>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspa</url-pattern>
    <url-pattern>*.css</url-pattern>
    <url-pattern>/browse/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This means that all URLs except attachments are redirected from HTTP to HTTPS. IE has a bug which prevents attachments like .doc files being viewed via HTTPS if SSL protection is forced in web.xml.
Once this change is made, restart JIRA and access http://localhost:8080. You should be redirected to https://localhost:8443/secure/Dashboard.jspa. The port it redirects to is determined by the redirectPort value you specify in the server.xml file in the HTTP Connector stanza.
There does not seem to be an easy way to make subsequent pages revert to HTTP after logging in via HTTPS; see JRA-7250.
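The coverage of this constraint can be checked offline before restarting JIRA. The following is an added example, not part of the original Atlassian page: it applies the servlet url-pattern matching rules to the constraint shown above. The function names and the request paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <security-constraint> from this page in a minimal web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-except-attachments</web-resource-name>
      <url-pattern>*.js</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.jspa</url-pattern>
      <url-pattern>*.css</url-pattern>
      <url-pattern>/browse/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def confidential_patterns(web_xml):
    """Collect the url-patterns of every constraint that demands CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if web.xml declares one
    patterns = []
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee") or ""
        if guarantee.strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern") if p.text]
    return patterns

def matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.ext), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or path == pattern

def requires_https(path, web_xml=WEB_XML):
    """True when a plain-HTTP request for this path would be redirected to HTTPS."""
    path = path.split("?", 1)[0]  # url-patterns match the path, not the query string
    return any(matches(p, path) for p in confidential_patterns(web_xml))

if __name__ == "__main__":
    # Constructed request paths, including one attachment-style URL.
    for p in ("/secure/Dashboard.jspa", "/browse/TEST-1",
              "/secure/attachment/10000/report.doc", "/images/logo.png"):
        print(f"{p:40} {'HTTPS required' if requires_https(p) else 'HTTP allowed'}")
```

Any path reported as "HTTP allowed" is still served in clear text, so it should carry nothing sensitive.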
Troubleshooting
Here are some troubleshooting tips if you are using a self-signed key created by keytool, as described above.
When you enter "https://localhost:8443" in your browser, if you get a message such as "Cannot establish a connection to the server at localhost:8443", look for error messages in your logs/catalina.out log file. Here are some possible errors with explanations:
SSL + Apache + IE problems
Some people have reported errors when uploading attachments over SSL using IE. This is due to an IE bug, and can be fixed in Apache by setting:
BrowserMatch ".MSIE." \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
Google has plenty more on this.
Can't find the keystore
java.io.FileNotFoundException: /home/user/.keystore (No such file or directory)
This indicates that Tomcat cannot find the keystore. The keytool utility creates the keystore as a file called .keystore in the current user's home directory. For Unix/Linux the home directory is likely to be /home/<username>. For Windows it is likely to be C:\Documents And Settings\<UserName>.
Make sure you are running JIRA as the same user who created the keystore. If this is not the case, or if you are running JIRA on Windows as a service, you will need to specify where the keystore file is in conf/server.xml. Add the following attribute to the connector tag you uncommented:
keystoreFile="<location of keystore file>"
Incorrect password
java.io.IOException: Keystore was tampered with, or password was incorrect
You used a different password than "changeit". You must either use "changeit" for both the keystore password and for the key password for Tomcat, or if you want to use a different password, you must specify it using the keystorePass attribute of the Connector tag, as described above.
Passwords don't match
java.io.IOException: Cannot recover key
You specified a different value for the keystore password and the key password for Tomcat. Both passwords must be the same.
Wrong certificate
javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
If the keystore has more than one certificate, Tomcat will use the first returned unless otherwise specified in the SSL Connector in conf/server.xml.
Add the keyAlias attribute to the Connector tag you uncommented, with the relevant alias, for example:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/opt/local/.keystore" keystorePass="removed" keyAlias="tomcat"/>
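The connector problems listed in this troubleshooting section can be caught before a restart. The following is an added example, not Atlassian's code: it checks a constructed server.xml for the attributes discussed on this page and for a redirectPort that no HTTPS connector serves. The function name and the sample file are assumptions, and the keystore password value is never printed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an HTTP connector plus an HTTPS connector that
# relies on Tomcat's defaults for keystore location, password and alias.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# Attribute -> what Tomcat does when it is absent (from the notes on this page).
DEFAULTS = {
    "keystoreFile": "Tomcat looks for .keystore in the home directory of the user running it",
    "keystorePass": "Tomcat assumes the password 'changeit' for keystore and key",
    "keyAlias": "Tomcat uses the first certificate the keystore returns",
}

def audit_connectors(server_xml):
    """Return (port, attribute, explanation) for each setting worth reviewing."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    https = [c for c in connectors if c.get("scheme") == "https"]
    for c in https:
        port = c.get("port")
        if c.get("SSLEnabled", "").lower() != "true":
            findings.append((port, "SSLEnabled", 'Tomcat 6 requires SSLEnabled="true"'))
        for attr, consequence in DEFAULTS.items():
            if not c.get(attr):
                findings.append((port, attr, consequence))
    https_ports = {c.get("port") for c in https}
    for c in connectors:
        target = c.get("redirectPort")
        if c.get("scheme") != "https" and target and target not in https_ports:
            findings.append((c.get("port"), "redirectPort",
                             f"no HTTPS connector listens on port {target}"))
    return findings

if __name__ == "__main__":
    for port, attr, why in audit_connectors(SERVER_XML):
        print(f"connector {port}: {attr}: {why}")
```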