LoginSignup
13
16

More than 5 years have passed since last update.

@stoshiya(Toshiya SAITOH)

AWS EC2でSSL対応のTomcat7を443番ポートで動かす

Last updated at Posted at 2013-12-04

Amazon Linux AMIで,SSL対応のTomcat7を443番ポートで動くよう設定したときの備忘録.

インストール

$ sudo yum install tomcat7

自己署名の鍵を作成.CN値はPublic DNSなどを設定する.

$ sudo keytool -genkey -alias tomcat -keyalg RSA
$ sudo mv /root/.keystore /etc/tomcat7/keystore

設定ファイルを修正.

$ sudo cp -p /etc/tomcat7/server.xml /etc/tomcat7/server.xml.orig
$ sudo vim /etc/tomcat7/server.xml

$ diff -u /etc/tomcat7/server.xml.orig /etc/tomcat7/server.xml
--- /usr/share/tomcat7/conf/server.xml.orig 2013-09-18 09:28:48.000000000 +0900
+++ /usr/share/tomcat7/conf/server.xml  2013-12-03 16:42:44.133504498 +0900
@@ -81,11 +81,10 @@
          This connector uses the JSSE configuration, when using APR, the
          connector should be using the OpenSSL style configuration
          described in the APR documentation -->
-    <!--
     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
+               keystoreFile="/etc/tomcat7/keystore" keystorePass="changeit" keyAlias="tomcat"
                clientAuth="false" sslProtocol="TLS" />
-    -->

     <!-- Define an AJP 1.3 Connector on port 8009 -->
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

サービス起動

$ sudo service tomcat7 start

簡単な動作確認.

$ curl -X GET https://localhost:8443
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

システム起動時にTomcatも起動

$ sudo chkconfig tomcat7 on

443番ポートへの通信を8443番ポートへ転送するように設定し,設定ファイルを出力.

$ sudo /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
$ sudo service iptables save
13
16
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
13
16