Pages

2017年3月7日 星期二

Tomcat 9 多域名SSL設定

By  3月 07, 2017   No comments
在Tomcat 9.0的環境下,可以支援多個域名的設定,首先要先在Connector上先設一個預設的域名與SSL的檔案設定後,再到SSLHostConfig標籤下添加其他域名。

註:JKS檔案可以經由KSE的軟體,將PFX的憑證檔案轉換成JSK的檔案。 


 <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
   maxThreads="150" SSLEnabled="true"
   scheme="https" secure="true"  
   clientAuth="false" sslProtocol="TLS"
   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" URIEncoding="UTF-8"
   keystoreFile="conf/aaa.jks"
   keystorePass="changeit"  
   defaultSSLHostConfigName="*.aaa.com" >
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  <SSLHostConfig hostName="*.aaa.com" honorCipherOrder="false"
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_RSA_WITH_AES_128_CBC_SHA"
   >
    <Certificate certificateKeystoreFile="conf/aaa.jks"
    certificateKeystorePassword="changeit" 
    certificateKeystoreType="RSA"/>
        </SSLHostConfig>
  <SSLHostConfig hostName="*.bbb.com" honorCipherOrder="false"
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
       TLS_RSA_WITH_AES_128_CBC_SHA"
   >
    <Certificate certificateKeystoreFile="conf/bbb.pfx"
    certificateKeystorePassword="changeit" 
    certificateKeystoreType="PKCS12"/>
        </SSLHostConfig>
    </Connector>
Read More