tomcat jmx ssl 配置
测试tomcat版本 9.0.62
先生成服务端keystore和证书
keytool -genkeypair -keystore serverkeystore -alias serverkey -validity 180 -storepass serverpass -keypass serverpass
keytool -exportcert -keystore serverkeystore -alias serverkey -storepass serverpass -file server.cer
生成客户端keystore和证书
keytool -genkeypair -keystore clientkeystore -alias clientkey -validity 180 -storepass clientpass -keypass clientpass
keytool -exportcert -keystore clientkeystore -alias clientkey -storepass clientpass -file client.cer
将客户端证书导入到服务端truststore
keytool -importcert -file client.cer -keystore servertruststore -storepass servertrustpass
将服务端证书导入到客户端truststore
keytool -importcert -file server.cer -keystore clienttruststore -storepass clienttrustpass
keystore和证书生成之后,需要修改bin\service.bat
在jvmOptions中添加如下:
-Djava.rmi.server.hostname=;-Dcom.sun.management.jmxremote.port=;-Dcom.sun.management.jmxremote.authenticate=false;-Dcom.sun.management.jmxremote.ssl=true;-Dcom.sun.management.jmxremote.ssl.need.client.auth=true;-Dcom.sun.management.jmxremote.registry.ssl=true;-Djavax.net.ssl.keyStore=%CATALINA_BASE%\conf\jmx-ssl\serverkeystore;-Djavax.net.ssl.keyStorePassword=serverpass;-Djavax.net.ssl.trustStore=%CATALINA_BASE%\conf\jmx-ssl\servertruststore;-Djavax.net.ssl.trustStorePassword=servertrustpass;
service.bat修改之后,需要重新安装tomcat服务
jconsole ssl连接方式:
jconsole -J-Djavax.net.ssl.keyStore=
-J-Djavax.net.ssl.keyStorePassword=clientpass
-J-Djavax.net.ssl.trustStore=
-J-Djavax.net.ssl.trustStorePassword=clienttrustpass
