Nginx + Tomcat integrated installation and configuration
Virtual Host + Nginx + Tomcat
http://hosseinkaz.blogspot.tw/2012/06/setting-up-jdk-path-javahome-for.html
sudo apt-get install tomcat7
~$ sudo service tomcat7 start
The following error message appears:
Job for tomcat7.service failed. See 'systemctl status tomcat7.service' and 'journalctl -xn' for details.
-- Unit tomcat7.service has begun starting up.
Following the instructions, run
~$ systemctl status tomcat7.service
This message appears:
~$ sudo systemctl status tomcat7.service
tomcat7.service - LSB: Start Tomcat.
Loaded: loaded (/etc/init.d/tomcat7)
Active: failed (Result: exit-code) since 四 2014-12-04 03:43:40 CST; 2min 36s ago
Process: 1494 ExecStart=/etc/init.d/tomcat7 start (code=exited, status=1/FAILURE)
12月 04 03:43:40 TAHITI systemd[1]: Starting LSB: Start Tomcat....
12月 04 03:43:40 TAHITI tomcat7[1494]: no JDK or JRE found - please set JAV...!
12月 04 03:43:40 TAHITI systemd[1]: tomcat7.service: control process exite...=1
12月 04 03:43:40 TAHITI systemd[1]: Failed to start LSB: Start Tomcat..
12月 04 03:43:40 TAHITI systemd[1]: Unit tomcat7.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
Or:
~$ journalctl -xn
-- Logs begin at 四 2014-12-04 03:38:33 CST, end at 四 2014-12-04 03:59:43 CST.
12月 04 03:53:10 TAHITI systemd[1]: Starting Cleanup of Temporary Directories...
-- Subject: Unit systemd-tmpfiles-clean.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
........
12月 04 03:59:43 TAHITI tomcat7[1640]: no JDK or JRE found - please set JAVA_HOME
12月 04 03:59:43 TAHITI systemd[1]: tomcat7.service: control process exited, cod
12月 04 03:59:43 TAHITI systemd[1]: Failed to start LSB: Start Tomcat..
-- Subject: Unit tomcat7.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
........
Confirm that the environment is set up correctly:
~$ javac -version
javac 1.8.0_25
~$ which javac
/usr/bin/javac
~$ which java
/usr/bin/java
~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/lib/jvm/java-8-oracle/bin:/usr/lib/jvm/java-8-oracle/db/bin:/usr/lib/jvm/java-8-oracle/jre/bin
~$ echo $JAVA_HOME
/usr/lib/jvm/java-8-oracle
But the message that JAVA_HOME is not set still appears:
no JDK or JRE found - please set JAVA_HOME
Reference: Specify JDK for tomcat7
Setting up jdk path (JAVA_HOME) for Tomcat7 in ubuntu
At this point, edit the Tomcat configuration file and set the JAVA_HOME variable:
JAVA_HOME=/usr/lib/jvm/java-8-oracle
Restart:
~$ sudo service tomcat7 start
Then browse to http://localhost:8080
~$ /usr/share/tomcat7/bin/startup.sh
Using CATALINA_BASE: /usr/share/tomcat7
Using CATALINA_HOME: /usr/share/tomcat7
Using CATALINA_TMPDIR: /usr/share/tomcat7/temp
Using JRE_HOME: /usr/lib/jvm/java-8-oracle
Using CLASSPATH: /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar
touch: cannot touch ‘/usr/share/tomcat7/logs/catalina.out’: 沒有此一檔案或目錄
/usr/share/tomcat7/bin/catalina.sh: 385: /usr/share/tomcat7/bin/catalina.sh: cannot create /usr/share/tomcat7/logs/catalina.out: Directory nonexistent
echo $JAVA_HOME
echo $CATALINA_HOME
echo $CLASSPATH
(Some also say that on Ubuntu you add export JAVA_HOME=/usr/local/java/jdk1.8.0_{xx} to /etc/profile?)
In /etc/default/tomcat7, change the commented-out line #JAVA_HOME=/usr/lib/jvm/openjdk-6-jdk so that it sets the JAVA_HOME variable: JAVA_HOME=/usr/lib/jvm/java-8-oracle
tomcat7's CATALINA_HOME in Debian/Ubuntu
It is under /usr/share/tomcat7/. One way to find the location is to look into the service startup script /etc/init.d/tomcat7. You will find these lines in it:
NAME=tomcat7
...
CATALINA_HOME=/usr/share/$NAME
Test the following settings:
echo $JAVA_HOME
echo $CATALINA_HOME
echo $CLASSPATH
How to set JAVA_HOME or CATALINA_HOME if I have more than 1 version used for Projects?
Inside the tomcat startup script /bin/catalina.sh, the following environment variables are used:
JAVA_HOME is the path of the JDK used to run Tomcat and the web applications
CATALINA_HOME is the path of the Tomcat binary files
CATALINA_BASE is the path of the Tomcat configuration files
So, how about this approach? For example:
Install JDK 5.0 to: /opt/jdk5
Install JDK 6.0 to: /opt/jdk6
Install tomcat 6.0 to: /opt/tomcat6
Install tomcat 7.0 to: /opt/tomcat7
Each of your web applications has its own folder to hold its own Tomcat configuration. For example:
/home/web1 for web application 1
/home/web2 for web application 2
Other error fixes
[tomcat7] systemd service starting problems
One user suggests increasing the "-wait" parameter in "/usr/lib/systemd/system/tomcat7.service".
~$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore mykeystore.jks
This generates a file called mykeystore.jks:
輸入金鑰儲存庫密碼: yourpassword你的密碼
重新輸入新密碼: yourpassword你的密碼
您的名字與姓氏為何?
[Unknown]: coco liu
您的組織單位名稱為何?
[Unknown]: internet
您的組織名稱為何?
[Unknown]: internet
您所在的城市或地區名稱為何?
[Unknown]: taichung
您所在的州及省份名稱為何?
[Unknown]: taiwan
此單位的兩個字母國別代碼為何?
[Unknown]: tw
CN=coco liu, OU=internet, O=internet, L=taichung, ST=taiwan, C=tw 正確嗎?
[否]: y
輸入 的金鑰密碼 yourpassword你的密碼
(RETURN 如果和金鑰儲存庫密碼相同):
重新輸入新密碼:yourpassword你的密碼
Generate a CSR file from this jks file with the command:
keytool -certreq -alias tomcat -keystore mykeystore.jks -file server.csr
輸入金鑰儲存庫密碼: yourpassword你的密碼
別名名稱: tomcat
Based on the generated keystore, modify the Tomcat configuration file server.xml (Tomcat without APR)
to add the certificate you generated to the server.
Uncomment the following Connector tag,
add keystoreFile="conf/mykeystore.jks" (the location of the generated key)
and keystorePass="yourpassword你的密碼" (the password you entered),
so that it becomes:
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/mykeystore.jks" keystorePass="yourpassword你的密碼" />
Browse to https://localhost:8443/
The browser will show the "certificate is not secure" warning that you see on some HTTPS sites (because the certificate is self-signed).
tomcat SSL Configuration HOW-TO
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
How To Configure Tomcat To Support SSL Or Https
Configure Tomcat Server
Next, Tomcat configuration on Linux.
There are four main XML configuration files:
- server.xml - Set the TCP Port Number
- web.xml - Enabling Directory Listing
- context.xml - Enabling Automatic Reload
- tomcat-users.xml
Tomcat SSL certificate setup
If your web application wants to provide HTTPS, it needs SSL support, that is, data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing.
This requires a certificate (a self-signed SSL certificate or a public certificate).
See: SSL your Tomcat 7+; Tomcat - SSL操作大全
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK. The PKCS12 format is an internet standard, and can be manipulated via (among other things) OpenSSL and Microsoft's Key-Manager. OpenSSL implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols.
Use keytool to generate the key .keystore file (Keytool is the key and certificate management tool of the Java environment).
Use the "keytool" command to create a self-signed certificate:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
  -keystore /path/to/my/keystore
$tomcat7\bin>keytool -genkey -alias tomcat -keyalg RSA -validity 365 -keystore Mykeystore
Display the keystore information:
/etc/tomcat7/conf$ keytool -list -v -keystore mykeystore.jks
輸入金鑰儲存庫密碼: yourpassword你的密碼
金鑰儲存庫類型: JKS
金鑰儲存庫提供者: SUN
您的金鑰儲存庫包含 1 項目
建立日期: 2014/12/4
項目類型: PrivateKeyEntry
憑證鏈長度: 1
憑證 [1]:
擁有者: CN=coco liu, OU=internet, O=internet, L=taichung, ST=taiwan, C=tw
發出者: CN=coco liu, OU=internet, O=internet, L=taichung, ST=taiwan, C=tw
序號: 4507a287
有效期自: Thu Dec 04 21:57:29 CST 2014 到: Fri Dec 04 21:57:29 CST 2015
憑證指紋:
MD5: 4A:DE:B1:B5:79:D0:C5:E7:E5:BC:E5:92:E0:5B:84:25
SHA1: 6A:AB:96:4F:79:77:52:27:31:23:C2:74:5C:F4:4A:9B:DA:B5:6A:3F
SHA256: 54:63:32:7E:34:76:A5:38:15:77:50:7B:15:C6:BB:CB:68:B2:DC:0D:42:C0:E7:39:60:0E:4A:87:0C:E2:A6:BB
簽章演算法名稱: SHA256withRSA
版本: 3
擴充套件:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0D 77 41 E6 8E 29 CC DC E7 6F A3 0F 05 45 E5 4C .wA..)...o...E.L
0010: 7E DF D0 D7 ....
]
]
*******************************************
*******************************************
Keytool command-line parameter description:
Parameter | Description |
-genkey | Creates a default file ".keystore" in the user's home directory and also generates an alias mykey, which contains the user's public key, private key and certificate |
-alias | Alias |
-keystore | Specifies the keystore name (the generated information will then not be in the .keystore file) |
-keyalg | Specifies the key algorithm |
-validity | Specifies for how many days the created certificate is valid |
-keysize | Specifies the key length |
-storepass | Specifies the keystore password |
-keypass | Specifies the password of the alias entry |
-dname | Specifies the certificate owner information, e.g. "CN=sagely,OU=atr,O=szu,L=sz,ST=gd,C=cn" |
-list | Shows detailed information about the certificates in the keystore |
-export | Exports the certificate specified by the alias to a file: keytool -export -alias caroot -file caroot.crt |
-file | Specifies the file name to export to |
-delete | Deletes an entry from the keystore |
-keypasswd | Changes the password of the specified entry in the keystore: keytool -keypasswd -alias sage -keypass .... -new .... -storepass ... -keystore sage |
-import | Imports a signed digital certificate into the keystore: keytool -import -alias sage -keystore sagely -file sagely.crt. After importing the signed digital certificate, keytool -list -v clearly shows a longer certificate chain and prints the whole CA chain |
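As an added example (not part of the original post and not Tomcat's or keytool's own tooling), here is a small Python audit that reads a keytool -list -v dump like the one above and reports what an operator should fix before exposing the 8443 connector: a self-signed issuer, an expiring or expired validity window, and a weak signature algorithm. The sample dump is constructed from the post's output; the label strings are assumed to be keytool's English ones or the zh-TW ones shown here.

```python
import re
from datetime import datetime
# Constructed sample, modelled on the `keytool -list -v` output shown in this post.
SAMPLE_DUMP = """\
擁有者: CN=coco liu, OU=internet, O=internet, L=taichung, ST=taiwan, C=tw
發出者: CN=coco liu, OU=internet, O=internet, L=taichung, ST=taiwan, C=tw
有效期自: Thu Dec 04 21:57:29 CST 2014 到: Fri Dec 04 21:57:29 CST 2015
簽章演算法名稱: SHA256withRSA
"""
# keytool localizes its labels; assumed forms: English and the zh-TW ones in the post.
LABELS = {"owner": ("Owner", "擁有者"), "issuer": ("Issuer", "發出者"),
          "sigalg": ("Signature algorithm name", "簽章演算法名稱")}
VALID_RE = re.compile(r"^(?:Valid from|有效期自): (.+?) (?:until|到): (.+)$")
WEAK_SIGALGS = ("MD2withRSA", "MD5withRSA", "SHA1withRSA")

def parse_keytool_date(text):
    """'Thu Dec 04 21:57:29 CST 2014' -> datetime; the zone token is dropped, strptime cannot parse CST."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_dump(dump):
    """Extract owner, issuer, validity window and signature algorithm of one keystore entry."""
    cert = {}
    for line in map(str.strip, dump.splitlines()):
        m = VALID_RE.match(line)
        if m:
            cert["not_before"] = parse_keytool_date(m.group(1))
            cert["not_after"] = parse_keytool_date(m.group(2))
            continue
        for key, names in LABELS.items():
            for name in names:
                if line.startswith(name + ": "):
                    cert[key] = line[len(name) + 2:]
    return cert

def audit(cert, now, warn_days=30):
    """Findings an operator should act on before exposing the 8443 connector."""
    findings = []
    if cert["owner"] == cert["issuer"]:
        findings.append("self-signed certificate: browsers will warn, use a CA-signed one")
    days_left = (cert["not_after"] - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left <= warn_days:
        findings.append("certificate expires in %d days" % days_left)
    if cert["sigalg"] in WEAK_SIGALGS:
        findings.append("weak signature algorithm " + cert["sigalg"])
    return findings
```

Run audit(parse_dump(open("dump.txt").read()), datetime.now()) against a saved dump; a clean CA-signed, current keystore returns an empty list.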
Tomcat can use two different implementations of SSL:
- the JSSE implementation provided as part of the Java runtime (since 1.4)
- the APR implementation, which uses the OpenSSL engine by default.
Tomcat also has a special module, APR (Apache Portable Runtime), a component provided to improve Tomcat's performance when serving static content; it is essentially an HTTP service built around the Apache 2.0 core. For HTTPS, APR uses OpenSSL just like Apache does; the certificate installation part is briefly described below.
Tomcat supports the Java Keystore file format for storing SSL certificates. Common extensions for Java Keystore files are .jks and .key. There are two main ways to make a JKS file:
- Use the Keytool bundled with the JRE. First generate a new jks file and export a csr file, then send the csr to a CA for signing, and import the signed file into the jks file.
- Use the openssl tool to make the key and csr files, send the csr to a CA for signing to get a cer file, then merge the key and cer into one jks file.
Generate the certificate signing request (CSR)
/etc/tomcat7/conf$ sudo keytool -certreq -alias tomcat -keystore /etc/tomcat7/conf/mykeystore.jks -file mycertificate.csr
[sudo] password for user:
輸入金鑰儲存庫密碼:yourpassword你的密碼
Copy the saved .cer file together with the .key generated when making the CSR to the server.
Then import the CA-signed certificate file cert.txt into the jks file:
keytool -import -keystore mykeystore.jks -alias tomcat -file cert.txt
P7B files are web files mainly associated with PKCS #7 certificates.
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
WIS 匯智
WIS 匯智: SSL digital certificates, introduction to the Keytool tool
Tomcat configuration tips - Top 10
~$ systemctl status tomcat7.service
Failed to get D-Bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket: 沒有此一檔案或目錄
~$ journalctl -xn
$ sudo service tomcat7 restart
Job for tomcat7.service failed. See 'systemctl status tomcat7.service' and 'journalctl -xn' for details.
$ systemctl status tomcat7.service
Failed to get D-Bus connection: Failed to connect to socket /var/run/dbus/system_bus_socket:
$ journalctl -xn
-- Logs begin at 五 2014-12-05 04:36:41 CST, end at 五 2014-12-05 05:53:44 CST. --
12月 05 05:53:39 TAHITI sudo[2304]: ayu : TTY=pts/0 ; PWD=/etc/tomcat7 ; USER=root ; COMMAND=/u
12月 05 05:53:39 TAHITI sudo[2304]: pam_unix(sudo:session): session opened for user root by ayu
12月 05 05:53:39 TAHITI systemd[1]: Stopping LSB: Start Tomcat....
-- Subject: Unit tomcat7.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit tomcat7.service has begun shutting down.
12月 05 05:53:39 TAHITI tomcat7[2309]: Stopping Tomcat servlet engine: tomcat7.
12月 05 05:53:39 TAHITI systemd[1]: Starting LSB: Start Tomcat....
-- Subject: Unit tomcat7.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit tomcat7.service has begun starting up.
12月 05 05:53:44 TAHITI tomcat7[2320]: Starting Tomcat servlet engine: tomcat7 failed!
12月 05 05:53:44 TAHITI systemd[1]: tomcat7.service: control process exited, code=exited status
12月 05 05:53:44 TAHITI systemd[1]: Failed to start LSB: Start Tomcat..
-- Subject: Unit tomcat7.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit tomcat7.service has failed.
--
-- The result is failed.
12月 05 05:53:44 TAHITI systemd[1]: Unit tomcat7.service entered failed state.
12月 05 05:53:44 TAHITI sudo[2304]: pam_unix(sudo:session): session closed for user root