- The jetty server version is confirmed. It is recommended that you use jetty 9.2.22 and later.
- Download the Tomcat certificate from Ali cloud. A non-system generated CSR requires the pfx certificate key pair file to be generated, and the conversion command is as follows.
openssl pkcs12 -export -out 214362464370691.pfx -inkey 214362464370691.key -in 214362464370691.pem
- The certificate key pair file for converting pfx is in jks format, and the conversion command is as follows:
Note Note that the windows Windows environment is executed in the % java'home %/JDK/bin directory.
Enter the jks format password set twice after entering, and then enter the pfx certificate password once. You must enter the password logged in the pfx-password.txt file. The jks password is the same as the pfx certificate password, or it may cause the jetty server to fail to start.Keytool-importkeystore-srckeystore key pair file. pfx-DESTIN keystore Certificate Name. jks-srcstoretype glasjks
- Configure SSL for jetty.
- Make sure that jetty's HTTP page is properly accessed.
- Copy the certificate. Enter etc under the jetty server directory, and create a new
directory that holds the jks format certificate, and copy the jks format certificate to the current directory.
# pwd /opt/jetty9222/etc # mkdir cert # cd cert/ # cp .. /.. /../keys/jetty.jks . # ls jetty.jks
- Edit the jetty-ssl.xml under etc in the jetty server directory, and set the certificate related parameters (the password
settings are the passwords recorded by pfx-password.txt).
<? xml version="1.0"? > <! DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd"> <! -- ============================================================= --> <! -- Configure a TLS (SSL) Context Factory --> <! -- This configuration must be used in conjunction with jetty.xml --> <! -- and either jetty-https.xml or jetty-spdy.xml (but not both) --> <! -- ============================================================= --> <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/cert/jetty.jks"/></Set> <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="214362464370691"/></Set> <? xml version="1.0"? > <! DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd"> <! -- ============================================================= --> <! -- Configure a TLS (SSL) Context Factory --> <! -- This configuration must be used in conjunction with jetty.xml --> <! -- and either jetty-https.xml or jetty-spdy.xml (but not both) --> <! -- ============================================================= --> <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory"> <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/cert/jetty.jks"/></Set> <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="214362464370691"/></Set> <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="214362464370691"/></Set> <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/cert/jetty.jks"/></Set> <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="214362464370691"/></Set> <Set name="EndpointIdentificationAlgorithm"></Set> <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set> <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set> <Set name="ExcludeCipherSuites"> <Array type="String"> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> </Array> </Set> <! -- =========================================================== --> <! -- Create a TLS specific HttpConfiguration based on the --> <! -- common HttpConfiguration defined in jetty.xml --> <! -- Add a SecureRequestCustomizer to extract certificate and --> <! -- session information --> <! -- =========================================================== --> <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> <Arg><Ref refid="httpConfig"/></Arg> <Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg> </Call> </New> </Configure>
- Edit the jetty-https.xml under etc in the jetty server directory and configure the port used by HTTPS to be
443.
<? xml version="1.0"? > <! DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd"> <! -- ============================================================= --> <! -- Configure a HTTPS connector. --> <! -- This configuration must be used in conjunction with jetty.xml --> <! -- and jetty-ssl.xml. --> <! -- ============================================================= --> <Configure id="Server" class="org.eclipse.jetty.server.Server"> <! -- =========================================================== --> <! -- Add a HTTPS Connector. --> <! -- Configure an o.e.j.server.ServerConnector with connection --> <! -- factories for TLS (aka SSL) and HTTP to provide HTTPS. --> <! -- All accepted TLS connections are wired to a HTTP connection. --> <! -- --> <! -- Consult the javadoc of o.e.j.server.ServerConnector, --> <! -- o.e.j.server.SslConnectionFactory and --> <! -- o.e.j.server.HttpConnectionFactory for all configuration --> <! -- that may be set here. --> <! -- =========================================================== --> <Call id="httpsConnector" name="addConnector"> <Arg> <New class="org.eclipse.jetty.server.ServerConnector"> <Arg name="server"><Ref refid="Server" /></Arg> <Arg name="acceptors" type="int"><Property name="ssl.acceptors" default="-1"/></Arg> <Arg name="selectors" type="int"><Property name="ssl.selectors" default="-1"/></Arg> <Arg name="factories"> <Array type="org.eclipse.jetty.server.ConnectionFactory"> <Item> <New class="org.eclipse.jetty.server.SslConnectionFactory"> <Arg name="next">http/1.1</Arg> <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg> </New> </Item> <Item> <New class="org.eclipse.jetty.server.HttpConnectionFactory"> <Arg name="config"><Ref refid="sslHttpConfig"/></Arg> </New> </Item> </Array> </Arg> <Set name="host"><Property name="jetty.host" /></Set> <Set name="port"><Property name="https.port" default="443" /></Set> <Set name="idleTimeout"><Property name="https.timeout" default="30000"/></Set> <Set name="soLingerTime"><Property name="https.soLingerTime" default="-1"/></Set> <Set name="acceptorPriorityDelta"><Property name="ssl.acceptorPriorityDelta" default="0"/></Set> <Set name="selectorPriorityDelta"><Property name="ssl.selectorPriorityDelta" default="0"/></Set> <Set name="acceptQueueSize"><Property name="https.acceptQueueSize" default="0"/></Set> </New> </Arg> </Call> </Configure>
- Edit the start.ini file in the jetty server directory, change the port number as required, and set the
startup to load jetty-https.xml and jetty-ssl.xml.
jetty.port=80 jetty.dump.stop= etc/jetty-ssl.xml etc/jetty-https.xml
- Restart the jetty server and verify that the HTTPS access is normal.
- Make sure that jetty's HTTP page is properly accessed.
References:
- Install SSL certificates in Tomcat servers
- Install SSL certificates in Apache servers
- Deploy SSL certificate on Ubuntu Apache2
- How do I deploy the issued certificate in Apache server
- Install SSL certificates in Nginx/Tengine servers
- Install SSL certificates in IIS servers
- Deploy SSL certificates on Tomcat 8.5 or Tomcat 9.0 running CentOS