0x1 自签证书生成

使用java的命令：

keytool -genkey -alias webgis -keyalg RSA -keypass gisplatform -storepass gisplatform -keysize 2048 -keystore webgis.keystore -validity 7300
keytool -export -alias webgis -storepass gisplatform -file webgis.cer -keystore webgis.keystore
keytool -import -trustcacerts -alias webgis -storepass gisplatform -file webgis.cer -keystore cacerts

server.xml 配置证书

keystoreFile="D:\apache-tomcat-8.5.15\bin\webgis.keystore"
keystorePass="gisplatform"
truststoreFile="D:\apache-tomcat-8.5.15\bin\cacerts"

server.xml 配置tls版本以及加密套件，其中useServerCipherSuitesOrder="true"很重要，要优先使用服务端的顺序

<Connector port="8443"  protocol="user.Http11Protocol"
    SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.2"
    useServerCipherSuitesOrder="true"     
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_RSA_WITH_AES_128_CBC_SHA256,
        TLS_RSA_WITH_AES_128_CBC_SHA,
        TLS_RSA_WITH_AES_128_GCM_SHA256,
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    scheme="https" secure="true" clientAuth="false"
    connectionTimeout="20000"
    redirectPort="8443"
    URIEncoding="UTF-8"
    keystoreFile="keystore.jks"
    keystorePass="password" />

0x2 http跳转https

tomcat默认配置了https是会共存http的，所以需要修改配置，使得访问http的时候自动跳转到https页面，修改web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>