A Step-By-Step Guide to Securing a Tomcat Server With LetsEncrypt or Any SSL Certificate

Mahdi Mashrur Matin
4 min read · Apr 24, 2019


Secure Sockets Layer (SSL) is a protocol that secures communication between a client and a server by encrypting the data and authenticating the server with a certificate.

If you’re using Apache Tomcat as the server for your web application, chances are that at least some of the data you’re handling is sensitive, and SSL is an easy way to offer your users security. But the configuration process, and SSL itself, can be a little confusing for first-time users.

There are many CAs from which you can get a certificate, but almost all of them charge for it. With Let’s Encrypt you can get a valid SSL certificate for your domain at no cost.

This guide breaks the messy process of installing an SSL certificate (obtained from Let’s Encrypt or any other CA) on a Tomcat server into easily understandable pieces:

Step 1 — Prerequisites

Before starting work on this task, I assume you already have:

  • A running CentOS system with shell access and sudo privileges.
  • A domain name registered and pointed to your server’s public IP address. For this tutorial, we use example.com and www.example.com, which point to our server.
  • A recent version of Java installed.
  • A recent version of the Tomcat server installed in your .
  • Ports 80 and 8443 open in your firewall.
  • OpenSSL installed.

Step 2 — Install Certbot (optional)

The certbot package is provided by EPEL. If the EPEL repository is not installed on your system, you can install it using the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

If you have an active firewall, e.g. firewalld, open the HTTPS port on the firewall. Note that firewalld’s https service opens port 443; the 8443 connector configured later needs its own rule (for example --add-port=8443/tcp), as listed in the prerequisites.

# firewall-cmd --add-service https --permanent
# firewall-cmd --reload

If you are not using Let’s Encrypt, you can skip this step.

Step 3 — Generate a keypair and get a certificate for the domain using Certbot

Once Let’s Encrypt (the CA) has verified that you control the domain, the SSL certificate is issued. To generate a keypair and obtain an SSL certificate for that keypair and your domain names, type the following command (the standalone authenticator answers the validation request on port 80 itself, so nothing else may be listening there while it runs):

sudo certbot certonly --standalone -d example.com -d www.example.com

If everything goes fine, a new certificate is issued at the location below; the directory is named after the first domain passed with -d. Navigate to it and view the files:

cd /etc/letsencrypt/live/example.com
ls

Files list:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

If you are not using Let’s Encrypt, you will have to create the keypair and then get the certificate from a CA manually.
To generate a private key and the matching Certificate Signing Request (CSR) for your web server, use the following command:

openssl req -nodes -newkey rsa:2048 -keyout domain.name.key -out domain.name.csr

After you send the CSR to the CA and the CA verifies your domain, they will provide you with a certificate or certificate chain, so you should have a .crt certificate file.

Step 4 — Convert keypair + certificate to Java Keystore

First, create a PKCS12 file that contains both your full chain and the private key. You need OpenSSL installed for that.

openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
-in /etc/letsencrypt/live/example.com/fullchain.pem \
-inkey /etc/letsencrypt/live/example.com/privkey.pem \
-name tomcat

Then convert that PKCS12 to a JKS using Java’s keytool:

keytool -importkeystore \
-deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
-srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
-alias tomcat

Replace samplePassword with your password.

In case you are not using certbot and Let’s Encrypt, you will need to create the keypair yourself and apply for an SSL certificate from one of the recognized CAs. Then you will have a private key file with a .key extension and a .crt certificate file that you got from the CA. You will have to create a pfx file first and then convert the pfx file to a jks file. Here is how to merge a private key and a certificate into a pfx file (the following command will require you to set a password for the pfx):

openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt

And once you have the pfx file, here is how to convert it to JKS (the following command will require the password of the pfx file and ):

keytool -importkeystore -srckeystore domain.name.pfx -srcstoretype pkcs12 -destkeystore domain.name.jks -deststoretype JKS
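The same conversion for both paths above (the certbot files and a manual .key/.crt pair), as an added example that is not part of the original post: it first confirms the private key and certificate belong together, then builds the PKCS12 and JKS with the passwords read from environment variables instead of the command line. P12_PASS and JKS_PASS are names assumed here; file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a private key and a
# certificate belong together before packaging them, then build the PKCS12 and
# JKS with passwords read from the environment instead of the command line.
set -eu

# SHA-256 fingerprint of the public key inside a private key ("key") or a
# certificate ("cert"); a fullchain.pem works because x509 reads the first cert.
pubkey_fp() {  # $1 = key|cert, $2 = PEM file
  if [ "$1" = key ]; then
    openssl pkey -in "$2" -pubout -outform DER
  else
    openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
  fi | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Prints "match" when the certificate was issued for this private key,
# "mismatch" otherwise (usual cause: the CSR key and the deployed key differ).
key_matches_cert() {  # $1 = private key PEM, $2 = cert or fullchain PEM
  if [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]; then
    echo match
  else
    echo mismatch
  fi
}

# PKCS12 export; P12_PASS must be set in the environment so the password does
# not show up in `ps` or shell history. Add -legacy under OpenSSL 3 if an old
# JDK cannot read the result.
make_p12() {  # $1 = key, $2 = fullchain or cert, $3 = output .p12
  openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" -out "$3" \
    -passout env:P12_PASS
  chmod 600 "$3"
}

# PKCS12 -> JKS with keytool; P12_PASS and JKS_PASS come from the environment.
# Keep the resulting keystore outside /tmp, owned by the Tomcat user, mode 600.
make_jks() {  # $1 = .p12, $2 = output .jks
  keytool -importkeystore -srcalias tomcat -destalias tomcat \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$2" -deststoretype JKS \
    -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS
  chmod 600 "$2"
}

# Example calls on the Let's Encrypt layout from the post (placeholders):
#   key_matches_cert /etc/letsencrypt/live/example.com/privkey.pem \
#                    /etc/letsencrypt/live/example.com/fullchain.pem
#   P12_PASS=... make_p12 privkey.pem fullchain.pem example.com.p12
```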

Step 5 — Configure Tomcat with the Java Keystore

Now go to your Tomcat installation and open the server.xml file:

# vim /etc/tomcat/conf/server.xml

Ensure the following section is commented out:

<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->

Configure the connector to use a shared thread pool (the executor attribute refers to an Executor element named tomcatThreadPool, which must be defined in server.xml):

<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

Next, define the SSL HTTP/1.1 Connector on port 8443 (the NIO protocol class works on every supported Tomcat version; the older BIO class Http11Protocol was removed in Tomcat 8.5):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/tmp/example.com.jks"
keystorePass="samplePassword"
clientAuth="false" sslProtocol="TLS" />

With the above configuration, the http to https redirect is done automatically for the application: redirectPort sends a request arriving on 8080 to 8443 whenever the request matches a security-constraint with transport-guarantee CONFIDENTIAL in the application’s web.xml.

Now just stop and start Apache Tomcat and you are done.

Your Tomcat server, along with all the applications that run on it, is now SSL secured.
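Checks to run once Tomcat is up, as an added example that is not part of the original post: verify that cert.pem chains through chain.pem to a trusted root, watch the expiry of the 90-day Let’s Encrypt certificate (the JKS from Step 4 is not refreshed by certbot renew unless you rebuild it), and inspect the certificate the 8443 listener actually serves. Host names and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the certificate files
# certbot writes (cert.pem, chain.pem) or a manual cert/chain pair, plus a look
# at what Tomcat actually serves on 8443. Host names and paths are placeholders.
set -eu

# Prints "OK" when cert.pem chains through the intermediates in chain.pem to a
# trusted root (system store by default, or the optional trust file), else "FAIL".
verify_chain() {  # $1 = cert.pem, $2 = chain.pem, $3 = optional CA bundle to trust
  if openssl verify ${3:+-CAfile "$3"} -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Prints "yes" if the certificate expires within N days, "no" otherwise.
# Let's Encrypt certificates last 90 days; certbot renews the PEM files, but the
# JKS built in Step 4 stays stale until it is rebuilt (certbot renew
# --deploy-hook can run that conversion after each renewal).
expires_within_days() {  # $1 = cert PEM, $2 = days
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Shows the certificate the live listener presents: subject, issuer, validity
# and SANs. Compare with the files you installed; needs network, so not run here.
served_cert_summary() {  # $1 = host name, $2 = port (8443 in the post)
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Example calls on the Let's Encrypt layout used in the post:
#   verify_chain /etc/letsencrypt/live/example.com/cert.pem /etc/letsencrypt/live/example.com/chain.pem
#   expires_within_days /etc/letsencrypt/live/example.com/cert.pem 30
#   served_cert_summary www.example.com 8443
```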

Mahdi Mashrur Matin (CISSP) is a seasoned professional in cryptography and information security. He is a consultant to BGD-e-GOV-CIRT, BCC, ICT Division Bangladesh and leads their Certificate Authority tech team.
