A Step-By-Step Guide to Apache Tomcat with SSL Configuration
A Quick Guide
Before going into the guide, let’s understand what is SSL and it’s background. Some of you may have a clear understanding about SSL. We will have a quick introduction on SSL.
What does SSL stands for? Secure Socket Layer. It is a protocol that makes the secure communication between server and the client. How does it make the communication secure?. The security is ensured by data encryption and certification-based Authentication. SSL is a popular mechanism that is supported by many browsers.
If you are Apache Tomcat user, there are instances where you may deal with sensitive data, SSL is the efficient option that offers security. Tomcat can fully support the SSL. Our task is to configure the tomcat with SSL. Don’t worry!. The following guide will help you to complete your configuration.
But before that, lets have a quick overview about the protocol. We acquire the SSL functionality via HTTPS. Is it actually a protocol? No, it’s a combination of HTTP and SSL. Consider that we are passing a message via HTTPS, the underneath truth is that the message is first encrypted by SSL protocol and then transmitted via HTTP. Finally, it could be decrypted with SSL by the receiver. Now, you may have a clear understand about why we have to configure Tomcat with SSL.
Using SSL With Tomcat
The first time you configure Tomcat to use SSL connections, it can be a little difficult, but if you follow this step-by-step guide, you should be up and running in no time. There are mainly two steps: creating a keystore file and configuring the tomcat server.
Step 1 — Creating the Keystore
What is ketstore? — Keystore is pssword protected file that stores keys that are required for SSL transaction by Tomcat. Before creating the keystore file, we have to ebable SSL inour machine. This file can be created in two ways.
- Importing an existing key to keystore
- Creating a new keystore
We can use keytool to create new key store. What is keytool? — It is a program that is included in our JDK that helps to create the keystore. We can use the following commands to create the keystore file in our machine.
There are many keystore formats available. But only some of them are supported by tomcat. Eg: JKS , PKCS11 or PKCS12 formats. JKS stands for “KeyStore”. This can be created by the keytool commnd-line functionality. This is embedded in JDK.
In order to create a entirely new keystore that containes a single self-signed certificate, we can use the following commands from our terminal.
- Create a new keystore file that contains the private key and the self-signed certificate:
Windows:"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
Unix:$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
2. Enter the required values
After completing the above mentioned steps, a keystore file will be created in the home directory. If we need to store in a different location, we have to add the parameter -keystore , followed by the path where we need to store the file. We need to add this in server.xml file as well.
A sample is given as follows:
Windows:"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
-keystore \completePathUnix:$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
-keystore /completePath
Also, we can import an exisitng file that is signed by our own CA using OpenSSL:
openssl pkcs12 -export -in mycert.crt -inkey mykey.key
-out mycert.p12 -name tomcat -CAfile myCA.crt
-caname root -chainStep 2 — Configuring Tomcat Server
After completing the part 1, we have to configure the tomcat server which is a simple step. Here we only need to open the server.xmlfile from <TOMCAT_HOME>/conf/server.xml . Then, enable the https connector on port:8443 port.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="path to keystore.jks"
keystorePass="*******" />You can add your keystore path and password to keystoreFile and keystorePass .
Here, we are using port number 8443. This is the TCP/IP port that Tomcat will use to listen for secure connections. But, we can change this port number as we like. The default port that is used by the https for secure communication is 8443).
Warning!!!
If we are planning to change the port number, we also need to change this value in the
redirect portfor non-SSL connectors as well. This will help to redirect the users automatically when they try to access an app with a constraint for security like SSL is required.
You have completed all the required steps. Now, you can restart Tomcat server and then, you can access your application via SSL.
Try:
and you can see the Tomcat splash page.
Happy Learning!!!
