How to Implement SSL/TLS in Apache Tomcat

TLS (the successor to SSL; the two names are still used interchangeably) protects the data moving between a client and your website or application. Without it, every request sent to your Tomcat server and every response it sends back travels in plaintext and can be read or altered by anyone on the network path, so if you run your site on Apache Tomcat you need to enable TLS there just as you would on any other web server. The setup is more involved than on a typical web server because Tomcat reads its private key and certificate from a Java keystore, but in this article we will walk through it step by step.

Here are the steps to implement SSL/TLS in Apache Tomcat.

1. Create Keystore

The first step is to create a keystore, the file in which Tomcat will look for your server's private key and its certificate chain. You can generate a fresh key pair into a new keystore with the keytool utility, or import an existing key and certificate into one.

In our example we create a new keystore with keytool, which ships with every JDK. Open a terminal and run the following command (shown for Windows; on Linux or macOS use $JAVA_HOME/bin/keytool and forward slashes). Replace tomcat and \path\to\keystore with the alias and keystore location of your choice, and remember the alias, because Tomcat will need it later.

"%JAVA_HOME%\bin\keytool" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore \path\to\keystore

When you run the above command you will see a series of prompts for the keystore password and for the details that make up the certificate's subject name. Choose a strong password, and enter your site's fully qualified domain name (for example www.yourdomain.com) when asked for your first and last name: that answer becomes the CN of the certificate. Browsers today match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so the certificate you finally receive must carry the domain in its SAN as well; a public CA will normally copy it there from the CN.

Enter keystore password:strong_password
Re-enter new password:strong_password
What is your first and last name?
[Unknown]: yourdomain.com
What is the name of your organizational unit?
[Unknown]: Blogging
What is the name of your organization?
[Unknown]: Blog
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=yourdomain.com, OU=Blogging, O=Blog, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <tomcat>
(RETURN if same as keystore password):

Press RETURN here. Tomcat can only open the key if the key password equals the keystore password (unless you configure a separate key password in server.xml), and PKCS12 keystores, the default type since JDK 9, do not support a distinct key password at all.

The keystore is written to the path you passed with -keystore. If you omit that option, keytool creates a file named .keystore in your home directory, which is one of the following depending on your system:

Windows: C:\Users\[username]
Mac: /Users/[username]
Linux: /home/[username]

2. Create CSR

Next you need to create certificate signing request (CSR) which will be used by third-party certificate authority (CA) to generate SSL/TLS certificates. You can use the same Java keystore tool for this purpose also.

$JAVA_HOME/bin/keytool -certreq -alias tomcat -file yourdomain.csr -keystore /path/to/keystore

The above command will generate a CSR file with .csr extension. Submit it to any of the popular third-party certificate authorities (CA) such as RapidSSL, Comodo, etc. to get the SSL/TLS certificates.

3. Install SSL/TLS certificate

You can download the certificates from the CA's website or receive them by e-mail. Usually you get a root certificate, one or more intermediate certificates and your domain certificate. All of them go into the keystore created in step 1, in that order: CA certificates first, the domain certificate last, because keytool must be able to build the chain from the domain certificate up to a trusted root when it installs the reply.

You can use the following command to import certificates to your keystore. In it, replace [path/to/keystore] with the path to your keystore, and [path/to/root_certificate] with the path to your root certificate.

"%JAVA_HOME%\bin\keytool" -import -alias root -keystore [path/to/keystore] -trustcacerts -file [path/to/root_certificate]

Similarly, here is the command to import intermediate certificate to keystore. In this case, you need to use the path to intermediate certificate.

"%JAVA_HOME%\bin\keytool" -import -alias intermediate -keystore [path/to/keystore] -file [path/to/intermediate_certificate]

and here is the command to import the domain certificate. This one must use the same alias as the key pair from step 1 (tomcat in our example). Imported under any other alias, keytool stores the certificate as a separate trusted-certificate entry instead of attaching it to your private key, and Tomcat will refuse to start because the alias does not identify a key entry. When the alias is right, keytool confirms with "Certificate reply was installed in keystore".

"%JAVA_HOME%\bin\keytool" -import -alias tomcat -keystore [path/to/keystore] -trustcacerts -file [path/to/domain_certificate]

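Steps 1 to 3 as one non-interactive script, with the check you should run afterwards. This is an added example and not part of the original article: it assumes keytool from a JDK is on the PATH, uses the made-up values example.com, alias tomcat and tomcat.p12, and, because a real CA reply is not available offline, stands in a throwaway CA built with keytool -gencert for the CA of step 2. After step 3 the alias must still be a PrivateKeyEntry and its chain length must have grown from 1 (the self-signed certificate) to 2 or more (domain certificate plus the CA certificates).

```shell
#!/usr/bin/env bash
# Added example: steps 1-3 without prompts, plus a check of the result.
# Assumes keytool (from a JDK) is on PATH. Domain, alias and file names are made up.
set -eu

# Step 1: RSA key pair in a PKCS12 keystore. -dname answers the prompts, -ext SAN puts the
# host names where browsers look for them. PKCS12 has a single password, so no -keypass.
make_keystore() {
  ks=$1; alias=$2; domain=$3; pass=$4
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$domain, OU=Blogging, O=Blog" \
    -ext "SAN=dns:$domain,dns:www.$domain" \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass" >/dev/null
}

# Step 2: CSR for the same alias, requesting the same SAN.
make_csr() {
  ks=$1; alias=$2; domain=$3; pass=$4; out=$5
  keytool -certreq -alias "$alias" -ext "SAN=dns:$domain,dns:www.$domain" \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass" -file "$out"
}

# Stand-in for the CA (constructed for the demo): a self-signed CA key signs the CSR
# and its certificate is exported so the server keystore can trust it.
toy_ca_sign() {
  ca_ks=$1; pass=$2; csr=$3; domain=$4; ca_cert_out=$5; cert_out=$6
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Demo Root CA" -ext bc:c \
    -keystore "$ca_ks" -storetype PKCS12 -storepass "$pass" >/dev/null
  keytool -exportcert -alias ca -rfc -file "$ca_cert_out" \
    -keystore "$ca_ks" -storetype PKCS12 -storepass "$pass" >/dev/null
  keytool -gencert -alias ca -infile "$csr" -outfile "$cert_out" -rfc -validity 90 \
    -ext "SAN=dns:$domain,dns:www.$domain" -ext "EKU=serverAuth" \
    -keystore "$ca_ks" -storetype PKCS12 -storepass "$pass"
}

# Step 3: CA certificate first, under its own alias; then the domain certificate under the
# KEY's alias, so keytool installs it as the reply for that key rather than as a separate
# trusted-certificate entry that Tomcat cannot use.
import_reply() {
  ks=$1; alias=$2; pass=$3; ca_cert=$4; domain_cert=$5
  keytool -importcert -noprompt -trustcacerts -alias root -file "$ca_cert" \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$domain_cert" \
    -keystore "$ks" -storetype PKCS12 -storepass "$pass"
}

# Checks: entry type and chain length of the alias Tomcat will be pointed at.
entry_type() {
  keytool -list -v -alias "$2" -keystore "$1" -storetype PKCS12 -storepass "$3" \
    | sed -n 's/^Entry type: //p'
}
chain_length() {
  keytool -list -v -alias "$2" -keystore "$1" -storetype PKCS12 -storepass "$3" \
    | sed -n 's/^Certificate chain length: //p'
}

demo() {
  dir=$(mktemp -d)
  make_keystore "$dir/tomcat.p12" tomcat example.com changeit
  make_csr "$dir/tomcat.p12" tomcat example.com changeit "$dir/example.com.csr"
  toy_ca_sign "$dir/ca.p12" changeit "$dir/example.com.csr" example.com \
    "$dir/ca.crt" "$dir/example.com.crt"
  import_reply "$dir/tomcat.p12" tomcat changeit "$dir/ca.crt" "$dir/example.com.crt"
  echo "tomcat: $(entry_type "$dir/tomcat.p12" tomcat changeit)," \
    "chain length $(chain_length "$dir/tomcat.p12" tomcat changeit)"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the whole flow end to end. In production, replace toy_ca_sign with submitting the CSR to your CA and pass the certificates it returns to import_reply; if the CA sends an intermediate as well, import it under its own alias before the domain certificate, exactly as the root is handled here. The chain length printed at the end is the quickest way to tell a correctly installed reply (2 or more) from a certificate that was imported under the wrong alias (the key alias stays at 1).
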
4. Setup Tomcat to Use SSL Certificate

Navigate to your Tomcat installation directory ($CATALINA_HOME, for example /opt/tomcat) and open conf/server.xml.

$ sudo vi $CATALINA_HOME/conf/server.xml

Look for the following line.

<!-- <Connector port="8443" … /> -->

Remove the <!-- and --> to uncomment it. This connector listens for HTTPS on port 8443; the default HTTP connector on port 8080 stays active alongside it unless you remove it.

Tomcat supports two SSL implementations: JSSE (pure Java, the default) and APR (Apache Portable Runtime, using the native OpenSSL-based tcnative library). The attribute form below is the classic one, which Tomcat 8.5 and 9 still accept; since 8.5 the preferred form nests an SSLHostConfig element with a Certificate child inside the Connector. Note that XML element and attribute names are case-sensitive (Connector, maxThreads, clientAuth). Replace KeystorePassword, path/to/keystore and yourAlias with the keystore password and path from step 1 and the alias you chose there.

<Connector port="8443" maxThreads="150" scheme="https" secure="true"
           SSLEnabled="true" keystoreFile="path/to/keystore"
           keystorePass="KeystorePassword" clientAuth="false" keyAlias="yourAlias"
           sslProtocol="TLS"/>

If you want to use the APR connector instead, the key and certificates are read from PEM files rather than from the keystore, and the protocol list should exclude TLS 1.0 and 1.1, which are deprecated:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/path/to/certificate.crt"
           SSLCertificateKeyFile="/path/to/keyfile"
           SSLPassword="KeyPassword"
           SSLCertificateChainFile="/path/to/intermediate_chain.crt"
           SSLProtocol="TLSv1.2+TLSv1.3"/>

The main difference between the two is where the key material lives. With JSSE the connector points at the keystore (keystoreFile); with APR it reads an OpenSSL-style PEM private key (SSLCertificateKeyFile, with SSLPassword being that key's passphrase, not the keystore password), the server certificate (SSLCertificateFile) and a file containing the intermediate certificates (SSLCertificateChainFile; the root does not need to be sent to clients). keytool cannot export a private key as PEM directly, so for APR you either generate the key with OpenSSL in the first place, or convert the keystore with keytool -importkeystore to PKCS12 and extract the key with openssl pkcs12.
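The same HTTPS connector in the nested form that Tomcat 8.5 and later prefer, as an added example that is not from the original article. It assumes a PKCS12 keystore at /opt/tomcat/conf/tomcat.p12 with alias tomcat, and that the keystore password is supplied as the system property keystore.password (for example through CATALINA_OPTS in bin/setenv.sh) so it does not sit in server.xml in clear text; the plain 8080 connector is included only to show redirectPort. Paste the fragment inside the Service element in place of the commented-out connector.

```xml
<!-- HTTPS connector, Tomcat 8.5+/9 nested form. Added example: keystore path, alias
     and the keystore.password property are assumptions, not values from the article. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <!-- Only TLS 1.2 and 1.3 are negotiated. certificateVerification="none" is the
         equivalent of the old clientAuth="false" (no client certificates required). -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" certificateVerification="none">
        <Certificate certificateKeystoreFile="/opt/tomcat/conf/tomcat.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyAlias="tomcat"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

<!-- The plain HTTP connector keeps answering on 8080. redirectPort only applies to
     resources your web.xml marks as CONFIDENTIAL; remove this connector for HTTPS only. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
```

Tomcat substitutes ${...} in server.xml from Java system properties, so a line such as CATALINA_OPTS="$CATALINA_OPTS -Dkeystore.password=..." in bin/setenv.sh keeps the secret out of the configuration file and out of any copy of server.xml you check into version control.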

Restart Apache Tomcat to apply the changes, then open https://localhost:8443 in a web browser (https://localhost without a port only works if you moved the connector to 443 or placed a reverse proxy in front). Browsing to the real host name should show your CA-issued certificate with no warning. Keep in mind that the plain HTTP connector on port 8080 still serves the same applications unless you disable it or redirect it to the TLS port.

In this article we have learnt how to set up TLS in Apache Tomcat. Adapt the alias, paths and ports to your own deployment.
