Thursday, June 21, 2012

Quick Tomcat SSL Setup

Setting up SSL in Tomcat is not that tough using JDK and Tomcat alone.But for production environment  OpenSSL is recomended. In the following section we will see how we can setup SSL in tomcat, so that the client can establish HTTPS connection with the Tomcat Server Instance.
Mainly we have to follow the following steps,

  1. Generating Keystore using JDK keytool utility
  2. Configuring the Tomcat Instance to use the Keystore.

Lets see now these steps in details,

1) Generating Keystore using JDK keytool Utility
Here we will be generating a keystore with certificate, which we can use in next step to configure the Tomcat Instance.

It is assumed that you have have JDK 5 or higher installed in your box along with Tomcat 5 or higher. Now go to the command prompt and run the following keytool command.

keytool -genkey -alias tomcatkeys -keystore siddtomcat5.keystore


where the alias name is tomcatkeyskeystore  and keystore name is siddtomcat5.keystore.
It will ask you some questionnaire, which you need to feel up, so that the utility can generate the keystore.


Enter keystore password:  password123

What is your first and last name?

  [Unknown]:  sidd bhatt

What is the name of your organizational unit?

  [Unknown]:  life365

What is the name of your organization?

  [Unknown]:  life365

What is the name of your City or Locality?

  [Unknown]:  Foster City

What is the name of your State or Province?

  [Unknown]:  California

What is the two-letter country code for this unit?

  [Unknown]:  US

Is CN=sidd bhatt, OU=life365, O=life365, L=Foster City, ST=California, C=US corr

ect?
  [no]:  yes

Once that is done, we have a keystore with a certificate. Now we need to configure Tomcat SSL with this keystore.
For more more information about keystore or keytool you can see this blog post Keytool for importing certificates to keystore


2) Tomcat Configuration
Now open the server.xml file which is under TOMCAT_HOME /conf folder. open it and paste the following lines,



<Connector port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="siddtomcat5.keystore" keystorePass="sonali123"
           clientAuth="false" sslProtocol="SSL"/>


The keystoreFile takes relative path, so I have kept th keystore in the TOMCAT_HOME Directory.

Now you should be able to access All the Application in this Tomcat instance using both HTTP and HTTPS protocols

Client when tries to connect to this secured HTTPS enabled application on this Tomcat instance, would
need to trust the same certificate.


First time you want to connect to any application deployed on this tomcat instance using HTTPS
from browser, browser will prompt for importing the above created certificate to browser's trust certificate.

Similarly if you want to connect to the web application from Java client using HTTPS you have to import the certificate to Java cacerts keystore.

Java uses a certificate store, which usually consists of a cacerts file, located in the jre/lib/security directory of your Java installation

No comments :

Post a Comment