Loiane Groner, Brazilian, works as a Java/ Sencha evangelist. She has 7+ years of experience in web development. She is the ESJUG (Espirito Santo Java Users Group) and CampinasJUG (Campinas Java Users Group) leader and coordinator. Loiane is passionate about technology and programming. Also author of ExtJS 4 First Look book. Loiane is a DZone MVB and is not an employee of DZone and has posted 42 posts at DZone. You can read more from them at their website. View Full User Profile

Setting Up SSL on Tomcat in 5 minutes

07.01.2011
| 56374 views |
  • submit to reddit

This tutorial will walk you through how to configure SSL (https://localhost:8443 access) on Tomcat in 5 minutes.

For this tutorial you will need:

  • Java SDK (used version 6 for this tutorial)
  • Tomcat (used version 7 for this tutorial)

The set up consists in 3 basic steps:

  1. Create a keystore file using Java
  2. Configure Tomcat to use the keystore
  3. Test it
  4. (Bonus ) Configure your app to work with SSL (access through https://localhost:8443/yourApp)

1 – Creating a Keystore file using Java

Fisrt, open the terminal on your computer and type:

Windows:

cd %JAVA_HOME%/bin

Linux or Mac OS:

cd $JAVA_HOME/bin

The $JAVA_HOME on Mac is located on “/System/Library/Frameworks/JavaVM.framework/Versions/{your java version}/Home/

You will change the current directory to the directory Java is installed on your computer. Inside the Java Home directory, cd to the bin folder. Inside the bin folder there is a file named keytool. This guy is responsible for generating the keystore file for us.

Next, type on the terminal:

keytool -genkey -alias tomcat -keyalg RSA

When you type the command above, it will ask you some questions. First, it will ask you to create a password (My password is “password“):

loiane:bin loiane$ keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:  password
Re-enter new password: password
What is your first and last name?
  [Unknown]:  Loiane Groner
What is the name of your organizational unit?
  [Unknown]:  home
What is the name of your organization?
  [Unknown]:  home
What is the name of your City or Locality?
  [Unknown]:  Sao Paulo
What is the name of your State or Province?
  [Unknown]:  SP
What is the two-letter country code for this unit?
  [Unknown]:  BR
Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?
  [no]:  yes
 
Enter key password for
    (RETURN if same as keystore password):  password
Re-enter new password: password

It will create a .keystore file on your user home directory. On Windows, it will be on: C:Documents and Settings[username]; on Mac it will be on /Users/[username] and on Linux will be on /home/[username].

2 – Configuring Tomcat for using the keystore file – SSL config

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file. Open it.

Find the following declaration:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
-->

Uncomment it and modify it to look like the following:

Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="8443" keystoreFile="/Users/loiane/.keystore" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

Note we add the keystoreFile, keystorePass and changed the protocol declarations.

3 – Let’s test it!

Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.

Note if you try to access the default 8080 port it will be working too: http://localhost:8080

4 – BONUS - Configuring your app to work with SSL (access through https://localhost:8443/yourApp)

To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before web-app tag ends):

	
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The url pattern is set to /* so any page/resource from your application is secure (it can be only accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.

If you want to turn off the SSL, you don’t need to delete the code above from web.xml, simply change CONFIDENTIAL to NONE.

Referencehttp://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html (this tutorial is a little confusing, that is why I decided to write another one my own).

Happy Coding!


From http://loianegroner.com/2011/06/setting-up-ssl-on-tomcat-in-5-minutes-httpslocalhost8443/

Published at DZone with permission of Loiane Groner, author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)

Comments

Nicolas Frankel replied on Fri, 2011/07/01 - 3:05am

You just destroyed my next article :-/

Mihai Dinca - P... replied on Fri, 2011/07/01 - 3:53am

 You can add another bonus : Configure a desktop application to work with a SSL server

Gnu Skool replied on Fri, 2011/07/01 - 6:31am

Great post and thank you Mihai, as a student I'd say that's a great idea to extend this..

Manuel Jordan replied on Fri, 2011/07/01 - 11:24am in response to: Nicolas Frankel

Hello Nicolas

Perhaps the next tutorial would be the best practices about configuration the Memory pools and Thread Stack size

Carla Brian replied on Wed, 2012/06/20 - 6:07pm

This is great. Good thing I saw your post. I don't know how to install this one. - Instant Tax Solutions Scam

Michał Niwiński replied on Wed, 2013/05/22 - 6:03am

Great job! Thanks for this article!:)

Saurabh Shah replied on Mon, 2013/07/08 - 12:19pm

Hi,

I have completed till step-2, and restarted tomcat service. However, I am still unable to hit https://servername:8443 successfully.  The page is not opening(page not found error).  FYI - http://servername:8080 is working fine.

I have confirmed that -

1).keystore is generated

2) Updated server.xml properly with exact path in keyfile section, all case are proper

3) There are no errors in catalina.out.

Kindly let me know, what should be done to have https://servername:8443 working?

Regards,

Saurabh Shah

Ravi Naik replied on Thu, 2013/10/24 - 8:36pm

Hi, 

I did all the steps, my application is getting redirected to HTTPS, but I am not able to connect to the database. Is there anything I need to do for Database specific applications. 



Thanks. 

Palak Raval replied on Mon, 2014/04/14 - 4:21am

 After following 3 steps, my application is only be accessible through https.

But bonus point is not working for me, If I add any of the below in web.xml.

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

         or

<transport-guarantee>NONE</transport-guarantee>

My application only be accessible through https, even with none option.

Is there any pre requirement to follow above step.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.