A step-by-step guide to setting up an SSL/TLS certificate in the Tomcat server.
One of the essential tasks in securing Tomcat is configuring an SSL/TLS certificate so that the web application is served over HTTPS.
There are several ways to achieve this.
- Terminate TLS at a load balancer
- Terminate TLS at the CDN
- Put a web server such as Apache or Nginx in front of Tomcat and terminate TLS there
However, if none of the above applies, or Tomcat is itself the front end and has to terminate TLS directly, the following steps will help you.
In this article, we will:
- Generate a CSR (certificate signing request)
- Import the signed certificate into a keystore file
- Enable SSL/TLS in Tomcat
- Configure the TLS protocol versions
- Change Tomcat to listen on port 443
- Test Tomcat for SSL/TLS weaknesses
Let’s start…
Preparing for SSL/TLS Certificate
The first step is to generate a CSR and have it signed by a certificate authority (CA). We will use the keytool utility that ships with the JDK to manage the keystore and the certificates.
- Log in to the Tomcat server
- Go to the Tomcat installation path
- Create a folder called ssl and change into it
- Run the following command to create a keystore holding a new RSA key pair
keytool -genkey -alias domainname -keyalg RSA -keysize 2048 -keystore filename.jks
There are two values in the above command which you may want to change.
- Alias: keep it meaningful so you can recognise it later; I prefer to use the domain name. The same alias must be used again when the signed certificate is imported.
- Filename: again, it is good to use the domain name.
Example:
[root@geekflare ssl]# keytool -genkey -alias bloggerflare -keyalg RSA -keysize 2048 -keystore bloggerflare.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: bloggerflare.com
What is the name of your organizational unit?
[Unknown]: Blogging
What is the name of your organization?
[Unknown]: Geek Flare
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=bloggerflare.com, OU=Blogging, O=Geek Flare, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <bloggerflare>
(RETURN if same as keystore password):
[root@geekflare ssl]#
Pay attention to the "first and last name" question; its wording is misleading. The answer is not your name but the fully qualified domain name you want to secure, which keytool places in the CN of the certificate subject. Note that modern browsers ignore the CN and match the host name against the Subject Alternative Name (SAN) extension; public CAs fill the SAN in from the name you order, and keytool can also add it to the request with its -ext option.
Once you have provided all the information, keytool creates the keystore file in the present working directory. The keystore now holds your private key (plus a self-signed placeholder certificate), so make it readable only by the account Tomcat runs as; the prompt above is a root shell, but Tomcat itself should not run as root.
Next, generate a CSR from the newly created keystore with the command below.
keytool -certreq -alias bloggerflare -keyalg RSA -file bloggerflare.csr -keystore bloggerflare.jks
This creates a CSR, which you send to the certificate authority to be signed. If you are just experimenting, consider a free certificate provider; otherwise go for a commercial one. Either way, the CA returns your domain certificate together with its root and intermediate certificate(s).
Once the certificate is signed, import it into the keystore with the commands below. The order matters: the trust anchors go in first, the certificate reply last.
- Import the root certificate provided by the CA
keytool -importcert -alias root -file root -keystore bloggerflare.jks
- Import the intermediate certificate
keytool -importcert -alias intermediate -file intermediate -keystore bloggerflare.jks
Note: without the root and intermediate certificates in the keystore, keytool cannot build the certificate chain and refuses to import the domain certificate. If there is more than one intermediate, import them all. (Alternatively, pass -trustcacerts so keytool also consults the JDK's cacerts file for the root.)
- Import the domain certificate, using the same alias as the private key; with a different alias keytool would store it as a plain trusted certificate instead of attaching it to your key
keytool -importcert -file bloggerflare.cer -keystore bloggerflare.jks -alias bloggerflare
and you will get confirmation that the reply was installed:
Certificate reply was installed in keystore
Great, the keystore is ready. Let's move to the next step.
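The same procedure as a non-interactive script, added here as an example (it is not the article's own commands). Passwords are passed through environment variables with -storepass:env rather than on the command line, the SAN is added to both the key pair and the CSR, -genkeypair is used (the current name of -genkey), and the import is verified by checking that the private-key entry ends up with a chain of length 3. To make the flow rehearsable offline it also builds a throwaway two-tier CA with keytool -gencert; the CA names, file names, validity periods and passwords are assumptions, and in a real deployment the root.pem, intermediate.pem and signed certificate come from the CA instead. On JDK 9 and later keytool writes PKCS12 even with a .jks file name; Tomcat reads either format.

```bash
#!/bin/sh
# Non-interactive version of the keytool procedure above, plus a throwaway
# two-tier CA so the whole flow can be rehearsed offline. Added example, not
# the article's commands: names, aliases and passwords below are assumptions.
set -eu

# keytool reads these with -storepass:env / -keypass:env, so the passwords
# never appear in the process list or in shell history.
export STOREPASS="${STOREPASS:-changeit-server}"
export CAPASS="${CAPASS:-changeit-ca}"

# 1. Key pair for the server. The CN is the FQDN, but browsers only honour
#    the SubjectAlternativeName, so it is added explicitly.
make_keystore() {  # make_keystore <keystore> <alias> <fqdn>
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 825 \
    -dname "CN=$3, OU=Blogging, O=Geek Flare, C=US" -ext "san=dns:$3" \
    -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
}

# 2. CSR for the CA. -certreq does not copy extensions from the key pair's
#    placeholder certificate, so the SAN has to be repeated here.
make_csr() {  # make_csr <keystore> <alias> <fqdn> <csr-out>
  keytool -certreq -alias "$2" -ext "san=dns:$3" -file "$4" \
    -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
}

# 3. Trust anchors first, then the signed certificate under the SAME alias
#    as the private key, so keytool treats it as a certificate reply.
import_chain() {  # import_chain <keystore> <alias> <root.pem> <intermediate.pem> <server.pem>
  keytool -importcert -noprompt -alias root -file "$3" \
    -keystore "$1" -storepass:env STOREPASS
  keytool -importcert -noprompt -alias intermediate -file "$4" \
    -keystore "$1" -storepass:env STOREPASS
  keytool -importcert -noprompt -alias "$2" -file "$5" \
    -keystore "$1" -storepass:env STOREPASS -keypass:env STOREPASS
}

# 4. Verify: a correctly installed reply gives leaf + intermediate + root.
chain_length() {  # chain_length <keystore> <alias>   -> prints e.g. 3
  keytool -list -v -alias "$2" -keystore "$1" -storepass:env STOREPASS 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}

# Lab CA (root + intermediate), standing in for the commercial or ACME CA.
make_lab_ca() {  # make_lab_ca <dir>
  ca="$1/ca.jks"
  keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Lab Root CA, O=Lab" -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -keystore "$ca" -storepass:env CAPASS -keypass:env CAPASS
  keytool -genkeypair -alias intermediate -keyalg RSA -keysize 2048 -validity 1825 \
    -dname "CN=Lab Intermediate CA, O=Lab" \
    -keystore "$ca" -storepass:env CAPASS -keypass:env CAPASS
  keytool -certreq -alias intermediate -file "$1/int.csr" \
    -keystore "$ca" -storepass:env CAPASS -keypass:env CAPASS
  keytool -gencert -alias root -infile "$1/int.csr" -outfile "$1/intermediate.pem" -rfc \
    -validity 1825 -ext bc:c=ca:true,pathlen:0 -ext ku:c=keyCertSign,cRLSign \
    -keystore "$ca" -storepass:env CAPASS -keypass:env CAPASS
  keytool -importcert -noprompt -alias intermediate -file "$1/intermediate.pem" \
    -keystore "$ca" -storepass:env CAPASS -keypass:env CAPASS
  keytool -exportcert -alias root -rfc -file "$1/root.pem" \
    -keystore "$ca" -storepass:env CAPASS
}

sign_with_lab_ca() {  # sign_with_lab_ca <dir> <csr> <fqdn> <cert-out>
  keytool -gencert -alias intermediate -infile "$2" -outfile "$4" -rfc -validity 397 \
    -ext "san=dns:$3" -ext eku=serverAuth -ext ku:c=digitalSignature,keyEncipherment \
    -keystore "$1/ca.jks" -storepass:env CAPASS -keypass:env CAPASS
}

# End-to-end rehearsal; prints the chain length of the finished server entry.
lab_demo() {  # lab_demo <workdir> <fqdn>
  mkdir -p "$1"
  ks="$1/$2.jks"
  {
    make_lab_ca "$1"
    make_keystore "$ks" "$2" "$2"
    make_csr "$ks" "$2" "$2" "$1/$2.csr"
    sign_with_lab_ca "$1" "$1/$2.csr" "$2" "$1/$2.pem"
    import_chain "$ks" "$2" "$1/root.pem" "$1/intermediate.pem" "$1/$2.pem"
  } >/dev/null
  chain_length "$ks" "$2"
}

# Usage: sh tomcat-keystore.sh demo /tmp/tomcat-tls-lab bloggerflare.com
case "${1:-}" in demo) lab_demo "${2:-/tmp/tomcat-tls-lab}" "${3:-bloggerflare.com}" ;; esac
```

For a real certificate, call make_keystore and make_csr, send the .csr to the CA, and feed the files it returns to import_chain; chain_length printing anything other than 3 (or 2 for a CA with no intermediate) means a certificate is missing from the keystore and the server would send an incomplete chain.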
If you are new to SSL/TLS and want to learn more, enroll in this online course: SSL/TLS Operations.
Enable SSL in Tomcat
Assuming you are still logged in to the Tomcat server, go to the conf folder.
- Take a backup of the server.xml file
- Find the
<Connector port="8080" protocol="HTTP/1.1"
section and add the following attributes to that element (secure="true" is included so that request.isSecure() returns true and the session cookie gets the Secure flag)
SSLEnabled="true" scheme="https" secure="true" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
- Don't forget to change the keystore file name and password to yours. A relative keystoreFile path is resolved against $CATALINA_BASE, so ssl/bloggerflare.jks points at the folder created earlier. The password is stored in clear text, so make server.xml readable only by the Tomcat user.
- Restart Tomcat and it should be accessible over HTTPS (still on port 8080 at this point)
Sweet!
Standard HTTPS Port
Why?
Well, at this point I am accessing Tomcat over port 8080 with https://, which is not the standard HTTPS port, and there are further reasons to change it.
- You don't want to ask users to type a custom port into every URL
- Port 8080 is conventionally plain HTTP; proxies, scanners and monitoring that expect HTTPS on 443 will get it wrong
So the idea is to make Tomcat listen on port 443 so it is reachable as https:// with no port number. (The certificate is bound to the host name, not the port, so the browser does not warn about the port itself; the reasons are usability and convention.)
To do so, edit server.xml with your favorite editor
- Go to
<Connector port="8080"
- Change port from 8080 to 443
- It should look like this (secure="true" added so the application sees the request as HTTPS)
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
SSLEnabled="true" scheme="https" secure="true" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
redirectPort="8443" />
- redirectPort only matters on a plain-HTTP connector (it is where requests for a secured resource are redirected), so it is harmless here; note that since this was the only HTTP connector, nothing answers plain http:// on port 80 any more
- Restart Tomcat and access your application over https:// without a port number. On Linux, ports below 1024 require privilege: rather than running Tomcat as root, grant the java binary the CAP_NET_BIND_SERVICE capability, start it through authbind, or keep the connector on 8443 and redirect 443 to it in the firewall.
Impressive, it’s a success!
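The connector above works, but sslProtocol="TLS" only selects the JSSE context; it does not restrict which protocol versions clients may negotiate, so TLS 1.0 and 1.1 stay enabled on older JDKs and the "Configure TLS protocol" item from the list at the top is still open. Below is a hardened version of the same 443 connector in the SSLHostConfig form that Tomcat 8.5 and later prefer (the single-line attribute form is deprecated there; on it the equivalent is sslEnabledProtocols="TLSv1.2,TLSv1.3"). This is an added example, not the article's configuration: the cipher list, the alias and the keystore.password property name are assumptions.

```xml
<!-- Hardened replacement for the port 443 connector above (Tomcat 8.5+).
     Added example, not from the article; cipher list, alias and the
     keystore.password property name are assumptions. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" maxThreads="200"
           SSLEnabled="true" scheme="https" secure="true">
    <!-- 'protocols' is what actually limits the negotiable versions;
         sslProtocol="TLS" on the old-style connector does not. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <!-- A relative path is resolved against $CATALINA_BASE. The password
             comes from a JVM system property (-Dkeystore.password=... in
             CATALINA_OPTS or a line in catalina.properties) instead of being
             written into server.xml in clear text. -->
        <Certificate certificateKeystoreFile="ssl/bloggerflare.jks"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyAlias="bloggerflare"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Tomcat substitutes ${...} in server.xml from system properties and catalina.properties, so the keystore password can be kept out of the file that is most often copied into tickets and backups; whichever file ends up holding it must still be readable only by the Tomcat user. After restarting, confirm in catalina.out that no cipher in the list was rejected by the JVM.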
SSL/TLS Vulnerability Test
Finally, we will run a test to make sure the configuration has no known weaknesses (old protocol versions, weak ciphers, an incomplete certificate chain).
There are many online tools, which I discussed here; in this case I will use SSL Labs.
- Go to SSL Labs and enter the URL to begin the test
And it's GREEN: an A rating.
However, it is always a good idea to scroll down the report, look for anything it flags (for example TLS 1.0/1.1 still enabled or a missing intermediate certificate) and fix it. Note that SSL Labs can only test hosts reachable from the internet.
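For hosts SSL Labs cannot reach (internal or staging names), the protocol-version part of the check can be done locally with openssl s_client. The script below is an added example, not the article's own commands: it tries one handshake per TLS version, classifies the s_client output, and fails if TLS 1.0 or 1.1 is accepted or TLS 1.2 is refused. The host and port are arguments and the sample outputs used in the usage note are constructed; OpenSSL 1.1.1 or later is needed for the -tls1_3 flag.

```bash
#!/bin/sh
# Local TLS version check for hosts SSL Labs cannot reach. Added example, not
# from the article: host and port are arguments; nothing here is a real capture.
set -u

# One handshake attempt with a single protocol version; raw s_client output.
probe_raw() {  # probe_raw <host> <port> <version flag: -tls1 -tls1_1 -tls1_2 -tls1_3>
  printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>&1
}

# Classify s_client output read from stdin: "accepted <cipher>" or "rejected".
# A refused version shows "Cipher is (NONE)", "no protocols available", or an
# alert in OpenSSL's ":error:" log format.
classify() {
  out="$(cat)"
  case "$out" in
    *"no protocols available"*|*"Cipher is (NONE)"*|*":error:"*)
      echo rejected ;;
    *)
      echo "accepted $(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)" ;;
  esac
}

# Probe every version; one "<version> <result>" line per version.
tls_matrix() {  # tls_matrix <host> <port>
  host="$1"; port="$2"
  for v in TLSv1:-tls1 TLSv1.1:-tls1_1 TLSv1.2:-tls1_2 TLSv1.3:-tls1_3; do
    name="${v%%:*}"; flag="${v#*:}"
    echo "$name $(probe_raw "$host" "$port" "$flag" | classify)"
  done
}

# Policy: TLS 1.0 and 1.1 must be rejected, TLS 1.2 must be accepted.
# Reads matrix lines on stdin; returns 0 when the policy holds, 1 otherwise.
policy_ok() {
  status=0
  while read -r name result _; do
    case "$name $result" in
      "TLSv1 accepted"|"TLSv1.1 accepted") echo "FAIL: $name is enabled"; status=1 ;;
      "TLSv1.2 rejected") echo "FAIL: TLS 1.2 is not offered"; status=1 ;;
    esac
  done
  return $status
}

# Usage: sh tls-check.sh check bloggerflare.com 443
case "${1:-}" in check) tls_matrix "${2:?host}" "${3:-443}" | tee /dev/stderr | policy_ok ;; esac
```

Run it against the Tomcat host after each server.xml change; a line such as "TLSv1 accepted AES256-SHA" means the protocols setting did not take effect. The classifier only looks at the handshake summary, so it works the same whether the rejection comes from Tomcat's protocol list or from the JVM's own disabled-algorithms policy.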
That was all for today.
I hope this helps you understand the procedure for securing Tomcat with an SSL/TLS certificate. If you are interested in learning more, then I would highly recommend this course.