
How to Implement SSL in Apache Tomcat?


A step-by-step guide to setting up an SSL/TLS certificate on a Tomcat server.

One of the essential tasks in securing Tomcat is configuring an SSL/TLS certificate so that the web application is served over HTTPS.

There are several ways to achieve this.

  • Terminate TLS at the load balancer
  • Terminate TLS at the CDN
  • Put a web server such as Apache or Nginx in front of Tomcat and terminate TLS there

However, if none of the above applies, or Tomcat itself is the front end, or you simply need TLS directly on Tomcat, the following will help you.

In this article, we will do the following.

  • Generate a CSR (certificate signing request)
  • Import the signed certificate into a keystore file
  • Enable SSL/TLS in Tomcat
  • Configure the TLS protocol
  • Change Tomcat to listen on port 443
  • Test Tomcat for SSL/TLS vulnerabilities

Let’s start…

Preparing the SSL/TLS Certificate

The first step is to generate a CSR and have it signed by a certificate authority. We will use the keytool utility that ships with the JDK to manage the keystore and certificates.

  • Log in to the Tomcat server
  • Go to the Tomcat installation directory
  • Create a folder called ssl
  • Execute the following command to create a keystore holding a new RSA key pair
keytool -genkey -alias domainname -keyalg RSA -keysize 2048 -keystore filename.jks

(-genkey is the older spelling of -genkeypair; both are accepted.) There are two values in the above command that you may want to change.

  1. Alias – keep it meaningful so that you can recognize it later. I prefer to use the domain name.
  2. Filename – again, it is good practice to use the domain name.

Note that keytool on Java 9 and later writes the keystore in PKCS12 format by default, even when the file name ends in .jks; add -storetype JKS if you specifically need the older format.

Example:

[[email protected] ssl]# keytool -genkey -alias bloggerflare -keyalg RSA -keysize 2048 -keystore bloggerflare.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: bloggerflare.com
What is the name of your organizational unit?
[Unknown]: Blogging
What is the name of your organization?
[Unknown]: Geek Flare
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=bloggerflare.com, OU=Blogging, O=Geek Flare, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <bloggerflare>
(RETURN if same as keystore password):

[[email protected] ssl]#

Pay attention to the "first and last name" question. It is misleading: keytool puts the answer into the certificate's Common Name (CN), so enter the fully qualified domain name you want to secure, not your own name. Browsers and public CAs validate the Subject Alternative Name (SAN) extension rather than the CN, so it is worth adding -ext SAN=dns:bloggerflare.com to this command (and to the -certreq command below) so the request carries the hostname in both places.

Once you provide all the information, keytool creates the keystore file in the present working directory.

Next, generate a CSR from the newly created keystore with the command below.

keytool -certreq -alias bloggerflare -keyalg RSA -file bloggerflare.csr -keystore bloggerflare.jks

This creates a CSR, which you send to the certificate authority to get signed. If you are just experimenting, a free certificate provider will do; otherwise use a commercial one. Before sending it, inspect the request with openssl req -in bloggerflare.csr -noout -text and confirm that the CN (and the SAN, if you added one) is the hostname you expect.

I got the certificate signed and will import it into the keystore with the commands below. The chain has to go in from the top: root first, then intermediates, then the domain certificate, each under its own alias.

  • Import the root certificate given by the provider
keytool -importcert -alias root -file root -keystore bloggerflare.jks 
  • Import the intermediate certificate
keytool -importcert -alias intermediate -file intermediate -keystore bloggerflare.jks

Note: without importing the root and intermediate certificates, you will not be able to import the domain certificate into the keystore, because keytool must be able to build the full chain from the reply. If you have more than one intermediate, import them all. When keytool asks whether to trust a root it does not already know, compare the fingerprint it shows with the one the CA publishes before answering yes.

  • Import the domain certificate, using the same alias as the private key
keytool -importcert -file bloggerflare.cer -keystore bloggerflare.jks -alias bloggerflare

and you will get a confirmation that it was installed.

Certificate reply was installed in keystore

Great, the certificate keystore is ready. Let's move to the next step.
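The whole procedure above, from keystore to installed chain, as an added example that is not part of the original article. Because a real CA reply cannot be obtained offline, the script builds a throw-away root CA with openssl and has it sign the CSR; the domain bloggerflare.example, the organization fields, the CA name and the password changeit are placeholders. It also requests the SAN extension and finishes with the check a practitioner should make before wiring the keystore into Tomcat: that the alias holds a private key with a complete chain.

```shell
#!/bin/sh
# Added example, not code from the original article: the keystore, CSR and
# chain-import steps run end to end, with a throw-away CA made by openssl
# standing in for the real certificate authority so everything works offline.
# The domain, organization, CA name and password are constructed placeholders.
set -e

DOMAIN="${DOMAIN:-bloggerflare.example}"
STOREPASS="${STOREPASS:-changeit}"
STORETYPE="PKCS12"   # keytool's default since Java 9; use JKS if you need the old format

# 1. Key pair + keystore. -dname answers keytool's prompts non-interactively;
#    CN is the domain (the "first and last name" question). The SAN extension is
#    what browsers and public CAs actually validate, so request it from the start.
make_keystore() {
    dir="$1"
    keytool -genkeypair -alias "$DOMAIN" -keyalg RSA -keysize 2048 \
        -dname "CN=$DOMAIN, OU=Blogging, O=Geek Flare" \
        -ext "SAN=dns:$DOMAIN" \
        -storetype "$STORETYPE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -keystore "$dir/$DOMAIN.p12" >/dev/null 2>&1
}

# 2. CSR that carries the same SAN request
#    (inspect it with: openssl req -in "$DOMAIN.csr" -noout -text).
make_csr() {
    dir="$1"
    keytool -certreq -alias "$DOMAIN" -ext "SAN=dns:$DOMAIN" \
        -file "$dir/$DOMAIN.csr" -keystore "$dir/$DOMAIN.p12" \
        -storetype "$STORETYPE" -storepass "$STOREPASS" >/dev/null 2>&1
}

# 3. Stand-in for the CA (constructed for this demo): a self-signed root that
#    signs the CSR and copies the SAN into the issued certificate.
demo_ca_sign() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$dir/san.ext"
    openssl x509 -req -in "$dir/$DOMAIN.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/san.ext" \
        -out "$dir/$DOMAIN.cer" >/dev/null 2>&1
}

# 4. Import the root first (-noprompt answers the "Trust this certificate?" question;
#    with a real CA, compare its fingerprint against the published one before saying yes),
#    then the reply under the key's own alias. keytool prints
#    "Certificate reply was installed in keystore" on success.
import_chain() {
    dir="$1"
    keytool -importcert -alias root -trustcacerts -noprompt -file "$dir/root.crt" \
        -keystore "$dir/$DOMAIN.p12" -storetype "$STORETYPE" -storepass "$STOREPASS" >/dev/null 2>&1
    keytool -importcert -alias "$DOMAIN" -file "$dir/$DOMAIN.cer" \
        -keystore "$dir/$DOMAIN.p12" -storetype "$STORETYPE" -storepass "$STOREPASS" 2>&1
}

# 5. The check to run before touching server.xml: the alias must hold a private key
#    with a complete chain. Prints the chain length (2 here: leaf + root).
chain_length() {
    dir="$1"
    keytool -list -v -alias "$DOMAIN" -keystore "$dir/$DOMAIN.p12" \
        -storetype "$STORETYPE" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

# Usage: sh tomcat-tls-demo.sh demo   (everything lands in a temp directory)
if [ "${1:-}" = "demo" ]; then
    work="$(mktemp -d)"
    make_keystore "$work"; make_csr "$work"; demo_ca_sign "$work"
    import_chain "$work"
    echo "chain length: $(chain_length "$work")"
    echo "keystore: $work/$DOMAIN.p12"
fi
```

With a real CA, replace demo_ca_sign with the files the provider sends, import each intermediate the same way as the root under its own alias, and keep the reply's alias identical to the key pair's. If you keep the PKCS12 default, set keystoreType="PKCS12" on the Tomcat connector.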

If you are new to SSL/TLS and want to learn more, enroll in this online course – SSL/TLS Operations.

Enable SSL in Tomcat

Assuming you are still logged in to the Tomcat server, go to the conf folder.

  • Take a backup of the server.xml file
  • Go to the <Connector port="8080" protocol="HTTP/1.1" section and add the following attributes
SSLEnabled="true" scheme="https" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
  • Don't forget to change the keystore file name and password to yours. A relative keystoreFile path is resolved against $CATALINA_BASE, so ssl/bloggerflare.jks refers to the ssl folder created earlier inside the Tomcat directory.
  • The keystore password now sits in clear text in server.xml, so make sure that file is readable only by the user Tomcat runs as. sslProtocol="TLS" does not restrict the protocol versions on its own; on older JVMs TLS 1.0 and 1.1 may still be offered, so add sslEnabledProtocols="TLSv1.2,TLSv1.3" to pin them. On Tomcat 8.5 and later these connector attributes are deprecated in favor of a nested <SSLHostConfig> element, although they still work.
  • Restart Tomcat, and it should be accessible over HTTPS

Sweet!

Standard HTTPS Port

Why?

Well, in the previous step I was accessing Tomcat over port 8080 with https, which is not the standard port, and there are more reasons to change it.

  • You don't want to ask users to type a custom port
  • A certificate is bound to the hostname, not the port, so it is valid on 8080 too, but many corporate firewalls and proxies only allow outbound HTTPS on 443

So the idea is to make Tomcat listen on port 443 so that it is reachable over plain https:// without a port number. On Linux, ports below 1024 are privileged: do not run Tomcat as root just to get 443. Instead, grant the Java binary the cap_net_bind_service capability with setcap, start Tomcat through jsvc or authbind, or redirect 443 to 8443 with iptables.

To do so, edit server.xml with your favorite editor.

  • Go to <Connector port="8080"
  • Change the port from 8080 to 443
  • It should look like this
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
SSLEnabled="true" scheme="https" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
redirectPort="8443" />
  • Restart Tomcat and access your application over https without any port number. The redirectPort attribute has no effect on an SSL connector itself; it matters only on a plain-HTTP connector. Since the 8080 connector has now been turned into the TLS one, users who still type http:// get nothing; if you need that to work, add a separate plain connector with redirectPort="443" and a CONFIDENTIAL transport-guarantee in web.xml so Tomcat redirects them to HTTPS.

It works.
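The same 443 connector in the <SSLHostConfig> form that Tomcat 8.5 and 9 document, with the version pinning and password handling discussed above, as an added example that is not from the original article. The keystore path conf/ssl/bloggerflare.p12, the alias and the keystore.password property name are placeholders, and the check function is a plain grep over server.xml written for this example, not a Tomcat tool.

```shell
#!/bin/sh
# Added example, not from the original article: renders the hardened 443 connector
# and greps a server.xml for the settings that weaken it. The keystore path, alias
# and ${keystore.password} property name are placeholders.

# Hardened connector. Explicit TLS 1.2/1.3, keystore path relative to $CATALINA_BASE,
# password pulled from a property (set keystore.password in conf/catalina.properties
# or pass -Dkeystore.password=... to the JVM; Tomcat substitutes ${...} in server.xml)
# so the secret is not written into server.xml itself.
render_connector() {
    keystore="$1"; keyalias="$2"
    cat <<EOF
<Connector port="443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           connectionTimeout="20000" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
    <Certificate certificateKeystoreFile="$keystore"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="\${keystore.password}"
                 certificateKeyAlias="$keyalias"/>
  </SSLHostConfig>
</Connector>
EOF
}

# The connector exactly as the article configures it, embedded as a constructed
# sample for the check below.
weak_sample() {
    cat <<'EOF'
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
SSLEnabled="true" scheme="https" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
redirectPort="8443" />
EOF
}

# Flattens a server.xml to one line and prints one finding per line:
#   no-tls-connector           no SSLEnabled="true" connector at all
#   no-protocol-restriction    neither sslEnabledProtocols nor protocols pins TLS 1.2/1.3
#                              (sslProtocol="TLS" alone leaves the versions unpinned)
#   legacy-protocol            SSLv3, TLSv1 or TLSv1.1 explicitly enabled
#   literal-keystore-password  keystore password written in clear text in the file
# Prints nothing when the TLS connector passes.
check_server_xml() {
    flat="$(tr '\n' ' ' < "$1")"
    if ! printf '%s' "$flat" | grep -q 'SSLEnabled="true"'; then
        echo "no-tls-connector"
        return 0
    fi
    if ! printf '%s' "$flat" | grep -Eq '(sslEnabledProtocols|protocols)="[^"]*TLSv1\.[23]'; then
        echo "no-protocol-restriction"
    fi
    if printf '%s' "$flat" | grep -Eq '(sslEnabledProtocols|protocols)="[^"]*(SSLv3|TLSv1|TLSv1\.1)[",+ ]'; then
        echo "legacy-protocol"
    fi
    if printf '%s' "$flat" | grep -Eq '(keystorePass|certificateKeystorePassword)="[^$"][^"]*"'; then
        echo "literal-keystore-password"
    fi
    return 0
}

# Usage: sh connector-check.sh demo   (audits the article's sample, then the hardened one)
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    weak_sample > "$tmp/weak.xml"
    render_connector "conf/ssl/bloggerflare.p12" "bloggerflare" > "$tmp/hardened.xml"
    echo "article connector:";  check_server_xml "$tmp/weak.xml"
    echo "hardened connector:"; check_server_xml "$tmp/hardened.xml"
fi
```

Run check_server_xml against the real conf/server.xml after every change; the article's own connector produces no-protocol-restriction and literal-keystore-password, the rendered one produces nothing.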

SSL/TLS Vulnerability Test

Finally, we will run a test to make sure the configuration is not vulnerable to known TLS weaknesses.

There are many online tools, which I discussed here; for this article I will use SSL Labs.

  • Go to SSL Labs and enter the URL to begin the test

And it is GREEN – an A rating.

However, it is always a good idea to scroll down the report, look for anything it flags (old protocol versions, weak cipher suites, a missing intermediate certificate) and fix it.
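A local counterpart to the SSL Labs protocol check, added here and not taken from the original article: it uses openssl s_client to ask the server for each TLS version in turn and reduces the answers to a verdict, which is useful on a server that SSL Labs cannot reach. The host and port are whatever you deployed; the assumed verdict names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: a local stand-in for the SSL Labs
# protocol check using openssl s_client. HOST/PORT are whatever you deployed.

# One handshake attempt. Prints "yes" if the server completed a handshake with the
# requested version, "no" if it refused, the port is closed, or the local openssl
# cannot speak that version. A finished handshake shows a real cipher in s_client's
# "New, <proto>, Cipher is ..." line; failures show "(NONE)" or no output at all.
probe_version() {
    host="$1"; port="$2"; flag="$3"
    out="$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
           </dev/null 2>/dev/null || true)"
    case "$out" in
        *"Cipher is (NONE)"*) echo "no" ;;
        *"Cipher is "*)       echo "yes" ;;
        *)                    echo "no" ;;
    esac
}

# Report, one line per version: "TLSv1.0 no", "TLSv1.2 yes", ...
probe_tls() {
    host="$1"; port="${2:-443}"
    for pair in tls1:TLSv1.0 tls1_1:TLSv1.1 tls1_2:TLSv1.2 tls1_3:TLSv1.3; do
        printf '%s %s\n' "${pair#*:}" "$(probe_version "$host" "$port" "-${pair%%:*}")"
    done
}

# Reads a report on stdin and prints a single verdict:
#   weak         TLS 1.0 or 1.1 still accepted (this is what drags a grade down)
#   ok           only TLS 1.2 and/or 1.3 accepted
#   unreachable  no version negotiated at all
tls_verdict() {
    legacy=0; modern=0
    while read -r name answer; do
        [ "$answer" = "yes" ] || continue
        case "$name" in
            TLSv1.0|TLSv1.1) legacy=1 ;;
            TLSv1.2|TLSv1.3) modern=1 ;;
        esac
    done
    if [ "$legacy" = 1 ]; then echo "weak"
    elif [ "$modern" = 1 ]; then echo "ok"
    else echo "unreachable"; fi
}

# Usage: sh tls-probe.sh probe bloggerflare.com 443
if [ "${1:-}" = "probe" ]; then
    report="$(probe_tls "$2" "${3:-443}")"
    printf '%s\n' "$report"
    printf '%s\n' "$report" | tls_verdict
fi
```

A "weak" verdict means the connector still offers TLS 1.0 or 1.1; pin the versions with sslEnabledProtocols (or protocols on SSLHostConfig) and probe again. "unreachable" usually means Tomcat is not listening on the port you think, or a firewall is in the way.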

So that was all for today.

I hope this helps you understand the procedure for securing Tomcat with an SSL/TLS certificate. If you are interested in learning more, I highly recommend this course.


About the author

Chandan Kumar is the founder and editor of Geek Flare.
