I have enabled SSL in Tomcat many times; however, initially I struggled to get it into a running condition. So I thought I would share the simple approach I follow nowadays.
Step 1:
Run the keytool utility that ships with the JDK (it is also in the JRE's bin folder) to create a keystore file.
The command is:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -ext san=dns:localhost -keystore D:/.keystore
Where D:/.keystore is the path at which the file will be created; write it the same way (including case) when you reference it from server.xml later. -genkeypair is the current name of the older -genkey command, which earlier JDKs still accept. -keysize 2048 avoids the 1024-bit RSA keys that older keytool releases generate by default, -validity is the certificate lifetime in days, and -ext san= (JDK 7 or later) adds a Subject Alternative Name, which current browsers require and which keytool does not add on its own.
Instead of the alias tomcat any other name can be used; if the keystore ever holds more than one key, point Tomcat at the right one with the keyAlias attribute of the Connector.
After running the command you will be asked a series of questions (see the screenshot below). The first, “What is your first and last name?”, is the certificate's Common Name and should be the hostname clients will use (localhost here), not a person's name; the organisation and location fields can be anything. You will then be asked for a keystore password and a key password: press Enter at the key-password prompt so that it is the same as the keystore password, because Tomcat unlocks the key with keystorePass unless you configure a separate keypass attribute.
Remember the keystore password, as it goes into server.xml in the next step.
Step 2:
Next, go to Tomcat's conf folder and open the file server.xml.
There you will find a commented-out block something like this:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->
To enable SSL, uncomment that Connector and change it to something like this:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="F:eclipseFrameworksapache-tomcat-5.5.31 - SSL Configured.keyStore"
           keystorePass="YOURpwd"/>
As you can see, I have added a few more attributes:
protocol: If the APR (Apache Portable Runtime) native library is loaded, which it often is by default, Tomcat 5.5 picks the APR connector. That connector expects OpenSSL-style PEM certificate and key files (SSLCertificateFile and SSLCertificateKeyFile) rather than a Java keystore, so the keystore attributes above are ignored and this approach fails. Setting protocol to org.apache.coyote.http11.Http11Protocol forces the Java (JSSE) connector regardless of whether the APR library is loaded.
keystoreFile: Full path of the keystore file created in step 1 (D:/.keystore if you followed step 1 as written). Forward slashes work on Windows too and avoid backslash mistakes.
keystorePass: The keystore password chosen in step 1. It sits in server.xml in clear text, so restrict read access to that file to the account Tomcat runs as.
After these changes, save server.xml, restart Tomcat and navigate to https://localhost:8443/. As you can see in the image below, SSL is enabled. To check the listener without a browser, openssl s_client -connect localhost:8443 prints the certificate Tomcat presented, followed by a verify error because it is self-signed. Note that Tomcat 5.5 reached end of life in 2012 and its TLS defaults on the JVMs of that era (SSLv3 and TLS 1.0) are unsuitable for anything public; keep this setup for local testing and run production on a current Tomcat release.
Now, as you can see, although we have created an SSL certificate for the local server, the browser is showing that it is not secure.
A browser decides whether to trust a certificate by building a chain of trust: the certificate must be signed by an issuer whose own certificate is signed by another, and so on up to a root certificate that already sits in the browser's or operating system's trust store. This check happens locally during the handshake, using only the certificates the server sends and the roots the browser already holds; the browser does not contact the CA (revocation lookups via CRL or OCSP are a separate step). Our certificate is self-signed, so the chain is one certificate long and its issuer, ourselves, is in nobody's trust store, which is exactly what the warning reports. The browser also checks that the hostname in the address bar matches a Subject Alternative Name in the certificate, so a certificate whose only name is in the Common Name field fails in current browsers even after it has been trusted.
To remove the error for real users, obtain a certificate from a Certificate Authority whose root browsers already trust: generate a certificate signing request from the same keystore with keytool -certreq, submit it to the CA, then import the CA's chain and the signed certificate back into the keystore under the same alias with keytool -importcert. For a development machine you can instead import the self-signed certificate into your own browser or OS trust store, which removes the warning on that machine only.
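The check the browser performs, as an added example that is not part of the original post: it is written in Go rather than Java because Go's standard library can issue and verify certificates offline, whereas keytool is a command-line tool with no such API. The keys, the self-signed localhost certificate and the "Example Local CA" are all constructed in memory for the example; nothing on disk or on the network is used. It assumes Go 1.17 or later, where hostname matching ignores the Common Name entirely.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a throwaway P-256 key (constructed for this example) standing in
// for the RSA key pair that "keytool -genkey" puts into the keystore.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template is the certificate body: cn mirrors keytool's "first and last name"
// prompt, dns the optional "-ext san=dns:..." entries, isCA marks a CA root.
func template(serial int64, cn string, dns []string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: isCA,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
		t.ExtKeyUsage = nil
	}
	return t
}

// sign issues tmpl signed by parent/parentKey. Passing tmpl as its own parent
// yields a self-signed certificate, exactly what keytool -genkey creates.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// verify does what a browser does during the handshake: walk the signature
// chain up to a root it already holds, then check the hostname. Nothing is
// sent to any CA; trust comes entirely from the local root set.
func verify(c *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// selfSigned reproduces the tutorial's keystore entry for localhost (dns is the
// SAN list, nil for a CN-only cert) checked against a trust store that is
// either empty (fresh browser) or already holds the cert (user imported it).
func selfSigned(serial int64, dns []string, trusted bool) error {
	k := newKey()
	t := template(serial, "localhost", dns, false)
	leaf := sign(t, t, &k.PublicKey, k)
	pool := x509.NewCertPool()
	if trusted {
		pool.AddCert(leaf)
	}
	return verify(leaf, pool, "localhost")
}

// caSigned is the fix the post recommends: a leaf signed by a CA whose root
// the verifier already trusts. Only the CA certificate is in the root set.
func caSigned(host string) error {
	caKey, leafKey := newKey(), newKey()
	caT := template(10, "Example Local CA", nil, true)
	ca := sign(caT, caT, &caKey.PublicKey, caKey)
	leaf := sign(template(11, "localhost", []string{"localhost"}, false), ca, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return verify(leaf, pool, host)
}

func main() {
	san := []string{"localhost"}
	fmt.Println("self-signed, untrusted:", selfSigned(1, san, false)) // x509.UnknownAuthorityError
	fmt.Println("self-signed, trusted:  ", selfSigned(2, san, true))  // <nil>
	fmt.Println("self-signed, CN only:  ", selfSigned(3, nil, true))  // x509.HostnameError
	fmt.Println("CA-signed, localhost:  ", caSigned("localhost"))     // <nil>
	fmt.Println("CA-signed, wrong host: ", caSigned("example.com"))   // x509.HostnameError
}
```

Running it shows the outcomes the text describes: an empty trust store rejects the self-signed certificate with "certificate signed by unknown authority" (the browser's warning), importing that certificate makes the same check pass, a certificate with no SAN fails hostname matching even once trusted (Go reports that it relies on the legacy Common Name field), and a leaf signed by a trusted local CA verifies for localhost but not for example.com. The decision is made entirely from the local root set; no CA is contacted at any point.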
If you already have a CA-issued certificate, please read this article.