How to secure Tomcat 7 with SSL / TLS

Intro


The following article shows how to secure the Tomcat 7 servlet container with SSL / TLS. Although there are numerous alternative solutions (e.g. proxying through an Apache server), the one presented here is based on Tomcat only and uses its default configuration files.

The following assumptions have been made for the rest of the article:
  • OS: Ubuntu 12.04 Server x64
  • Tomcat: tomcat7 installed from official Ubuntu repositories (apt-get install tomcat7)
  • Tomcat user: tomcat7
  • Tomcat home directory: /etc/tomcat7
  • SSL / TLS port: TCP port 8443
  • Keystore location: /etc/tomcat7/keystore.jks
  • Keystore password: keystore
The following section describes the detailed steps required to secure Tomcat 7 with SSL / TLS. All commands have been run as the tomcat7 user unless stated otherwise.

Configuration


1) Generate the keystore file that will store the certificates trusted by the Tomcat server. Depending on your needs this step may require invoking different commands. A general HowTo regarding keytool usage can be found here.

In my case the keystore file had already been delivered to me by my CA when I requested the certificate. However, having both the CA certificate and the CA-signed certificate, you can easily create the keystore file by running the following commands (the tomcat alias must already hold the private key the certificate request was generated from; otherwise keytool stores the reply as a plain trusted certificate rather than a usable server key entry):

keytool -import -trustcacerts -alias root \
  -file [CA cert path] -keystore /etc/tomcat7/keystore.jks

keytool -import -trustcacerts -alias tomcat \
  -file [CA-signed cert path] -keystore /etc/tomcat7/keystore.jks

Or to generate a self-signed certificate:

keytool -genkey -keyalg RSA -alias tomcat \
  -keystore /etc/tomcat7/keystore.jks -storepass keystore \
  -validity 360 -keysize 2048

keytool will then prompt for the certificate's distinguished name (use the server's hostname as the CN, otherwise browsers will not match the certificate to the site) and for the key password; press Enter at that prompt so the key password equals the keystore password, which is what the connector configuration in step 2 assumes.

2) Update /etc/tomcat7/server.xml configuration file and change the following part of its configuration:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
 -->

to what's shown below:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true" maxThreads="200"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat7/keystore.jks"
           keystorePass="keystore" clientAuth="false"
           sslProtocol="TLS" />

3) As the root user, restart Tomcat by running the following command:

/etc/init.d/tomcat7 restart

You're done! Tomcat is now secured with SSL / TLS on port 8443.
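As an added example (not part of the original post), a small Python audit of every SSLEnabled connector in a server.xml, checking for the settings the step 2 connector relies on. The sample XML is constructed for the example: the 8443 connector mirrors step 2, the 8444 one is deliberately weak, and "changeit" is Tomcat's documented default keystore password.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): the 8443 connector
# mirrors the post's step 2; the 8444 connector is a deliberately weak one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" SSLEnabled="true" maxThreads="200"
               scheme="https" secure="true"
               keystoreFile="/etc/tomcat7/keystore.jks"
               keystorePass="keystore" clientAuth="false"
               sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               clientAuth="false" sslProtocol="SSLv3" />
  </Service>
</Server>
"""

REQUIRED = {"scheme": "https", "secure": "true"}  # values step 2 relies on


def audit_ssl_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit here
        findings = []
        for attr, expected in REQUIRED.items():
            if conn.get(attr) != expected:
                findings.append(f'{attr} should be "{expected}"')
        if not conn.get("keystoreFile"):
            # Tomcat 7 then looks for ~/.keystore of the user running Tomcat
            findings.append("keystoreFile not set (falls back to ~/.keystore)")
        proto = conn.get("sslProtocol", "TLS")
        if proto.upper().startswith("SSL"):
            findings.append(f"sslProtocol={proto} selects a deprecated SSL version")
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append("keystorePass missing or left at the default 'changeit'")
        report[conn.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against /etc/tomcat7/server.xml by reading the file into `audit_ssl_connectors` instead of the sample; an empty findings list for port 8443 means the connector matches the configuration above.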

Related topics:


http://tkurek.blogspot.com/2013/07/tomcat-7-http-to-https-redirect.html

14 comments:

  1. keytool -genkey -keyalg RSA -alias tomcat
    -keystore /etc/tomat7/keystore.jks -storepass keystore
    -validity 360 -keysize 2048

    you missed a 'c' in tomcat7 which causes errors... might want to edit that.

    Replies
    1. @Anonymous: Thank you very much for that note.

  2. Thanks for the post Kurek. How can I force port 8080 to redirect to https without affecting port 80?

    Replies
    1. @Anonymous:

      Have you had a look on the "Related topics"? Please, check that link: http://tkurek.blogspot.com/2013/07/tomcat-7-http-to-https-redirect.html and let me know whether it's what you're looking for.

    2. Very nice and quick reply. Done with your help. Have fun!

  3. Thank you for the help, but I don't have the file "keytool" in my tomcat 7.0 server
    How do I do?

    Replies
    1. @Anonymous: Do you have your JAVA_HOME environmental variable set?

  4. I have followed the above steps. I am getting the following error on firefox.
    An error occurred during a connection to localhost:8443. Peer reports it experienced an internal error. (Error code: ssl_error_internal_error_alert)
    How to solve this?

    Replies
    1. Have you checked the log files?

    2. I checked the tomcat logs inside folder location .metadata\.plugins\org.eclipse.wst.server.core\tmp0\logs. Found following log entry "127.0.0.1 - - [12/Oct/2014:16:54:27 +0530] "GET /SamlDemo/ HTTP/1.1" 302 -"
      "catalina.out" is not present there. Only the above access_log files are present there

    3. Where's your catalina.out log file? Could you please execute the following command: "find / -name catalina.out"?

  5. Very helpful article! I was always curious about all these complex algorithms that are being used in these ssl encryptions.

  6. NOTE: The KeyStore password and the Key password should be the same

  7. Thank you for sharing this information. This article is very interesting and useful. Keep up the good work!
