Sunday, 6 April 2008

Apache Tomcat and SSL configuration

Today I'm going to walk through the configuration steps required to get SSL enabled on Apache Tomcat using a self-signed certificate generated with keytool.

1. Create Certificate Keystore
If you are running a 1.3 JVM, download JSSE 1.0.3 (or higher) from http://java.sun.com/products/jsse/ and either make it an installed extension on the system, or else set an environment variable JSSE_HOME that points at the directory into which you installed JSSE.
Please use the following command to create a certificate keystore:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /usr/local/apache-tomcat/keystore/keystore
The standard output should be:
Enter keystore password: (use ‘changeit’ here if you don’t need extra security)
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for the unit?
Enter key password for <tomcat> (RETURN if same as keystore password):
Once finished, a new certificate keystore file should be saved in /usr/local/apache-tomcat/keystore.

2. Check Certificate Keystore
Please use the following command to display the whole list of the certificates stored in the SSL keystore:
keytool -list -keystore keystore
The standard output should be:
Enter keystore password: changeit (if you didn’t change the default password)
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Mar 26, 2007, keyEntry,
Certificate fingerprint (MD5): the fingerprint may vary.
Please use the following command to display the specific tomcat certificate that we created:
keytool -list -alias tomcat -keystore keystore
The standard output should be:
Enter keystore password: changeit (if you didn’t change the default password)
tomcat, Mar 26, 2007, keyEntry,
Certificate fingerprint (MD5): the fingerprint may vary.


3. Export Certificate from Keystore
The keystore we created above will not be trusted by the JVM, because the certificate has not been imported into the JVM’s trusted certificate keystore.
Please use the following command to export the SSL certificate:
keytool -export -alias tomcat -keystore keystore -file tomcat.cer
The standard output should be:
Enter keystore password: changeit (if you didn’t change the default password)
Certificate stored in file <tomcat.cer>


4. Check Exported Certificate
Please use the following command to display the details of the tomcat SSL certificate we created:
keytool -printcert -file tomcat.cer
The standard output should be:
Owner: the information you input in step one.
Issuer: the information you input in step one.
Serial number: this may vary
Valid from: this may vary
Certificate fingerprints: this may vary
MD5: this may vary
SHA1: this may vary


5. Import Certificate into JVM’s Trusted Keystore
A self-signed certificate is one of which the issuer (signer) is the same as the subject (the entity whose public key is being authenticated by the certificate). Whenever the -genkey command is called to generate a new public/private key pair, it also wraps the public key into a self-signed certificate.
When importing a new trusted certificate, the alias must not yet exist in the keystore. Before adding the certificate to the keystore, keytool tries to verify it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.
If the -trustcacerts option has been specified, additional certificates are considered for the chain of trust, namely the certificate in the file named “cacerts”.
A certificates file named “cacerts” resides in the security properties directory, java.home\lib\security, where java.home is the runtime environment’s directory (the jre directory in the JDK or the top-level directory of the Java 2 Runtime Environment).
The “cacerts” file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying “jks” as the keystore type.
Please use the following command to import the tomcat certificate into JVM’s global trusted keystore:
keytool -import -trustcacerts -keystore /usr/local/jdk/jdk5/jre/lib/security/cacerts -alias tomcat -file /usr/local/apache-tomcat/keystore/tomcat.cer

6. Check Imported Certificate
Please use the following command to check whether the tomcat certificate has been successfully imported into the JVM’s trusted keystore:
keytool -list -alias tomcat -keystore /usr/local/jdk/jdk5/jre/lib/security/cacerts
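Steps 1 to 6 above are interactive and, in step 5, modify the JDK's shared cacerts file, which every Java application on the host trusts. The script below is an added example (not the author's script, and not part of Tomcat or the JDK) that runs the same keytool sequence non-interactively, writing into a scratch directory and importing the exported certificate into a dedicated truststore (a constructed path, tomcat-truststore) that a client can select with -Djavax.net.ssl.trustStore=<path>. It also computes the MD5/SHA1/SHA256 fingerprints of tomcat.cer in the form keytool -printcert prints them (step 4), so the file on disk can be cross-checked against what keytool reports. The distinguished name, password and paths are constructed values; keytool must be on PATH for the main block to run.

```python
"""Non-interactive version of steps 1 to 6, plus a fingerprint cross-check.

Added example; not the post's own script and not part of Tomcat or the JDK.
Assumes `keytool` is on PATH.  Writes to a scratch directory and imports the
certificate into a dedicated truststore instead of the JDK's shared cacerts.
"""
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

KEYSTORE_PASS = "changeit"   # the default the post uses; use a real password in production
ALIAS = "tomcat"
# -dname answers the prompts of step 1 in one go (all values constructed)
DNAME = "CN=tomcat.example.test, OU=Ops, O=Example, L=City, ST=State, C=US"


def run_keytool(*args):
    """Run keytool with the given arguments and return its stdout (raises on failure)."""
    return subprocess.run(["keytool", *args], check=True, capture_output=True, text=True).stdout


def create_keystore(keystore: Path):
    # step 1: generate the key pair; -genkey is what the post uses and is still accepted
    run_keytool("-genkey", "-alias", ALIAS, "-keyalg", "RSA", "-keysize", "2048",
                "-validity", "365", "-dname", DNAME, "-keystore", str(keystore),
                "-storepass", KEYSTORE_PASS, "-keypass", KEYSTORE_PASS)


def export_certificate(keystore: Path, cer: Path):
    # step 3: write the self-signed certificate out as DER
    run_keytool("-export", "-alias", ALIAS, "-keystore", str(keystore),
                "-storepass", KEYSTORE_PASS, "-file", str(cer))


def import_into_truststore(cer: Path, truststore: Path):
    # step 5, but into a dedicated truststore; -noprompt skips the "Trust this certificate?" question
    run_keytool("-import", "-noprompt", "-alias", ALIAS, "-file", str(cer),
                "-keystore", str(truststore), "-storepass", KEYSTORE_PASS)


def list_alias(keystore: Path):
    # steps 2 and 6: show the entry for the alias
    return run_keytool("-list", "-alias", ALIAS, "-keystore", str(keystore), "-storepass", KEYSTORE_PASS)


def fingerprints(der: bytes) -> dict:
    """Fingerprints in the colon-separated upper-case form `keytool -printcert` prints.

    A certificate fingerprint is simply a hash of the DER-encoded certificate bytes."""
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"MD5": fmt(hashlib.md5(der).digest()),
            "SHA1": fmt(hashlib.sha1(der).digest()),
            "SHA256": fmt(hashlib.sha256(der).digest())}


def printcert_fingerprints(printcert_output: str) -> dict:
    """Pull the MD5/SHA1/SHA256 lines out of `keytool -printcert` output."""
    return {algo: value for algo, value in
            re.findall(r"^\s*(MD5|SHA1|SHA256):\s*([0-9A-F:]+)\s*$", printcert_output, re.M)}


def fingerprints_match(der: bytes, printcert_output: str) -> bool:
    """True when every fingerprint keytool printed equals the one computed from the DER file."""
    printed = printcert_fingerprints(printcert_output)
    computed = fingerprints(der)
    return bool(printed) and all(computed[a] == v for a, v in printed.items())


if __name__ == "__main__":
    if shutil.which("keytool") is None:
        raise SystemExit("keytool not found on PATH (install a JDK)")
    work = Path("./tomcat-ssl-scratch")   # constructed scratch directory
    work.mkdir(exist_ok=True)
    ks, cer, ts = work / "keystore", work / "tomcat.cer", work / "tomcat-truststore"
    create_keystore(ks)
    export_certificate(ks, cer)
    import_into_truststore(cer, ts)
    print(list_alias(ks))
    print(list_alias(ts))
    printed = run_keytool("-printcert", "-file", str(cer))
    print("fingerprints match:", fingerprints_match(cer.read_bytes(), printed))
```

Keeping the self-signed certificate in its own truststore means only the client that is pointed at it (for example a test harness run with -Djavax.net.ssl.trustStore) trusts the Tomcat certificate, rather than every Java process using that JDK.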

7. Modify server.xml in /usr/local/apache-tomcat/conf/
Uncomment the section which defines an SSL HTTP/1.1 Connector on port 8443. The standard configuration should look like this (the attribute Tomcat reads for the keystore path is keystoreFile):
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/local/apache-tomcat/keystore/keystore"/>

8. Modify web.xml in /usr/local/apache-tomcat/conf/
Please add the following section just before the ending </web-app> tag:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Automatic SSL Forwarding</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
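A mistyped attribute in step 7 or a constraint that does not cover the intended paths in step 8 fails silently: Tomcat starts, but the 8443 connector is not configured the way you think, or plain HTTP requests are still served. The checker below is an added example (not from the post, and not part of Tomcat) that parses server.xml and web.xml with the standard library and reports such problems. It goes one check beyond the post's text: the non-SSL connector's redirectPort must equal the SSL port, because that is the port a CONFIDENTIAL constraint redirects to. The two XML documents are constructed samples standing in for the real files; pass check_file=True to also verify that keystoreFile exists on disk.

```python
"""Check that the edits of steps 7 and 8 actually took effect.

Added example, not part of the post or of Tomcat.  The XML below is constructed
sample input standing in for /usr/local/apache-tomcat/conf/server.xml and web.xml.
"""
import os
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" maxThreads="150" redirectPort="8443"/>
  <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
             enableLookups="false" disableUploadTimeout="true" acceptCount="100"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/usr/local/apache-tomcat/keystore/keystore"/>
</Service></Server>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic SSL Forwarding</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def check_ssl_connector(server_xml: str, port: str = "8443", check_file: bool = False) -> list:
    """Return a list of problems with the SSL connector on `port` (empty list means OK)."""
    problems = []
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector on port {port}; the section is probably still commented out"]
    conn = connectors[0]
    for attr, expected in (("scheme", "https"), ("secure", "true"), ("sslProtocol", "TLS")):
        if conn.get(attr) != expected:
            problems.append(f'Connector {port}: expected {attr}="{expected}", found {conn.get(attr)!r}')
    ks = conn.get("keystoreFile")
    if ks is None:
        # a misspelt attribute (e.g. keystore=) is silently ignored and Tomcat
        # falls back to ~/.keystore of the user it runs as
        problems.append(f"Connector {port}: keystoreFile attribute missing")
    elif check_file and not os.path.isfile(ks):
        problems.append(f"Connector {port}: keystoreFile {ks} does not exist")
    # the CONFIDENTIAL redirect of step 8 goes to the plain connector's redirectPort
    for c in root.iter("Connector"):
        if c is not conn and c.get("secure") != "true" and c.get("redirectPort") != port:
            problems.append(f'Connector {c.get("port")}: redirectPort should be "{port}"')
    return problems


def check_confidential_constraint(web_xml: str, pattern: str = "/*") -> list:
    """Return problems with the transport-guarantee covering `pattern` (empty list means OK)."""
    root = ET.fromstring(web_xml)

    def local(tag):
        # web.xml may declare the Java EE namespace; compare local names so both forms work
        return tag.rsplit("}", 1)[-1]

    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if local(e.tag) == "url-pattern" and e.text]
        if pattern not in patterns:
            continue
        guarantees = [e.text.strip() for e in sc.iter() if local(e.tag) == "transport-guarantee" and e.text]
        if "CONFIDENTIAL" in guarantees:
            return []
        return [f"security-constraint for {pattern} has transport-guarantee {guarantees or 'missing'}, not CONFIDENTIAL"]
    return [f"no security-constraint covers {pattern}; plain HTTP requests will not be redirected"]


def check_tomcat_ssl(server_xml: str, web_xml: str, check_file: bool = False) -> list:
    """Combined report for both files; an empty list means steps 7 and 8 are in place."""
    return check_ssl_connector(server_xml, check_file=check_file) + check_confidential_constraint(web_xml)


if __name__ == "__main__":
    report = check_tomcat_ssl(SERVER_XML, WEB_XML)
    for line in report or ["server.xml and web.xml are consistent with steps 7 and 8"]:
        print(line)
```

To run it against a live installation, replace the two sample strings with the contents of the real files (for example open("/usr/local/apache-tomcat/conf/server.xml").read()) and pass check_file=True.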
