How to configure Tomcat to support SSL or https

A guide to configuring Tomcat 6.0 to accept SSL/TLS (https) connections.

1. Generate Keystore

First, use the "keytool" command to create a keystore holding a new RSA key pair and a self-signed certificate for it. During keystore creation you are asked for a keystore password and for the certificate's subject details. Note that keytool's defaults are weak for a server key (a short validity period and, on older JDKs, a 1024-bit RSA key), so add "-keysize 2048 -validity <days>" to the command below.

$Tomcat\bin>keytool -genkey -alias mystore -keyalg RSA -keystore c:\mykeystore

Enter keystore password:

Re-enter new password:

What is your first and last name?
  [Unknown]:  <your name>
What is the name of your organizational unit?
  [Unknown]:  IT
What is the name of your organization?
  [Unknown]:  <your organization>
What is the name of your City or Locality?
  [Unknown]:  <your city>
What is the name of your State or Province?
  [Unknown]:  <your state>
What is the two-letter country code for this unit?
  [Unknown]:  <your country code>
Is CN=<your name>, OU=IT, O=<your organization>, L=<your city>, ST=<your state>, C=<your country code> correct?
  [no]:  yes

Enter key password for <mystore>
        (RETURN if same as keystore password):
Re-enter new password:

$Tomcat\bin>

Here, you just created a keystore file named "mykeystore" located at "c:\", containing one entry under the alias "mystore": the private key and its self-signed certificate.

Certificate Details : You can use the same "keytool" command to list the entries in the keystore and check the certificate's fingerprint

$Tomcat\bin>keytool -list -keystore c:\mykeystore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

mystore, 14 Disember 2010, PrivateKeyEntry,

Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5

$Tomcat\bin>

2. Connector in server.xml

Next, locate Tomcat's server configuration file at $Tomcat\conf\server.xml and add a connector element that listens for SSL/TLS (https) connections.

File : $Tomcat\conf\server.xml

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="c:\mykeystore"
           keystorePass="password" />


Note : keystorePass="password" is the password you assigned to the keystore via the "keytool" command (if you omit it, Tomcat assumes the default "changeit"). If you gave the key a different password from the keystore, set it with the keyPass attribute as well. A relative keystoreFile path is resolved against $CATALINA_BASE. Because the password sits in clear text in server.xml, restrict read access to that file to the account Tomcat runs as.

3. Done

Save the file, restart Tomcat and browse to https://localhost:8443/


In this example we use Google Chrome to access the SSL-enabled Tomcat site, and you will notice a crossed-out icon before the https protocol :) This is caused by the self-signed certificate: it is not issued by any certificate authority Chrome trusts, so the browser cannot verify that it is talking to the right server.

In a production environment you should instead buy a certificate from a trusted public CA such as VeriSign, or issue one from your own CA server and import the CA chain into the keystore, so that clients can verify the certificate without warnings.
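As an added example (not code from the original post or from Tomcat), here is a small Python check that parses server.xml and flags the settings of the connector above that a reviewer would want changed before production: the clear-text and trivial keystore password and the missing ciphers list. The two server.xml snippets inside are constructed for the demo; the hardened one assumes the password is supplied as a JVM system property via Tomcat's ${...} substitution, and its cipher-suite names are standard JSSE names that you would replace with the suites your JVM supports.

```python
"""Audit the SSL connector(s) in a Tomcat server.xml.

Added example, not code from the original post or from Tomcat: it parses the
<Connector> elements with SSLEnabled="true" and reports the settings a reviewer
would flag before the connector goes to production. Both server.xml texts
below are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: the connector exactly as the post configures it.
POST_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\\mykeystore" keystorePass="password" />
  </Service>
</Server>
"""

# Constructed sample 2: the same connector hardened. The password is taken from
# a JVM system property (-Dkeystore.password=...) through Tomcat's ${...}
# substitution, so it no longer sits in clear text in server.xml, and the
# cipher list is explicit (assumed JSSE suite names; use the ones your JVM has).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="${catalina.base}/conf/mykeystore"
               keystorePass="${keystore.password}" />
  </Service>
</Server>
"""

TRIVIAL_PASSWORDS = {"", "password", "changeit", "tomcat", "secret", "123456"}
OBSOLETE_PROTOCOLS = {"SSL", "SSLV2", "SSLV3", "SSLV2HELLO"}


def ssl_connectors(xml_text):
    """Return every <Connector> element that has SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_connector(conn):
    """Return a list of findings (strings) for one SSL-enabled connector."""
    a = conn.attrib
    findings = []

    # scheme/secure tell the servlet API that the request arrived over TLS;
    # without them request.isSecure() and scheme-based redirects are wrong.
    if a.get("scheme") != "https":
        findings.append('scheme is not "https"')
    if a.get("secure", "false").lower() != "true":
        findings.append('secure is not "true"')

    # Without keystoreFile Tomcat looks for .keystore in the home directory
    # of the account it runs as, which is easy to overlook.
    if "keystoreFile" not in a:
        findings.append("keystoreFile not set (falls back to ~/.keystore)")

    pw = a.get("keystorePass")
    if pw is None:
        findings.append('keystorePass not set (Tomcat assumes "changeit")')
    elif not pw.startswith("${"):  # ${...} is resolved at runtime, not stored
        findings.append("keystorePass is stored in clear text in server.xml")
        if pw.lower() in TRIVIAL_PASSWORDS:
            findings.append("keystorePass is a default or trivial value")

    # sslProtocol="TLS" is the JSSE default; the SSLv2/SSLv3 names are obsolete.
    if a.get("sslProtocol", "TLS").upper() in OBSOLETE_PROTOCOLS:
        findings.append("sslProtocol selects an obsolete SSL version")

    # Without an explicit ciphers list the JVM's default suite order is used.
    if "ciphers" not in a:
        findings.append("no ciphers attribute: JVM default cipher suites apply")

    if a.get("clientAuth", "false").lower() == "true":
        findings.append("clientAuth=true: every client must present a trusted certificate")

    return findings


def audit(xml_text):
    """Map each SSL connector's port to its list of findings."""
    return {c.get("port"): audit_connector(c) for c in ssl_connectors(xml_text)}


if __name__ == "__main__":
    for label, text in (("post", POST_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in audit(text).items():
            print("[%s] connector %s: %d finding(s)" % (label, port, len(findings)))
            for f in findings:
                print("  - " + f)
```

Run it against your own file with audit(open("conf/server.xml").read()); the post's connector produces three findings (clear-text password, trivial password, no cipher list) while the hardened variant produces none.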
