FreeKB - Encrypt inbound requests to Tomcat (SSL / TLS / keystore)


First and foremost, before you even start working through configuring Tomcat to use SSL, you should ask yourself whether it makes sense to configure Tomcat to use SSL. For example, let's say Tomcat is going to sit behind a web server. In this situation, the web server would almost certainly be configured to use SSL, so it may not make sense to also configure Tomcat to use SSL. And you don't just configure SSL for fun. SSL adds latency and increases the burden on CPU and memory, as well as actual cost, since you need to pay for a trusted certificate. Read on if you still want to configure Tomcat to use SSL.

 

It's important to recognize that there will be both inbound and outbound requests. Typically, an inbound request is when a remote system makes a request for an app deployed to Tomcat. Typically, an outbound request is when an app deployed to Tomcat needs to go out, such as when making a query to a remote SQL database. This article only deals with securing inbound requests. Refer to this article to secure outbound requests.

 

Inbound requests are secured using a keystore, and outbound requests are secured using a truststore. So, when you see keystore, think "inbound", and when you see truststore, think "outbound".

 

First you will create a keystore, and then you will configure Tomcat. The keystore contains the public certificate and private key that will be used to secure the inbound connection to Tomcat. If you have not yet created a keystore, refer to this article.

 


By default, the SSL configuration in your $CATALINA_HOME/conf/server.xml file should be commented out with the <!-- and --> tags. Remove the <!-- and --> tags.

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" >
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>
-->

 

Revise the Connector to have the following. Notice that keystoreFile is ssl/my_keystore.p12. This assumes you have a keystore named my_keystore.p12 in the $CATALINA_HOME/ssl/ directory.

<Connector 
  port="8443" 
  protocol="HTTP/1.1" 
  SSLEnabled="true" 
  maxThreads="150" 
  scheme="https" 
  secure="true"
  clientAuth="false"
  sslProtocol="TLS" 
  keystoreFile="ssl/my_keystore.p12" 
  keystorePass="myPassword" 
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"
/>
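Two points a reviewer would raise about the Connector above: the ciphers list includes two RC4 suites (RC4 is prohibited for TLS by RFC 7465), and sslProtocol="TLS" only names the JSSE SSLContext algorithm; the TLS versions actually offered are controlled by sslEnabledProtocols (legacy Connector attributes) or protocols (the SSLHostConfig style used by Tomcat 8.5 and later). The following Python script is an added example, not part of the FreeKB article or of Tomcat: it parses the Connector elements of a server.xml, in both attribute styles, and reports weak cipher suites, unpinned or legacy protocol versions, and a keystore password written as a literal. The server.xml it audits is constructed inline; it reproduces the page's Connector and adds a second, hardened Connector on port 8444 (an assumed contrast case, using a ${keystore.password} property that Tomcat would resolve from catalina.properties or a system property).

```python
"""Audit the TLS settings of Tomcat <Connector> elements in a server.xml.

Added example (not from the FreeKB article or the Tomcat project). Handles
both the legacy attribute style (keystoreFile/keystorePass/sslEnabledProtocols
on the Connector) and the SSLHostConfig/Certificate style of Tomcat 8.5+.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's Connector (port 8443) plus an assumed
# hardened one (port 8444) for contrast.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="ssl/my_keystore.p12" keystorePass="myPassword"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
      SSL_RSA_WITH_RC4_128_SHA" />
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
      <Certificate certificateKeystoreFile="ssl/my_keystore.p12"
        certificateKeystorePassword="${keystore.password}" type="RSA" />
    </SSLHostConfig>
  </Connector>
 </Service>
</Server>
"""

# (pattern, severity, message); first match wins, so RC4 is checked before CBC.
WEAK_CIPHER_PATTERNS = [
    (re.compile(r"RC4"), "HIGH", "RC4 cipher suite (prohibited by RFC 7465)"),
    (re.compile(r"_(NULL|EXPORT|anon)_"), "HIGH", "NULL/export/anonymous cipher suite"),
    (re.compile(r"_CBC_"), "MEDIUM", "CBC (non-AEAD) cipher suite; prefer GCM or ChaCha20 suites"),
]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def split_list(value):
    """Tomcat accepts comma-, space- or '+'-separated lists; XML parsing has
    already folded the newlines inside the ciphers attribute into spaces."""
    return [item for item in re.split(r"[\s,+]+", value) if item]


def tls_settings(connector):
    """Merge legacy Connector attributes with SSLHostConfig/Certificate ones."""
    settings = dict(connector.attrib)
    for host in connector.findall("SSLHostConfig"):
        settings.update(host.attrib)
        for cert in host.findall("Certificate"):
            settings.update(cert.attrib)
    return settings


def audit_connector(connector):
    """Return a list of (port, severity, message) findings for one Connector."""
    findings = []
    port = connector.get("port", "?")
    s = tls_settings(connector)
    if s.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing to audit here

    def add(severity, message):
        findings.append((port, severity, message))

    # sslProtocol="TLS" does not pin versions; only these two attributes do.
    protocols = s.get("protocols") or s.get("sslEnabledProtocols")
    if protocols is None:
        add("MEDIUM", "no protocols/sslEnabledProtocols set; JVM default TLS versions are offered")
    else:
        for name in split_list(protocols):
            if name in LEGACY_PROTOCOLS:
                add("HIGH", f"legacy protocol enabled: {name}")
            elif name.lower() == "all":
                add("MEDIUM", "protocols=all does not pin TLS versions")

    for suite in split_list(s.get("ciphers", "")):
        for pattern, severity, message in WEAK_CIPHER_PATTERNS:
            if pattern.search(suite):
                add(severity, f"{message}: {suite}")
                break

    # A literal password in server.xml is readable by anyone who can read the file.
    for key in ("keystorePass", "certificateKeystorePassword"):
        password = s.get(key)
        if password is not None and not password.startswith("${"):
            add("MEDIUM", f"{key} is a literal in server.xml; use a ${{...}} property and restrict file permissions")
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector in the given server.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        findings.extend(audit_connector(connector))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port} [{severity}] {message}")
```

Run against a real file by passing open("$CATALINA_HOME/conf/server.xml").read() to audit_server_xml. For the constructed sample, the page's Connector yields seven findings (two HIGH for the RC4 suites) and the hardened Connector yields none.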

 

Shut down the server.

~]# $CATALINA_HOME/bin/shutdown.sh

 

Start up the server.

~]# $CATALINA_HOME/bin/startup.sh

 

You should now be able to navigate to https://localhost:8443.

 

More details are available in the Tomcat manual.

 


DEBUGGING

If a problem occurs, nmap can be used to verify that port 8443 is open.

[john.doe@server1 ~]# nmap -sS localhost
. . .
8443/tcp  open  https-alt

 

 

Check the $CATALINA_HOME/logs/catalina.out file.


