How to configure Tomcat to use SSL


Configuring Tomcat to use SSL/TLS is a two-part process: first you create a keystore holding the server's private key and certificate, then you configure Tomcat's HTTPS Connector to use it.

Create keystore

Prior to using the keytool command to create the keystore, create a directory for the keystore.

~]$ mkdir $CATALINA_HOME/ssl

 

Create the keystore. In this example, the file named myKeystore contains the keystore data.

~]$ keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_HOME/ssl/myKeystore

 

There will be a series of questions about the certificate subject (name, organization, location) and the passwords. Be aware that the answers you give to these questions, except for the passwords, are written into the certificate and will be visible to anyone who inspects it in the browser.

 

Use the following command to view the keystore, to ensure the keystore was properly created.

[john.doe@server1 ~]$ keytool -list -keystore $CATALINA_HOME/ssl/myKeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jul 6, 2017, PrivateKeyEntry, Certificate fingerprint (SHA1): 6C:31:76:72:46:8c:3A:2B:25:12:8D:13:CB:E3:DE:FE:9F:41:74:AD

 


Configure Tomcat

By default, your $CATALINA_HOME/conf/server.xml file should have the SSL configuration commented out.

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" >
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>
-->

 

Remove the comment markers, and then revise the Connector to have the following. Two caveats before copying it: the cipher list includes two RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_SHA); RC4 is a broken cipher that current browsers refuse, so drop those entries on any server that is not a lab box. The keystore password is also stored in clear text in server.xml, so make sure that file is readable only by the user Tomcat runs as.

<Connector 
  port="8443" 
  protocol="HTTP/1.1" 
  SSLEnabled="true" 
  maxThreads="150" 
  scheme="https" 
  secure="true"
  clientAuth="false"
  sslProtocol="TLS" 
  keystoreFile="ssl/myKeystore" 
  keystorePass="myPassword" 
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"
/>
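The Connector above is easy to get subtly wrong when edited by hand, and the cipher list in particular deserves a check before the server goes live. The following script is an added example, not part of the original article or of Tomcat itself: it parses a server.xml with the Python standard library, finds every Connector with SSLEnabled="true", and reports cipher suites that should not be offered (RC4, DES/3DES, NULL, export and anonymous suites, plus any suite still using an SSL_ prefix) as well as a clear-text keystorePass and a missing scheme/secure pair. The sample document embedded below is constructed from this article's Connector; the function names (audit_server_xml, audit_connector, weak_reasons) are my own, not Tomcat APIs.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from this article wrapped in a minimal
# server.xml skeleton. A plain HTTP connector is included to show it is skipped.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector
      port="8443"
      protocol="HTTP/1.1"
      SSLEnabled="true"
      maxThreads="150"
      scheme="https"
      secure="true"
      clientAuth="false"
      sslProtocol="TLS"
      keystoreFile="ssl/myKeystore"
      keystorePass="myPassword"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_RSA_WITH_RC4_128_SHA,
        TLS_RSA_WITH_AES_128_CBC_SHA256,
        TLS_RSA_WITH_AES_128_CBC_SHA,
        TLS_RSA_WITH_AES_256_CBC_SHA256,
        TLS_RSA_WITH_AES_256_CBC_SHA,
        SSL_RSA_WITH_RC4_128_SHA"
    />
  </Service>
</Server>
"""

# Substrings that mark a suite as unacceptable, with the reason that is reported.
WEAK_MARKERS = [
    ("_RC4_", "RC4 stream cipher is broken"),
    ("_3DES_", "3DES has 64-bit blocks (Sweet32)"),
    ("_DES_", "single DES"),
    ("_NULL_", "no encryption"),
    ("_EXPORT", "export-grade key length"),
    ("_anon_", "no server authentication"),
]


def split_ciphers(value):
    """Split Tomcat's comma-separated ciphers attribute. The XML parser folds
    the line breaks inside the attribute into spaces, so each entry is stripped."""
    return [c.strip() for c in value.split(",") if c.strip()]


def weak_reasons(suite):
    """Return the reasons a suite is considered weak (empty list if none)."""
    reasons = [why for marker, why in WEAK_MARKERS if marker in suite]
    if suite.startswith("SSL_"):
        reasons.append("SSLv3-era suite name")
    return reasons


def audit_connector(conn):
    """Audit one SSL-enabled <Connector> element and return a findings dict."""
    ciphers = split_ciphers(conn.get("ciphers", ""))
    weak = {s: weak_reasons(s) for s in ciphers if weak_reasons(s)}
    issues = []
    if "keystorePass" in conn.attrib:
        issues.append("keystorePass is stored in clear text in server.xml; "
                      "restrict read access to the file")
    if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
        issues.append('scheme="https" and secure="true" should both be set')
    if not ciphers:
        issues.append("no explicit cipher list; the JVM default will be used")
    return {"port": conn.get("port", "?"), "ciphers": ciphers,
            "weak_ciphers": weak, "issues": issues}


def audit_server_xml(xml_text):
    """Return an audit entry for every Connector that has SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


if __name__ == "__main__":
    # Replace SAMPLE_SERVER_XML with open("conf/server.xml").read() for a real file.
    for entry in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"Connector on port {entry['port']}: {len(entry['ciphers'])} suites")
        for suite, why in entry["weak_ciphers"].items():
            print(f"  WEAK {suite}: {'; '.join(why)}")
        for issue in entry["issues"]:
            print(f"  NOTE {issue}")
```

Run against the article's Connector it flags exactly the two RC4 suites and the clear-text password; a clean result is one with an empty weak_ciphers map and no issues.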

 

Shut down the server.

[john.doe@server1 ~]# $CATALINA_HOME/bin/shutdown.sh

 

Start up the server.

[john.doe@server1 ~]# $CATALINA_HOME/bin/startup.sh

 

You should now be able to navigate to https://localhost:8443. Because the keytool certificate is self-signed, the browser will warn that it does not trust the certificate; that is expected with this setup and goes away only when the keystore holds a certificate issued by a CA the browser trusts.

 

More details are available in the Tomcat manual.

 


Debugging

If something goes wrong, nmap can be used to confirm that port 8443 is open, which shows that Tomcat started and bound the HTTPS Connector.

[john.doe@server1 ~]# nmap -sS localhost
. . .
8443/tcp  open  https-alt

 

 

Check the $CATALINA_HOME/logs/catalina.out file.
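An open port only proves that something is listening; it does not prove that the Connector speaks TLS or that the certificate is the one you expect. The following probe is an added example, not part of the original article or of Tomcat: it opens a TCP connection, completes a TLS handshake with the Python standard library, and reports the negotiated protocol version, cipher suite and certificate subject (the answers typed into keytool), distinguishing "nothing listening" from "port open but not TLS" from "certificate not trusted". The function name probe_tls and its parameters are my own. To see the subject of a self-signed keytool certificate, export it with keytool -exportcert -rfc and pass the resulting PEM file as cafile; verify=False is for diagnostics only and leaves the certificate fields unavailable, because Python does not parse a certificate it was told not to verify.

```python
import socket
import ssl


def probe_tls(host, port, timeout=5.0, cafile=None, verify=True):
    """Connect to host:port, complete a TLS handshake and report what the
    server presents. Failure modes are reported in "status" rather than raised."""
    result = {"host": host, "port": port, "status": None, "detail": None,
              "tls_version": None, "cipher": None, "subject": None,
              "not_after": None}
    # cafile lets a self-signed certificate (exported from the keystore) verify
    # and be parsed; verify=False skips verification and yields no cert fields.
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["status"] = "tcp_failed"          # nothing listening, firewall, DNS
        result["detail"] = str(exc)
        return result
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["status"] = "ok"
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            cert = tls.getpeercert()             # {} when verify_mode is CERT_NONE
            if cert:
                # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
                result["not_after"] = cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        result["status"] = "cert_verify_failed"  # handshake ok, chain not trusted
        result["detail"] = str(exc)
    except OSError as exc:                        # includes ssl.SSLError and resets
        result["status"] = "tls_failed"          # port open but not speaking TLS
        result["detail"] = str(exc)
    finally:
        raw.close()
    return result


if __name__ == "__main__":
    # Typical first check after startup; add cafile="tomcat.pem" once exported.
    print(probe_tls("localhost", 8443, verify=False))
```

A "tls_failed" status with a "wrong version number" detail usually means the Connector is listening but SSLEnabled did not take effect (for example the edit was made to a commented-out copy), while "cert_verify_failed" means the handshake works and only trust is missing.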


