Written by nitinpai on September 12th, 2007
Setting Up SSL on Tomcat In 3 Easy Steps
Java EE, Tutorials
72 responses
Setting up SSL on Tomcat is easy, and you don’t have to do much to make your web application work over HTTPS. The real problem you will run into is the documentation available on the web. The official documentation on the Apache site starts off well but ends in a lot of confusion; in particular the OpenSSL part, where it tells you to use OpenSSL, is what confused me.
OpenSSL (through Tomcat’s APR/native connector) may be a good choice in a production environment, but if you just want to try SSL with Tomcat on its own, a JDK and a Tomcat installation are all you need. So I will walk you through the same steps I used to get SSL up and running and a secured web app built within a matter of minutes.
The things which I have used to setup SSL consists of:
- JDK 1.6
- Tomcat 6
Although I used the latest versions, I don’t see any reason the same steps would not work with JDK 1.5. The JDK ships with a keytool executable, which is what generates the keystore, and keytool is present in earlier JDK versions too. The 3 steps that get SSL set up are:
- Generating the Keystore file
- Configuring Tomcat for using the Keystore file
- Configuring your web application to work with SSL
Let’s get this party started now.
1. Generating the KeyStore file
The keystore file holds the private key and the certificate that the server uses to secure the connection. The certificate identifies the party you are receiving the application data from, so the client can check that it is talking to the intended server and not someone else. To create the keystore you use keytool. Open a command prompt in Windows or a shell in Linux and type:
cd %JAVA_HOME%/bin on Windows
cd $JAVA_HOME/bin on Linux
You will land in the Java bin directory. Now run the keytool command with the following parameters:
keytool -genkey -alias techtracer -keyalg RSA -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
Change the alias, the passwords and the keystore file name to suit your needs, but keep the keypass and storepass values the same: the connector configured in step 2 is given a single password (keystorePass), which Tomcat uses for both unless told otherwise. The -keyalg RSA option asks for an RSA key pair; without it, keytool on JDK 6 generates a DSA key, which not every browser accepts. The .bin file is your keystore (the extension is arbitrary; .jks or .keystore is more common). keytool will now ask a series of questions. Fill in the relevant details, using the answers below as a reference. One thing to get right: the answer to “What is your first and last name?” becomes the certificate’s Common Name (CN), which browsers compare against the host name in the URL, so for anything beyond a local test enter the server’s fully qualified domain name there rather than your own name.
What is your first and last name?
[Unknown]: nitin pai
What is the name of your organizational unit?
[Unknown]: home
What is the name of your organization?
[Unknown]: techtracer
What is the name of your City or Locality?
[Unknown]: mumbai
What is the name of your State or Province?
[Unknown]: maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=nitin pai, OU=home, O=techtracer, L=mumbai, ST=maharashtra, C=IN correct?
[no]: yes
The command then finishes and writes the keystore, under the name you gave, into the bin directory itself, since that is where you ran it. In my case it was techtracer.bin, located in
C:\Program Files\Java\jdk1.6.0_02\bin\
Put the .bin file in the webapps directory of Tomcat, so that a short relative path is enough in the next step. For anything beyond a local test, keep it out of webapps: the file contains your private key and does not belong with deployable content. conf/ is the usual home for it; if you put it there, adjust the path in the next step accordingly.
2. Configuring Tomcat for using the Keystore file
Here we make some changes to Tomcat’s server.xml to tell it to use the keystore created in the previous step. Open the file, which can be found at:
<CATALINA_HOME>/conf/server.xml
Now modify it. Find the Connector element that has port="8443" and uncomment it if that has not already been done. Then add the last two attributes shown below (keystoreFile and keystorePass); the others are already there.
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="webapps/techtracer.bin"
keystorePass="ttadmin" />
Note the keystoreFile value. Tomcat resolves a relative keystoreFile against CATALINA_BASE (the Tomcat installation directory, unless you run a separate instance), not against the bin directory you start it from, so "webapps/techtracer.bin" is the path to use; "../webapps/techtracer.bin" would point outside the installation and Tomcat would not find the keystore. If in doubt, use "${catalina.base}/webapps/techtracer.bin" or an absolute path (on Windows, escape backslashes or use forward slashes). Also, maxSpareThreads and debug are Tomcat 5.x attributes; Tomcat 6 ignores them with a warning in the log, which is harmless. Now start the server and check that SSL works by pointing your browser at:
https://localhost:8443/
Now that Tomcat is running in SSL mode you are ready to deploy an application and test it. Note that Tomcat still runs in normal mode at the same time, on port 8080 with plain HTTP, so any application deployed to the server is reachable over both http and https. That is not what we want; we want the application to be served only in secured mode.
3. Configuring your web application to work with SSL
To do this for our test, take any application that has already been deployed successfully in Tomcat and first access it over both http and https to see that it works. If it does, open that application’s web.xml and add the following XML fragment just before the closing </web-app> tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
A full explanation of the fragment is beyond the scope of this tutorial, but the important parts are these: the url-pattern /* means every resource in the application, Servlets and JSPs alike, is covered, and transport-guarantee CONFIDENTIAL tells the container that those resources may only be served over SSL. In practice Tomcat enforces this by redirecting a plain-http request to the port named in the redirectPort attribute of the HTTP connector (8443 in the default server.xml), so check that redirectPort matches the port of your SSL connector; otherwise the redirect goes nowhere. Because it is a redirect, the browser’s first request still travels in the clear; if you want no plain-http access at all, don’t expose the port 8080 connector either. To switch SSL off for the application again, don’t delete the fragment; just change CONFIDENTIAL to NONE. That’s it!
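Before starting Tomcat it is worth checking the two files for the mistakes behind most “page cannot be displayed” reports: a keystoreFile path that Tomcat cannot resolve (relative paths are joined to CATALINA_BASE, so "../webapps/..." lands outside the installation), a keystore left under webapps/, an HTTP connector whose redirectPort names no SSL connector, and a web.xml that never asks for CONFIDENTIAL transport. The script below is an added example and not part of the original post; it uses only the Python standard library, the XML snippets inside it are constructed to match the configuration shown above, and the file it writes under conf/ is a placeholder standing in for a real keystore.

```python
"""Pre-flight check for the three Tomcat SSL steps above (an added example, not
code from the original post).  Parses server.xml and web.xml with the standard
library only and reports the pitfalls the comments keep hitting: a keystoreFile
that does not resolve (Tomcat joins a relative path to CATALINA_BASE, so
"../webapps/x" lands outside the installation), a keystore under webapps/, an
HTTP connector whose redirectPort names no SSL connector, and a web.xml without
a CONFIDENTIAL transport-guarantee.  Samples and the placeholder keystore file
are constructed for the demo."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET


def resolve_keystore(catalina_base, keystore_file):
    """Mirror Tomcat's rule: substitute ${catalina.base}/${catalina.home},
    keep absolute paths as they are, join relative ones to CATALINA_BASE."""
    path = (keystore_file.replace("${catalina.base}", catalina_base)
                         .replace("${catalina.home}", catalina_base))
    if not os.path.isabs(path):
        path = os.path.join(catalina_base, path)
    return os.path.normpath(path)


def check_server_xml(server_xml, catalina_base):
    """Return a list of findings for the Connector elements in server.xml."""
    findings = []
    base = os.path.abspath(catalina_base)
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    ssl = [c for c in connectors if c.get("scheme") == "https" or c.get("secure") == "true"]
    for c in ssl:
        ks = c.get("keystoreFile")
        if not ks:
            findings.append("SSL connector %s has no keystoreFile" % c.get("port"))
            continue
        resolved = resolve_keystore(base, ks)
        if os.path.commonpath([base, resolved]) != base:
            findings.append("keystoreFile %r resolves to %s, outside CATALINA_BASE" % (ks, resolved))
        if "webapps" in resolved.split(os.sep):
            findings.append("keystore %s lives under webapps/; keep private keys in conf/" % resolved)
        if not os.path.isfile(resolved):
            findings.append("keystore %s does not exist" % resolved)
    ssl_ports = {c.get("port") for c in ssl}
    for c in connectors:
        if c in ssl:
            continue
        # Tomcat's built-in default for redirectPort is 443, so an HTTP connector
        # that omits it never reaches an SSL connector listening on 8443.
        rp = c.get("redirectPort", "443")
        if rp not in ssl_ports:
            findings.append("HTTP connector %s redirects CONFIDENTIAL requests to port %s, "
                            "where no SSL connector listens" % (c.get("port"), rp))
    return findings


def _local(tag):
    """Strip the XML namespace so the check works for any web-app version."""
    return tag.rsplit("}", 1)[-1]


def check_web_xml(web_xml):
    """Return findings for the security-constraint elements in web.xml."""
    guarantees = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) == "security-constraint":
            guarantees += [e.text.strip() for e in sc.iter()
                           if _local(e.tag) == "transport-guarantee" and e.text]
    if "CONFIDENTIAL" not in guarantees:
        return ["no security-constraint asks for CONFIDENTIAL transport; "
                "the application is still served over plain http"]
    return []


# Constructed samples: the connector as shown in the post, plus a corrected copy.
SERVER_XML_AS_POSTED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="../webapps/techtracer.bin"
             keystorePass="ttadmin"/>
</Service></Server>"""
SERVER_XML_FIXED = SERVER_XML_AS_POSTED.replace("../webapps/techtracer.bin",
                                                "conf/techtracer.bin")
WEB_XML_OPEN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>'
WEB_XML_SECURED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def run_demo():
    """Check both sample setups against a scratch CATALINA_BASE that holds
    conf/techtracer.bin (a placeholder, not a real JKS keystore).
    Returns (findings_as_posted, findings_after_fix)."""
    base = tempfile.mkdtemp(prefix="catalina_base_")
    try:
        os.mkdir(os.path.join(base, "conf"))
        with open(os.path.join(base, "conf", "techtracer.bin"), "wb") as fh:
            fh.write(b"\xfe\xed\xfe\xed")  # JKS magic bytes only
        before = check_server_xml(SERVER_XML_AS_POSTED, base) + check_web_xml(WEB_XML_OPEN)
        after = check_server_xml(SERVER_XML_FIXED, base) + check_web_xml(WEB_XML_SECURED)
    finally:
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("as posted:\n  " + "\n  ".join(before))
    print("corrected:", after or "no findings")
```

Run as-is it reports four findings for the configuration as posted (keystore outside CATALINA_BASE, keystore under webapps/, keystore missing, no CONFIDENTIAL constraint) and none after the fix. To check your own installation, pass the contents of your real server.xml and web.xml and your CATALINA_BASE to check_server_xml and check_web_xml.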
Conclusion
These were the 3 easy steps to make Tomcat work in SSL mode, and you have also seen how easily SSL mode can be turned on and off per application. If you have difficulty with, or are unclear on, any of the steps above, feel free to drop your queries in the comments. If you liked this tutorial, a comment of appreciation or feedback on how it can be improved would be welcome.
72 Responses
Friday, September 14, 2007
If you need to setup SSL in a production environment, you’ll need to purchase a real SSL certificate. In this case, you may need to use OpenSSL to convert the certificate into a Java-usable format.
For more information, read my article:
http://blog.granilus.com/2007/06/adding-ssl-to-tomcat.html
Tuesday, October 16, 2007
Hi, this material was great and very useful.
I would like to know how I can use HTTPS for a few JSP pages in my application.
For example, my home page will be HTTP; when I want to capture client information it must open with HTTPS.
Thanks
sreenivas
Tuesday, October 16, 2007
Use the <security-constraint> accordingly.
Saturday, December 8, 2007
Hi, I can’t get it working on my local machine. It keeps indicating that “this web page cannot be displayed” when I use https. Thanks in advance.
Monday, December 17, 2007
Hi,
This is a very useful tutorial for me. Thanks for such a nice guide. It definitely solved my problem, but I am still facing a problem. I am able to run the server in secure mode from the command prompt, but I am not able to do so from Eclipse. The problem is that it is not able to find the .bin file created in the first step of the tutorial. It says it can’t find the .bin file in the webapps directory. I hope you know that Eclipse uses its own set of directories for publishing the contents to the server.
Monday, December 17, 2007
@Balakrishan - I assume that since you are able to run the server in secure mode through the command prompt, it should work through Eclipse too. Even though the directory structure is different, the server reads the same server.xml.
Check whether your Eclipse points to another copy of the server program. Also check whether your web application is configured to use secured mode.
Saturday, December 29, 2007
Hi,
Nice and hands on tutorial.
Thanks.
Regards,
Saravanan.V
Saturday, January 5, 2008
This is simply excellent! You hammered right to the marrow; if only open source could get more writers like you, our is Java and everything that’s in it!
Monday, January 7, 2008
I am unable to access it through https://localhost:8443. It is not working for me.
Monday, January 7, 2008
@sundar - Please recheck the steps. You might have missed out on something.
Tuesday, January 15, 2008
This is very useful and the steps are very much neat and correct to follow.
Thanks for this kind of tutorial which is really rare on web.
-Tapas
Wednesday, January 30, 2008
Great tutorial. Very easy to follow. I knew NOTHING about SSL and was still able to set it up with Tomcat in just a couple of hours. There were a couple of hiccups along the way, and I want to mention them to everyone:
1- When you’re copying any text with ” from the browser to your text editor, make sure the quotes are copied correctly.
2- You may have to change the relative path of the .bin file. For example, I had to set it to “webapps/myfilename.bin” instead of “../webapps/myfilename.bin”.
Hope that helps. Thanks again Nitin!
Thursday, January 31, 2008
@ Shez Areu -
Thanks for the tips. That would surely be helpful.
Thursday, February 7, 2008
First I would like to thank nitinpai for the tutorial and Shez Areu for the helpful comment.
I used the above configuration with Windows XP SP2, JDK 1.5 and Tomcat 5.0.28, and everything worked fine.
When I tried the same thing with Tomcat 5.5 I couldn’t access https://localhost:8443. When I tried to, nothing happened. No exception was thrown, and after a while the request timed out.
After searching for a while I found that the solution was deleting (!), or renaming, the file tcnative-1.dll from the Tomcat 5.5\bin directory.
(http://www.jguru.com/forums/view.jsp?EID=1278166).
Does anyone know a better solution? Perhaps using another version of the tcnative-1.dll file? My version was 1.1.4.0.
Regards,
vagkavan
Friday, February 15, 2008
Thanks…I made my first Certificate….
Monday, March 10, 2008
Wonderful piece of information. I am having problems getting it to work; I am getting “page cannot be displayed”. I will recheck all my steps.
Thank you
Tuesday, March 11, 2008
It was a good tutorial for beginners who do not have any idea about SSL. I tried implementing it following the steps listed above, but the result is “page cannot be displayed”. Can someone help me out?
Thank you
Tuesday, March 11, 2008
@Suma @latha - Since you are both getting the same problem, can you tell me which version of Tomcat you are using?
Wednesday, March 12, 2008
i am using Tomcat 6.0
Thursday, March 13, 2008
I am using Tomcat 5.5.20 and Java 5 update 10, and I am having problems getting it to work. I am getting “page cannot be displayed”.
any help will be great
Wednesday, April 2, 2008
Hi,
I followed the steps described in the above article. First of all, I am describing what I have used:
1. jdk1.5_14
2. Tomcat 6.0.14
I found the following problems:
1. It does not accept the relative path of the .bin file,
so I used the following:
keystoreFile=”${catalina.home}/webapps/techtracer.bin”
This is working fine.
2. On my machine both http and https are not working at the same time.
Now one thing I want to know is how I can switch between both of these (http & https);
for example, the user sign-in and credit card pages should be secure and all others should be non-secure.
Thanks in Advance.
Regards,
Dinesh Gupta
Wednesday, April 2, 2008
Hi All,
Can someone explain how to configure SSL in JBoss 4.2?
Thanks
Regards,
Dinesh Gupta
Thursday, April 3, 2008
@Dinesh - You would have to study about the security aspects of web.xml to do the configuration.
Friday, April 4, 2008
Hi,
I am trying to make this SSL work but no progress.
I tried various solutions given on the web but all in vain.
I am using JDK 1.5 update 11
and Tomcat 5.5.26.
Same problem as a few other people:
Internet Explorer cannot display the webpage.
I followed the exact steps given above.
Can you help me?
Thanks..
Friday, April 4, 2008
Hi Nitin,
I have configured it the same as discussed above but it is not working on Tomcat. Only HTTPS is working; I have checked web.xml too.
Does anyone have an idea?
Friday, April 4, 2008
Hey Dinesh,
can you tell me how you got SSL working?
Thanks
Monday, April 7, 2008
Hi Hetal,
Just follow the steps described above.
Regards,
Dinesh
Sunday, April 13, 2008
Hi nitinpai, thank you for providing this excellent tutorial to us!!!
I would like to ask you if there’s a problem doing the same when using NetBeans with Tomcat 6. I followed these steps, but when I try to enter https://localhost:8443 the browser shows me an error. I am sure that I haven’t missed anything from the steps.
Thanks in advance
Regards,
Costas
Monday, April 14, 2008
Problem solved!!!!
If you use the Tomcat 6 that is provided with the NetBeans 6 installer, then you won’t edit the server.xml in the path
”C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.14\conf” but the one in path ”{$userhome}\.netbeans\6.0rc2\apache-tomcat-6.0.14_base\conf”
Monday, April 14, 2008
@Costas - Thanks for the tip. Multiple servers can sometimes lead to confusion while editing the configurations. It is advisable to use a single server instance while developing and not to switch too frequently.
Tuesday, April 15, 2008
Very useful tutorial!
Friday, April 18, 2008
Nice, thanks a lot.
Any translation for Jetty, though? :p
Tuesday, April 22, 2008
nice, thanks
I made my first SSL, but when I try to enter https://localhost:8443, a warning popped up (it’s not good at all). How can I remove this warning? Maybe by using a real cert or something else?
Tuesday, April 22, 2008
Hello,
First of all thanks for the great tutorial.
I have completed all the steps and after all when I pointed my browser to
https://localhost:8443/ I was asked to accept the certificates and all that, but when I actually attempted to point to my application (https://localhost:8443/myApp) a page came up saying “You are not authorized to access this resource.” and from that moment on every time I point to https://localhost:8483 I get the same page with the unauthorized message.
Could you please help me out and tell me what I should do.
Thank you
Sunday, April 27, 2008
Hi,
Very good tutorials
Monday, May 5, 2008
Very good, man.
Tuesday, May 13, 2008
Wonderful piece of information. I am having problems getting it to work; I am getting “page cannot be displayed”. I will recheck all my steps.
I am using JDK 1.5 & Tomcat 5.0.
Thank you
Wednesday, May 14, 2008
If you still don’t get the page properly, try accessing a JSP.
In that JSP, just try whether it returns true.
If yes, the transport layer on that site is secured.
Wednesday, May 14, 2008
My previous post’s code was removed:
request.isSecure()
Wednesday, May 14, 2008
When I’m trying to access https://localhost:8443, I’m getting “page cannot be displayed”,
and I rechecked all my steps, but I’m not getting why it is not working.
I’m using Tomcat 5.0 & JDK 1.5.
Thursday, May 15, 2008
LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format
Thursday, May 15, 2008
@Ani - Please check your server logs for why the resource is not accessible. It might be something with the path of the keystore or some configuration mismatch in server.xml.
Please check the relevant server docs, because it’s possible that the configuration for Tomcat 5 is different.
Tuesday, May 20, 2008
Nice article.
I had to change keystoreFile=”../webapps/tomcattest.bin”
to
keystoreFile=”webapps/tomcattest.bin”
in server.xml but other than that, eveything worked smoothly.
Monday, June 2, 2008
Hi, this is about localhost. Could anybody please explain it for a remote connection?
Monday, June 2, 2008
Hi,
First of all, this article is very informative.
I tried to run the keystore command, then I got this exception: “Keystore is not recognised as an internal or external command”.
How can I fix this problem?
Thanks,
Tuesday, June 3, 2008
@Naveen - The command is “keytool” and not “keystore”
Tuesday, June 3, 2008
Thanks a lot.
It’s working fine now.
But I want to know, if I have an SSL certificate from some vendor (Verisign), then how should I do the configuration for that certificate, because it will be a file, and how do I generate a keystore for this using the keytool command?
Wednesday, June 4, 2008
@Naveen - It won’t be a file. It would be the keystore itself. Instead of generating it manually, the vendor will provide the keystore. This keystore would actually contain the certificate information. You would have to configure the keystore with the server in the same way as above.
Wednesday, June 4, 2008
Thanks a lot Nitin…
Sunday, June 8, 2008
I wasn’t able to get the relative path part in server.xml working on a Windows system for some reason, but the rest worked like a charm. Thanks!
Sunday, June 8, 2008
@Paul - A relative path means a path starting from the directory in which the file is present. Usually when you are working in a production environment you are not given access to the entire file system. In such cases, it is not possible to hard-code an absolute path such as C:/Program Files/…..
So it’s better if you use a relative path, since you at least have access to the Tomcat installation directory.
Sunday, June 8, 2008
I figured it out finally. I guess when you’re tired, setting things up is a bad idea. I forgot that Windows doesn’t like paths with “..” in them. Taking that out of the path worked fine.
This is a dedicated server, so I have full access, but not using absolute path makes the whole config portable, which I do like.
Thanks again!
Monday, June 9, 2008
@Paul - Yeah, you got the right point, which I missed.
Tuesday, June 10, 2008
Let me inject what I think is a new variable into the picture: Web services in Tomcat for which the client is a stand-alone Java app (JAX-WS, if it matters) that does not run in a browser. I’ve not been able to get this to work with a self-signed certificate generated using keytool — it always fails because it can’t find a valid path to the certificate, or something like that. What does work (sort of) is using a browser to retrieve the WSDL — this works with the https protocol because I can manually respond to disregard the warning about an untrusted issuer (a luxury not available with the Web service client). Any suggestions, anyone?
Thursday, June 12, 2008
Hi Nitinpai,
It worked well for me in a testing environment. But for production I am not sure what I have to do. Will it cost me to ask Verisign for certificates?
I just saw this article on keytool and it states that we can ’submit’ a CSR request to a CA (Verisign) and they will give a chain of certificates. Not sure how I will implement the same in production?
Thursday, June 12, 2008
Some suggestions
server.xml
Check the connector tag entries for case sensitivity.
It worked for me after I corrected it.
Thursday, June 12, 2008
For production:
Step 1: Create a CSR with your self-signed certificate
Step 2: Place an order for an SSL certificate with the proper domain name of your application
Step 3: You will be sent 3 certificates if it is Verisign:
Root CA [sometimes called Chain Certificate], Intermediate CA, and your SSL Certificate
Steps in detail
1. Normal keystore creation as mentioned by Nitin above
2. Create the CSR
keytool -certreq -keyalg RSA -alias -file -keystore
3. Order the SSL certificate
Import the root CA: note the alias is different
keytool -import -alias root -keystore -trustcacerts -file
Import the intermediate CA: note the alias is different
keytool -import -alias intermediateCA -keystore -trustcacerts -file
Import the SSL certificate: give the alias you gave in keystore step 1
keytool -import -alias tomcat -keystore -trustcacerts -file
4. After that, configure the root CA in your web browser.
For details, check the
Verisign site tutorial
Thursday, June 12, 2008
Example
keytool -import -alias root -keystore thillaikeys.keystore -trustcacerts -file RootCA.cer
keytool -import -alias intermediateCA -keystore thillaikeys.keystore -trustcacerts -file Intermediate.cer
keytool -import -alias tomcat -keystore thillaikeys.keystore -trustcacerts -file TrialSslCertificate.cer
Thursday, June 12, 2008
Karthik, many thanks for the reply. It was indeed very useful. But I was just wondering: we have a Verisign certificate for another application (different host). Can I re-use the same on this new application? I know that we cannot re-use a single standard certificate on multiple servers, but EV certs and wildcard certs can be re-used. But I’m not sure how/where to look to see what kind of certificate the other application has, to check if I can re-use it.
Thursday, June 12, 2008
@Karthik - Thanks for the detailed explanation.
Monday, June 23, 2008
After following the necessary steps I am not able to start my Tomcat. I get the following error:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: java.lang.NullPointerException
at org.apache.catalina.startup.Catalina.await(Catalina.java:616)
at org.apache.catalina.startup.Catalina.start(Catalina.java:576)
… 6 more
Tuesday, June 24, 2008
Sarbajeet Das
- Can you upload the logs somewhere and send the link?
Were you able to start Tomcat previously without issues?
If so, try starting in debug mode
and upload the log file and send the link, so that we can. Not able to identify the problem without the portion where the error occurs.
Monday, June 30, 2008
Your solution for a single SSL certificate works fine. Could you expand your explanation for using multiple secured sites on one Tomcat 5.5.23 server (multiple SSL certificates)?
I have found solutions, and the one that might work for me is assigning multiple IP addresses to this server, but how do I change my server.xml to make it work? Any help would probably help many others out there in the same kettle.
Wednesday, July 2, 2008
Many thanks for this tutorial. It is the clearest I have found.
Only one question: after following this tutorial, when I access my application with https, a message appears in my browser:
certificate error
and the browser tells me that it is not recommended to continue.
I don’t know if this is normal or not and what I can do to avoid it.
Thank you so much
Thursday, July 3, 2008
You can continue in this case. Since you are using a temporary certificate that was created locally, it is possible that it won’t be valid. In practical scenarios the certificates are provided by authorized companies.
Thursday, July 3, 2008
@Wade - You don’t have to change server.xml in my opinion. The application is secured once you specify the appropriate properties in the web.xml of that particular application. You have to do the same thing for all the applications.
Thursday, July 3, 2008
This is great for a single webapp, but what if you want to serve multiple secure sites on one server? This is my current predicament; any help would be greatly appreciated.
Tuesday, July 8, 2008
Running Tomcat 5.5.20 on XP SP2, I had to ensure I escaped the backslash characters in the path to the keystore file, e.g. “C:\\temp\\tomcattest.bin”.
Tuesday, July 8, 2008
I don’t want to secure all the websites under the Tomcat server, only a few; the others are not secure. The question is how do I set up multiple sites (I believe I assign multiple IP addresses to the same server) and then, using server.xml, how do I secure separate sites with different keystore files (I believe I set up multiple services, each with its own connector that defines the address and the keystore). Any further help would be appreciated, like entries in the hosts file or hidden things like that. Thank you.
Thursday, July 10, 2008
My two cents on creating a more robust certificate using keytool.
The answer to “What is your first and last name?” should be the fully qualified domain name (FQDN) of your web server (i.e. myserver.domain.com). You will get a certificate name check warning if this is not an exact match. At the summary it is referred to as the CN (Common Name). I also suggest using the FQDN as the “-alias” parameter.
Question: Should I store DSA & RSA keys in my “keystore” in order to increase the security and validity of my website?
Thursday, July 24, 2008
Vagkavan is a genius! Like many people above, I had everything set up according to the tutorial, but the browser would not connect to my site via https. No error messages, nothing. I had been working on this problem for days until I came across Vagkavan’s suggestion that I remove tcnative-1.dll from tomcat/bin. Worked like a charm! I’m using Tomcat 5.5.
Monday, July 28, 2008
I have implemented the steps above: created the keystore/keypass, placed it into the webapps directory, uncommented the SSL connector in server.xml, and added the code to web.xml as stated.
I am successfully connecting over port 8443 and the unsecured port 80 as well.
I tried to comment out the HTTP 1.1 code, and this caused the https pages to throw HTTP Error 500.
How can I implement SSL/HTTPS and disable the HTTP connection? What am I missing?