Setting Up SSL on Tomcat In 3 Easy Steps

Setting up SSL on Tomcat is easy, and converting a web application to work over HTTPS takes very little effort. The real difficulty is the documentation available on the web. The official source on the Apache site starts off well but ends in confusion, especially the part that talks about OpenSSL. That part describes Tomcat's APR (native) connector, which does its TLS through OpenSSL instead of the JDK; the plain Java (JSSE) connector used here needs no OpenSSL at all.

OpenSSL may be the right choice in a production environment, but if you just want to test SSL with Tomcat, the JDK and a Tomcat installation are more than enough. So I will walk you through the same steps I took to get SSL up and running and to build a secured web app within a matter of minutes.

The things I used to set up SSL are:

  • JDK 1.6
  • Tomcat 6

Even though I used the latest versions, the same steps should work with JDK 1.5. The JDK ships with the keytool executable, which is what generates the keystore; earlier JDKs have it too. The three steps that get SSL going are:

  1. Generating the Keystore file
  2. Configuring Tomcat for using the Keystore file
  3. Configuring your web application to work with SSL

Let’s get this party started now.

1. Generating the KeyStore file

The keystore file holds the server's private key and the certificate that goes with it. The certificate tells the browser who it is talking to, so the client can check that it has reached the intended party, and the private key is used in the handshake to prove the server really owns that certificate. The certificate made here is self-signed, so browsers will warn that it is untrusted; that is fine for testing. To create the keystore you use keytool. Open a command prompt on Windows or a shell on Linux and type:

cd %JAVA_HOME%/bin on Windows

cd $JAVA_HOME/bin on Linux

You land in the JDK's bin directory. Now run the keytool command with the following parameters:

keytool -genkey -alias techtracer -keyalg RSA -keysize 2048 -validity 365 -keypass ttadmin -keystore techtracer.bin -storepass ttadmin

Change the alias, the two passwords and the keystore file name to suit you; the .bin extension is arbitrary, the file is simply the keystore. Keep the keypass and storepass the same: the Tomcat 6 connector has only a keystorePass attribute and uses it for both. Pick a real password, because it will sit in clear text in server.xml. The -keyalg RSA matters: keytool on JDK 6 defaults to DSA, and some browsers reject DSA-signed certificates. keytool then starts a questionnaire. Answer the first question ("first and last name") with the host name users will type into the browser (localhost for this test); anything else gives a certificate name mismatch warning, because that answer becomes the CN of the certificate. The remaining answers only describe the organisation. A reference run:

What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: home
What is the name of your organization?
[Unknown]: techtracer
What is the name of your City or Locality?
[Unknown]: mumbai
What is the name of your State or Province?
[Unknown]: maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=localhost, OU=home, O=techtracer, L=mumbai, ST=maharashtra, C=IN correct?
[no]: yes

The command then finishes and writes the keystore into the current directory, which is the JDK bin directory if you followed the cd above. In my case it was techtracer.bin, located in

C:\Program Files\Java\jdk1.6.0_02\bin\

Move the .bin file into Tomcat's conf directory (<CATALINA_HOME>/conf), next to server.xml, and make it readable only by the account Tomcat runs as: it contains the private key, so it has no business under webapps alongside the deployed applications. Keeping it inside the Tomcat installation also lets the next step refer to it without a machine-specific absolute path.
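Step 1 done from a script rather than the questionnaire, as an added example that is not code from the original post: it builds the -dname for keytool, insists that the CN is a host name, generates an RSA key, and checks the result before Tomcat ever sees it. The host name localhost, organisation techtracer, country IN, keystore path conf/techtracer.bin and password ttadmin are assumed values taken from this tutorial; use a real password.

```shell
#!/bin/sh
# Added example (not from the original post): create the Tomcat keystore of
# step 1 non-interactively and verify what went into it. Assumed values:
# host localhost, organisation techtracer, country IN, keystore
# conf/techtracer.bin, password ttadmin.
set -eu

# The CN must be the host name the browser will use, not a person's name;
# anything empty or containing a space is certainly wrong.
is_hostname() {
    case "$1" in
        ""|*" "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the -dname keytool accepts instead of asking its six questions.
dname_for() {                          # host org country
    is_hostname "$1" || { echo "CN must be a host name, got '$1'" >&2; return 1; }
    printf 'CN=%s, O=%s, C=%s' "$1" "$2" "$3"
}

# Generate a 2048-bit RSA key pair and a one-year self-signed certificate.
# keytool on JDK 6 defaults to DSA, which some browsers reject, hence -keyalg.
make_keystore() {                      # keystore password host org country
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$1" -storepass "$2" -keypass "$2" \
        -dname "$(dname_for "$3" "$4" "$5")"
    chmod 600 "$1"                     # the file holds the private key
}

# True when "keytool -list -v" output shows an RSA-signed certificate.
uses_rsa() {                           # listing-text
    printf '%s\n' "$1" | grep -q '^Signature algorithm name:.*withRSA'
}

# Print the entry and refuse a keystore whose key came out DSA.
verify_keystore() {                    # keystore password
    listing=$(keytool -list -v -keystore "$1" -storepass "$2")
    printf '%s\n' "$listing" | grep -E '^(Alias name|Owner|Signature algorithm name):'
    uses_rsa "$listing" || { echo "key is not RSA; regenerate with -keyalg RSA" >&2; return 1; }
}

# After step 2: show the certificate Tomcat actually serves on the SSL port.
show_served_cert() {                   # host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# Usage (needs a JDK, and for the last call a running Tomcat and OpenSSL):
#   make_keystore conf/techtracer.bin ttadmin localhost techtracer IN
#   verify_keystore conf/techtracer.bin ttadmin
#   show_served_cert localhost 8443
```

The Owner line printed by verify_keystore is the CN the browser compares against the address bar, so it is the quickest way to find a name mismatch before touching server.xml.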

2. Configuring Tomcat for using the Keystore file

Here we make some changes to server.xml to tell Tomcat to use the keystore created in the previous step. Open the file, which is at:

<CATALINA_HOME>/conf/server.xml

Now modify it. Find the Connector element with port="8443" and uncomment it if that is not already done. Add the keystoreFile and keystorePass attributes (the last two lines below), and make sure protocol="HTTP/1.1" SSLEnabled="true" is present: on Tomcat 6 the scheme and secure attributes alone do not turn on TLS, the connector quietly serves plain HTTP, and the browser reports "page cannot be displayed". The minSpareThreads, maxSpareThreads and debug attributes found in older Tomcat 5 configurations are not Connector attributes in Tomcat 6 and only produce startup warnings, so they are left out:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/techtracer.bin"
           keystorePass="ttadmin" />

The keystoreFile path uses ${catalina.base}, which Tomcat substitutes with its base directory when it parses server.xml. Relative paths have been resolved differently across Tomcat versions (some readers needed "webapps/..." where "../webapps/..." failed), so spelling it out this way removes the guesswork. One more trap: if Tomcat's native library (tcnative-1.dll or libtcnative-1.so) is on the library path, the connector becomes an APR connector that expects OpenSSL-style attributes (SSLCertificateFile and friends) and ignores keystoreFile; either remove the native library or force the Java connector with protocol="org.apache.coyote.http11.Http11Protocol". Now start the server and check SSL by pointing your browser to:

https://localhost:8443/

With Tomcat running in SSL mode you are ready to deploy an application and test it. Note that Tomcat still runs in normal mode at the same time, i.e. on port 8080 with plain HTTP, so any application deployed to the server is reachable over both http and https. That is not what we want; the application should run only in the secured mode.

3. Configuring your web application to work with SSL

For the test, take any application already deployed successfully in Tomcat and first access it through http and https to see that both work. If so, open that application's web.xml and add this XML fragment just before the closing </web-app>:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

A full explanation of the fragment is beyond this tutorial, but notice two things. The url-pattern /* means every resource in the application, servlets and JSPs alike, is covered. The transport-guarantee CONFIDENTIAL tells the container that those resources may only be served over an encrypted connection: a request that arrives on port 8080 is answered with a redirect to the port named in the redirectPort attribute of the 8080 Connector (8443 in the stock server.xml), so check that the two match or the redirect will point nowhere. The constraint does not shut the http connector down; to do that, comment out the port 8080 Connector in server.xml. To turn SSL off for the application again, do not delete the fragment, just change CONFIDENTIAL to NONE. That's it!
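To show how the pieces fit together, here is an added example that is not part of the original post: the two connectors in server.xml wired together through redirectPort, and a web.xml constraint that protects only the login and checkout paths rather than /*. The paths /login/* and /checkout/*, the keystore location and the password are assumptions made for the example.

```xml
<!-- server.xml (Tomcat 6): the plain connector's redirectPort must name the
     port of the SSL connector, because that is where requests for
     CONFIDENTIAL resources arriving on 8080 are sent. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/techtracer.bin"
           keystorePass="ttadmin" />

<!-- web.xml: only the login and checkout areas insist on TLS; the rest of
     the application stays reachable over http. Patterns are matched against
     the path below the context root. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>sensitive-pages</web-resource-name>
    <url-pattern>/login/*</url-pattern>
    <url-pattern>/checkout/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Test the redirect from the command line with curl -I http://localhost:8080/yourapp/login/ and expect a 302 whose Location header starts with https://localhost:8443/. Be aware of what a mixed http/https application gives away: Tomcat marks JSESSIONID as a Secure cookie only when the session was created on an https request, so a session started on the plain home page keeps travelling over http even after the user logs in on the protected path. Either make sure the session is created only after the switch to https, or keep /* as in the original fragment.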

Conclusion

These were the three easy steps to make Tomcat work in SSL mode, and you have also seen how easily SSL can be turned on and off per application. If you find any step difficult or unclear, feel free to drop in your queries. If you like this tutorial, a comment of appreciation or feedback on how it can be improved would be nice.

266 thoughts on “Setting Up SSL on Tomcat In 3 Easy Steps”

  1. Hi, this material was great and very useful.

    I would like to know how I can use HTTPS for a few JSP pages in my application.

    For example my home page will be HTTP; when I want to capture client information it must open with HTTPS.

    Thanks
    sreenivas

  2. Hi, I can't get it working on my local machine. It keeps indicating “this web page cannot be displayed” when I use https. Thanks in advance.

  3. Hi,
    This is a very useful tutorial for me. Thanks for such a nice guide. It definitely solved my problem, but I am still facing a problem. I am able to run the server in secure mode from the command prompt but I am not able to do so from Eclipse. The problem is that it is not able to find the .bin file created in the first step of the tutorial. It says it can't find the .bin file in the webapps directory. I hope you know that Eclipse uses its own set of directories for publishing the contents to the server.

  4. @Balakrishan – I assume that since you are able to run the server in secure mode through the command prompt, it should work through Eclipse too. Even though the directory structure is different, the server reads from the same server.xml.

    Check if your Eclipse points to another copy of the server program. And also check if your web application is configured to use the secured mode.

  5. This is simply excellent!!! You hammered right to the marrow; if only open source could get more writers like you, our is Java and everything that's in it!!!!!

  6. This is very useful and the steps are very much neat and correct to follow.
    Thanks for this kind of tutorial which is really rare on web.

    -Tapas

  7. Great tutorial. Very easy to follow. I knew NOTHING about SSL and was still able to set it up with Tomcat in just a couple of hours. There were a couple of hiccups along the way and I want to mention them to everyone:

    1- When you're copying any text with " from the browser to your text editor, make sure the quotes are copied correctly

    2- You may have to change the relative path of the .bin file. For example, I had to set it to "webapps/myfilename.bin" instead of "../webapps/myfilename.bin"

    Hope that helps. Thanks again Nitin! 🙂

  8. First I would like to thank nitinpai for the tutorial and Shez Areu for the helpful comment.

    I used the above configuration with Windows XP SP2, JDK 1.5 and Tomcat 5.0.28, and everything worked fine.

    When I tried the same thing with Tomcat 5.5 I couldn't access https://localhost:8443. When I tried to, nothing happened. No exception was thrown, and after a while the request timed out.

    After searching a while I found that the solution was deleting (!), or renaming, the file tcnative-1.dll from the Tomcat 5.5\bin directory.
    (http://www.jguru.com/forums/view.jsp?EID=1278166).

    Does anyone know a better solution? Perhaps using another version of the tcnative-1.dll file? My version was 1.1.4.0.

    Regards,
    vagkavan

  9. Wonderful piece of information. I am having problems getting it to work; I am getting “page cannot be displayed”. I will recheck all my steps.
    Thank you

  10. It was a good tutorial for beginners who have no idea about SSL. I tried implementing it following the steps listed above but the result is “page cannot be displayed”. Can someone help me out of it?

    Thank U

  11. I am using Tomcat 5.5.20 and Java 5 update 10, and I am having problems getting it to work. I am getting “page cannot be displayed”.

    any help will be great

  12. Hi,

    I followed the steps described in the above article. First of all I am describing what I have used:

    1. jdk1.5_14
    2. Tomcat 6.0.14

    I found the following problems:

    1. It does not accept the relative path of the .bin file,
    so I have used the following:
    keystoreFile="${catalina.home}/webapps/techtracer.bin"

    This is working fine.

    2. On my machine both http and https are not working at the same time.

    Now one thing I want to know is how I can switch between both of these (http & https),

    for example the user sign-in and credit card pages should be secure and all others non-secure.

    Thanks in Advance.

    Regards,

    Dinesh Gupta

  13. Hi,
    I am trying to make this SSL work but no progress.
    I tried out various solutions given on the web but all in vain.
    I am using jdk1.5 update 11
    and tomcat5.5.26.
    Same problem as a few other people:
    Internet Explorer cannot display the webpage.
    I followed the exact steps given above.

    Can you help me?

    Thanks..

  14. Hi Nitin,
    I have configured the same as discussed above but it is not working on Tomcat. Only HTTPS is working. I have checked web.xml too.

    Anyone have an idea?

  15. Hi nitinpai, thank you for providing this excellent tutorial to us!!!

    I would like to ask you if there's a problem doing the same when using NetBeans with Tomcat 6. I followed these steps but when I try to enter https://localhost:8443 the browser shows me an error. I am sure that I haven't missed anything from the steps.

    Thanks in advance

    Regards,
    Costas

  16. Problem solved!!!!
    If you use the Tomcat 6 that is provided with the NetBeans 6 installer, then you don't edit the server.xml in the path
    "C:\Program Files\Apache Software Foundation\Apache Tomcat 6.0.14\conf" but the one in the path "{$userhome}\.netbeans\6.0rc2\apache-tomcat-6.0.14_base\conf"

  17. @Costas – Thanks for the tip. Multiple servers can sometimes lead to confusion while editing the configurations. It is advisable to use a single server instance while developing and not to switch too frequently.

  18. Hello,
    First of all thanks for the great tutorial.
    I have completed all the steps and after all when I pointed my browser to
    https://localhost:8443/ there I was asked to accept the certificates and all that but when I actually attempted to point to my application (https://localhost:8443/myApp) this page came up saying “You are not authorized to access this resource.” and then from this moment on every time I point to https://localhost:8483 I get the same page with the unauthorized message.
    Could you please help me out and tell me what I should do.
    Thank you

  19. Wonderful piece of information. I am having problems getting it to work; I am getting “page cannot be displayed”. I will recheck all my steps.
    I am using jdk1.5 & tomcat 5.0
    Thank you

  20. If you still didn't get the page properly, try accessing a JSP.
    In that JSP, just try returns true.
    If yes, your transport layer in that site is secured.

  21. LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format

  22. @Ani – Please check your server logs for why the resource is not accessible. It might be something with the path of the keystore or some configuration mismatch in server.xml.

    Please check the relevant server docs, because it's possible the configuration for Tomcat 5 might be different.

  23. Nice article.

    I had to change keystoreFile="../webapps/tomcattest.bin"
    to
    keystoreFile="webapps/tomcattest.bin"

    in server.xml but other than that, eveything worked smoothly.

  24. Hi,
    First of all this article is very informative.
    I tried to run the Keystore command, then I got this exception: “Keystore is not recognised as an internal or external command”.

    How can I fix this problem???

    Thanks,

  25. Thanks a lot….
    Its working fine now…
    But I want to know, if I have an SSL certificate from some vendor (Verisign), then how should I do the configuration for that certificate, because it will be a file, and then how to generate a keystore for this using the keytool command...

  26. @Naveen – It won’t be a file. It would be the keystore itself. Instead of generating it manually the vendor will be providing the keystore. This keystore would actually contain the certificate information. You would have to configure the keystore with the server in the same way as above.

  27. I wasn’t able to get the relative path part in server.xml working on a Windows system for some reason, but the rest worked like a charm. Thanks!

  28. @Paul – Relative path means the path starting from the directory in which the file is present. Usually when you are working in a production environment you are not given access to the entire file system. In such cases, it is not possible to hard code the absolute path such as C:/Program Files/…..

    So it's better if you use a relative path since you already have access to the Tomcat installation directory at least.

  29. I figured it out finally. I guess when you're tired, setting things up is a bad idea. I forgot that Windows doesn't like paths with ".." in them. Taking that out of the path worked fine.

    This is a dedicated server, so I have full access, but not using absolute path makes the whole config portable, which I do like.

    Thanks again!

  30. Let me inject what I think is a new variable into the picture: Web services in Tomcat for which the client is a stand-alone Java app (JAX-WS, if it matters) that does not run in a browser. I’ve not been able to get this to work with a self-signed certificate generated using keytool — it always fails because it can’t find a valid path to the certificate, or something like that. What does work (sort of) is using a browser to retrieve the WSDL — this works with the https protocol because I can manually respond to disregard the warning about an untrusted issuer (a luxury not available with the Web service client). Any suggestions, anyone?

  31. Hi Nitinpai,

    It worked well for me in the testing environment. But for production I am not sure what I have to do. Will it cost me to ask Verisign for certificates?
    I just saw this article on keytool and it states that we can 'submit' a CSR request to a CA (Verisign) and they will give a chain of certificates. Not sure how I will implement the same in production?

  32. Some suggestions:
    server.xml
    Check the connector tag entries for case sensitivity.
    It worked for me after I corrected it.

  33. For production,

    Step 1: Create a CSR with your self-signed certificate
    Step 2: Place an order for an SSL certificate with the proper domain name of your application
    Step 3: You will be sent 3 certificates if it is Verisign:
    Root CA [sometimes called Chain Certificate], Intermediate CA, and your SSL Certificate

    Steps in detail
    1. Normal keystore creation as mentioned by Nitin above
    2. Create CSR
    keytool -certreq -keyalg RSA -alias -file -keystore
    3. Order the SSL certificate

    Import root CA: note the alias is different
    keytool -import -alias root -keystore -trustcacerts -file

    Import intermediate CA: note the alias is different
    keytool -import -alias intermediateCA -keystore -trustcacerts -file

    Import the SSL certificate: give the alias you gave in the keystore step 1
    keytool -import -alias tomcat -keystore -trustcacerts -file

    4. After that configure the root CA in your web browser.
    For details, check the
    Verisign site tutorial

  34. Example
    keytool -import -alias root -keystore thillaikeys.keystore -trustcacerts -file RootCA.cer

    keytool -import -alias intermediateCA -keystore thillaikeys.keystore -trustcacerts -file Intermediate.cer

    keytool -import -alias tomcat -keystore thillaikeys.keystore -trustcacerts -file TrialSslCertificate.cer
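The production steps in the two comments above, written out as an added example that is not from the post or from the commenters: a CSR from the existing key, the CA chain imported in the right order under its own aliases, and a check that keytool actually linked the CA reply to the private key. The file names RootCA.cer, Intermediate.cer and server.cer, the keystore path conf/tomcat.jks, the alias tomcat and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the comments above: turn a self-signed
# keystore into a CA-signed one. Assumed names: keystore conf/tomcat.jks with
# key alias "tomcat" and password "changeit"; CA files RootCA.cer and
# Intermediate.cer; issued certificate server.cer.
set -eu

KS=${KS:-conf/tomcat.jks}
PASS=${PASS:-changeit}

# 1. CSR from the existing key pair; only this file goes to the CA, the
#    private key never leaves the keystore.
make_csr() {                           # out-file
    keytool -certreq -alias tomcat -keystore "$KS" -storepass "$PASS" \
        -file "$1"
}

# 2. Import the CA certificates first, then the issued certificate under the
#    key's own alias, so keytool can attach it to the private key and build
#    the chain from the CA entries already present.
install_chain() {                      # root.cer intermediate.cer server.cer
    keytool -importcert -alias root -trustcacerts -noprompt \
        -keystore "$KS" -storepass "$PASS" -file "$1"
    keytool -importcert -alias intermediateCA -trustcacerts -noprompt \
        -keystore "$KS" -storepass "$PASS" -file "$2"
    keytool -importcert -alias tomcat -trustcacerts \
        -keystore "$KS" -storepass "$PASS" -file "$3"
}

# Pull the chain length out of "keytool -list -v" output; a key entry that
# still reports 1 after the import was not linked to the CA reply.
chain_length() {                       # listing-text
    printf '%s\n' "$1" | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# 3. Confirm the key entry carries the full chain (3 for root, intermediate,
#    server). Tomcat sends exactly this chain to browsers.
verify_chain() {
    listing=$(keytool -list -v -alias tomcat -keystore "$KS" -storepass "$PASS")
    n=$(chain_length "$listing")
    [ "${n:-0}" -ge 2 ] || { echo "alias tomcat has chain length ${n:-0}; the CA reply was not linked" >&2; return 1; }
    echo "chain length $n"
}

# Usage (needs a JDK on PATH):
#   make_csr tomcat.csr
#   install_chain RootCA.cer Intermediate.cer server.cer
#   verify_chain
```

The server.xml connector does not change for a CA-signed certificate; the same keystoreFile and keystorePass now simply point at a keystore whose tomcat entry chains up to a trusted root, which is what removes the browser warning.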

  35. Karthik, many thanks for the reply. It was indeed very useful. But I was just wondering: we have a Verisign certificate for another application (different host). Can I reuse the same on this new application? I know that we cannot reuse a single standard certificate on multiple servers but EV certs and wildcard certs can be reused. But not sure how/where to look for what kind of certificate the other application has, to check if I can reuse it?

  36. After following the necessary steps I am not able to start my Tomcat. I get the following error.....

    java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
    Caused by: java.lang.NullPointerException
    at org.apache.catalina.startup.Catalina.await(Catalina.java:616)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:576)
    … 6 more

  37. Sarbajeet Das
    – Can you upload the logs somewhere and send the link?
    Were you able to start Tomcat previously without issues?
    If so, try starting in debug mode
    and upload the log file and send the link, so that we can. Not able to identify the problem without the portion where the error occurs.

  38. Your solution for a single SSL certificate works fine. Could you expand your explanation for using multiple secured sites on one Tomcat 5.5.23 server (multiple SSL certificates)?
    I have found solutions and the one that might work for me is assigning multiple IP addresses to this server, but how do I change my server.xml to make it work...? Any help would probably help many others out there in the same kettle.

  39. Many thanks for this tutorial. It is the clearest I have found.
    Only one question: after following this tutorial, when I access my application with https, a message appears in my browser:
    certificate error
    and the browser tells me that it is not recommended to continue.
    I don't know if this is normal or not and what I can do to avoid this.
    Thank you so much

  40. You can continue in this case. Since you are using a temporary certificate which was locally created it might be possible that it won’t be valid. In practical scenarios the certificates are provided by authorized companies.

  41. @Wade – You don't have to change server.xml in my opinion. The application is secured once you specify the appropriate properties in the web.xml of that particular application. You have to do the same thing for all the applications.

  42. This is great for a single webapp, but what if you want to serve multiple secure sites on one server? This is my current predicament; any help would be greatly appreciated.

  43. Running Tomcat 5.5.20 on XP SP2 I had to ensure I escaped the backslash characters in the path to the keystore file, e.g. "C:\\temp\\tomcattest.bin"

  44. I don't want to secure all the websites under the Tomcat server, only a few; the others are not secure. The question is how do I set up for multiple sites (I believe I assign multiple IP addresses to the same server) and then, using server.xml, how do I secure separate sites with different keystore files (I believe I set up multiple services, each with its own connector that defines the address and the keystore). Any further help would be appreciated, like entries in the hosts file or hidden things like that. Thank you.

  45. My two cents in order to create a more robust certificate using keytool.

    The answer to "What is your first and last name?" should be the fully qualified domain name (FQDN) for your web server (i.e. myserver.domain.com). You will get a certificate name check warning if this is not an exact match. At the summary it is referred to as the CN (Common Name). I also suggest using the FQDN as the "-alias" parameter.

    Question: Should I store DSA & RSA keys in my "keystore" in order to increase the security and validity of my website?

  46. Vagkavan is a genius! Like many people above, I had everything set up according to the tutorial but the browser would not connect to my site via https. No error messages, no nothing. I had been working on this problem for days until I came across Vagkavan’s suggestion that I remove tcnative-1.dll from tomcat/bin. Worked like a charm! I’m using Tomcat 5.5.

  47. I have implemented the steps above, created the keystore/keypass, placed it into the webapps directory, uncommented the SSL in server.xml, and added the code to web.xml as stated.
    I am successfully connecting over port 8443 and the unsecured port 80 as well.
    I tried to comment out the HTTP 1.1 code, and this caused the https pages to throw HTTP Error 500.

    How can I implement SSL/HTTPS and disable the HTTP connection? What am I missing?

  48. Hi Nitin,
    Your tutorial is excellent. Even though I'm not a Java guy, I was able to set my application in SSL mode on the first try. It worked well on the Tomcat 5 & JDK 1.5 combination.

    I appreciate you for this wonderful tutorial. Keep going.

    Thanks,
    Jabesh

  49. Hi, very good explanation; however I haven't been able to run under https. The thing is that the browser keeps loading and never finishes, in both cases, when I call "https://localhost:8443/" or my application. It's made in NetBeans 6.01; I have Tomcat 6 and Java 1.5 with the last update.

    I've checked every step.

    Sorry for the bother!

  50. Absolutely outstanding tutorial! Concise and easy to implement! We converted our site to use SSL with our official certificate in less than 20 minutes using this approach. I have seen no other reference on the web with even remotely this level of clarity. Thank you.

  51. Hi Nitin,

    Your post is really helpful but I am facing a problem beyond this. I have to host two domains on a single server, same IP address, SSL port 443. I am unable to generate a second keystore for the second domain. I already have the certificate from Verisign.
    Can I request your help?
    Thanks

  52. Hi all,
    thanks for publishing this document. This helped me a lot. By the way, people who didn't get a result still, try on an older version of IE.

    Hope it will work.

  53. Yes, it's a good document, but my URL does not switch from http to https
    automatically. I have changed server.xml
    and in web.xml I am using CONFIDENTIAL.

    If one time the URL comes on https then it goes to http automatically.

    Please resolve my problem..

  54. If anybody is using Firefox3 and receives the error
    “Peer’s certificate has an invalid signature.
    (Error code: sec_error_bad_signature)” recreate the
    certificate adding “-keyalg RSA” into the keytool command.

  55. Thanks, it's very useful to me, but I have a problem. Can you help me to fix it?

    I can make a method execute with the https protocol, but after doing that, I also have a method that I do not want to execute over https, but it also uses the https protocol to execute. What should I do?

    can you send a mail to me : andy.deqiang@gmail.com

    thanks

  56. Hi, by this example my login page comes on https. How do I switch to http? If anyone has an example then send it to my mail id: aksrivastava82@gmail.com

  57. @Sudeep Please change
    keystoreFile="../webapps/tomcattest.bin"
    to
    keystoreFile="webapps/tomcattest.bin"

    in server.xml. If you have followed all the steps described by Nitin carefully, it should work now.
    Between, I am also using Tomcat 5.5 & jdk1.5.

  58. Hi Techies,
    I followed the above steps in achieving SSL with Tomcat,
    but I am getting the “page cannot be displayed” error.
    I am using jdk1.6.0 and Tomcat 5.0 and installed these in the D: drive of my system, not the C: drive.
    If I use https://localhost:8433/ it shows an error called “Internet Explorer cannot display the webpage.”
    I followed the above steps only.
    Can anybody solve my problem? It is very urgent, please.

    Regards
    Gururaja

  59. Hi Techies,
    I followed the above steps in achieving SSL with Tomcat,
    but I am getting the “page cannot be displayed” error.
    I am using jdk1.6.0 and Tomcat 5.0 and installed these in the D: drive of my system, not the C: drive.
    If I use https://localhost:8443/ it shows an error called “Internet Explorer cannot display the webpage.”
    I followed the above steps only.
    Can anybody solve my problem? It is very urgent, please.

    Regards
    Gururaja

  60. Hi Nitin,

    I am trying to set up mutual authentication using SSL, and am using the JKS storetype for the server and client keystores. My client is a Java class using SSL sockets.

    I am getting the following error when I post the request
    [java] Caused by: java.net.SocketException: Software caused connection abort: recv failed
    [java] at java.net.SocketInputStream.socketRead0(Native Method)
    [java] at java.net.SocketInputStream.read(SocketInputStream.java:129)
    ….
    ….

    The post given below asks to use pkcs12 type.
    http://bytes.com/groups/java/18519-software-caused-connection-abort-recv-failed

    But PKCS12 does not get support from keytool, and as such Apache Tomcat is blowing up when I switch to PKCS12.

    It will be great if you can throw some light on this.

    regards,
    Satish

  61. Hi Nitin
    First of all thanks a lot for the wonderful post. I got “page cannot be displayed” all the time. But luckily yesterday I got it right.
    I made two changes:
    1. keystoreFile="/webapps/.....
    2. Give the first name as your hostname.
    3. Open http://“hostname”:8443/
    For the hostname go to the command prompt and type “hostname”
    Thanks

  62. Nitin

    Many thanks for this post. Very helpful; ran into a few snags but got it working.

    My first problem was that my Tomcat 6 service would not start manually from Windows services panel. I found that the quickest solution was to reinstall Tomcat

    Next, using port 8443 I got no response from the server. So instead I used port 443 which worked just fine.

    Here is the change to server.xml

    Notice, I had to use a forward as the leading path.

    Now, when I start Tomcat from within my Eclipse IDE, it could not find the keystore file. I had to copy it again to the Eclipse workspace folder for my projects. In my case, it was

    C:\source\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\webapps

    Hope this helps others.

    Good luck to others and thanks for your post.

    Regards
    Franco

  63. Hi Nitin ,
    This information is very useful for everyone,
    and it helps me a lot.

    I also want to share some knowledge: if anyone has any doubt regarding web services in Java, he can mail me at call.sudeep@gmail.com.

  64. Well, very nice. It's working fine too.
    Now please help me with clientAuth="true". I want to set client authentication to true.

    So please tell me the steps.

  65. Hi All

    I am facing a problem with the certificate I have just created. When I call https://localhost/ it shows busy on the browser and displays nothing; however http://localhost/ works fine. Also there are some warnings in the load of Tomcat:

    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘minSpareThreads’ to ’25’ did not find a matching property.
    Feb 16, 2009 3:28:34 PM org.apache.catalina.startup.SetAllPropertiesRule begin
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘maxSpareThreads’ to ’75’ did not find a matching property.
    Feb 16, 2009 3:28:34 PM org.apache.catalina.startup.SetAllPropertiesRule begin
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘debug’ to ‘0’ did not find a matching property.
    Feb 16, 2009 3:28:34 PM org.apache.catalina.startup.SetAllPropertiesRule begin
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘clientAuth’ to ‘true’ did not find a matching property.
    Feb 16, 2009 3:28:34 PM org.apache.catalina.startup.SetAllPropertiesRule begin
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘keystoreFile’ to ‘webapps/my.keystore’ did not find a matching property.
    Feb 16, 2009 3:28:34 PM org.apache.catalina.startup.SetAllPropertiesRule begin
    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘keystorePass’ to ‘topsecret’ did not find a matching property.

    Can anybody just help me out, as I have been stuck on it for the last two days.

    Any help would be greatly appreciated.

    Regards

    Ajay Kumar

  66. Hi All

    I found the solution for Tomcat 6.

    You have to provide the settings for the connector as

    like below:

    and

    This setting is specific to Tomcat 6.

    Regards

    Ajay Kumar

  67. I followed the above tutorial and it works fine.
    I have generated the keystore server.jks using OpenSSL. Could you please suggest how I can configure this in Tomcat?

  68. Hi, I am using Tomcat 5 and JDK 1.5. I followed the steps you mentioned very carefully, but it is showing Failed to Connect.
    I do not know where I should look for this. Please help me,
    thanks

  69. protocol="HTTP/1.1" SSLEnabled="true"
    should be there, otherwise it is not working in my setup
    (Tomcat 6 and jdk1.5).

    Thanks for the help. It is really cool and very helpful.

  70. OK,
    thank you Ravi.
    So afterwards I shifted to jdk1.6.0 and Tomcat 6.0. Below is my server.xml file; it would be great if you could look into it and find out where I am missing the right things.

    thank you very much

  72. Sarbajeet – your error occurred because you (like me) copied and pasted from the blog. The quotes are using the curly quotes instead of the standard quotes like “these”. The XML parser can’t handle that

  73. Hi, I'm using Tomcat. When I boot with the root user it works fine, but when I boot Tomcat with another user it doesn't. Can anybody help me?

  74. Hi everyone, and thanks for the tutorial... very clear and simple, but still not working for me.

    https://localhost:8443 keeps running, no response from the server.

    I have no clue where it could come from.

    I am running Tomcat 6.0 from Eclipse.
    I have JDK 1.6.

    http://localhost:8080 works fine but not https on 8443.

  75. I configured the keystore file and password in the server.xml, but I am getting an error message while starting the server.

    Displayed in the console:
    WARNING: Reinitializing ServerSocket
    May 12, 2009 4:13:04 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
    SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

    Can anyone help me to fix this issue?
    Thanks in advance

  76. Nice Work here!

    I generated my CSR with an -alias of “server” not “tomcat”. Is this a problem for implementing Tomcat with SSL?

  77. Very nice... I can finally test SSL on my local server without having to download temp certificates from cert authorities.

    Great write-up and easy to follow. A couple of things that worked for me:
    1) I had to use keystoreFile="${catalina.home}/webapps/myFile.bin" to get it to find the bin file
    2) After installing the certificate in Firefox it still did not work; restarting Firefox corrected this

    Excellent tutorial – thank you.

  78. You missed something in the server.xml. I am one of those guys that is already getting frustrated about why I get the "page cannot be found" error.

    SSLEnabled="true"

    I'm using Tomcat version 6.0.18.
    This made my jdk 5.5 and 6.0.13 version work.

  80. Tomcat CSR(Certificate Signing Request)
    and SSL Certificate Installation
    Step 1:
    Create a new folder c:\tomcat-ssl, open command prompt (via Start-Run and type in “cmd”) then type in cd \tomcat-ssl
    Step 2:
    Generate a keystore and keyentry (= Private Key) using the command:
    c:\tomcat-ssl>keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore
    Enter keystore password: changeit
    What is your first and last name?
    [Unknown]: localhost
    What is the name of your organizational unit?
    [Unknown]: Java courses.com
    What is the name of your organization?
    [Unknown]: Itonjava
    What is the name of your City or Locality?
    [Unknown]: Hyderabad
    what is the name of your State or Province?
    [Unknown]: Andhra Pradesh
    What is the two-letter country code for this unit?
    [Unknown]: IN
    Is CN= localhost, OU= Java courses.com, O= Itonjava, L= Hyderabad, ST= Andhra Pradesh, C= IN correct?
    [No]: yes
    Enter key password for
    (RETURN if same as keystore password) Just press enter here…
    After pressing enter key keystore file(.keystore in this example) is created in
    C:\tomcat-ssl directory.
    [NOTE: 1)Please specify the same password for the keystore and the keyEntry or else you will receive the following error message when you restart the Jakarta engine: java.security.UnrecoverableKeyException: Cannot recover key
    2) Please run: keytool -list -keystore [keystorename] to make sure you can read the keystore file.
    Enter keystore password: changeit
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    tomcat, Jun 12, 2009, PrivateKeyEntry,
    Certificate fingerprint (MD5): 23:EA:41:97:0D:EB:DA:B9:46:6F:BC:B4:86:61:D0:39
    The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.
    3) The default name, for the keystore is .keystore, if none was provided.]
    Step 3: Generate a CSR using the command
    C:\tomcat-ssl>keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr
    -keystore .keystore
    Enter keystore password: changeit
    The CSR will be saved to your c:\tomcat-ssl directory:

    —–BEGIN NEW CERTIFICATE REQUEST—–
    Xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    —–END NEW CERTIFICATE REQUEST—–
    Step 4:
    Send the CSR file to your certificate authority (CA). In our case we have used VeriSign as the CA.
    Step 5:
    When you receive the certificates (CA certificate, SSL certificate), save the VeriSign-signed certificates in notepad files named "intermediateCA.cer" and "ssl.cer", for example.
    Step 6:
    Import the Certificate into the keystore using the following commands:
    a) C:\tomcat-ssl>keytool -import -alias intermediateCA -keystore .keystore -trustcacerts -file intermediateCA.cer
    Enter keystore password: changeit
    Certificate was added to keystore
    b) C:\tomcat-ssl>keytool -import -alias ssl -keystore .keystore -trustcacerts -file
    ssl.cer
    Enter keystore password: changeit
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    Step 7:
    Copy the tomcat-ssl folder and paste it in the webapps folder of Apache Tomcat 5.5.
    Edit the Tomcat configuration file by opening the conf folder -> server.xml file

    Stop and start the Tomcat web server for the changes to take effect.
    Finally, to test, open a web browser and type https://localhost:8443
    Step 8:
    To redirect from http to https, copy the following into
    Tomcat->webapps->Root->web-inf->web.xml

    Automatic SSL Forwarding
    /*

    CONFIDENTIAL

    By using the above it works fine. What I want is to generate a certificate using OpenSSL. Can anybody help me?

  81. Hi,
    thanks for your post, it helps me so much... 🙂

    Can I ask you to help me with login and authentication in the Tomcat 6 web server? Please help me, I have a problem in the j_security_check action... 🙁

    my email is: henahier1365@yahoo.com

  82. How do I enable SSL for one of the folders under my website, which is hosted in JBoss?

    Root.war contains the website
    and it contains a folder called "secure".
    I want to serve all files under the secure folder using SSL
    and the rest with normal http.

    any input will be appreciated

    thanks in advance

  83. Hi friends,
    I need code to implement OpenSSL for a web application, so could anybody please help me on this issue as early as possible?

  84. I followed the steps and got the website secured with OpenSSL v3 in the development/test environment. In production, where we have deployed a VeriSign certificate, vulnerability and penetration testing with NESSUS 4 shows that the site has a risk due to weak ciphers and SSLv2 being enabled. The server.xml settings are:
    />

    By the way we are using Tomcat 6.0 web server
    Any clue ? Thanks

  85. Ah, if it was only that easy... I have been working on this for several hours, hoping it does not turn into several days as these things sometimes do. Whenever I enter the keytool command and get prompted for the parameters, it just hangs at this point. I cannot see any file generated, nor have I found any .keystore files. Do you have any idea where I might look for the issue? Any help is much appreciated.
    Thanks.

  86. Hi,
    All the docs/articles I have found on this subject say to enter the keytool command with a -genkey flag, this article included. After repeatedly trying this unsuccessfully, I did a keytool -help and did not see the genkey option. I did see a -genkeypair option, which I used, and it seemed to generate the .bin file. I have not tried the remaining steps but I am wondering if this is correct. As in my other post, doing just a genkey on my system gets through all the prompts but never creates the .bin file and just hangs. The genkeypair option created the file. I am using Java version 1.6. I was hoping you could shed some light on this. Thanks in advance.

  87. Hi Phil.
    The way I handled it was the following:
    I typed in my cmd prompt:
    keytool -genkey -alias tomcat -keyalg RSA
    Then answered all the questions. The last prompt suggests hitting the "return" key if the password is the same. Just to be safe, enter it again.
    Then (assuming you are using Tomcat) add the following lines to the "connector" part of your server.xml:
    keystoreFile="${user.home}/.keystore"
    keystorePass="yourpassword"
    By default the .keystore file is generated in your home directory, for example:
    C:\Documents and Settings\phil
    The name of the file is ".keystore". See if it works.

  88. Hi NG
    I had issued this command:
    keytool -genkeypair -alias tomcat -keypass changeit -keystore tomcat.bin -storepass changeit

    This command completed successfully and created a tomcat.bin keystore file that I validated by doing a keytool -list, and it seemed to respond that it was a valid keystore.
    I am curious about why genkey does not work for me, or even exist as an option when I do a -help, but -genkeypair seems to work and I see no other articles talking about this.
    Either way I have found the information here very useful and thank you for it

  89. Hi,
    Thank you very much for the useful instructions. I tested something: if you change "CONFIDENTIAL" to "NONE" then you can apply the SSL protocol to every page you need. I am not quite sure, but I just tried it.

  90. RE: Madhuri

    I’m using Tomcat 6

    You might want to try the absolute path keystoreFile="webapps/?.bin" instead of the relative one.

    BTW, is there a debug mode for SSL, and if there is, how can I turn it on so that I can tell what's wrong with my SSL setup easily?

  91. Thanks for the information. It was easier to understand than the original documentation presented on the site.

    Thanks again

  92. Much simpler and more straightforward than Apache’s version

    Some observations:

    – used webapps/*.bin instead of ../webapps/*.bin
    – added protocol="HTTP/1.1" to the Connector tag

    Thanks bro…you just ended my long wait for good sleep

  93. Hello ,

    I installed OpenSSL with Apache, but I am getting a security alert when I am trying to open the website with https. Can anybody guide me on how to disable this pop-up?

  94. Who signed the certificate?
    Check inside your browser’s settings to see if the CA that signed the certificate is in the trusted root certification authorities.

  95. Thank you for the information. I did everything as you wrote, but got this error:

    You tried to access the address http://localhost:8084/Portal/, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.

    What is wrong?
    Could you suggest something?

  96. Thank you for your help on http to https, but I am facing one small problem.
    My HTML does not display any content when redirected as https.

  97. Hello,

    First of all, thank you for the wonderful document. But when I followed all the steps, I am getting the message:

    Failed to Connect
    Firefox can’t establish a connection to the server at localhost.

    I tried all the paths mentioned above, but it failed to connect.
    Could anyone suggest something?

    Thanks.

  98. I have followed the above steps to configure https,

    but I am not able to upload a file over https, while the same works over http.

  99. Pai,

    You are so great; indeed you made my evening.
    Great tutorial, very precise and straight to the point.

    Thanks so much.

    Just one problem I encountered is on the ,
    I am using Apache Tomcat 4.0 and when I tried to specify I got some error that it is not allowed; Apache complained that

  100. Hi there,
    I want to implement SSL in Grails. I cannot find the file /conf/server.xml in the Grails folder structure. Has any dev faced a similar problem?

    Much appreciated.

  101. Hi,

    I have followed the steps above, but after that I cannot start the Tomcat service anymore. I'm using jdk1.5 and Tomcat 5.0.16 (Windows server). Whenever I put the following in the server.xml file, I get an error starting the Tomcat service:

    keystoreFile="D:\Tomcat_3\webapps\techtracer.bin"
    keystorePass="changeit"

    I haven't updated the web.xml yet, because I haven't successfully started the Tomcat service and haven't tested the http and https connections. Please give me advice on this; our next release is coming soon and they need all of this set. Also, I would like to ask if the certificate really needs to be imported into the keystore file, because it is not included in the above steps.

    Thank you so much in advance!

    Sincerely,
    Jocelyn

  102. The 3 easy steps documented above are clear as a bell and I’d love to say they worked for me, but they didn’t. I got error messages during Tomcat 6 startup, indicating that several matching properties could not be found (clientAuth, keystoreFile, etc).

    Ajay Kumar above posted that very problem. He also posted a solution, but the text of the solution was missing from his post! If he’s out there, and can repost the solution that would be great. Or if somebody else knows and can post it I would appreciate it. Thanks.

  103. I think I may have solved my problem. I looked more carefully at this post: http://www.mail-archive.com/users@tomcat.apache.org/msg41367.html, in which the contributor says he changed the protocol keyword. He changed its value from “HTTP/1.1” to “org.apache.tomcat.util.net.NioSelectorPool”, and that’s what I tried. Now when I attempt to connect to “https://localhost:8443” I get a warning about the certificate (which is correct as I understand it), and then I continue to the local Apache Tomcat web page.

    Does anybody know why the protocol value “HTTP 1.1” doesn’t work? The above post didn’t specifically say to use that value (or any value), but that’s the default value in the commented Tomcat 6 server.xml code, and it is also recommended in Murach’s Java Servlets and JSP.

  104. I had a few problems configuring HTTPS on Tomcat 6 on Windows and finally I managed to get things working, essentially with only a few minor changes to the configuration described here. Here is my config. The differences lie in the path to the keystoreFile (it had to be relative to TOMCAT_HOME), and adding the SSLEnabled="true" attribute really made a difference. Good luck to all.

  105. I have tried as you explained; after correcting Tomcat's server.xml, I am not getting the Tomcat flash screen in SSL mode.

  106. I was having issues getting SSL to run: port 8080 would return the site just fine, but not HTTPS on 443 or 8443 (depending on whether I changed it, of course).

    The following tweaks resolved it for me.
    protocol="HTTP/1.1"
    SSLEnabled="true"

    Finally, in my webapps folder where my webapp was, there is a cfg directory; evidently Tomcat 6 will overwrite the server.xml file with anything in the webapps\cfg directory. I simply deleted the 2 files I had in there, and after a service restart everything was working with no errors in the catalina.log file.

    Hope it helps

  107. If you get this error:
    com.sun.org.apache.xerces.internal.impl.io.MalformedByteSequenceException: Invalid byte 1 of 1-byte UTF-8 sequence.

    Check the quotes!

    When you copy paste:
    keystoreFile=”../webapps/techtracer.bin”
    keystorePass=”ttadmin”

    from this webpage to your server.xml, it will paste non-standard double quotes which will throw off the tomcat XML parser.

  108. With Tomcat 6.0.24 no matter what I do, I get the error: ssl_error_rx_record_too_long

    When I switch the Tomcat 5.5.29, everything works once I delete tcnative-1.dll from tomcat/bin

  109. In Tomcat 6.0.24, I had to set the protocol attribute as follows:
    Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"

    In Tomcat 5.5.29, I did not have to set the protocol – in fact it gave a ClassNotFoundError if I set the protocol!

  110. Note that if you do not set the protocol attribute in Tomcat 6.0.24 (as shown above) you may get a series of errors saying that it could not set a bunch of properties, including keystoreFile and keystorePass – so watch out for that!

  111. OMG! Java is _always_ messy in its configuration options. Mahesh Lavannis, you just saved me with that piece of info. I'm on Apache Tomcat/5.5.29 and I got the infamous "error: ssl_error_rx_record_too_long" error no matter what I did. Finally changing the protocol to protocol="org.apache.coyote.http11.Http11Protocol" helped. I did not get a classnotfound error either. Thanks a bunch! I wish they would make things easier to use.

  112. Tried all your steps as per the doc... but no luck. 8443 does not respond. 8080 is OK. How and where do we import the certificate, like in IIS?
    Please explain step by step.

  113. Thank you! Thank you!!

    Running Standalone Apache Tomcat 6.0 on Windows 2003. Using GlobalSign.

    https:// was working but so was http://

    Both brought up the page.

    Your instructions were the last piece of the puzzle.

    The steps were very clear.

    My website is now https://

    Much appreciation

  114. Thank you nitinpai, it's clear and loud. It's nice to have people like you in the Java community & thanks India 😉

  115. Thanks Nitin Pai

    1. I configured what was explained above; nothing worked until I disabled the connector on port 80/8080 in server.xml and restarted Tomcat, and then it worked.

    After that, I opened the connector port 80/8080 in server.xml again and both http and https work well.

    I also use the full path for the directory where the key is stored ("/u01/aplication/tomcat6/webapps/techtacer.bin"), not only ("../webapps/techtacer.bin").

    2. As a hint, you can try different web browsers (IE, Firefox, Chrome, etc.).

    3. I'm running on Tomcat 6 and Java 5.

  116. I did the steps below to configure SSL on Tomcat 6.0.16 with JDK 1.5

    1 – Created a JKS (.keystore file) using the Java keytool.
    This file will be placed in C:\Documents and Settings\user_name
    2 – Configured Tomcat to use the SSL connector, i.e. added the lines below in ${catalina_home}\conf\server.xml

    3 – Added the lines below in ${catalina_home}\conf\web.xml.
    Alternatively, we can add these lines in the application's web.xml also. It's like a global variable vs. a local variable.

    myapp
    /myapp/login
    session
    /myapp/session

    CONFIDENTIAL

    4 – I am able to see Tomcat's index.html on https://localhost:8443. This means SSL is configured properly.

    5 – Now what I expect is, when I access the URL http://localhost:8080/myapp/login it should redirect to https://localhost:8443/myapp/login

    But this is not happening. In Firefox it gives the error "The browser connected successfully, but the connection was interrupted while transferring information"
    and there are no errors in the server's logs.

    Does anyone know what problem it could be?

  117. Hello – thank you for this information. I have my tomcat server (5.5) all setup for SSL and it works perfectly using:
    https://localhost:8443

    If I use
    http://localhost:8080

    It redirects to https just as it should. But my issue is that the user can use

    http://localhost:8443

    And still hit my page in certain situations without the https. If anyone knows how to disable this I would be most grateful as my work place is requiring it. Have searched all over!

  118. A note to those using JDK 6; the usage of `genkey` in this article has been replaced by `genkeypair`. On JDK 6 the command would be:
    keytool -genkeypair -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin

  119. Great writeup, helped me a lot. Thanks !!
    Is there a way by which I can configure only the login page as https and the others as http?

  120. Thank you so much Nitin, it worked for me.
    In production I need to configure SSL Under Apache server. Appreciate if you publish steps for the same

  121. I followed the steps mentioned in this article; whenever I try to run it, it says

    "The connection was interrupted". What is the problem?

  122. Thanks a lot; this tutorial gives an idea of how to make https. Kindly give more ideas on core Java and J2EE. Thanks.
    Bye, Sajeev

  123. Steps to convert HTTP to HTTPS:
    1. To generate the key pair and password:
    JDK_Home\bin>keytool -genkeypair -alias Tomcat -keyalg RSA
    Provide some preliminary details and give the password as "changeit" (the password can be anything).
    2. Edit the file:
    TOMCAT_HOME\server.xml

    Note: keystorePass = "changeit" (here the password should be the same as the password provided in Step 1).

  124. I fixed ssl_error_rx_record_too_long. I still configured and generated the key, but if you install Tomcat 6, the bin directory will have tc-native.dll. Therefore Tomcat uses APR. It's simple to fix: delete tc-native.dll. If you still want to use APR, you should use the OpenSSL style configuration described in the APR documentation.

  125. Thank you so much Nitin, this was very helpful to me but these steps only laid a path for using ssl internally.

    In production I need to configure SSL Under Apache server. Appreciate if you publish steps for the same

  126. I am kind of tight on cash, but I need the SSL certificate. Is there a way you could help me find a way to receive it for free(if it is not illegal)? Thanks

  127. I am still getting the problem
    "The page cannot be displayed"
    while using https instead of http.

  128. Hi, it looks like a nice guideline, but it isn't working on my machine.
    After configuring, the Tomcat service is unable to start (no sufficient error message to understand the problem).
    Please help me out.

  129. Great article.
    Thanks for this article.
    Please can you publish how to enable SSL with OC4J for a production environment.

  130. Thanks for the good guidance. Procedure is very clear and straightforward. Recommended.

  131. Secure Connection Failed

    An error occurred during a connection to localhost:8443.

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    The page you are trying to view cannot be shown because the
    authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.
    Alternatively, use the command found in the help menu to report this
    broken site.

    This is the error I got when I typed https://localhost:8443. What would
    be the problem?

  132. Hi,

    I am expecting sample12.keystore file When I run the below command from java_home/bin. But it is not generating keystore file.

    keytool -genkey -alias innovista -keypass webadmin -keystore sample12 -storepass webadmin

    thanks

  133. Hi Nitin,
    Thanks for your crisp article!! It works like a charm. Even with Tomcat 5.5 , this one worked smoothly.

    Thanks,
    Anirban.

  134. I get a servlet jsp not found error after I made changes in the web.xml of the service that I have deployed in my tomcat. Where am I going wrong?

  135. I have both my tomcat with http and https working even after I make the changes mentioned. I have added all the snippets you mentioned in the server.xml as well as the web.xml in the service that I have deployed in my tomcat. Please let me know what I can do.

  136. Hi, the material is very useful, but I am facing this problem when I try to access it from the machine.
    My machine is located on a Finland server; I am accessing the same machine by VPN.

    After the above configuration, on the Firefox 5 browser it gives the following error. What may be the problem? I tried lots of options as on the net, but no luck.

    http://myserver:8181/spspdev_07_09?pltfm=arusko
    If I do the same over HTTPS

    https://myserver:8181/spspdev_07_09?pltfm=arusko
    the following is the error:

    SSL received a record that exceeded the maximum permissible length.

    (Error code: ssl_error_rx_record_too_long)

    Please help

  137. Hi Nitin,

    Running the above command in the command prompt, the .bin file is not getting created. Is there any other way to create it? Please suggest something for this.

  138. Great article.

    Two problems I ran into:
    1) Needed to run the command prompt in administrative mode to create the keystore file.
    2) In server.xml I needed to change the relative path of the keystoreFile to “webapps/keystorefilename” instead of “../webapps/keystorefilename”

  139. It’s ALMOST working:

    When the server starts I see several warnings like this…

    WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property ‘minSpareThreads’ to ’75’ did not find a matching property.

    Then I see what looks to be good…

    INFO: Initializing Coyote HTTP/1.1 on http-8443

    … and finally…

    INFO: Server startup in 1213 ms

    But when I do…

    https://localhost:8443/

    I get an error/empty page.

    It seems like SSLEnabled=”true” ought to be in there somewhere in the server.xml statement

  140. I had the same error (ssl_error_rx_record_too_long) as many and this configuration worked for me with JDK 1.6 and Tomcat 6:

    Thanks for the great howto by the way.

  141. After applying the above steps, I am not able to access SSL. I am getting the below error on my local machine.

    SSL connection error

    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.

  142. Please let me offer one small refinement. The keystore utility is optimized for creating a keystore for a human, that is why it prompts you for a first and last name. When creating a keystore for Tomcat, a web container, I recommend that you specify the fully qualified host name when prompted for the first and last name. Many HTTP clients (even some browsers) will report an error if the CN (common name) returned does not match the fully qualified host name that was the target of the HTTP request.
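    The name check described in the comment above, as an added example that is not part of the original post: a simplified version of the RFC 6125 rules a strict TLS client applies when deciding whether a server certificate matches the requested host (subjectAltName dNSName entries take precedence over the subject CN; a wildcard is honoured only as the whole leftmost label). The `ServerCert` class and the sample values are constructed stand-ins for the identity fields of a real certificate.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Constructed stand-in for the identity fields of an X.509 certificate.

    common_name is what keytool stores from the "first and last name" prompt;
    san_dns holds the subjectAltName dNSName entries, if any.
    """
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one presented name against the requested host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False  # no wildcard, and the literal names differ
    rest = pattern[2:]
    labels = host.split(".")
    # The wildcard may stand in for exactly one label, and at least two
    # literal labels must remain (so "*.com" never matches "example.com").
    return len(labels) >= 3 and ".".join(labels[1:]) == rest and "*" not in rest


def hostname_matches(cert: ServerCert, requested_host: str) -> bool:
    """Return True if a strict client would accept cert for requested_host."""
    if cert.san_dns:
        # Once SAN entries are present the CN is ignored entirely.
        return any(_name_matches(n, requested_host) for n in cert.san_dns)
    return _name_matches(cert.common_name, requested_host)


if __name__ == "__main__":
    # A human name typed at the keytool prompt never matches a host name.
    print(hostname_matches(ServerCert("John Doe"), "tomcat.example.com"))       # False
    print(hostname_matches(ServerCert("tomcat.example.com"), "tomcat.example.com"))  # True
```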

  143. Follow-up on my post of Aug 16, 2011. It was a work thing with me. When I did it at home, it worked fine. http://localhost:8443 brought up the apache Tomcat page as it should have. We have a LOT of “protections” on our work PCs.

  144. Hi ,

    I have done the above mentioned steps. My doubt is: I have created a web service in Axis2 and deployed it successfully in Tomcat 6. Now I want this web service to be accessed over https so that I get encrypted data for fields like password. Since I have created a Java project, not a web project, there is no web.xml file. How can I configure those security tags so that only https works?
    Please reply as soon as possible; I need it urgently.

    Thanks
    manish

  145. Hi, I have generated a keystore file whose password was blank.
    Now when I try to change the password and enter the old one I am getting the following output:
    password should be at least 6 characters

  146. Thank you for this article. Can you please provide some information on OpenSSL: does it generate certificates and how can we use it?

  147. Thanks for your post!!! It’s great!
    I follow the Rakshit request: can you write about a production certificate?

  148. I am thankful to you for a simple and enriching post. Moving ahead, can you please help me setting up ssl for a particular application deployed in Tomcat. I have 2 applications deployed in Tomcat. One application requires ssl communication and the other does not. Let me know if this is possible.

  149. I FINALLY got this to work using apache-tomcat-6.0.33 with the following:

    keytool -genkey -alias youralias -keypass xxxxxxx -storepass xxxxxxx -keyalg RSA

    Note: use your own alias instead of youralias and your own password instead of xxxxxxx.

    This creates the default .keystore file in your primary user directory. In my case, this is c:\documents and settings\hurstd\.keystore

    In the server.xml, I simply uncommented the “stock” 8443 section and also added my keystorePass as follows:

    It worked like magic after that. I hope this helps anyone else having trouble.

  150. Something about the BLOG eliminated my 8443 lines from the server.xml file. I’ll try them again by removing the greater than and less than signs from the ends. Just remember to put them back if you copy and paste.

    Connector port=”8443″ protocol=”HTTP/1.1″ SSLEnabled=”true”
    maxThreads=”150″ scheme=”https” secure=”true”
    clientAuth=”false” sslProtocol=”TLS” keystorePass=”hhraweb”/

  151. I can set up the https as described, but the request payload

    can still be seen without any encryption. Did I miss something?

  152. OrNot, So your web site comes up using 8443? Are you trying to communicate with your site via a web service or something? If so, you’re going to have to get into the certificate business. I’ve not done that yet, but there are instructions on the apache Tomcat web site. You’ll have to generate a Certificate.

    I will try to get it working on mine and post something.

  153. hi Nitin,

    Very useful piece of information.

    Please add the steps to create the Root Certificate also. Then it will be very useful.

    But thank you so much for this information. It was so easy that I could do it in an hour.

    Thanks.

  154. SSL connection error
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don’t have.
    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

    I am getting this error, please help. I followed all the steps.

  155. Hi nitin,
    Really good article. It’s neat and simple. But I am getting null values when I get the parameter values in the servlet through HttpRequest. I am not able to proceed with the application. Everything is fine except this.
    Please help ASAP..

    Thanks a lot…

  156. This is a very good article. It helped me configure https to make the application secure.

    Thanks a lot….

  157. Hi, while going through step 1 I am getting a keytool error:
    java.io.FileNotFoundException (Access denied).

  158. My environment is:
    Java: C:\Program Files\Java\jdk1.6.0\bin
    Tomcat: D:\Apache Software Foundation\Tomcat 6.0
    Generating the KeyStore file
    C:\Program Files\Java\jdk1.6.0\bin
    keytool -genkey -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin
    Configured Tomcat for using the Keystore file
    1. My http port no :

    2. Put the techtracer.bin file in the webapps directory of Tomcat
    3. Configured Https Port

    I started the server with http://localhost:8080
    It’s working fine
    But it is not working with https://localhost:8443

  159. step-1:
    I have created a war file of my project; the web.xml entry is

    Ganesha

    index.html
    index.htm
    index.jsp
    default.html
    default.htm
    default.jsp

    securedapp
    /*

    CONFIDENTIAL

    step-2:
    I have generated the key using
    keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet
    and put this file in C:\server.keystore

    step-3:
    server.xml entry is

    step-4:
    I deploy my war file in Tomcat
    and start the server.
    When I click on my project in the Tomcat manager
    my project URL is: https://localhost:8443/Ganesha/
    but the browser says:
    This webpage is not available
    The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a new web address.
    Here are some suggestions:
    Reload this web page later.
    Error 7 (net::ERR_TIMED_OUT): The operation timed out

  160. I have created a war file of my project; the web.xml entry is

    Ganesha

    index.html
    index.htm
    index.jsp
    default.html
    default.htm
    default.jsp

    securedapp
    /*

    CONFIDENTIAL

    I have generated the key using
    keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet
    and put this file in C:\server.keystore

    server.xml entry is

    I deploy my war file in Tomcat
    and start the server.
    When I click on my project in the Tomcat manager
    my project URL is: https://localhost:8443/Ganesha/
    but the browser says:
    This webpage is not available
    The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a new web address.
    Here are some suggestions:
    Reload this web page later.
    Error 7 (net::ERR_TIMED_OUT): The operation timed ou

  161. Hi, when I tried these steps they didn’t work for me, and plus no Tomcat on localhost:8080 is giving unable to connect too. Any ideas??

  162. Hi, when I tried these steps they didn’t work for me, and plus now Tomcat on localhost:8080 is giving unable to connect too. Any ideas??

  163. If you get a “webpage cannot be displayed” error,

    comment out/delete the following line from the server.xml and restart Tomcat.

    Works for me now.

  164. The line to delete is ………

    Listener className=”org.apache.catalina.core.AprLifecycleListener” SSLEngine=”on”
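    The two fixes reported above, the missing SSLEnabled="true" from comment 139 and the APR listener from comments 163 and 164, come together in the connector below (an added example, not from the original post). Naming the JSSE protocol class explicitly stops Tomcat 6/7 from auto-selecting the APR connector when that listener is present, since the APR connector ignores keystoreFile and expects SSLCertificateFile instead; the keystore path and password are placeholders.

```xml
<!-- Leaving this listener in place is harmless once the protocol class
     below is pinned to the JSSE implementation. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- HTTPS connector. SSLEnabled="true" is what makes the port speak TLS;
     without it the connector answers plain HTTP on 8443 and browsers report
     ssl_error_rx_record_too_long. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/your.keystore"
           keystorePass="CHANGE_ME_placeholder" />
```

    A relative keystoreFile is resolved against catalina.base, which is why comment 138 needed webapps/... rather than ../webapps/...; since keystorePass sits in clear text in server.xml, keep the file readable only by the account Tomcat runs as.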

  165. No matter what (and I followed each & every comment as well) Tomcat will load OK (as per the log file):

    INFO: Starting Coyote HTTP/1.1 on http-8080
    Sep 11, 2012 3:20:51 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8443
    Sep 11, 2012 3:20:51 PM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:8009
    Sep 11, 2012 3:20:51 PM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/15 config=null
    Sep 11, 2012 3:20:51 PM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 2545 ms

    but it is not accessible on 8443 (even though the port is actually open & listening)

  166. Hi Pai,

    Thanks a lot for this crisp and clear tutorial. It worked like a breeze for me.

    Kind Regards,

    Vishal

  167. Actually, after filling in the details for keytool, like what your organization name is, I got the error message FileNotFoundException. Can anyone clarify this error?

  168. Great tutorial, I have the same setup but I want to know how to import an SSL self-signed certificate (from another LDAP server) into the local truststore of my server (which runs the Tomcat application)..
    Thanks in Advance..

  169. Can I just say what a comfort to find someone who really knows what they
    are discussing on the internet. You definitely understand how to bring a problem to light and make it important.
    More and more people need to look at this
    and understand this side of the story. I was surprised you are
    not more popular given that you most certainly possess the
    gift.

  170. I did these steps but I am not able to connect to my database. I can’t see how these changes would affect my database settings. Any insight on this error.

  171. Fabulous write-up. Its neat as well as straightforward. Nevertheless, I am acquiring null ideals once i obtain the parameter ideals throughout servlet via HttpRequest. I am incapable progress with all the software. Every thing is okay other than that.

  172. I am having trouble setting up SSL with Tomcat 7. We have certs that we want to use but are not sure how to import them. I also tried running the above setup by creating a keystore and Tomcat won’t even start. I am using remote access with a server we made just for this setup. Any ideas?

  174. I am getting following error

    java.lang.IllegalArgumentException: java.io.IOException: Alias name tomcat does not identify a key entry

    can you please help me to solve the issue.

  175. Followed your tutorial steps on Tomcat 7; the server cannot be started by running the startup.bat file.
    By commenting
    the server starts normally and can be accessed at http://localhost:8080/

    Tried disabling the Windows firewall; the server still fails to start when the entry <connector port 8443 is present
