Using Tomcat6 with SSL

This is in progress


Tomcat6 is installable in Ubuntu from the package tomcat6. This is a guide to configuring tomcat to run using a secured port. It has been written for Ubuntu 12.04 server (Precise Pangolin), the latest LTS release.

Fundamentally, there are two ways to do this. The first is to run tomcat as a servlet container which connects to an apache front-end, using the AJP connector. The second is to configure tomcat to provide service on a secure port itself.

Using Tomcat to Provide Servlets to Apache.

For example, installation instructions.

Configuring Tomcat to Securely Serve Content.

As the official SSL Howto for Tomcat makes clear, there are two types of connectors which can be used to have Tomcat respond directly on a secured port: those using the Apache Runtime Library (APR) and those using the Java Secure Socket Extension (JSSE). The default configuration after installing tomcat6 is to use the JSSE connector, which is what is covered in the rest of this section.

For Tomcat to provide a secure connection, the java keystore must contain a private key and certificate which will be used to provide the secure connection.

Setting up private keys and certificates in the keystore.

Since Tomcat is configured in Ubuntu to run as the tomcat6 user, the easiest place to create the keystore is in the default location for the tomcat6 user, that is /home/tomcat6/.keystore.

Creating a self-signed key and certificate

Creating a new key and obtaining a certificate from an authority

Importing existing private keys and certificates

It is not obvious from the keytool manpage how to import existing private keys into a keystore. Fortunately, there is a blog post on how to do this. On Ubuntu, use the following command to first combine the <privateKey> and <certificate>:

sudo openssl pkcs12 -export -in <certificate> -inkey <privateKey> -out <combStore>.p12 -name <keyAlias> -chain -caname <CAname>

where <CAname> is any convenient name for the certificate authority issuing the certificate and <keyAlias> is a convenient alias for this combination which you will use below.

Once combined, use the following command to import the combination of the key and the certificate into the keystore:

sudo keytool -importkeystore -deststorepass <keystorePass> -destkeypass <keyPass> -destkeystore ~tomcat6/.keystore -srckeystore <combStore>.p12 -srcstoretype PKCS12 -srcstorepass <sourceStorePass> -alias <keyAlias>

Configure the connector.

A connector for the secure port will need to be configured in the file /etc/tomcat6/server.xml. If you edit this file, you will find a stanza with the comment "Define a SSL HTTP/1.1 Connector on port 8443" where the Connector element is commented out. Enable this stanza by removing the <!-- ... --> pair, and change the stanza to look like the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystorePass="<keystorePass>" clientAuth="false" sslProtocol="TLS" />
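The following check for the Connector stanza described above is an added example, not part of the original guide or of Tomcat. The function name check_ssl_connector, the sample server.xml text and the password "example-pass" are constructed for illustration. It reports the two mistakes this step invites: leaving the stanza commented out, and leaving the literal <keystorePass> placeholder in place, which makes server.xml malformed.

```python
import sys
import xml.etree.ElementTree as ET

# Attribute values the page's stanza sets on the secure connector.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}

def check_ssl_connector(xml_text, port="8443"):
    """Return a list of problems with the SSL Connector on `port` (empty = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A literal <keystorePass> placeholder left in an attribute lands here.
        return ["server.xml is not well-formed XML: %s" % exc]
    # ElementTree skips XML comments, so a commented-out stanza is not found.
    found = [c for c in root.iter("Connector") if c.get("port") == port]
    if not found:
        return ["no active Connector on port %s; is it still commented out?" % port]
    problems = []
    for conn in found:
        for attr, want in sorted(REQUIRED.items()):
            got = conn.get(attr)
            if (got or "").lower() != want:
                problems.append('%s should be "%s", found %r' % (attr, want, got))
        if not conn.get("keystorePass"):
            problems.append("keystorePass is not set; Tomcat will try its default password")
    return problems

# Constructed sample inputs (not taken from a real host).
TEMPLATE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    %s
  </Service>
</Server>"""
STANZA = ('<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
          'maxThreads="150" scheme="https" secure="true" '
          'keystorePass="%s" clientAuth="false" sslProtocol="TLS" />')
SAMPLES = {
    "commented": TEMPLATE % ("<!-- " + STANZA % "example-pass" + " -->"),
    "enabled": TEMPLATE % (STANZA % "example-pass"),
    "placeholder": TEMPLATE % (STANZA % "<keystorePass>"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. /etc/tomcat6/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            SAMPLES = {sys.argv[1]: fh.read()}
    for name, text in SAMPLES.items():
        print(name, "->", check_ssl_connector(text) or "OK")
```

The check prints only attribute names and the three boolean-style values, never the keystore password.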

Start-up and check.

After these configuration changes, you need to restart the tomcat server with the command sudo service tomcat6 restart. Check the output of the catalina process log to ensure there are no errors with a command like sudo tail -100 /var/log/tomcat6/catalina.out. You will see SEVERE: errors in the log if there are problems with the keystore.

Assuming there are no errors in the log, attempt to access content in one of the hosts you have defined for the Engine by opening a URL in a web browser like https://<hostname>:8443/manager.html, assuming you have the manager application installed and the host is available at <hostname>.

Securing the management applications

See Also

External Links

TomcatSSL (last edited 2012-12-08 04:50:19 by ndoc2)