How to enable HTTPS in Tomcat

In order to configure your Tomcat for HTTPS, you must first generate a server certificate for your web site. To do this, you can use the keytool command, which comes with your JDK or JRE. You’ll need to open a command shell, and your shell will need to know how to find your Java runtime environment properly. To do this on Windows, type the following commands into your command shell if you have a JDK installed:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16

C:\> set PATH=%JAVA_HOME%\bin;%PATH%

or, if you have a JRE, type these commands:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16

C:\> set PATH=%JAVA_HOME%\bin;%PATH%

On Linux, it’s very similar. For the JDK (as root):

# export JAVA_HOME=/usr/java/latest

# export PATH=$JAVA_HOME/bin:$PATH

Make sure you change /usr/java/latest to the root directory path of your JDK. For a JRE, type:

# export JRE_HOME=/usr/java/latest

# export PATH=$JRE_HOME/bin:$PATH

Then, test it by running:

keytool

You should see the keytool command’s help text. If not, you probably have the wrong path to your Java runtime, or it is not installed properly.

Next, type these commands to generate a self-signed server certificate:


keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -dname “CN=localhost, OU=Organization, O=Company Name, L=City, S=State, C=US”
-validity 365 -keystore keystore
Enter keystore password: <enter a new password here>

Enter key password for <tomcat>

(RETURN if same as keystore password): <just hit enter here>

The password you enter in the first password prompt will be the password for the keystore where your server certificate is stored.

Next, edit your Tomcat’s conf/server.xml to enable the HTTPS connector. Look for a connector that looks like this:


<!–
<Connector port=”8443″ protocol=”HTTP/1.1″
SSLEnabled=”true”
maxThreads=”150″ scheme=”https”
secure=”true”

clientAuth=”false” sslProtocol=”TLS” />

–>

By default, it is commented out. To uncomment it, remove the line just before the element, and also the line just after it. Then, add the attributes keystoreFile and keystorePass, so that it looks like this:


<Connector port=”8443″ protocol=”HTTP/1.1″
SSLEnabled=”true”

maxThreads=”150″ scheme=”https”
secure=”true”

clientAuth=”false” sslProtocol=”TLS”

keystoreFile=”conf/keystore” keystorePass=”your password”
/>

If you’re running Tomcat on Windows, you may set the port number to 443, which is the default HTTPS port number. On non-Windows operating systems you can only do that if you run Tomcat as root, which we don’t recommend.

Once you’ve completed the steps above, restart Tomcat, and try connecting to Tomcat over HTTPS with a URL such as https://localhost:8443 (you have to specify both “https” and port 8443 if you have configured it to listen on port 8443). Your web browser will warn you about the self-signed certificate, but otherwise it should work.

To fix that warning you’ll need to purchase a commercial HTTPS certificate and install it. See the instructions on how to do this in Chapter 6: Security of the book Tomcat: The Definitive Guide (O’Reilly).

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: