Setting SSL (Secure Socket Layer) in Tomcat is often a requirement, especially while developing secure web application, which requires access over https protocol. Since Tomcat web server doesn't provide SSL settings by default, you need to know how to configure SSL in tomcat, and even worse it varies between different tomcat versions. for Example SSL setup which works on tomcat 6, doesn't work as it is in tomcat 7. In this article we will see, how to configure tomcat for https in both tomcat 6 and 7. For those programmers who are not very familiar with SSL and https here is a quick overview of SSL, certificates and https, and I suggest reading that article to get better understanding of How SSL works and How websites are accessed security over internet.
Once we know ,what is SSL, https and Certificates we are ready to setup SSL and https in tomcat web server. As I explained you need to have some certificate (inside keystore) in tomcat/conf folder which tomcat will present, when a connection is made via https. If you use Spring security you can use some of test certificates present in there sample applications otherwise you need to generate by yourselves. You can request certificates from your windows support team or by using tools like IBM IkeyMan and keytool command to put them into truststore and keystore.
Once you have certificate ready, Open your server.xml from tomcat/conf folder and search for Connector which defines https, it may be commented ,better look for this string "Define a SSL HTTP/1.1 Connector on port 8443". Once found replace with following setup which is different for tomcat 6 and tomcat 7
SSL Configuration for Tomcat 6 :
You also need to make one more configuration change for setting up SSLEngine="off" from "on" like in below text:
Look for this String on top of Server.xml
SSL Configuration for Tomcat 7
SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7, as you only need to make one configuration change for replacing SSL Connector with following settings :
Settings which may vary if you setup your own certificate is keystorFile which points to a keystore, which stores certificates, keyStoreType I am using "jks", which stands for “Java Key Store” and keystorepass, which is password for opening key store file. That's it now your tomcat 6 or tomcat 7 is ready to server https client. Though you may need to configure https for your web application ,if you not done already.
How to configure Java web application for https
If you want your J2EE web application to be accessed over SSL using https protocol, you can include following settings in application's web.xml :
This Security setting will enable HTTPS for all URL directed your application. you can also selective enable https settings for some URL by tweaking URL pattern. Since SSL requires encryption and decryption it can increase response time and if you not serving sensitive information than you only have SSL enable for login or any particular URL which requires sensitive data.
P.S. - If you are an experienced Java/JEE Program and want to learn Spring Security end-to-end, I recommend Learn Spring Security course by Eugen Paraschiv, The definitive guide to secure your Java application. It's useful for both junior and experienced Java Web developers.
He is also author of REST with Spring course, one of the best online course to learn RESTful WebServices using Spring framework.
P.S - If you like to learn from book, then Pro Spring Security by Carlo Scarioni is a good starting point. The content is not advanced enough for senior developers but for junior and intermediate programmer, it's a great book.