Thursday, July 18, 2013

How to Configure HTTPS (SSL) in Tomcat 6 and 7 Java Web Server

Setting SSL (Secure Socket Layer) in Tomcat is often a requirement, especially while developing  secure web application, which requires access over https protocol. Since Tomcat web server doesn't provide SSL settings by default, you need to know how to configure SSL in tomcat, and even worse it varies between different tomcat versions. for Example SSL setup which works on tomcat 6, doesn't work as it is in tomcat 7. In this article we will see, how to configure tomcat for https in both tomcat 6 and 7. For those programmers who are not very familiar with SSL and https here is a quick overview of SSL, certificates and https, and I suggest reading that article to get better understanding of How SSL works and How websites are accessed security over internet.

SSL and HTTPS Configuration in Tomcat Server Java J2EE
Once we know ,what is SSL, https and Certificates we are ready to setup SSL and https in tomcat web server. As I explained you need to have some certificate (inside keystore)  in tomcat/conf folder which tomcat will present, when a connection is made via https. If you use Spring security you can use some of test certificates present in there sample applications otherwise you need to generate by yourselves. You can request certificates from your windows support team or by using tools like IBM IkeyMan and keytool command to put them into truststore and keystore.

Once you have certificate ready, Open your server.xml from tomcat/conf folder and search for Connector which defines https, it may be commented ,better look for this string "Define a SSL HTTP/1.1 Connector on port 8443". Once found replace with following setup which is different for tomcat 6 and tomcat 7

SSL Configuration for Tomcat 6 :


<Connector protocol="org.apache.coyote.http11.Http11Protocol"
            port="8443" minSpareThreads="5" maxSpareThreads="75"
            enableLookups="true" disableUploadTimout="true"
            acceptCount="100"  maxThreads="200"
            scheme="https" secure="true" SSLEnabled="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="${catalina.home}/conf/server.jks"
            keystoreType="JKS" keystorePass="changeit"    />

You also need to make one more configuration change for setting up SSLEngine="off" from "on" like in below text:
 
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

Look for this String on top of Server.xml

SSL Configuration for Tomcat 7

SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7, as you only need to make one configuration change for replacing SSL Connector with following settings :
 
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="${catalina.home}/conf/server.jks"
             keystoreType="JKS" keystorePass="changeit"    />
 
 
Settings which may vary if you setup your own certificate is keystorFile which points to a keystore, which stores certificates, keyStoreType I am using "jks", which stands for “Java Key Store” and keystorepass, which is password for opening key store file. That's it now your tomcat 6 or tomcat 7 is ready to server https client. Though you may need to configure https for your web application ,if you not done already.

How to configure Java web application for https

If you want your J2EE web application to be accessed over SSL using https protocol, you can include following settings in application's web.xml :


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HelloSSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


This Security setting will enable HTTPS for all URL directed your application. you can also selective enable https settings for some URL by tweaking URL pattern. Since SSL requires encryption and decryption it can increase response time and if you not serving sensitive information than you only have SSL enable for login or any particular URL which requires sensitive data.

2 comments :

Sumith said...

It was showing errors after installing SSL on my java hosting account. I activated a dedicated IP for the account and then the site works fine

Ashwini Sharma said...

what about if i want to enable ssl from my login page, i dont want to add https from my home page.
i want to enable ssl after login page not from starting...

Post a Comment