Tuesday, July 18, 2017

How to Configure HTTPS (SSL) in Tomcat 6 and 7 Java Web Server

Setting SSL (Secure Socket Layer) in Tomcat is often a requirement, especially while developing secure web applications, which requires access over https protocol. Since the Tomcat web server doesn't provide SSL settings by default, you need to know how to configure SSL in Tomcat, and even worse it varies between different tomcat versions. for Example SSL setup which works on tomcat 6, doesn't work as it is in tomcat 7. In this article we will see, how to configure tomcat for https in both tomcat 6 and 7. For those programmers who are not very familiar with SSL and https here is a quick overview of SSL, certificates and https, and I suggest reading that article to get a better understanding of How SSL works and How websites are accessed security over the internet.

Once we know, what is SSL, https, and Certificates we are ready to set up SSL and https in the tomcat web server? As I explained you need to have some certificate (inside keystore)  in tomcat/conf folder which tomcat will present, when a connection is made via https. 

If you use Spring security you can use some of the test certificates present in there sample applications otherwise you need to generate by yourselves. You can request certificates from your windows support team or by using tools like IBM IkeyMan and keytool command to put them into truststore and keystore.

Once you have certificate ready, Open your server.xml from tomcat/conf folder and search for Connector which defines https, it may be commented ,better look for this string "Define a SSL HTTP/1.1 Connector on port 8443". Once found replace with the following setup which is different for tomcat 6 and tomcat 7.

Btw, if you are new into Servlet and JSP then I also suggest you go through a comprehensive course to learn Servlet and JSP in depth. If you need a recommendations then I suggest you check out JSP, Servlet, and JDBC for Beginners: Build a Database App course on Udemy by Chad Darby. One of the hands-on course to learn Servlet and JSP. 

SSL Configuration for Tomcat 6 :

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
            port="8443" minSpareThreads="5" maxSpareThreads="75"
            enableLookups="true" disableUploadTimout="true"
            acceptCount="100"  maxThreads="200"
            scheme="https" secure="true" SSLEnabled="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreType="JKS" keystorePass="changeit"    />

You also need to make one more configuration change for setting up SSLEngine="off" from "on" like in below text:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

Look for this String on top of Server.xml
SSL and HTTPS Configuration in Tomcat Server Java J2EE

SSL Configuration for Tomcat 7

SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7, as you only need to make one configuration change for replacing SSL Connector with following settings :
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreType="JKS" keystorePass="changeit"    />
Settings which may vary if you setup your own certificate is keystorFile which points to a keystore, which stores certificates, keyStoreType I am using "jks", which stands for “Java Key Store” and keystorepass, which is password for opening key store file. That's it now your tomcat 6 or tomcat 7 is ready to server https client. Though you may need to configure https for your web application ,if you not done already.

How to configure Java web application for https

If you want your J2EE web application to be accessed over SSL using https protocol, you can include following settings in application's web.xml :


This Security setting will enable HTTPS for all URL directed your application. you can also selectively enable https settings for some URL by tweaking URL pattern. Since SSL requires encryption and decryption it can increase response time and if you not serving sensitive information than you only have SSL enabled for login or any particular URL which requires sensitive data.

Further Learning
Spring Framework 5: Beginner to Guru
Java Web Fundamentals By Kevin Jones
JSP, Servlets and JDBC for Beginners: Build a Database App

P.S. - If you are an experienced Java/JEE Program and want to learn Spring Security end-to-end, I recommend the Learn Spring Security course by Eugen Paraschiv, The definitive guide to secure your Java application. It's useful for both junior and experienced Java Web developers.

He is also author of REST with Spring course, one of the best online course to learn RESTful WebServices using Spring framework.

P.S - If you like to learn from book, then Pro Spring Security by Carlo Scarioni is a good starting point. The content is not advanced enough for senior developers but for junior and intermediate programmer, it's a great book.


Sumith said...

It was showing errors after installing SSL on my java hosting account. I activated a dedicated IP for the account and then the site works fine

Unknown said...

what about if i want to enable ssl from my login page, i dont want to add https from my home page.
i want to enable ssl after login page not from starting...

zogness said...

"SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7"

Anonymous said...

Any good books to learn Apache Tomcat? I have heard of Apache Tomcat the Definitive Guide, do you recommend that?

DesarrolladorFullStack said...

Why sslEngine off

Post a Comment