Setting up SSL (Secure Sockets Layer) in Tomcat is often a requirement, especially when developing secure web applications that must be accessed over the HTTPS protocol. Since the Tomcat web server doesn't enable SSL by default, you need to know how to configure it, and, worse, the setup varies between Tomcat versions: for example, an SSL setup that works on Tomcat 6 doesn't work as-is on Tomcat 7. In this article, we will see how to configure Tomcat for HTTPS in both Tomcat 6 and Tomcat 7. For those programmers who are not very familiar with SSL and HTTPS, here is a quick overview of SSL, certificates and HTTPS; I suggest reading that article to get a better understanding of how SSL works and how websites are accessed securely over the internet.
Once we know what SSL, HTTPS and certificates are, we are ready to set up SSL and HTTPS in the Tomcat web server. As explained there, you need a certificate (inside a keystore) in the tomcat/conf folder, which Tomcat will present when a connection is made via HTTPS.
If you use Spring Security, you can use some of the test certificates present in its sample applications; otherwise you need to generate them yourself. You can request certificates from your Windows support team, or use tools like IBM iKeyman or the keytool command to generate them and put them into the truststore and keystore.
Once you have the certificate ready, open server.xml from the tomcat/conf folder and search for the Connector that defines HTTPS. It may be commented out, so it's better to look for the string "Define a SSL HTTP/1.1 Connector on port 8443". Once found, replace it with the following setup, which is different for Tomcat 6 and Tomcat 7.
SSL Configuration for Tomcat 6:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystoreType="JKS" keystorePass="changeit" />
You also need to make one more configuration change: set SSLEngine from "on" to "off" on the AprLifecycleListener, which is declared near the top of server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
The reason is that when the Tomcat native (APR) library is installed and SSLEngine is "on", a connector declared with protocol="HTTP/1.1" is auto-selected as the OpenSSL-based APR connector, which reads SSLCertificateFile and SSLCertificateKeyFile attributes rather than the keystore attributes used here.
SSL Configuration for Tomcat 7
SSL setup in Tomcat 7 is relatively easy compared to Tomcat 6, as you only need to make one configuration change: replace the SSL Connector with the following settings:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystoreType="JKS" keystorePass="changeit" />
The settings that may vary if you set up your own certificate are keystoreFile, which points to the keystore that stores the certificates; keystoreType, for which I am using "JKS" (Java Key Store); and keystorePass, the password for opening the keystore file. That's it: your Tomcat 6 or Tomcat 7 is now ready to serve HTTPS clients, though you may still need to configure HTTPS for your web application if you haven't done so already.
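As an added example (not part of the original article, and not Tomcat's own tooling), the following Python script audits the SSL connector settings discussed above. The server.xml content is constructed inline and mirrors the Tomcat 7 connector shown here, deliberately keeping the default keystorePass so the check flags it; the attribute checks, message strings and the AprLifecycleListener interaction check are this example's own assumptions.

```python
"""Audit the HTTPS connector settings in a Tomcat server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: only the elements relevant to SSL are kept.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/conf/server.jks"
               keystoreType="JKS" keystorePass="changeit" />
  </Service>
</Server>
"""

# Values an SSL connector must carry so Tomcat treats the connection as secure
# (request.isSecure() and URL scheme in redirects depend on them).
REQUIRED = {"scheme": "https", "secure": "true"}


def apr_ssl_engine_on(root):
    """True when an AprLifecycleListener is configured with SSLEngine="on"."""
    return any(
        listener.get("SSLEngine", "").lower() == "on"
        for listener in root.iter("Listener")
        if listener.get("className", "").endswith("AprLifecycleListener")
    )


def audit_server_xml(xml_text):
    """Return a list of (port, finding) tuples for every SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    apr_on = apr_ssl_engine_on(root)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit here
        port = conn.get("port", "?")
        for attr, expected in REQUIRED.items():
            if conn.get(attr, "").lower() != expected:
                findings.append((port, f'{attr} should be "{expected}"'))
        if not conn.get("keystoreFile"):
            findings.append((port, "keystoreFile missing"))
        if conn.get("keystorePass") == "changeit":
            findings.append((port, "keystorePass is the JDK default 'changeit'"))
        # With the native library present, protocol="HTTP/1.1" auto-selects the
        # APR/OpenSSL connector, which ignores keystore* attributes entirely.
        if (apr_on and conn.get("protocol") == "HTTP/1.1"
                and not conn.get("SSLCertificateFile")):
            findings.append((port, 'AprLifecycleListener has SSLEngine="on": '
                                   'an auto-selected APR connector ignores keystore* attributes'))
    return findings


if __name__ == "__main__":
    for port, msg in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```

Run it against your real server.xml by reading the file into `audit_server_xml`; an empty list means the connector carries the attributes this check expects, not that the keystore or certificate itself is valid.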
How to configure Java web application for HTTPS
If you want your J2EE web application to be accessed over SSL using the https protocol, you can include the following settings in the application's web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HelloSSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This security setting will enable HTTPS for all URLs directed to your application. You can also selectively enable HTTPS for some URLs by tweaking the URL patterns. Since SSL requires encryption and decryption, it can increase response time, so if you are not serving sensitive information you may want to enable SSL only for the login page or any particular URL that handles sensitive data.
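To show the selective variant described above, here is an added example (not from the original article) that parses a constructed web.xml in which only the login and account paths carry a CONFIDENTIAL transport guarantee while the public pages stay on plain HTTP, and reports which URL patterns Tomcat will force onto HTTPS. The web.xml content, path names and helper functions are this example's own assumptions; it also accepts the namespace-less snippet used in the article.

```python
"""Report which url-patterns in a web.xml require HTTPS (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: HTTPS only where credentials or account data flow.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login and account pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree adds to namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def transport_guarantees(xml_text):
    """Map each url-pattern to its transport-guarantee (NONE when absent)."""
    root = ET.fromstring(xml_text)
    result = {}
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        guarantee = "NONE"
        patterns = []
        for el in constraint.iter():
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append((el.text or "").strip())
            elif name == "transport-guarantee":
                guarantee = (el.text or "").strip().upper() or "NONE"
        for pattern in patterns:
            result[pattern] = guarantee
    return result


def https_only_patterns(xml_text):
    """Patterns Tomcat redirects to the secure port (CONFIDENTIAL or INTEGRAL)."""
    return sorted(p for p, g in transport_guarantees(xml_text).items()
                  if g in ("CONFIDENTIAL", "INTEGRAL"))


def unprotected_patterns(xml_text):
    """Patterns that remain reachable over plain HTTP."""
    return sorted(p for p, g in transport_guarantees(xml_text).items() if g == "NONE")


if __name__ == "__main__":
    print("HTTPS only:", https_only_patterns(SAMPLE_WEB_XML))
    print("plain HTTP:", unprotected_patterns(SAMPLE_WEB_XML))
```

Tomcat satisfies both CONFIDENTIAL and INTEGRAL by redirecting the request to the HTTP connector's redirectPort (8443 in the connector above), so anything listed under "HTTPS only" will never be served in clear text; everything else is a deliberate decision to stay on HTTP.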
P.S. - If you are an experienced Java/JEE programmer and want to learn Spring Security end-to-end, I recommend the Learn Spring Security course by Eugen Paraschiv, the definitive guide to securing your Java application. It's useful for both junior and experienced Java web developers. He is also the author of the REST with Spring course, one of the best online courses to learn RESTful web services using the Spring framework.
P.P.S. - If you like to learn from books, then these Spring Security books and courses are a good starting point. The content is not advanced enough for senior developers, but for junior and intermediate programmers, it's a great book.
It was showing errors after installing SSL on my Java hosting account. I activated a dedicated IP for the account and then the site works fine.
What about if I want to enable SSL from my login page? I don't want to add HTTPS from my home page.
I want to enable SSL after the login page, not from the start...
"SSL Setup in Tomcat7 is relatively easy as compared to Tomcat7"
Any good books to learn Apache Tomcat? I have heard of Apache Tomcat: The Definitive Guide, do you recommend that?
Why SSLEngine off?