HTTPS Tomcat Configuration

  1. Accepted format for keystore
     1.1. JKS
     1.2. PKCS12
  2. JSSE
  3. APR (recommended)
  4. web.xml
  5. APR Installation
     5.1. Compile APR
     5.2. Configure Tomcat to Use APR

Accepted format for keystore

  • JKS
  • PKCS11
  • PKCS12 (an internet standard; can be manipulated through openssl)

JKS

  1. Import the root certificate (the certificate of the CA that signed your certificate):

    keytool -import -trustcacerts \
    -alias root \
    -file RootCertFileName.crt \
    -keystore keystore

    (
    Alternatively, copy the JRE's own truststore as the base:
    cp $JAVA_HOME/lib/security/cacerts keystore
    or
    cp /etc/ssl/certs/java/cacerts keystore
    )

  2. Import the certificate signed by the CA:

    keytool -import \
    -alias tomcat \
    -keystore keystore \
    -file <your_certificate_filename>

PKCS12

Prepare the certificate keystore by importing an existing certificate and key into a PKCS12 keystore:

openssl pkcs12 -export \
-in domain.crt \
-inkey domain.key \
-out domain.p12 \
-name tomcat \
-CAfile ca.crt \
-caname root \
-chain

JSSE

The JSSE implementation is provided as part of the Java runtime.

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path/to/domain.p12"
keystorePass="changeit"
keyAlias="tomcat"
clientAuth="false" sslProtocol="TLS"/>

APR (recommended)

The APR (native) implementation uses the OpenSSL engine by default and is faster than the JSSE approach.

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" scheme="https"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="200" secure="true" SSLEnabled="true"
SSLCertificateFile="ssl/preshop.crt"
SSLCertificateKeyFile="ssl/private.key"
SSLCertificateChainFile="ssl/intermediate.crt"
SSLCACertificateFile="ssl/root.crt"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
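Both connectors above carry settings worth checking before deployment: the JSSE one ships the well-known `changeit` keystore password and leaves the offered TLS versions to the JVM defaults, and the APR one explicitly enables TLSv1 and TLSv1.1. The following script is an added example (not part of the original post or of Tomcat itself) that parses a server.xml, audits every SSL-enabled `<Connector>` for these points, and checks a hardened variant that offers only TLSv1.2. The sample documents are constructed from the two connectors on this page; the list of default passwords and the choice of "deprecated" versions are the script's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the JSSE and APR Connector definitions shown on this page,
# wrapped in a minimal <Server>/<Service> so they parse like a real server.xml.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="path/to/domain.p12"
               keystorePass="changeit"
               keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8443" scheme="https"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200" secure="true" SSLEnabled="true"
               SSLCertificateFile="ssl/preshop.crt"
               SSLCertificateKeyFile="ssl/private.key"
               SSLCertificateChainFile="ssl/intermediate.crt"
               SSLCACertificateFile="ssl/root.crt"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
  </Service>
</Server>"""

# Constructed hardened variant of the APR connector: only TLSv1.2 is offered.
HARDENED_APR_XML = """<Server><Service>
    <Connector port="8443" scheme="https"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               secure="true" SSLEnabled="true"
               SSLCertificateFile="ssl/preshop.crt"
               SSLCertificateKeyFile="ssl/private.key"
               SSLCertificateChainFile="ssl/intermediate.crt"
               SSLCACertificateFile="ssl/root.crt"
               SSLProtocol="TLSv1.2"/>
</Service></Server>"""

# Protocol versions a TLS server should no longer offer (assumption of this script).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Constructed list of well-known default keystore passwords to flag.
DEFAULT_PASSWORDS = {"changeit", "password", "tomcat"}


def _split_protocols(value):
    # Tomcat accepts '+' or ',' as separators in SSLProtocol / sslEnabledProtocols.
    return {p.strip() for p in value.replace(",", "+").split("+") if p.strip()}


def audit_connector(conn):
    """Return a list of findings (strings) for one <Connector> element."""
    attrs = conn.attrib
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP/AJP connector: nothing TLS-related to check
    if attrs.get("secure", "false").lower() != "true" or attrs.get("scheme") != "https":
        findings.append('SSLEnabled connector lacks secure="true" / scheme="https"')
    # APR uses SSLProtocol, JSSE uses sslEnabledProtocols for the explicit version list.
    explicit = attrs.get("SSLProtocol") or attrs.get("sslEnabledProtocols")
    if explicit:
        enabled = _split_protocols(explicit)
        if "all" in enabled:
            findings.append('SSLProtocol="all" offers every version the TLS library supports')
        bad = sorted(enabled & DEPRECATED_PROTOCOLS)
        if bad:
            findings.append("deprecated protocol versions enabled: " + ", ".join(bad))
    elif attrs.get("sslProtocol", "").upper() == "TLS":
        findings.append('sslProtocol="TLS" with no sslEnabledProtocols: '
                        "the JVM defaults decide which versions are offered")
    if attrs.get("keystorePass") in DEFAULT_PASSWORDS:
        findings.append("keystorePass is a well-known default value")
    return findings


def audit_server_xml(xml_text):
    """Return [(protocol, port, findings), ...] for every Connector in the document."""
    root = ET.fromstring(xml_text)
    return [(c.get("protocol", "HTTP/1.1"), c.get("port"), audit_connector(c))
            for c in root.iter("Connector")]


if __name__ == "__main__":
    for proto, port, findings in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{proto} on {port}: {findings or 'no findings'}")
    for proto, port, findings in audit_server_xml(HARDENED_APR_XML):
        print(f"hardened {proto} on {port}: {findings or 'no findings'}")
```

Run it against a real `$CATALINA_HOME/conf/server.xml` by passing the file contents to `audit_server_xml`; the check is deliberately limited to attributes visible in the XML, so it says nothing about the key length or chain in the referenced certificate files.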

web.xml

If you want to ensure that the resources in your application are only accessible through HTTPS, you can configure the web.xml of your application:

<security-constraint>
<web-resource-collection>
<web-resource-name>secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
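A quick way to confirm that a deployed web.xml really forces the whole context onto HTTPS is to parse it and list the url-patterns covered by a CONFIDENTIAL (or INTEGRAL, which Tomcat treats the same way) transport guarantee. The script below is an added example, not part of the original post; it handles the default XML namespace that generated web.xml files usually declare, which plain tag matching would otherwise miss. Both sample documents are constructed: the first is the constraint from this page, the second a counter-example that protects only `/admin/*`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint from this page, inside a <web-app>
# that declares the Servlet 3.1 default namespace (as generated web.xml files usually do).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed counter-example: only /admin/* is forced to HTTPS; the rest of the app is not.
PARTIAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local_name(tag):
    # ElementTree reports namespaced tags as "{uri}name"; keep only the name part.
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml_text):
    """Return the url-patterns that a security-constraint forces onto HTTPS."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for constraint in root.iter():
        if _local_name(constraint.tag) != "security-constraint":
            continue
        guarantee = None
        urls = []
        for el in constraint.iter():
            name = _local_name(el.tag)
            if name == "transport-guarantee":
                guarantee = (el.text or "").strip().upper()
            elif name == "url-pattern":
                urls.append((el.text or "").strip())
        # A missing user-data-constraint is equivalent to NONE: no transport requirement.
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            patterns.extend(urls)
    return patterns


def whole_app_https_only(web_xml_text):
    """True when a CONFIDENTIAL/INTEGRAL constraint covers the whole context (/*)."""
    return "/*" in confidential_patterns(web_xml_text)


if __name__ == "__main__":
    print("page sample:", confidential_patterns(SAMPLE_WEB_XML), whole_app_https_only(SAMPLE_WEB_XML))
    print("partial sample:", confidential_patterns(PARTIAL_WEB_XML), whole_app_https_only(PARTIAL_WEB_XML))
```

One caveat the constraint alone does not cover: when a request arrives over plain HTTP, Tomcat redirects it to the port named by the `redirectPort` attribute of the HTTP connector, so that attribute must point at the HTTPS connector's port (8443 in this post) or the redirect goes nowhere useful.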

APR Installation

Compile APR

wget http://apache.fayea.com/apr/apr-1.5.2.tar.gz
wget http://apache.fayea.com/apr/apr-iconv-1.2.1.tar.gz
wget http://apache.fayea.com/apr/apr-util-1.5.4.tar.gz

tar -xvf apr-1.5.2.tar.gz
tar -xvf apr-iconv-1.2.1.tar.gz
tar -xvf apr-util-1.5.4.tar.gz

(
  cd apr-1.5.2
  ./configure --prefix=/usr/local/apr
  make
  sudo make install
)

(
  cd apr-iconv-1.2.1
  ./configure --prefix=/usr/local/apr-iconv --with-apr=/usr/local/apr
  make
  sudo make install
)

(
  cd apr-util-1.5.4
  ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-apr-iconv=/usr/local/apr-iconv/bin/apriconv
  make
  sudo make install
)

(
  cd $CATALINA_HOME/bin/
  tar -xvf tomcat-native.tar.gz
  cd tomcat-native-*-src/native
  ./configure --with-apr=/usr/local/apr --with-java-home=$JAVA_HOME
  make
  sudo make install
)

Configure Tomcat to Use APR

Edit $CATALINA_HOME/bin/catalina.sh and add the following line at the beginning of the file so the JVM can find the native library:

CATALINA_OPTS="-Djava.library.path=/usr/local/apr/lib"