Setup SSL on Apache Tomcat

In this tutorial we explain how to make your Apache Tomcat reachable over an SSL/TLS (HTTPS) connection, using a self-signed certificate generated with the JDK's keytool.

1. Prerequisites

  1. Install Apache Tomcat as explained here: Install Apache Tomcat on Windows
  2. A JDK is installed and %JAVA_HOME% points to it (the keytool utility used below lives in its bin folder)

2. Generate self-signed certificate

First we have to generate a key pair and a self-signed certificate for it; Tomcat will use the private key to secure the connection. On the command line enter:

C:\>cd %JAVA_HOME%/bin

C:\Program Files\Java\jdk1.8.0_45\bin>keytool -genkey -alias tomcat -keyalg RSA

You will be asked to enter some information about your name, company etc. Note that the answer to “What is your first and last name?” becomes the certificate's CN (common name). For a server certificate this should be the host name clients will type into the browser (here localhost), not a person's name; otherwise browsers report a name mismatch on top of the untrusted-issuer warning. The tutorial run below uses a person's name, which is exactly the case to avoid:

C:\Program Files\Java\jdk1.8.0_45\bin>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:  
What is your first and last name?
  [Unknown]:  Malte Sander
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  Tutorial Academy
What is the name of your City or Locality?
  [Unknown]:  Munich
What is the name of your State or Province?
  [Unknown]:  Bavaria
What is the two-letter country code for this unit?
  [Unknown]:  DE 
Is CN=Malte Sander, OU=Unknown, O=Tutorial Academy, L=Munich, ST=Bavaria, C=DE correct?
  [no]:  yes
Enter key password for <tomcat>
	(RETURN if same as keystore password):  
C:\Program Files\Java\jdk1.8.0_45\bin>

Tomcat assumes the keystore password changeit unless server.xml says otherwise; we used TutorialAcademy. Because we did not pass -keystore, keytool writes the key pair to a file named “.keystore” in your user profile folder (%USERPROFILE%). Two more defaults to be aware of: without -validity the certificate expires after 90 days, and -genkey is the old spelling of -genkeypair.
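As an added example (not code from the original tutorial), the following Python script wraps the same keytool call with the settings a practitioner would want on a real server: an explicit key size and validity, the host name as CN and, more importantly, as a subjectAltName so clients can match the certificate against the URL, a PKCS12 store instead of the JKS default, and a refusal to use a known default password. It assumes keytool is on PATH; the file name tomcat.p12, the password and the host name are placeholders.

```python
"""Generate the Tomcat keystore with keytool using stricter settings than
'keytool -genkey -alias tomcat -keyalg RSA'. Added example, not code from
the original tutorial. Assumes keytool (JDK or JRE bin folder) is on PATH;
the file name tomcat.p12, the password and the host name are placeholders."""
import shutil
import subprocess
from pathlib import Path

# Passwords that Tomcat or tutorials assume by default; refuse them.
WEAK_PASSWORDS = {"changeit", "password", "tomcat"}


def keytool_genkeypair_args(keystore, storepass, hostname, alias="tomcat",
                            keysize=2048, validity_days=365):
    """Build the argument list for keytool -genkeypair.

    Compared with the bare tutorial command this pins the key size, sets an
    explicit validity (keytool's default is 90 days), puts the host name in
    the CN and in a subjectAltName extension so browsers can match the
    certificate against the URL, and writes a PKCS12 store.
    """
    if len(storepass) < 8 or storepass.lower() in WEAK_PASSWORDS:
        raise ValueError("pick a keystore password that is not a known default")
    san = f"SAN=dns:{hostname}"
    if hostname == "localhost":
        san += ",ip:127.0.0.1"          # so https://127.0.0.1/ matches as well
    return [
        "keytool", "-genkeypair",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", str(keysize),
        "-validity", str(validity_days),
        "-dname", f"CN={hostname}, O=Tutorial Academy, L=Munich, ST=Bavaria, C=DE",
        "-ext", san,
        "-storetype", "PKCS12",
        "-keystore", str(keystore),
        "-storepass", storepass,
        "-keypass", storepass,          # PKCS12 stores need key and store password equal
    ]


def generate_keystore(keystore, storepass, hostname="localhost"):
    """Run keytool non-interactively and return the 'keytool -list -v' output."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not on PATH; add %JAVA_HOME%\\bin first")
    path = Path(keystore)
    if path.exists():
        raise FileExistsError(f"{path} exists; refusing to add to or overwrite it")
    subprocess.run(keytool_genkeypair_args(path, storepass, hostname), check=True)
    listing = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", str(path), "-storepass", storepass],
        check=True, capture_output=True, text=True,
    )
    return listing.stdout


if __name__ == "__main__":
    print(generate_keystore("tomcat.p12", "TutorialAcademy", "localhost"))
```

If you generate the keystore this way, copy tomcat.p12 into Tomcat's conf folder and point the connector at it with keystoreFile="conf/tomcat.p12" keystoreType="PKCS12" (a relative keystoreFile is resolved against $CATALINA_BASE) instead of the ${user.home}/.keystore path used in the next section.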

3. Adapt Tomcat server.xml config for SSL

The port attribute (default 8443) is the TCP port on which Tomcat listens for secure connections. You can change it to any port, e.g. the standard HTTPS port 443. However, on many operating systems a special setup is required to run Tomcat on port numbers lower than 1024.

Add the following Connector to server.xml, located in the conf folder of your Tomcat installation:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
	   port="8443" maxThreads="200"
	   scheme="https" secure="true" SSLEnabled="true"
	   keystoreFile="${user.home}/.keystore" keystorePass="TutorialAcademy"
	   clientAuth="false" sslProtocol="TLS"/>

Preferably place it between the commented-out sample SSL connector and the AJP connector, as shown here:

<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
	
	<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
	<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
			   port="8443" maxThreads="200"
			   scheme="https" secure="true" SSLEnabled="true"
			   keystoreFile="${user.home}/.keystore" keystorePass="TutorialAcademy"
			   clientAuth="false" sslProtocol="TLS"/>

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Adapt the keystorePass attribute (“TutorialAcademy”) to the password you chose when generating the keystore. The password is stored in clear text, so make sure conf/server.xml is readable only by the account Tomcat runs under. sslProtocol="TLS" lets the JVM decide which TLS versions to offer; to restrict the connector to a particular version add sslEnabledProtocols="TLSv1.2". These attributes are the Tomcat 7/8.0 syntax; Tomcat 8.5 and 9 still accept them but document the nested SSLHostConfig and Certificate elements instead. Start or restart the Tomcat server afterwards.

If you changed the port number, also adapt the redirectPort attribute of the non-SSL connectors (HTTP on 8080 and AJP on 8009) so that it points at the SSL port. redirectPort is used when a request arrives on the plain connector for a resource whose <security-constraint> in web.xml declares <transport-guarantee>CONFIDENTIAL</transport-guarantee>: Tomcat then answers with a redirect to the same path on the SSL port instead of serving the page over HTTP:

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
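The checks above (a keystorePass that is not the assumed default, a keystoreFile that is set, an explicit list of TLS versions, and a redirectPort on every plain connector that actually matches an SSL connector) are easy to get wrong when editing server.xml by hand. The following Python script is an added example, not part of the original post, that reads a server.xml and reports those mistakes; SAMPLE_SERVER_XML is a constructed copy of the tutorial's configuration, and the script takes a path to your own conf/server.xml on the command line.

```python
"""Check the Connector elements in a Tomcat server.xml for the settings
this section configures. Added example, not part of the original post.
SAMPLE_SERVER_XML is constructed to mirror the tutorial's configuration;
pass the path of your own conf/server.xml to check that instead."""
import sys
import xml.etree.ElementTree as ET

DEFAULT_STORE_PASSWORD = "changeit"   # what Tomcat assumes if keystorePass is absent
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/.keystore" keystorePass="TutorialAcademy"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""


def lint_connectors(server_xml):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))      # Connectors sit below Service
    findings = []
    ssl_ports = set()

    # Pass 1: the SSL-enabled connector(s).
    for c in connectors:
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port", "?")
        ssl_ports.add(port)
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: SSL connector should set scheme=\"https\" "
                            "and secure=\"true\" so request.isSecure() is correct")
        password = c.get("keystorePass")
        if password is None or password == DEFAULT_STORE_PASSWORD:
            findings.append(f"port {port}: keystorePass is absent or the default "
                            f"'{DEFAULT_STORE_PASSWORD}'")
        if c.get("keystoreFile") is None:
            findings.append(f"port {port}: no keystoreFile, Tomcat will look for "
                            "the .keystore file of the user running it")
        enabled = c.get("sslEnabledProtocols")
        if enabled is None:
            findings.append(f"port {port}: no sslEnabledProtocols, the JVM's defaults "
                            "decide which TLS versions are offered")
        else:
            old = LEGACY_PROTOCOLS & {p.strip() for p in enabled.split(",")}
            if old:
                findings.append(f"port {port}: sslEnabledProtocols offers {sorted(old)}")
    if not ssl_ports:
        findings.append("no Connector with SSLEnabled=\"true\" found")

    # Pass 2: every plain connector must redirect to a real SSL port.
    for c in connectors:
        if c.get("SSLEnabled", "false").lower() == "true":
            continue
        port = c.get("port", "?")
        redirect = c.get("redirectPort")
        if redirect is None:
            findings.append(f"port {port}: no redirectPort, Tomcat's default of 443 is used")
        elif redirect not in ssl_ports:
            findings.append(f"port {port}: redirectPort {redirect} does not match any SSL "
                            f"connector port {sorted(ssl_ports)}")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for line in lint_connectors(source) or ["no findings"]:
        print(line)
```

Run against the tutorial's own configuration the only finding is the missing sslEnabledProtocols; changing the redirectPort of the 8080 connector without changing the SSL connector, or leaving keystorePass at changeit, shows up immediately.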

4. Test the configuration

In your browser, enter (adapt the port if you did so in the server.xml):

https://localhost:8443/

Because the certificate is self-signed, the browser warns that the connection is not trusted; if you answered the CN question with your name rather than localhost, it additionally reports that the certificate does not match the host name. After you accept the certificate you should see the standard Tomcat start page. If one of your applications declares a CONFIDENTIAL transport guarantee (the stock webapps do not), requesting such a page via http://localhost:8080/ should redirect you to the same path on https://localhost:8443/.
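The browser warning bundles two separate problems: nobody vouches for the certificate (self-signed), and the certificate's name may not match the URL. The following Python script is an added example, not from the tutorial, that separates them: it fetches the certificate from the connector without verification, then performs a second handshake that trusts only that certificate and enforces the hostname rule, and it contains the name-matching logic browsers apply so you can see which part fails. It assumes Tomcat listens on localhost:8443 as configured above; the two certificate dicts are constructed samples in the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Probe the HTTPS connector from Python and explain the browser warning.
Added example, not from the tutorial. Assumes Tomcat listens on
localhost:8443 as configured above. The two certificate dicts are
constructed samples in the shape ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl

# What keytool produced in the tutorial: subject == issuer (self-signed) and
# a CN that is a person's name, with no subjectAltName. Constructed sample.
TUTORIAL_CERT = {
    "subject": ((("countryName", "DE"),), (("stateOrProvinceName", "Bavaria"),),
                (("localityName", "Munich"),), (("organizationName", "Tutorial Academy"),),
                (("commonName", "Malte Sander"),)),
    "issuer": ((("countryName", "DE"),), (("stateOrProvinceName", "Bavaria"),),
               (("localityName", "Munich"),), (("organizationName", "Tutorial Academy"),),
               (("commonName", "Malte Sander"),)),
}
# A certificate generated with the host name as CN and a SAN. Constructed sample.
HOST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def is_self_signed(cert):
    """Self-signed certificates carry the same name as subject and issuer."""
    return cert.get("subject") == cert.get("issuer")


def _dns_match(pattern, hostname):
    """Exact match, or a single left-most wildcard label (*.example.org)."""
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """The name rule browsers apply (RFC 6125): when subjectAltName is present
    only its entries count; the subject CN is consulted only as a fallback."""
    hostname = hostname.lower()
    sans = cert.get("subjectAltName", ())
    if sans:
        dns = [v.lower() for k, v in sans if k == "DNS"]
        ips = [v for k, v in sans if k == "IP Address"]
        return any(_dns_match(p, hostname) for p in dns) or hostname in ips
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value.lower(), hostname)
    return False


def fetch_server_cert(host="localhost", port=8443):
    """First handshake without verification (nothing in the trust store can
    vouch for a self-signed cert); returns protocol, cipher and the cert as PEM."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), tls.cipher()[0], ssl.DER_cert_to_PEM_cert(der)


def verify_pinned(pem, host="localhost", port=8443):
    """Second handshake trusting only the exported certificate, with hostname
    checking on. Returns the parsed certificate dict, or the verification
    error text (a CN/SAN mismatch when the CN is not the host name)."""
    ctx = ssl.create_default_context(cadata=pem)   # CERT_REQUIRED and check_hostname
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return str(err)


if __name__ == "__main__":
    version, cipher, pem = fetch_server_cert()
    print("negotiated", version, cipher)
    result = verify_pinned(pem)
    if isinstance(result, dict):
        print("self-signed:", is_self_signed(result),
              "name matches localhost:", hostname_matches(result, "localhost"))
    else:
        print("verification failed:", result)
```

With the tutorial's certificate the second handshake fails on the name check, because the CN is “Malte Sander”; with a certificate whose CN and subjectAltName are the host name it succeeds once the certificate itself is trusted, which is the one warning a self-signed certificate will always produce.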

If you have problems or questions, feel free to comment and ask.
