Configure SSL/TLS in Tomcat to support HTTPS
Created#More Posted time:Nov 21, 2016 14:54 PM
This article details how to configure SSL/TLS in Tomcat with a few simple steps and how to use JDK to generate self-signed certificates to achieve HTTPS support in the application.
Generate keys and certificates
Tomcat currently only supports the operation on keystores in JKS, PKCS11 or PKCS12 format. JKS is a standard format of “Java keystore” in Java and is created using the keytool. This tool is included in JDK. PKCS12 format is an internet standard. You can create a keystore file using OpenSSL and the Key-Manager of Microsoft
to save the private keys and self-signed certificates of the server:
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
After running the command, it will first prompt you to provide the keystore password. The default password of Tomcat is changeit (all in lower case). Of course you can specify a self-defined password (as you like). Similarly, you also need to specify this self-defined password in the server.xml configuration file. I will detail this later on.
Next, it will prompt you to provide general information about the certificate, such as organization, contact name and so on. When a user tries to visit a secure page in your application, this information will be displayed to the user. So you must ensure that the information provided is consistent with the expected content of the user.
At last, you also need to input the key password. This password is the dedicated password for this certificate (instead of for other certificates stored in the same keystore file). The keytool will prompt that if you press the Enter key, the password of the keystore will apply automatically. Of course, you can define a password of your own. If you choose to use a self-defined password, do not forget to specify the password in the server.xml configuration file.
Below are the detailed steps:
C:\Users\admin>"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
Enter the keystore password:
Enter the new password again:
What are your last name and first name?
What is the name of your organization unit?
What is the name of your organization?
What is your city or region?
What is your province/municipality/autonomous region?
What is the double-letter code of the country/region of the unit?
CN=waylau, OU=waylau.com, O=waylau.com, L=hangzhou, ST=zhejiang, C=china. Is it correct
Enter the key password of <tomcat>
(If it matches the keystore password, press Enter):
If all the operations are normal, we now will create a new JKS keystore which includes a self-signed certificate. Create a new JKS keystore which includes a self-signed certificate.
This command will create a new file in the home directory of the user: .keystore.
In order to specify a different location or file name, you can add the -keystore parameter to the above-mentioned keytool command, followed by the full path to the keystore file. You also need to specify the new location in the server.xml configuration file. For details, see thelater part. For example:
"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
Cancel the annotation status of “SSL HTTP/1.1 Connector” item in the /conf/server.xml file in the installation directory of Tomcat, and formulate the path and password of the keystore:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Tomcat specifies Port 8443 for HTTPS access.
If you want to hide the port number, you need to set the HTTPS port of Tomcat to 443.
If you want to redirect all the HTTP requests to HTTPS, you can modify web.xml in the conf file of Tomcat and add the following under the node:
<!-- Authorization setting for SSL -->
In specific, the is the filtering policy of the configuration file. For example, to only implement automatic conversion to HTTPS for .jsp requests, configure as follows:
In, you can configure the request path /*, login.html, login.jsp and so on that you want to implement automatic conversion for.
First, visit a page without HTTPS support in the browser http://localhost:8080.
Next, visit the HTTPS page in the browser: https://localhost:8443/
When a user visits a secure page on your site for the first time, the page will usually prompt a dialog box for the user, including the certificate details (such as organization and contact information), and inquiry whether the user is willing to acknowledge this certificate as valid and proceed to the next transaction. Some browsers may provide an option to always acknowledge the validity of the certificate given, so that the dialog box will not pop up again every time when the user visits this site. But some browsers do not offer this option. Once the user acknowledges the validity of the certificate, the certificate is deemed valid throughout the browser session.
Prompt of Firefox Browser
This connection is not trusted.
You are trying to connect to localhost:8443 securely in Firefox, but we are not sure of the security of this connection.
Usually when you try to connect to a site securely, the site will display the trusted credentials to prove you are visiting the correct site. However, the identity of the website cannot be verified as a trusted site.
How can we solve this problem?
If you once visited this website normally, this error may indicate that someone may try to pretend to be this website and you should stop browsing.
The localhost:8443 is using an invalid certificate.
This certificate is not trusted because of its self-signed signature.
This certificate is only valid for waylau.
(Error code: sec_error_unknown_issuer)
If you have fully acknowledged what has happened, you can make Firefox to start trusting the credentials of this site. Even if you trust this site, this error may indicate that someone tried to intervene in your connection.
Do not add exceptions easily, unless you understand and agree with the reason for this site being labeled as untrusted.
The prompt of Google is as follows:
Although the SSL protocol aims to provide secure and efficient connections as much as possible, the encryption and decryption are very computing-resource-consuming from the perspective of performance. Therefore, it is totally unnecessary to run the entire Web application in SSL protocol and developers should select the pages for secure connection. For a very busy website, only some specific pages, namely that pages that exchange sensitive information, will adopt SSL protocol, such as: the login page, the profile page, settlement page of the shopping cart (may involve the input of credit card information) and so on. Any page in the application can be accessed by requests with SSL, you just need to change the prefix of the page URL http: to https:.