One of the essential tasks in securing Tomcat is to configure an SSL certificate so that the web application is accessible over HTTPS. There are many ways to achieve this:

- Terminate SSL at a load balancer
- Implement SSL at the CDN level
- Use a web server like Apache, Nginx, etc. in front of Tomcat and implement SSL there

However, if you are not using any of the above, are using Tomcat itself as the front end, or need to deploy SSL directly in Tomcat, then the following will help you. In this article, we will do the following:

- Generate a CSR (certificate signing request)
- Import the certificate into a keystore file
- Enable SSL in Tomcat
- Configure the TLS protocol
- Change Tomcat to listen on port 443
- Test Tomcat for SSL vulnerabilities
Let’s start…
Preparing for SSL/TLS Certificate
The first step is to generate a CSR and get it signed by a certificate authority. We will use the keytool utility to manage the certificates.

- Log in to the Tomcat server
- Go to the Tomcat installation path
- Create a folder called ssl
- Run the keytool command to create a keystore

There are two variables in the above command which you may want to change. Pay attention to the "first and last name" question. This is a bit misleading, I think: it is not your name but the domain name which you want to secure. Once you provide all the information, it will create a keystore file in the present working directory.

Next, generate a new CSR from the newly created keystore with the below command. This will create a CSR which you need to send to the certificate authority to get it signed. If you are just playing around, you may consider using a FREE certificate provider; otherwise, go for a premium one.

I got the certificate signed and will proceed to import it into the keystore with the below commands.

Import the root certificate given by the provider

Import the intermediate certificate

Note: without importing the root and intermediate certificates, you won't be able to import the domain certificate into the keystore. If you have more than one intermediate, you have to import them all.

Import the domain certificate

and you will get a confirmation that it was installed. Great, so the certificate keystore is ready now. Let's move to the next step. If you are new to SSL and interested in knowing more, enroll in this online course – SSL/TLS Operations.
Enable SSL in Tomcat
Assuming you are still logged in to the Tomcat server, go to the conf folder.

- Take a backup of the server.xml file
- Go to the <Connector port="8080" protocol="HTTP/1.1" section and add a line
- Don't forget to change the keystore file name and password to yours
- Restart Tomcat, and you should see that Tomcat is accessible over HTTPS
Sweet!
Standard HTTPS Port
Why? Well, if you look at the above screenshot, I am accessing Tomcat over 8080 with https, which is not standard, and there are some more reasons:

- You don't want to ask users to use a custom port
- The browser will give a warning, as the certificate is issued for the domain name without the port

So the idea is to make Tomcat listen on port 443 so it's accessible over https:// without the port number. To do so, edit server.xml with your favorite editor.

- Go to <Connector port="8080"
- Change the port from 8080 to 443
- It should look like this

Restart Tomcat and access your application over https without any port number.
Impressive, it’s a success!
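The whole procedure above (keystore, CSR, chain import in the required order, and the 443 Connector with only TLS 1.2 enabled), as an added example script that is not from the original article. The domain example.com, the keystore and alias names, the CA file names, and the STOREPASS variable are assumptions; set DRY_RUN=1 to see the commands without running them.

```shell
#!/bin/sh
# Added example (not the article's own commands): the keytool steps from the
# article, then the hardened HTTPS Connector for conf/server.xml. Assumed names:
# domain example.com, keystore tomcat.jks, key alias tomcat, CA files
# root.crt / intermediate.crt / example.com.crt. DRY_RUN=1 prints instead of running.
set -eu

run() {   # execute, or print when dry-running
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: new keystore with a 2048-bit RSA key. CN is the domain you are
# securing (the misleading "first and last name" prompt), not a person.
create_keystore() {   # create_keystore DOMAIN KEYSTORE STOREPASS
    run keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$2" -storepass "$3" -keypass "$3" \
        -dname "CN=$1, OU=IT, O=Example Org, L=City, ST=State, C=US"
    run chmod 600 "$2"   # the keystore holds the private key: owner-only
}

# Step 2: CSR from that key, to be sent to the certificate authority.
create_csr() {        # create_csr KEYSTORE STOREPASS CSRFILE
    run keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# Step 3: root first, then every intermediate, then the domain certificate
# under the key alias so keytool can link the chain (order matters).
import_chain() {      # import_chain KEYSTORE STOREPASS ROOT INTERMEDIATE DOMAIN
    run keytool -importcert -trustcacerts -noprompt -alias root \
        -file "$3" -keystore "$1" -storepass "$2"
    run keytool -importcert -trustcacerts -noprompt -alias intermediate \
        -file "$4" -keystore "$1" -storepass "$2"
    run keytool -importcert -trustcacerts -noprompt -alias tomcat \
        -file "$5" -keystore "$1" -storepass "$2"
}

# Step 4: Connector for server.xml, listening on 443 with TLS 1.2 only.
connector_xml() {     # connector_xml KEYSTORE STOREPASS
    printf '<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
    printf '           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"\n'
    printf '           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"\n'
    printf '           keystoreFile="%s" keystorePass="%s" />\n' "$1" "$2"
}

if [ "${1:-}" = "run" ]; then   # usage: STOREPASS=... ./tomcat-ssl.sh run
    create_keystore example.com ssl/tomcat.jks "$STOREPASS"
    create_csr ssl/tomcat.jks "$STOREPASS" ssl/example.com.csr
    connector_xml ssl/tomcat.jks "$STOREPASS"   # run import_chain once the CA replies
fi
```

Run import_chain after the CA returns the signed files, then paste the printed Connector into server.xml in place of the plain HTTP one and restart Tomcat.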
SSL/TLS Vulnerability Test
Finally, we will perform a test to ensure it's not vulnerable to known SSL/TLS weaknesses. There are many online tools, which I discussed here, and here I will use SSL Labs.
Go to SSL Labs and enter the URL to begin the test
And it's GREEN – an A rating. However, it's always a good idea to scroll down the report and see if you find any vulnerability, and fix it. So that was all for today. I hope this helps you understand the procedure for securing Tomcat with an SSL/TLS certificate. If you are interested in learning more, then I would highly recommend this course.