Apache Tomcat SSL

This page assumes $JAVA_HOME/bin is in your PATH
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry-standard format.

Keystore

The command below creates a PKCS12 keystore (/tomcat/.keystore.p12) and generates a key pair with its certificate, which is stored in it...

(if the keystore already exists, this will just add a new certificate to it)

keytool -genkeypair -alias tomcat -keyalg RSA -keystore /tomcat/.keystore.p12 -storetype pkcs12


You will be prompted for:
  • a password, which you should note securely
  • your first and last name (CN)
  • your Organizational Unit (OU) - normally your department name
  • your Organization (O)
  • your City or Locality (L)
  • your State or Province (ST)
  • your two letter country code (C)

Enter 'yes' to confirm your entries. The key password can be the same as the keystore password.
NOTE: If you have followed the Tomcat installation steps elsewhere on this site then you will have installed Tomcat as 'root' but will be running it as 'tomcat' (which is a user without a shell). We could login as 'tomcat' and force use of a shell, but it seems simpler to run these commands as 'root' but use -keystore to put the tomcat keystore under the /tomcat directory.

server.xml

Add this stanza to /tomcat/latest/conf/server.xml...

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443"
    scheme="https"
    secure="true"
    maxThreads="150"
    SSLEnabled="true"
    keystoreFile="/tomcat/.keystore.p12"
    keystorePass="keyStorePassword"
    keyAlias="tomcat"
    clientAuth="false"
    sslProtocol="TLS">
</Connector>

port - Generally 8443 for SSL
scheme - Default is "http", use "https" for SSL
secure - Default is "false", should be "true" for SSL
protocol - one of:
  • HTTP/1.1 - Don't use this setting, as it will pick a protocol implementation based on certain criteria, and SSL config differs between protocols.
  • org.apache.coyote.http11.Http11NioProtocol - Java SSL and OpenSSL support; the rest of this config was tested with this protocol.
  • org.apache.coyote.http11.Http11Nio2Protocol - Java SSL and OpenSSL support; the rest of this config should work with this protocol.
  • org.apache.coyote.http11.Http11AprProtocol - OpenSSL support only.

Restart Tomcat

systemctl restart tomcat
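As an added check (example code, not part of this page or of Tomcat itself), the Python script below parses a server.xml and flags any SSL connector whose attributes deviate from the settings described above. SAMPLE_SERVER_XML is a constructed sample wrapping the stanza from this page, and the ".p12 extension" check is a heuristic assumption based on the keystore name used here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's connector stanza wrapped in a minimal
# server.xml skeleton so it parses stand-alone (not a real Tomcat file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" scheme="https" secure="true" maxThreads="150"
               SSLEnabled="true" keystoreFile="/tomcat/.keystore.p12"
               keystorePass="keyStorePassword" keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Values the attribute notes above say an SSL connector should carry.
EXPECTED = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}
REQUIRED = ("keystoreFile", "keyAlias")


def audit_ssl_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true".

    An empty finding list means the connector matches the page's settings.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector; out of scope for this check
        port = conn.get("port", "?")
        findings = []
        for attr, want in EXPECTED.items():
            if conn.get(attr) != want:
                findings.append(f'{attr} should be "{want}", got {conn.get(attr)!r}')
        for attr in REQUIRED:
            if not conn.get(attr):
                findings.append(f"{attr} is missing")
        # HTTP/1.1 lets Tomcat pick an implementation, and SSL config differs
        # between implementations, so an explicit protocol class is expected.
        if conn.get("protocol", "HTTP/1.1") == "HTTP/1.1":
            findings.append('protocol is "HTTP/1.1"; name an explicit protocol class')
        # Heuristic assumption: the PKCS12 store on this page is named *.p12.
        if not conn.get("keystoreFile", "").endswith(".p12"):
            findings.append("keystoreFile does not look like a PKCS12 store (.p12)")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else findings)
```

Point it at /tomcat/latest/conf/server.xml by reading the file into a string and passing that instead of the sample.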