Configuring SSL/TLS in Tomcat to support HTTPS

Source: Internet
Author: User
Tags: pkcs12

This article shows how to configure SSL/TLS in Tomcat in a few simple steps: generate a self-signed certificate with the JDK's keytool, point Tomcat at the resulting keystore, and serve your application over HTTPS.

Production keys and certificates

Tomcat currently supports only the JKS, PKCS11 and PKCS12 keystore formats. JKS is the standard Java keystore format and is created with the keytool command-line tool shipped with the JDK. PKCS12 is an Internet-standard format that can also be produced and consumed by OpenSSL and Microsoft's Key Manager.

Create a keystore file to hold the server's private key and self-signed certificate:

Windows:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

After you run the command you are first prompted for the keystore password. The password Tomcat uses by default is changeit (all lowercase); you may of course choose your own. If you do, you must also set that custom password in the server.xml configuration file, as described later.

You will then be prompted for general information about the certificate, such as organization, contact name and so on. This information is shown to users when they access a secure page in your application, so make sure it matches what they expect to see.

Finally, you need to enter the key password, which protects this certificate's private key (as opposed to the keystore password, which protects the whole keystore file). The keytool prompt tells you that pressing Enter reuses the keystore password as the key password. You can also choose a different password here; if you do, do not forget to specify it in the server.xml configuration file.

The command creates a new file named .keystore in the user's home directory.

On Linux you can locate it with:

# find / -name '*keystore'
Found at: /root/.keystore

To use a different location or file name, add the -keystore parameter to the keytool command above, followed by the full path of the keystore file. You will also need to enter this new location in the server.xml configuration file, as described later in this article. For example:

Windows:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore

Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore

Tomcat uses port 8443 for HTTPS access.

Modify the configuration

In the Tomcat installation directory, open conf/server.xml, uncomment the "SSL HTTP/1.1 Connector" entry, and fill in the keystore path and password:

<!-- maxThreads must be an integer; 150 is the value used in the Tomcat documentation sample -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
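As an added example (not from this article or from Tomcat itself), the following Python script parses a server.xml shaped like the connector above and flags what a reviewer checks first: a keystorePass left at the keytool default, missing scheme/secure flags, a missing keystoreFile, and an HTTP connector whose redirectPort does not lead to an SSLEnabled connector. The sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml modelled on the connector above (not a real file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

DEFAULT_KEYSTORE_PASS = "changeit"   # keytool/Tomcat default named in the article


def audit_connectors(server_xml):
    """Return {port: [findings]} for each Connector in a server.xml text.

    HTTPS connectors are checked for the default keystore password, the
    scheme/secure flags and a keystoreFile; plain HTTP connectors for a
    redirectPort that points at an SSLEnabled connector.
    """
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    https_ports = {c.get("port") for c in connectors
                   if c.get("SSLEnabled", "false").lower() == "true"}
    report = {}
    for c in connectors:
        port, findings = c.get("port"), []
        if port in https_ports:
            # Tomcat falls back to "changeit" when keystorePass is absent.
            if c.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
                findings.append("keystorePass is the default 'changeit'")
            if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
                findings.append("scheme/secure not set; request.isSecure() would be false")
            if not c.get("keystoreFile"):
                findings.append("no keystoreFile; Tomcat falls back to ${user.home}/.keystore")
        else:
            rp = c.get("redirectPort")
            if rp is None:
                findings.append("no redirectPort; redirects to HTTPS cannot work")
            elif rp not in https_ports:
                findings.append("redirectPort %s is not an SSLEnabled connector" % rp)
        report[port] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```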

Effect

First, the browser accesses a page over HTTPS: https://192.168.1.143:8443

Next, the browser accesses the same page over HTTP:

When a user visits a secure page on your site for the first time, the browser usually shows a dialog with the certificate details (such as organization and contact information) and asks whether the user accepts the certificate as valid before proceeding. Some browsers offer an option to accept the certificate permanently so that the user is not prompted on every visit; others do not. Once the user accepts the certificate, it is treated as valid for the rest of the browser session.

Summary

Although the purpose of SSL is to provide a connection that is as secure and efficient as possible, encryption and decryption are computationally expensive, so it is not necessary to run the entire web application over SSL; developers should pick the pages that actually require a secure connection. On a fairly busy site, SSL is usually used only on specific pages, i.e. those that may exchange sensitive information, such as the login page, the personal information page, and the shopping cart checkout page (where credit card details may be entered). Any page in your application can be requested over an encrypted socket simply by replacing the http: prefix of the page address with https:.
