Tomcat: Configuring SSL

Source: Internet
Author: User
Tags: pkcs12

SSL Brief

SSL (Secure Sockets Layer) is a technology that allows web browsers and web servers to communicate over secure connections. It is a two-way process: both the server and the browser encrypt all exchanged data before sending it.

An important feature of SSL is authentication: when you use a web browser to access the server, the server presents a certificate to the browser.

When using Tomcat, there are several scenarios:

1) By default, SSL is not enabled, so accessing the application over HTTPS fails.

2) When only SSL is enabled, the application can be accessed only over HTTPS. (AJP is not considered here.)

3) When both HTTP and HTTPS are enabled, the application can be accessed over either HTTP or HTTPS.

Generate KeyStore

A certificate must be backed by a keystore, and the KeyStore file is what holds it. There are several keystore formats; the ones currently supported by Tomcat are JKS, PKCS11 and PKCS12. JKS (Java KeyStore) is implemented in Java, and keystore files can be created with the JDK's bin/keytool tool. PKCS12 is an open standard that can be managed with OpenSSL or Microsoft's Key Manager.

The following uses JKS as the KeyStore format.

-keyalg is the algorithm used to generate the public/private key pair. Commonly used values are RSA, DSA and so on.

The passwords used above must be identical; Tomcat requires this. The first password is the password of the KeyStore file (a password is required to access the file), and the last password is the password of the generated key.

The generated KeyStore file is placed by default in ${user.home}/.keystore. If you want to change the location, you can use the command:

Configuring SSL in Server.xml

keystorePass is the access password for the KeyStore file; change it to the password you chose when generating the keystore.

keystoreFile is the location of the KeyStore file, so that Tomcat can find the KeyStore when it starts.

Test

Test 1: Enable HTTPS only, do not enable HTTP

In server.xml, comment out the connector for port 8080 and uncomment the connector for port 8443. Then start Tomcat.

Access docs via HTTP and HTTPS respectively:

http://localhost:8080/docs, https://localhost:8443/docs

Result: only HTTPS access succeeds.

Test 2: Enable both HTTP and HTTPS

In server.xml, uncomment the connectors for ports 8080 and 8443, then start Tomcat.

Access docs via HTTP and HTTPS respectively:

http://localhost:8080/docs, https://localhost:8443/docs

Result: both are accessed normally.

The effect of redirectPort

Let's take a look at how the official Tomcat documentation explains it:


Catalina would automatically redirect the request to the port number specified here.

If the current connector supports non-SSL requests (that is, it can be accessed over HTTP) and the requested resource matches the URL specified in a <security-constraint> in web.xml, Catalina automatically redirects the request to the port given by redirectPort. redirectPort is therefore configured as the port of the SSL connector.

The URLs configured under security-constraint are used to authenticate visitors, so how are they related to SSL?

With this question in mind, look at the description of web.xml in Oracle's official documentation:

> web-resource-collection configures the URLs.

> auth-constraint configures identity authentication.

> user-data-constraint defines how data is handled when the client communicates with the server.

The following are the child elements under user-data-constraint:

Two transport-guarantee values involve SSL: INTEGRAL and CONFIDENTIAL:

INTEGRAL: data transferred between client and server must not be tampered with.

CONFIDENTIAL: data transferred between client and server must be transformed so that the original content cannot be seen directly.
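As an added example (not part of the original page or the Tomcat documentation), the following shows the server.xml connector pair and the web.xml constraint that together produce the redirect described above. The keystore path, the password and the /secure/* URL pattern are placeholders.

```xml
<!-- server.xml: plain HTTP connector; redirectPort points at the SSL connector below -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- server.xml: SSL connector using the JKS keystore generated with keytool.
     keystoreFile and keystorePass are placeholders for your own values. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/.keystore"
           keystorePass="changeit" />

<!-- web.xml: a request for /secure/* arriving on port 8080 is redirected to 8443.
     There is no <auth-constraint>, so only the transport is constrained, not identity. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The link between security-constraint and SSL is the user-data-constraint: a constraint that carries only an auth-constraint does not trigger any redirect to redirectPort.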
