Two ways to set up HTTPS for Tomcat

Source: Internet
Author: User
Tags: naming convention, pkcs12, ssl certificate, cipher suite, ssllabs

Set HTTPS

The content of this first section is based on article 50420059.

Usually, when you create an HTTPS server, you need the web site's SSL certificate file. Most documents found on the Internet only describe how to create a certificate with keytool, but a certificate made that way will not pass the browser validation of most Internet users. So if you want an HTTPS service that everyone can access, request a certificate from a trusted certificate authority (CA).

However, the certificate files downloaded from the CA's web site do not include a JKS keystore file that Tomcat can use, so you must first convert the certificate into a format Tomcat can load. Suppose we have requested a certificate from the CA and also hold the matching private key file:

1. example.com.crt: certificate file, containing our own web site's certificate and the CA's intermediate certificate

2. example.com.key: private key file

First, merge the certificate and the private key into a PKCS12 file, temp.p12. You will be prompted to create a password (this corresponds to keyPass in the Tomcat configuration file). Command line input:

openssl pkcs12 -export -in example.com.crt -inkey example.com.key -out temp.p12 -name temp

Second, generate the keystore file in JKS format, which Tomcat can read directly. You need to enter the password created in the previous step and then set a new keystore password (this corresponds to keystorePass in the Tomcat configuration file):

keytool -importkeystore -srckeystore temp.p12 -srcstoretype PKCS12 -destkeystore example.com.jks

Third, modify the Connector configuration in Tomcat's server.xml as follows, then restart Tomcat to enable HTTPS:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" redirectPort="8443"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="/home/test/tomcat/apache-tomcat-7.0.68/example.com.jks"
           keyPass="changeit" keystorePass="Npzd9zgk"/>

  • protocol: the protocol implementation that handles the traffic; here BIO is used. See the "Tomcat Profile Resolution" subsection for a detailed explanation. As an optimization you may use NIO or NIO2 (if supported) instead; the other HTTPS settings stay the same. The BIO/NIO/NIO2 connectors rely on JSSE for HTTPS. If you use the APR connector, the HTTPS configuration is different; see the "Set HTTPS (APR connector implementation)" subsection. APR relies on OpenSSL to implement HTTPS.
  • SSLEnabled: enables HTTPS on this connector.
  • scheme: either http or https. When a program calls request.getScheme(), it gets the value specified here, so the correct value must be passed to the program.
  • secure: set this to true if you want request.isSecure() to return true for requests received by this connector. You would set it to true for SSL connectors, or for non-SSL connectors that receive data from an SSL accelerator (such as a crypto card), an SSL appliance, or a web server. The default is false.
  • clientAuth: whether the connector requires HTTPS client certificate authentication; see the Tomcat web site for details. The default is false.
  • sslProtocol: the SSL protocol to use. The default is "TLS". This attribute overlaps with sslEnabledProtocols.
  • sslEnabledProtocols: the SSL protocols enabled for HTTPS. If this value is specified, only the protocols listed here and supported by the SSL implementation are enabled. If it is not specified, the JVM default is used. This attribute overlaps with sslProtocol.
  • keystoreFile: the location of the keystore file holding the server's HTTPS certificate. You can use an absolute path or a path relative to $CATALINA_BASE.
  • keyPass: the password used to access the server certificate inside the keystore. The default is "changeit".
  • keystorePass: the password used to open the keystore file. The default is the value of keyPass.
  • keystoreType: the keystore file type. The default is "JKS".
  • ciphers: the cipher suite names, using the JSSE cipher naming convention. If you use the keyword ALL, every cipher suite is enabled, which may not be secure, so use that only for testing. The following list was tested and is described as secure and compatible with most clients:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA

  • useServerCipherSuitesOrder: if set to true, the client is forced to pick a cipher suite following the server-side cipher suite order. This option is only supported on Tomcat 8 and later.

Set HTTPS (APR connector implementation)

1. If you follow the "Set HTTPS" subsection, the resulting HTTPS site is probably incompatible with Java 6 clients, so every Java application running on JDK 6 that calls our HTTPS site's API will fail. This can be tested at https://www.ssllabs.com/.

When you actually call such an HTTPS site from an application running on Java 6, you get an error like "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake". This is not because the cipher suites used by the HTTPS site are incompatible with the Java 6 client, but because the HTTPS site does not handle the Java 6 client's HTTPS handshake message correctly.

2. To solve the above problem, we need to use the APR connector to implement HTTPS. APR relies on OpenSSL for HTTPS, and APR connectors are better than the BIO/NIO/NIO2 connectors in both performance and functionality. Before configuring the APR connector for Tomcat, you must install APR and OpenSSL; see the "APR issues" subsection.

3. Modify the Connector configuration in Tomcat's server.xml as follows and restart Tomcat once it is set up:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000" maxThreads="500"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
           SSLCertificateChainFile="/home/test/tomcat/apache-tomcat-7.0.68/ca.crt"
           SSLCertificateFile="/home/test/tomcat/apache-tomcat-7.0.68/example.com.crt"
           SSLCertificateKeyFile="/home/test/tomcat/apache-tomcat-7.0.68/example.com.key"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
           SSLHonorCipherOrder="true"/>

  • protocol: be sure to use the APR connector protocol here. The SSLProtocol, SSLCertificateFile, SSLCertificateKeyFile and related attributes below only apply to the APR implementation.
  • SSLProtocol: the SSL protocols to support.
  • SSLCertificateChainFile: path of the file containing the intermediate CA certificate, in PEM format.
  • SSLCertificateFile: path of the file containing both the intermediate CA certificate and the web site's own certificate, in PEM format.
  • SSLCertificateKeyFile: path of the private key file, in PEM format.
  • SSLCipherSuite: the cipher suites. The default is "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA".
  • SSLHonorCipherOrder: if set to true, the client is forced to pick a cipher suite following the server-side cipher suite order.
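As an added check (not code from the original article), the following Python script audits both cipher lists on this page: it scans the JSSE ciphers list from the first section by suite name against a weak-cipher table, and it expands the APR SSLCipherSuite string above with Python's standard ssl module into the concrete suites the local OpenSSL build would actually offer. Both input strings are taken from this page; the weak-cipher table and the no-forward-secrecy rule are the editor's own assumptions, not anything Tomcat ships.

```python
import ssl

# Cipher lists as given on this page (copied from the two Connector examples).
JSSE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
)
APR_CIPHER_STRING = "ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"

# Substrings of JSSE suite names that mark a suite as unfit for production (editor's own policy).
WEAK_JSSE_PATTERNS = {
    "RC4": "RC4 keystream biases; RFC 7465 prohibits RC4 in TLS",
    "3DES": "64-bit block cipher, Sweet32 birthday attack",
    "_MD5": "MD5-based MAC",
    "NULL": "no encryption or no authentication",
    "EXPORT": "export-grade key sizes",
    "ANON": "anonymous key exchange, no server authentication",
}

def audit_jsse_ciphers(ciphers_attr):
    """Audit a Tomcat JSSE `ciphers` attribute (comma-separated suite names). Returns
    {suite: reason} for each suite to remove: weak primitives, plus TLS_RSA_*/SSL_RSA_*
    suites whose static RSA key exchange gives no forward secrecy."""
    findings = {}
    for raw in ciphers_attr.split(","):
        suite = raw.strip().upper()  # normalise whitespace and case before matching
        if not suite:
            continue
        reason = next((why for pat, why in WEAK_JSSE_PATTERNS.items() if pat in suite), None)
        if reason is None and suite.startswith(("TLS_RSA_", "SSL_RSA_")):
            reason = "static RSA key exchange, no forward secrecy"
        if reason:
            findings[suite] = reason
    return findings

def expand_openssl_ciphers(cipher_string):
    """Expand an OpenSSL cipher string (the APR SSLCipherSuite value) into the concrete
    suites the local OpenSSL build would offer, in preference order, as
    (name, key_exchange, protocol) tuples. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # same OpenSSL cipher-string parser the APR connector uses
    return [(c["name"], c["kea"], c["protocol"]) for c in ctx.get_ciphers()]

if __name__ == "__main__":
    for suite, why in audit_jsse_ciphers(JSSE_CIPHERS).items():
        print(f"JSSE list: drop {suite}: {why}")
    for name, kea, proto in expand_openssl_ciphers(APR_CIPHER_STRING):
        print(f"APR string offers {name} ({kea}, {proto})")
```

Run against the page's JSSE list, the audit flags the RC4 and 3DES suites and the four TLS_RSA_* suites; the APR string expands with no RC4 and no static-RSA key exchange because of its !RC4 and !kRSA terms.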


There are two points to note:

1) SSLProtocol sets the SSL protocols to support. If you specify more than one protocol for an OpenSSL-based connector, it always also supports SSLv2Hello; if only one protocol is specified, SSLv2Hello is not supported. This is the feature that makes the APR implementation of HTTPS compatible with Java 6 clients.

2) The file specified by SSLCertificateChainFile contains only the intermediate CA's certificate, while the file specified by SSLCertificateFile contains both the intermediate CA's certificate and the web site's own certificate (the web site certificate must come before the intermediate CA certificate in that file). This differs from configuring HTTPS in Nginx. In Tomcat you need to specify both SSLCertificateChainFile and SSLCertificateFile, otherwise the certificate chain is incomplete. Accessing the site with a browser shows no error in that case, probably because the browser downloads the intermediate CA's certificate itself to complete the chain. If a Java client program calls the HTTPS site, however, an error may occur because the certificate chain sent by the server is incomplete. The reason SSLCertificateFile must contain both the intermediate CA certificate and the web site's own certificate is that clients such as Java 6 do not support SNI (Server Name Indication), so the server has to hand them every required certificate at once; if the server only provides the web site's own certificate, such a client considers the certificate invalid.

4. Finally, if possible, test your HTTPS site at https://www.ssllabs.com/ssltest/ to see whether there are any problems.
