Tuesday, February 12, 2013

4-step configuration of SSL encryption on Tomcat in Ubuntu Linux using Self-Signed Certificate


First things first, the title makes it clear that the user is expected to know about terms SSL, Tomcat and Linux, so getting straight to the topic. The simple steps below can save hours of your time if you followed them sequentially.

So, you have a web application ready to deploy and you want your communication to be entrypted and make sure that you are talking to the right server. Configuring SSL on your web server and application will do both the jobs for you in 4 steps below:

  1. Creating dummy certificate
    - Run: cd /usr/lib/jvm/java-6-openjdk-i386/jre/bin/
    - Run: keytool -genkeypair -alias MyCertificate -keyalg RSA -keystore "/home/myhome/MyCertificate.cert"
    Here, we used Java's keytool application to generate a self-signed certificate.
    Enter all the information asked further: password, name, organization, etc.
    This will generate a SSL certificate file, containing encrypted text.

  2. Enabling SSL on your tomcat server
    - Run: nano /var/lib/tomcat6/conf/server.xml
    - Search for commented block for configuring SSL HTTP connector (by default, it's on port 8443)
    - Uncomment the block and you should see:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
    - Set protocol="org.apache.coyote.http11.Http11NioProtocol":
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
    - Next, provide the password and file path of the Certificate you created:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" 
                   keystoreFile="/home/owais/MyCertificate.cert" 
                   keystorePass="mysslcertificatepassword" />
    - Save the file and exit the editor
    - Run: service tomcat6 restart

  3. Test if it works
    - Open your browser and try: https://localhost:8443
    - The browser should warn you that the website is untrusted source. Ignore and proceed, you may add the website as an exception.

  4. Next step is to configure your web application to talk only to HTTPS enabled tomcat server
    - Open your web app's web.xml in any editor
    - Add the following lines at the bottom of your web.xml, just before </web-app> tag closure

    <!-- This block makes sure that all the resources are accessed via HTTPS -->
    <security-constraint>
     <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
    </security-constraint>
    <!-- This block overrides the previous for certain resources and enables them on both HTTP and HTTPS -->
    <security-constraint>
     <web-resource-collection>
      <web-resource-name>HTTPSOrHTTP</web-resource-name>
       <url-pattern>*.jpg</url-pattern>
       <url-pattern>/img/*</url-pattern>
       <url-pattern>/css/*</url-pattern>
       <url-pattern>index.html</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
    </security-constraint>

Now your application and web server are both ready to talk on a secure channel.

No comments:

Post a Comment