
4-step configuration of SSL encryption on Tomcat in Ubuntu Linux using Self-Signed Certificate


First things first: the title makes it clear that the reader is expected to know the terms SSL, Tomcat and Linux, so we get straight to the topic. The simple steps below can save you hours if you follow them in order.

So, you have a web application ready to deploy, and you want the communication to be encrypted and your clients to be sure they are talking to the right server. Configuring SSL on your web server and your application does both jobs in the 4 steps below:

  1. Creating a dummy (self-signed) certificate
    - Run: cd /usr/lib/jvm/java-6-openjdk-i386/jre/bin/
    - Run: keytool -genkeypair -alias MyCertificate -keyalg RSA -keystore "/home/myhome/MyCertificate.cert"
    Here, we used Java's keytool application to generate an RSA key pair and a self-signed certificate for it.
    Enter all the information asked for: keystore password, name, organization, etc.
    This creates a keystore file containing your private key and the self-signed certificate, protected by the password you entered. Since it holds the private key, keep the file readable only by the user Tomcat runs as.

  2. Enabling SSL on your Tomcat server
    - Run: nano /var/lib/tomcat6/conf/server.xml
    - Search for the commented-out block that configures the SSL HTTP connector (by default it listens on port 8443)
    - Uncomment the block and you should see:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
    - Set protocol="org.apache.coyote.http11.Http11NioProtocol":
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
    - Next, provide the path and password of the keystore you created in step 1 (keystorePass is stored in clear text, so server.xml should not be world-readable):
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                   keystoreFile="/home/owais/MyCertificate.cert"
                   keystorePass="mysslcertificatepassword" />
    - Save the file and exit the editor
    - Run: service tomcat6 restart

  3. Test that it works
    - Open your browser and try: https://localhost:8443
    - The browser should warn you that the site's certificate is untrusted; that is expected, because it is self-signed and no CA vouches for it. Proceed anyway, and if you like, add the site as an exception.

  4. Next, configure your web application to talk only over HTTPS
    - Open your web app's web.xml in any editor
    - Add the following lines at the bottom of your web.xml, just before the closing </web-app> tag

    <!-- This block makes sure that all the resources are accessed via HTTPS -->
    <security-constraint>
     <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
    </security-constraint>
    <!-- This block overrides the previous for certain resources and enables them on both HTTP and HTTPS -->
    <security-constraint>
     <web-resource-collection>
      <web-resource-name>HTTPSOrHTTP</web-resource-name>
       <url-pattern>*.jpg</url-pattern>
       <url-pattern>/img/*</url-pattern>
       <url-pattern>/css/*</url-pattern>
       <url-pattern>index.html</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
    </security-constraint>
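
As an added example (not part of the original post), the following Python script checks the two pieces of configuration above: the SSL connector from step 2 and the transport guarantees from step 4. The sample XML inside it is constructed to mirror the snippets on this page; the keystore path and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the step-2 connector (placeholder path and password).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false"
 sslProtocol="TLS" keystoreFile="/home/myhome/MyCertificate.cert"
 keystorePass="PLACEHOLDER-PASSWORD"/></Service></Server>"""

# Constructed sample of the two step-4 security constraints.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
 <web-resource-name>HTTPSOnly</web-resource-name><url-pattern>/*</url-pattern>
</web-resource-collection><user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
 <web-resource-name>HTTPSOrHTTP</web-resource-name>
 <url-pattern>*.jpg</url-pattern><url-pattern>/img/*</url-pattern>
 <url-pattern>/css/*</url-pattern><url-pattern>index.html</url-pattern>
</web-resource-collection><user-data-constraint>
 <transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

def audit_connector(server_xml):
    """Return a list of findings for every SSLEnabled Connector in server.xml."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled") != "true":
            continue
        port = c.get("port")
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr) != want:
                findings.append(f"port {port}: {attr} should be {want}")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile missing")
        if c.get("keystorePass"):
            # Clear-text password: keep server.xml readable only by Tomcat's user.
            findings.append(f"port {port}: keystorePass stored in clear text")
    return findings

def audit_transport(web_xml):
    """Map each url-pattern to the transport-guarantee declared for it."""
    guarantees = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        for p in sc.iter("url-pattern"):
            guarantees[p.text.strip()] = tg
    return guarantees
```

Point the two functions at the real files (open(...).read()) to confirm that /* is CONFIDENTIAL and that only the patterns you meant to exempt are NONE.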

Now your application and web server are both ready to talk on a secure channel.
