Pascal Fares
Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication.
If you're using Apache Tomcat as the server for your web application, chances are that at least some of the data you're handling is sensitive, and SSL is an easy way to offer your users security. But the configuration process, and SSL itself, can be a little confusing for first-time users.
There are many CAs from which you can get a certificate, but almost all of them will cost you money. With Let's Encrypt, however, you can get a valid SSL certificate for your domain at no cost.
This guide breaks down the messy process of installing an SSL certificate on a Tomcat server into easily understandable pieces.
Before starting, I assume you already have:
- A running CentOS system with shell access and sudo privileges.
- A domain name registered and pointed at your server's public IP address. This tutorial uses example.com and www.example.com, both pointing at our server.
- A recent version of Java installed.
- A recent version of Tomcat installed.
- Ports 80 and 8443 open in your firewall (certbot's standalone validation uses port 80; Tomcat's SSL connector will listen on 8443).
- OpenSSL installed.
The certbot package is provided by EPEL. If the EPEL repository is not yet enabled on your system, install it with:
sudo yum install epel-release
Once the EPEL repository is enabled, install the certbot package:
sudo yum install certbot
If you have an active firewall, e.g. firewalld, open the https port on it:
# firewall-cmd --add-service https --permanent
# firewall-cmd --reload
Once Let's Encrypt (the CA) has verified that you control the domain, the certificate is issued. To generate a key pair and obtain a certificate for it, run the following (certbot's standalone mode binds port 80 itself for the validation, so nothing else may be listening there at that moment):
sudo certbot certonly --standalone -d example.com -d www.example.com
certbot names the live directory after the first -d domain, which is why example.com is listed first: the files land under /etc/letsencrypt/live/example.com.
If everything goes well, the certificate and key are written to the directory below; change into it and list the files:
cd /etc/letsencrypt/live/example.com
ls
Files list:
cert.pem (the server certificate)
chain.pem (the Let's Encrypt intermediate certificate)
fullchain.pem (cert.pem followed by chain.pem; this is what Tomcat must serve so that clients receive the intermediate)
privkey.pem (the private key)
First, create a PKCS12 file that contains both your full chain and the private key. You need openssl installed for that. openssl prompts for an export password; it must be the same password you pass as -srcstorepass to keytool in the next step.
openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
-in /etc/letsencrypt/live/example.com/fullchain.pem \
-inkey /etc/letsencrypt/live/example.com/privkey.pem \
-name tomcat
Then convert that PKCS12 to a JKS using Java's keytool:
keytool -importkeystore \
-deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
-srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
-alias tomcat
Replace samplePassword with your own password. Note that /tmp is used here only for illustration: the keystore contains the private key, so on a real server keep it in a directory readable only by the Tomcat user and point keystoreFile at that path.
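Let's Encrypt certificates are valid for 90 days, and certbot's renewal only refreshes the PEM files: the JKS built above has to be regenerated after every renewal. The script below, an added example that is not part of the original article, does exactly the two conversion steps above as a certbot --deploy-hook. It reads the lineage directory from RENEWED_LINEAGE (which certbot sets for deploy hooks), passes the keystore password through an environment variable using openssl's env: pass-phrase form and keytool's :env option rather than on the command line, and restarts Tomcat. The directory /etc/tomcat/keystore, the variable name TOMCAT_KEYSTORE_PASS and the systemd unit name tomcat are assumptions; adjust them for your host.

```python
import os
import subprocess
import sys

# Hypothetical deployment settings (not from the original article); adjust for your host.
KEYSTORE_DIR = "/etc/tomcat/keystore"     # a directory readable only by the tomcat user
KEY_ALIAS = "tomcat"                      # same alias the article uses
PASSWORD_ENV = "TOMCAT_KEYSTORE_PASS"     # environment variable holding the keystore password
TOMCAT_SERVICE = "tomcat"                 # systemd unit name, assumed


def build_commands(lineage, keystore_dir=KEYSTORE_DIR, alias=KEY_ALIAS,
                   password_env=PASSWORD_ENV):
    """Build the openssl and keytool argument lists that turn a certbot lineage
    directory (e.g. /etc/letsencrypt/live/example.com) into a JKS for Tomcat.

    Both tools read the password from the environment variable `password_env`
    (openssl's env: pass-phrase form, keytool's :env option), so it never appears
    on the command line. Returns (openssl_argv, keytool_argv, jks_path)."""
    name = os.path.basename(os.path.normpath(lineage))
    p12 = os.path.join(keystore_dir, name + ".p12")
    jks = os.path.join(keystore_dir, name + ".jks")
    openssl_argv = [
        "openssl", "pkcs12", "-export",
        "-in", os.path.join(lineage, "fullchain.pem"),   # leaf + intermediate, not cert.pem
        "-inkey", os.path.join(lineage, "privkey.pem"),
        "-name", alias,
        "-passout", "env:" + password_env,
        "-out", p12,
    ]
    keytool_argv = [
        "keytool", "-importkeystore", "-noprompt",        # -noprompt: overwrite the old entry
        "-srckeystore", p12, "-srcstoretype", "PKCS12",
        "-srcstorepass:env", password_env,
        "-destkeystore", jks,
        "-deststorepass:env", password_env,
        "-destkeypass:env", password_env,
        "-alias", alias,
    ]
    return openssl_argv, keytool_argv, jks


def main():
    # certbot exports RENEWED_LINEAGE to --deploy-hook scripts; it is the live
    # directory of the certificate that was just renewed.
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this script as a certbot --deploy-hook")
    if not os.environ.get(PASSWORD_ENV):
        sys.exit(PASSWORD_ENV + " is not set")
    openssl_argv, keytool_argv, jks = build_commands(lineage)
    os.makedirs(KEYSTORE_DIR, mode=0o750, exist_ok=True)
    subprocess.run(openssl_argv, check=True)   # raises CalledProcessError on failure
    subprocess.run(keytool_argv, check=True)
    os.chmod(jks, 0o640)                        # private key material: owner and group only
    subprocess.run(["systemctl", "restart", TOMCAT_SERVICE], check=True)


if __name__ == "__main__":
    main()
```

Register it with certbot renew --deploy-hook /path/to/this_script.py (with TOMCAT_KEYSTORE_PASS exported from a root-only file in the renewal timer's environment), and point keystoreFile in server.xml at the JKS it produces. Running it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com also performs the initial conversion.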
Now open Tomcat's server.xml:
# vim /etc/tomcat/conf/server.xml
Ensure the default HTTP connector is commented out:
<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
Configure a connector that uses the shared thread pool. The <Executor name="tomcatThreadPool" .../> element that sits above the connectors in the default server.xml is commented out; uncomment it, otherwise the executor reference below cannot be resolved.
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
Next, define the SSL HTTP/1.1 connector on port 8443:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/tmp/example.com.jks"
keystorePass="samplePassword"
clientAuth="false" sslProtocol="TLS" />
org.apache.coyote.http11.Http11Protocol is the blocking (BIO) connector, which exists in Tomcat 7 and 8.0; Tomcat 8.5 and later no longer ship it, so there use org.apache.coyote.http11.Http11NioProtocol instead. Because keystorePass unlocks the private key, keep server.xml readable only by root and the Tomcat user.
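The connector settings above are easy to get subtly wrong (an executor that is still commented out, a redirectPort with no matching SSL connector, a keystore left in /tmp, the BIO connector class on a Tomcat that no longer has it). The following audit script is an added example, not code from the original article or from the Tomcat project: it parses a server.xml with Python's standard xml.etree and lists those findings. The SAMPLE_SERVER_XML string is a constructed fragment reproducing the connectors configured above, with the Executor still commented out as in the stock file.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment reproducing the connectors configured
# above; not taken from a real server. The Executor is still commented out,
# as it is in the stock server.xml.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
              maxThreads="150" minSpareThreads="4"/>
    -->
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/tmp/example.com.jks"
               keystorePass="samplePassword"
               clientAuth="false" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Blocking (BIO) connector class: present in Tomcat 7 and 8.0, removed in 8.5.
BIO_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"


def audit_server_xml(xml_text):
    """Return a list of (severity, message) findings for the connectors in server.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    # Elements inside <!-- --> are dropped by the parser, so a commented-out
    # Executor simply does not appear here.
    executors = {e.get("name") for e in root.iter("Executor")}
    https_ports = set()

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"

        executor = conn.get("executor")
        if executor and executor not in executors:
            findings.append(("error", "port %s: executor '%s' is referenced but no "
                             "<Executor> with that name is defined (still commented out?)"
                             % (port, executor)))

        if ssl_enabled:
            https_ports.add(port)
            if conn.get("protocol") == BIO_PROTOCOL:
                findings.append(("warn", "port %s: %s is the BIO connector, removed in "
                                 "Tomcat 8.5; use Http11NioProtocol there" % (port, BIO_PROTOCOL)))
            keystore = conn.get("keystoreFile", "")
            if keystore.startswith("/tmp/"):
                findings.append(("warn", "port %s: keystore %s lives in /tmp; move it to a "
                                 "directory readable only by the tomcat user" % (port, keystore)))
            if conn.get("keystorePass"):
                findings.append(("info", "port %s: keystorePass is stored in server.xml; "
                                 "restrict the file's permissions" % port))
            if not conn.get("sslEnabledProtocols"):
                findings.append(("info", "port %s: sslEnabledProtocols not set, so the JVM "
                                 "default list applies; consider pinning TLSv1.2 and later" % port))
        elif not conn.get("redirectPort"):
            findings.append(("warn", "port %s: plain HTTP connector has no redirectPort; "
                             "CONFIDENTIAL security constraints cannot redirect to HTTPS" % port))

    # A redirectPort must point at a port where an SSLEnabled connector listens.
    for conn in root.iter("Connector"):
        redirect = conn.get("redirectPort")
        if redirect and redirect not in https_ports:
            findings.append(("error", "port %s: redirectPort=%s but no SSLEnabled connector "
                             "listens on that port" % (conn.get("port", "?"), redirect)))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for severity, message in audit_server_xml(text):
        print("[%s] %s" % (severity, message))
```

Run it as python3 audit_server_xml.py /etc/tomcat/conf/server.xml; with no argument it audits the embedded sample and reports the commented-out executor, the BIO protocol class, the /tmp keystore, the in-file password and the unset sslEnabledProtocols.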
With the above configuration, the redirectPort on the 8080 connector sends a request on to port 8443 whenever the web application requires a confidential transport (a security-constraint with transport-guarantee CONFIDENTIAL in its web.xml), so the HTTP-to-HTTPS redirect is handled by Tomcat itself.
Now just stop and start Apache Tomcat and you are done.
Your Tomcat server, along with all the applications that run on it, is SSL secured.
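After the restart, the check a practitioner wants is the one a browser performs: does the server present a chain that validates against the system CA store, for the right hostname, over a current TLS version, and how long until the 90-day certificate expires. The script below is an added example, not part of the original article; it uses only Python's standard ssl module. The host www.example.com is a placeholder for your own domain, and the 30-day warning threshold mirrors certbot's own renewal window.

```python
import socket
import ssl
import time

RENEW_WARNING_DAYS = 30   # certbot renews 30 days before expiry; Let's Encrypt certs last 90


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from ssl.getpeercert()
    (e.g. 'Mar 31 12:00:00 2018 GMT'). `now` is seconds since the epoch (default: now)."""
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    return (expires - now) / 86400.0


def check_tls_endpoint(host, port=8443, timeout=5.0):
    """Handshake with the server the way a browser does: verify the chain against the
    system CA store and check that the certificate matches `host`. Returns (ok, detail).

    A Tomcat that was given cert.pem instead of fullchain.pem usually fails here with
    CERTIFICATE_VERIFY_FAILED, because the Let's Encrypt intermediate is not sent."""
    context = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                protocol = tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "chain or hostname verification failed: " + str(exc.reason)
    except (OSError, ssl.SSLError) as exc:
        return False, "connection failed: " + str(exc)
    days = days_until_expiry(cert["notAfter"])
    # cert["issuer"] is a tuple of RDNs, each a tuple of (name, value) pairs.
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    detail = "issuer=%s protocol=%s expires in %.1f days" % (issuer, protocol, days)
    if days < RENEW_WARNING_DAYS:
        return False, "renewal due: " + detail
    return True, detail


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    ok, detail = check_tls_endpoint(target)
    print(("OK   " if ok else "FAIL ") + detail)
```

Run it as python3 check_tls.py www.example.com from a machine outside the server (so the firewall rule for 8443 is exercised too). A verification failure right after setup almost always means the connector was built from cert.pem rather than fullchain.pem, or the keystore alias does not hold the chain.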
The author is a seasoned professional in cryptography and security. He is the cofounder of ObboyLabs. He is also a consultant to BCC, ICT Division Bangladesh, and leads their Certificate Authority team.
- Ssl
- Security
- Tomcat
- Lets Encrypt
- Ssl Certificate
Mar 31, 2018 · 4 min read