Regarding security, HTTPS (HTTP over TLS, still commonly called SSL) is the minimum requirement, and it is relatively cheap to set up. With it the transport layer is encrypted, which prevents sniffing and man-in-the-middle attacks, and the client can verify the server's identity against the server certificate. In this tutorial I will use a self-signed certificate, which browsers do not trust by default; if you need a trusted certificate, follow the instructions of your certificate authority.
1. Generate keystore with self-signed certificate in it
You can generate the keystore with Java's keytool. Open the Windows command line or a shell and check whether the keytool command is on your path. If the command is not recognized, look for the keytool executable in your %java_home%\bin directory.
Execute this command:
keytool -genkey -alias keyAlias -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore myKeystore.p12 -validity 3650
keytool generates a key pair plus a self-signed certificate (-genkey; newer keytool versions call the same operation -genkeypair) under the alias keyAlias (-alias), in a PKCS12 keystore (-storetype), using a 2048-bit RSA key (-keyalg, -keysize), stored in the file myKeystore.p12 (-keystore), with the certificate valid for 3650 days, i.e. 10 years (-validity).
Executing this command will ask you for a keystore password and a few identity questions. The password shown below (keyPwd) is only a placeholder; choose a strong one, because it protects the private key and will later be written into the Tomcat configuration. Note that keytool does not echo the password as you type it:
Enter keystore password: keyPwd
Re-enter new password: keyPwd
What is your first and last name?
  [Unknown]: 127.0.0.1
What is the name of your organizational unit?
  [Unknown]: LooksOK!
What is the name of your organization?
  [Unknown]: LooksOK!
What is the name of your City or Locality?
  [Unknown]: Minsk Mazowiecki
What is the name of your State or Province?
  [Unknown]: mazowieckie
What is the two-letter country code for this unit?
  [Unknown]: PL
Is CN=127.0.0.1, OU=LooksOK!, O=LooksOK!, L=Minsk Mazowiecki, ST=mazowieckie, C=PL correct?
  [no]: yes
2. Check keystore contents – find your certificate in there
Issue the list command on the file you just created to make sure the keystore contains the certificate:
keytool -list -keystore myKeystore.p12 -storetype PKCS12
This is the output (keytool stores and prints the alias in lower case):
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

keyalias, 2014-11-14, PrivateKeyEntry,
Certificate fingerprint (SHA1): 5A:3C:63:EC:CD:A9:AE:AA:D1:92:B3:3A:68:5A:95:C2:98:E3:69:01
So the certificate, together with its private key (PrivateKeyEntry), is really there.
3. Copy your keystore file to Tomcat dir
You can put the keystore file wherever you want, provided you enter that path in the Tomcat configuration. I encourage you to put it under %Tomcat_home%/conf/myKeystore.p12. Because the file contains the private key, restrict its permissions so that only the account running Tomcat can read it.
4. Configure Tomcat
The Tomcat configuration file is located at %Tomcat_home%/conf/server.xml. Find this section:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the BIO implementation that requires the JSSE style configuration. When using the APR/native implementation, the OpenSSL style configuration is required as described in the APR/native documentation -->
And uncomment the Connector element below it. I will use the default HTTPS port 443 (not the suggested 8443) and add the four keystore-specific attributes, keystoreFile, keystoreType, keystorePass and keyPass:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/myKeystore.p12" keystoreType="PKCS12"
           keystorePass="keyPwd" keyPass="keyPwd" />
A few caveats: the protocol above is the blocking (BIO) connector, which was removed in Tomcat 8.5, so on newer versions use org.apache.coyote.http11.Http11NioProtocol instead; on Linux, binding port 443 requires root or the CAP_NET_BIND_SERVICE capability, which is why the Tomcat default is 8443; and since the keystore password is stored in clear text here, server.xml must be readable only by the Tomcat user. On a current JVM, consider also restricting sslEnabledProtocols to TLSv1.2 and TLSv1.3 rather than accepting everything the generic "TLS" setting allows.
5. Test it
Start Tomcat and open:
https://127.0.0.1
Your browser will most likely warn you about the untrusted certificate, because a self-signed certificate does not chain to any certificate authority the browser trusts.
6. Verify the CN (Common Name)
The Common Name is the host I provided when answering the keytool questions: 127.0.0.1. When this exact address is used in the browser, the name check passes (you still get the untrusted-issuer warning described above). If you open
https://localhost
instead, the browser will additionally warn you that the host in the URL does not match the name in the certificate. Note that current browsers no longer look at the CN at all and require the host to be listed in the certificate's subjectAltName extension; keytool can add one with the -ext SAN=ip:127.0.0.1,dns:localhost option at generation time, which also lets a single certificate cover both addresses.
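To make the name check above concrete, here is an added example (not part of the original tutorial) that reimplements the browser's host-name matching rule in Python: subjectAltName entries are authoritative, and the subject CN is consulted only as a legacy fallback when the certificate has no SAN at all, which is exactly the situation the keytool command in this tutorial produces. The certificate dictionaries are constructed inline in the shape that Python's ssl.SSLSocket.getpeercert() returns; they are not real certificates. The helper fetch_cert_and_check() is an assumption about how you might probe a running Tomcat and needs the server certificate exported to PEM first.

```python
import ipaddress
import socket
import ssl

# Constructed peer-certificate dicts (same shape as getpeercert() output).
# CERT_CN_ONLY mirrors what the tutorial's keytool command creates: a CN of
# 127.0.0.1 and no subjectAltName extension.
CERT_CN_ONLY = {
    "subject": ((("commonName", "127.0.0.1"),), (("organizationName", "LooksOK!"),)),
}
# CERT_WITH_SAN is what "keytool ... -ext SAN=ip:127.0.0.1,dns:localhost" would yield.
CERT_WITH_SAN = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"), ("DNS", "localhost")),
}


def _dns_match(pattern, host):
    """Case-insensitive DNS-ID match allowing one wildcard in the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # "*.com" must not match "example.com": require at least two fixed labels.
    return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """True if `host` (DNS name or IP literal) is a valid identity for `cert`.

    If the certificate carries a subjectAltName, only its entries count
    (an IP literal must appear as an "IP Address" entry, a name as "DNS").
    Only when no SAN is present at all do we fall back to the subject CN,
    the legacy behaviour that still lets https://127.0.0.1 work with the
    tutorial's certificate; current browsers skip this fallback entirely.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS" and _dns_match(value, host):
                return True
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if ip is None:
                    return _dns_match(value, host)
                try:
                    return ipaddress.ip_address(value) == ip
                except ValueError:
                    return False  # CN is a name, but we were given an IP
    return False


def fetch_cert_and_check(host, port=443, ca_pem=None):
    """Connect to host:port over TLS and return (peer_cert, name_matches).

    ca_pem (assumed path) should contain the server certificate exported with
    "keytool -exportcert -rfc -alias keyAlias -keystore myKeystore.p12 -storetype PKCS12";
    without it the self-signed certificate is rejected during the handshake,
    which is the programmatic equivalent of the browser's untrusted-issuer warning.
    Chain verification stays on; only the name check is done by us, so the
    mismatch is reported instead of raised.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert, hostname_matches(cert, host)


if __name__ == "__main__":
    for cert_name, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("127.0.0.1", "localhost"):
            print(f"{cert_name:9s} {host:10s} -> {hostname_matches(cert, host)}")
```

Running the module prints that the CN-only certificate is accepted for 127.0.0.1 but not for localhost, while the SAN certificate is accepted for both; fetch_cert_and_check("127.0.0.1", 443, "server.pem") reproduces the same decision against a live Tomcat once the certificate has been exported.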
Note: Don't use self-signed certificates in production! Use them only in test and development environments.
Great post. Thank you.
Just one fix: We need to access the URL as https://127.0.0.1:8443/ with the port included…
Nice step by step instructions, great posts. Only thing is that you have mismatching name in “keytool -list” command i.e. keystore.p12 versus myKeystore.p12 in “keytool -genkey” command. Best wishes :)