Apache Tomcat : Enable HTTPS
This article shows how to enable HTTPS for Tomcat. It uses a self-signed certificate, but you can replace this with a certificate issued by a Certificate Authority (CA).
Related articles.
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Apache Tomcat 7 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Setup
Set the relevant environment variables.
export JAVA_HOME=/u01/ords/jdk1.8.0_91
export CATALINA_HOME=/u01/ords/apache-tomcat-8.0.35
export CATALINA_BASE=$CATALINA_HOME
Using a Keystore
Use this section if you plan on using a keystore.
Create Keystore
Create a keystore containing a self-signed certificate. Adjust the "-dname" values and the passwords as required. The "-validity 3600" setting makes the certificate valid for 3600 days, a little under 10 years. Do not use a password like "password1" outside a test system, and keep the keystore file readable only by the user that runs Tomcat, since it holds the private key.

mkdir -p ~/keystore
cd ~/keystore
$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
  -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
  -storepass password1 -validity 3600 -keysize 2048 -keypass password1
Configure Tomcat (Keystore)
If you are using a keystore, make the following two changes to the "$CATALINA_HOME/conf/server.xml" file.

(1) Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

After: Amend the path and password for your keystore.

<Connector port="8443" protocol="HTTP/1.1" maxThreads="250"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/home/oracle/keystore/keystore.jks" keystorePass="password1"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           URIEncoding="UTF-8" />

<!-- If you are using a proxy server, you may need to add the following two entries also.
     proxyName="www.example.com"
     proxyPort="443"
-->

The "sslEnabledProtocols" attribute restricts the connector to TLS 1.2; without it, the JVM defaults decide which protocol versions a client can negotiate. The keystore password is stored in clear text, so make sure "server.xml" is readable only by the operating system user that runs Tomcat. On Tomcat 8.5 and later these attributes still work but are treated as legacy, and the TLS settings can instead be placed in a nested "SSLHostConfig" element.

(2) Before:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
Using Certificates and Keys
Use this method if you plan to use a certificate and key, rather than a keystore. You can generate self-signed certificates, or use real certificates from a certificate authority.
- Self-Signed Certificates - keytool (Java)
- Let's Encrypt - Free Certificates on Oracle Linux (CertBot)
In this example, we are using the certificates created using Let's Encrypt for a domain called "example.com". The "Http11AprProtocol" connector reads PEM files directly, but it requires the Tomcat Native (APR) library to be installed and loadable by Tomcat, and the user that runs Tomcat must be able to read "privkey.pem", which certbot creates readable only by root. Make the following two changes to the "$CATALINA_HOME/conf/server.xml" file.

(1) Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

After: Amend the certificate, key and chain paths for your domain.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
           SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
           SSLCertificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
           SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.2"
           URIEncoding="UTF-8" />

<!-- If you are using a proxy server, you may need to add the following two entries also.
     proxyName="www.example.com"
     proxyPort="443"
-->

Note that "SSLVerifyClient="optional"" asks clients for a certificate and verifies any certificate presented against "SSLCACertificateFile". With the Let's Encrypt chain as the CA file, a client certificate issued by the same Let's Encrypt intermediate would verify, so use "SSLVerifyClient="none"" unless you actually need client certificates, and if you do, point "SSLCACertificateFile" at the CA that issues them.

(2) Before:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
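Both the keystore section and the certificate-file section above hand-edit "server.xml", and the attributes that matter for security (the enabled protocol list, the clear-text keystore password, client certificate verification, the AJP connector's defaults) are easy to get wrong. The following Python script is an added example written for this article; it is not part of Tomcat and not from the original page. It parses a "server.xml", walks every Connector and reports those settings. The sample XML inside it is constructed: the article's keystore connector on 8443, an APR-style connector on 8444 with a deliberately loose "SSLProtocol="all"" and "SSLVerifyClient="optional"", and the AJP connector as shipped. The AJP checks assume the attribute names "address" and "secret" (or "requiredSecret" on older releases) and that, on older Tomcat releases, an AJP connector without "address" listens on all interfaces.

```python
"""Audit HTTPS-related Connector settings in a Tomcat server.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the article's keystore connector, a loosely
# configured APR connector, and the AJP connector left at its defaults.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="250"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/oracle/keystore/keystore.jks"
               keystorePass="password1" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
               SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
               SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
               SSLVerifyClient="optional" SSLProtocol="all" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# The only protocol versions a connector should be allowed to negotiate.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def split_protocols(value):
    """Split a JSSE list ("TLSv1.1,TLSv1.2") or an APR list ("TLSv1+TLSv1.2")."""
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]


def audit_connectors(server_xml):
    """Return a list of (port, finding) tuples; an empty list means nothing to report."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")

        if protocol.startswith("AJP"):
            # Assumption: older releases bind AJP to every interface unless 'address' is set.
            if conn.get("address") is None:
                findings.append((port, "AJP connector has no 'address'; bind it to 127.0.0.1 "
                                       "or remove it if no reverse proxy uses it"))
            if conn.get("secret") is None and conn.get("requiredSecret") is None:
                findings.append((port, "AJP connector has no shared secret configured"))
            continue

        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing TLS-related to check here

        # JSSE (keystore) connectors use sslEnabledProtocols; APR connectors use SSLProtocol.
        enabled = conn.get("sslEnabledProtocols") or conn.get("SSLProtocol")
        if enabled is None:
            findings.append((port, "no sslEnabledProtocols/SSLProtocol restriction; the JVM or "
                                   "native library defaults decide which TLS versions are offered"))
        else:
            weak = [p for p in split_protocols(enabled) if p not in ACCEPTABLE_PROTOCOLS]
            if weak:
                findings.append((port, "protocol list contains entries other than TLSv1.2/TLSv1.3: "
                                       + ", ".join(weak)))

        if conn.get("keystorePass") is not None:
            findings.append((port, "keystorePass is stored in clear text; make server.xml "
                                   "readable only by the user that runs Tomcat"))

        if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
            findings.append((port, "scheme/secure are not https/true; request.isSecure() "
                                   "and redirects will be wrong"))

        if (conn.get("clientAuth", "false").lower() == "true"
                or conn.get("SSLVerifyClient") in ("require", "optional")):
            findings.append((port, "client certificate verification is enabled; the CA file "
                                   "must hold only the CAs you trust to issue client certificates"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py $CATALINA_HOME/conf/server.xml (defaults to the sample).
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, finding in audit_connectors(source):
        print(f"port {port}: {finding}")
```

Run it against a real "$CATALINA_HOME/conf/server.xml" after editing: connectors that are still commented out are ignored by the XML parser, so the report covers only what Tomcat will actually start. The script reads the file once and makes no network connection, so it can run before Tomcat is restarted.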
Restart Tomcat
Restart Tomcat in the normal way.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
You will now be able to access Tomcat using both HTTP and HTTPS. With a self-signed certificate the browser will warn that the certificate is not trusted; that warning disappears once you use a CA-issued certificate.

http://server:8080/
https://server:8443/
For more information see:
- Apache Tomcat 9 Installation on Linux (RHEL and clones)
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Apache Tomcat 7 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Hope this helps. Regards Tim...