Home » Articles » Linux » Here

Apache Tomcat : Enable HTTPS

This article show how to enable HTTPS for Tomcat. It uses a self-signed certificate, but you could replace this with a valid Certificate Authority (CA) certificate.

• Setup
• Using a Keystore
  
  • Create Keystore
  • Configure Tomcat (Keystore)
• Using Certificates and Keys
• Restart Tomcat

Related articles.

• Apache Tomcat 8 Installation on Linux (RHEL and clones)
• Apache Tomcat 7 Installation on Linux (RHEL and clones)
• Self-Signed Certificates - keytool (Java)

Setup

Set the relevant environment variables.

export JAVA_HOME=/u01/ords/jdk1.8.0_91
export CATALINA_HOME=/u01/ords/apache-tomcat-8.0.35
export CATALINA_BASE=$CATALINA_HOME

Using a Keystore

Use this section if you plan on using a keystore.

Create Keystore

Create a keystore containing a self-signed certificate. Adjust the "-dname" values and passwords as required. The certificate is valid for about 10 years.

mkdir -p ~/keystore
cd ~/keystore

$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

Configure Tomcat (Keystore)

If you are using a keystore, make the following two changes to the "$CATALINA_HOME/conf/server.xml" file.

(1)

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="HTTP/1.1" 
               maxThreads="250" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/oracle/keystore/keystore.jks"
               keystorePass="password1"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               URIEncoding="UTF-8"
               />
               <!--
               If you are using a proxy server, you may need to add the following two entries also.
               proxyName="www.example.com"
               proxyPort="443"-->      

(2)

Before:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

Using Certificates and Keys

Use this method if you plan to use a certificate and key, rather than a keystore. You can generate self-signed certificates, or use real certificates from a certificate authority.

• Self-Signed Certificates - keytool (Java)
• Let's Encrypt - Free Certificates on Oracle Linux (CertBot)

In this example, we are using the certificates created using Let's Encrypt for a domain called "example.com". Make the following two changes to the "$CATALINA_HOME/conf/server.xml" file.

(1)

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
               SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
               SSLCertificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
               SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
               SSLVerifyClient="optional" SSLProtocol="TLSv1.2"
               URIEncoding="UTF-8"
               />
               <!--
               If you are using a proxy server, you may need to add the following two entries also.
               proxyName="www.example.com"
               proxyPort="443"-->      

(2)

Before:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

Restart Tomcat

Restart Tomcat in the normal way.

$CATALINA_HOME/bin/shutdown.sh

$CATALINA_HOME/bin/startup.sh

You will now be able to access Tomcat using both HTTP and HTTPs.

http://server:8080/
https://server:8443/

For more information see:

• Apache Tomcat 9 Installation on Linux (RHEL and clones)
• Apache Tomcat 8 Installation on Linux (RHEL and clones)
• Apache Tomcat 7 Installation on Linux (RHEL and clones)
• Self-Signed Certificates - keytool (Java)

Hope this helps. Regards Tim...

Back to the Top.

Created: 2016-06-28  Updated: 2019-05-18

0 comments, read/add them...

Home | Articles | Scripts | Blog | Certification | Videos | Misc | About

About Tim Hall
Copyright & Disclaimer