Skip to main content

Installing SSL in tomcat

Here are the steps to install SSL in tomcat.

1. Create a key pair
keytool -keysize 2048 -genkey -alias <pick a name> -keyalg RSA -keystore tomcat.keystore
default password, if not changed, is changeit
  • First and last name - type your website url, for example, www.company.com
  • Organizational unit - for example, engineering, production etc.
  • Organization - full name of your company
  • City/Locality - name of the city
  • State/Province - name of state
  • Country code - two letter country code. refer to this site
  • type yes to confirm and press ENTER
    when asked for a password for private key, select same password as the keystore otherwise you will run into this bug #38217 at the time of installation
2. Generate a certificate request (CSR)
keytool -certreq -keyalg RSA -alias <your alias> -file <your company name>.csr -keystore tomcat.keystore

3. Copy/paste the entire content of .csr and follow the steps described by your certificate provider, for example godaddy etc, to submit the csr.

4. Download the issued certificate and install it in your keystore. For example, download a zip file from godaddy, and follow these steps;
keytool -import -alias root -trustcacerts -file gd_bundle.crt
keytool -import -alias cross -trustcacerts -file gd_cross_intermediate.crt
keytool -import -alias intermed -trustcacerts -file gd_intermediate.crt
keytool -import -alias <your alias> -trustcacerts -file YourDomain.crt

5. Enable SSL in tomcat. Uncomment following connector in /conf/server.xml and add keystore details.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="<path to keystore>/tomcat.keystore" keystorePass="<keystore password>" keyAlias="<your alias>" />

6. Append following snippet in WEB-INF/web.xml of your web application. 

 <security-constraint>
    <display-name>ssl redirect</display-name>
    <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <!-- Define the context-relative URL(s) to be protected -->
       <url-pattern>/*</url-pattern>
       <!-- If you list http methods, only those methods are protected -->
    </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
 </security-constraint>


7. Make sure redirect port of the http connector is pointing to correct ssl port
<connector port="80" protocol="HTTP/1.1" font="" connectionTimeout="20000" redirectPort="443" />

8. stop and start tomcat

9. try http://<your-domain> and it should automatically redirect you to https://<your-domain>

Labels:

Comments

Post a Comment

Popular posts from this blog

Creating no-reply@domain.com account in Postfix

If you wanted to send emails to users but did not want to receive any replies to the email, you would need to setup a no-reply@domain.com email account. These kind of email ids are useful when sending emails containing forgotten passwords or activation code. Below are the steps for creating such account in Postfix. 1. Identify the file containing alias for Postfix First, make sure the following line in the ALIAS DATABASE section of the /etc/postfix/main.cf is NOT commented out: alias_maps = hash:/etc/aliases 2. Create an alias that redirects messages to /dev/null Edit /etc/aliases and add following entry devnull: /dev/null 3. Create a virtual email id Edit /etc/postfix/virtual and add following entry no-reply@domain.com devnull 4. refresh postfix alias and postfix cache Execute following commands. (You may require root privileges) > newaliases > postfix reload
4 comments
Read more

.ssh/config: “Bad configuration option: UseKeychain” on Mac OS

After upgrading Mac OS to Mojave I started seeing this error when doing "git pull". I was able to follow the steps below as described here ; 1. open ssh config vi ~/.ssh/config 2. Add the following lines to ssh config to keep your configuration compatible with both new and old versions of openssh. IgnoreUnknown UseKeychain UseKeychain yes That fixed the issue for me. Try running git pull again.    More details about the issue are available here . 
Post a Comment
Read more

jupyter notebook execution error: "http://localhost:8889/tree?token=xxx" doesn’t understand the “open location” message

I got this error when I tried to launch jupyter notebook on a mac. It is not a fatal error. I could still go to browser directly and copy/paste the url manually. The error indicates that when the command automatically tried to launch a browser, it couldn't find the default browser in jupyter configuration file. The easy fix is to specify the browser. Here are the steps to do so; 1.   Open ~/.jupyter/jupyter_notebook_config.py in an editor.       If the file does not exist then you can create a default config file by typing the following command;       jupyter notebook --generate-config 2. Search for a word "browser" to locate a following line.     #c.NotebookApp.browser = ''     By default it is commented. You can uncomment it and use one of the following values depending on your browser preference.     # set default browser to chrome     c.NotebookApp.browser = 'chrome'     ...
Post a Comment
Read more