Tuesday, November 11, 2008

Securing Tomcat

This post explains how you can enable SSL on Tomcat.

Let's first create a self-signed certificate.

[CATALINA_HOME]>keytool -genkey -alias webapp -keyalg RSA -keystore keystore.jks
The above creates a keystore named keystore.jks inside [CATALINA_HOME].

Also notice that we used webapp as the CN, so we need to edit the file C:\WINDOWS\system32\drivers\etc\hosts and add the following entry. That way the host name in the URL matches the certificate and the browser can trust it.

127.0.0.1 webapp

Now, let's edit [CATALINA_HOME]\conf\server.xml to enable SSL in Tomcat.

<Service name="Catalina">

  <!-- Add the following -->
  <!-- 'tomcat' is the password you gave while creating keystore.jks -->
  <!-- Make sure keystore.jks is inside [CATALINA_HOME] -->
  <Connector port="8443"
             maxHttpHeaderSize="8192"
             maxThreads="150"
             minSpareThreads="25"
             maxSpareThreads="75"
             enableLookups="false"
             disableUploadTimeout="true"
             acceptCount="100"
             scheme="https"
             secure="true"
             clientAuth="false"
             sslProtocol="TLS"
             keystoreFile="keystore.jks"
             keystorePass="tomcat"/>
</Service>
All set. Open the URL https://webapp:8443 and the browser will warn you that the certificate is not trusted.

Install the cert in the browser to get rid of the warning.
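As an added example (not code from the post), here is a small Python audit of the kind of Connector shown above: it parses a server.xml fragment and reports what a reviewer checks on an HTTPS connector. The sample fragment is constructed from the post's Connector; the SSLEnabled attribute and the "changeit" default keystore password are Tomcat behaviour the post does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the Connector from the post, in a minimal Service.
SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
             minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
             disableUploadTimeout="true" acceptCount="100" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="keystore.jks" keystorePass="tomcat"/>
</Service>"""

def audit_tls_connectors(xml_text, tomcat6_or_later=True):
    """Return {port: [finding, ...]} for every Connector meant to serve
    HTTPS (scheme="https" or secure="true").  Only the attributes used in
    the post plus Tomcat's SSLEnabled are inspected."""
    report = {}
    for c in ET.fromstring(xml_text).iter("Connector"):
        a = c.attrib
        if a.get("scheme") != "https" and a.get("secure") != "true":
            continue  # plain HTTP or AJP connector; out of scope here
        findings = []
        # scheme/secure drive request.getScheme() and request.isSecure();
        # if they disagree, redirects and cookie flags are computed wrongly.
        if not (a.get("scheme") == "https" and a.get("secure") == "true"):
            findings.append("scheme/secure disagree")
        # On Tomcat 6+ only SSLEnabled="true" switches the handshake on;
        # scheme/secure alone leave the port speaking plaintext HTTP.
        if tomcat6_or_later and a.get("SSLEnabled") != "true":
            findings.append('SSLEnabled="true" missing')
        # With no keystorePass Tomcat falls back to the default "changeit".
        pw = a.get("keystorePass")
        if pw is None or pw == "changeit":
            findings.append("keystore uses the default password")
        else:
            findings.append("keystorePass in plaintext: restrict read access to server.xml")
        if a.get("clientAuth", "false") not in ("true", "false", "want"):
            findings.append("clientAuth must be true, false or want")
        ks = a.get("keystoreFile", "")
        if ks and not (ks.startswith("/") or ks.startswith("${") or ks[1:3] == ":\\"):
            findings.append("relative keystoreFile: use an absolute path or ${catalina.base}")
        report[a.get("port", "?")] = findings
    return report

if __name__ == "__main__":
    for port, items in audit_tls_connectors(SERVER_XML).items():
        print(f"connector {port}:")
        for f in items:
            print("  -", f)
```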
