Configuring Tomcat to use SSL

SSL stands for Secure Sockets Layer. It encrypts the communication between your browser and the web server. Tomcat is a Servlet/JSP container, but it is also a simple web server in its own right. Typically, the Apache web server serves the static pages while servlet/JSP requests are forwarded to the Tomcat container; in that setup you can simply configure SSL at the Apache web server level and do not need to configure SSL on Tomcat itself. Configuring SSL in Tomcat is useful, however, when you run Tomcat standalone.

1) Install JSSE

If you are not using JDK 1.4+, you need to install JSSE separately. I was using JDK 1.3.1 to create this example, and to make it easy, I copied the files jcert.jar, jnet.jar and jsse.jar into c:\jdk1.3.1\jre\lib\ext. If you do this, you don't need to fiddle around with the classpath. You can download JSSE here: http://java.sun.com/products/jsse/.

2) Create a keystore file that contains your certificate:

C:\Program Files\Apache Tomcat 4.0>keytool -genkey -alias tomcat -keyalg RSA 
                                           -keystore tomcatkeystore.kst
Enter keystore password:  123456
What is your first and last name?
  [Unknown]:  Joris Van den Bogaert
What is the name of your organizational unit?
  [Unknown]:  Esus
What is the name of your organization?
  [Unknown]:  Esus
What is the name of your City or Locality?
  [Unknown]:  Brussels
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  BE
Is <CN=Joris Van den Bogaert, OU=Esus, O=Esus, L=Brussels, ST=Unknown, C=BE> correct?
  [no]:  yes
 
Enter key password for <tomcat>
        (RETURN if same as keystore password):  123456

3) Modify TOMCAT-HOME/bin/server.xml

You can just uncomment the SSL connector. Modify it so that it points to the keystore file that you just created:

    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="tomcatkeystore.kst"
               keystorePass="123456"/>
    </Connector>

Note 1: 8443 is the port number on which Tomcat listens for secure connections. If you want to use another port number, make sure you also change the redirectPort attribute of the non-SSL connector to point to the port you chose.

Note 2: If you didn't specify the -keystore option when creating your certificate, the keystore was stored in your home directory as .keystore. In that case you don't need to specify keystoreFile or keystorePass.

4) Restart Tomcat

5) Check it out: https://localhost:8443
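As an added example (not from the original article), here is a small Python checker for the server.xml edit in step 3: it finds the secure="true" connector, verifies the Factory attributes, and flags the mismatches that Note 1 and Note 2 warn about. The sample server.xml is constructed, and relative keystoreFile paths are assumed to resolve against the directory Tomcat is started from.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment: the article's SSL connector plus
# the default non-SSL connector whose redirectPort must match it (Note 1).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8080" enableLookups="true" redirectPort="8443"/>
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" enableLookups="true" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="tomcatkeystore.kst" keystorePass="123456"/>
    </Connector>
  </Service>
</Server>"""


def check_ssl_connector(xml_text, base_dir=None):
    """Return a list of problems found in the SSL connector configuration.

    base_dir: directory against which a relative keystoreFile is resolved
    (assumption: the directory Tomcat is started from); None skips the
    file-existence check. An empty list means the configuration is consistent.
    """
    problems = []
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("secure") == "true"]
    if len(ssl) != 1:
        return ['expected exactly one Connector with secure="true", found %d' % len(ssl)]
    conn = ssl[0]
    ssl_port = conn.get("port")
    if conn.get("scheme") != "https":
        problems.append('SSL connector must set scheme="https"')
    factory = conn.find("Factory")
    if factory is None:
        problems.append("SSL connector has no <Factory> element")
    else:
        ks = factory.get("keystoreFile")
        # Note 2: both attributes may be omitted only when the default ~/.keystore is used
        if ks is not None and factory.get("keystorePass") is None:
            problems.append("keystoreFile set but keystorePass missing")
        if ks is not None and base_dir is not None:
            path = os.path.join(base_dir, ks)
            if not os.path.isfile(path):
                problems.append("keystore file not found: %s" % path)
    # Note 1: every plain-HTTP connector must redirect to the SSL port
    for c in connectors:
        if c is not conn and c.get("redirectPort") != ssl_port:
            problems.append("Connector on port %s has redirectPort=%s, expected %s"
                            % (c.get("port"), c.get("redirectPort"), ssl_port))
    return problems
```

Run it on your real server.xml with base_dir set to your Tomcat directory to have the keystore path checked as well.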