How to configure Tomcat to support SSL or https

A guide showing how to configure Tomcat 6.0 to accept SSL (https) connections.

1. Generate Keystore

First, use the “keytool” command to create a keystore holding a self-signed certificate. During keystore creation you are prompted for a keystore password and for the certificate’s details (name, organizational unit, and so on).


$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  yong mook kim
What is the name of your organizational unit?
  //omitted to save space
  [no]:  yes

Enter key password for <mkyong>
        (RETURN if same as keystore password):
Re-enter new password:

$Tomcat\bin>

Here you have just created a keystore file named “mkyongkeystore”, stored at “c:\”, which contains the self-signed certificate and its private key.

Certificate Details
You can use the same “keytool” command to list the details of the certificates stored in the keystore:


$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5

$Tomcat\bin>
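
The two keytool steps above, as an added Python example that is not part of the original tutorial: it builds the same key-generation command non-interactively (the alias, distinguished name and keystore path are supplied as flags; the DN and temp path are hypothetical values), reads the passwords from an environment variable instead of the command line, runs keytool only if it is installed, and parses the `keytool -list` output shown above so a deployment script can confirm the keystore holds a PrivateKeyEntry before Tomcat is pointed at it. The sample listing is constructed from the tutorial’s output.

```python
"""Non-interactive keytool invocation plus a parser for `keytool -list` output.

Added example, not code from the original tutorial. The tutorial answers the
keytool prompts by hand; here the same answers are passed as flags, the
passwords come from an environment variable, and the listing printed by
`keytool -list` (non-verbose format, as shown in the tutorial) is parsed.
"""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

# Hypothetical values for this example. The tutorial uses alias "mkyong" and
# keystore c:\mkyongkeystore; the DN replaces the interactive prompt answers.
ALIAS = "mkyong"
KEYSTORE = os.path.join(tempfile.gettempdir(), "mkyongkeystore")
DNAME = "CN=localhost, OU=dev, O=example, C=XX"


def build_genkeypair_cmd(alias: str, keystore: str, dname: str,
                         validity_days: int = 365, keysize: int = 2048,
                         san: str = "dns:localhost") -> List[str]:
    """Equivalent of the tutorial's `keytool -genkey -alias ... -keyalg RSA`.

    -genkeypair is the current name of -genkey. -storepass:env / -keypass:env
    make keytool read the passwords from the KEYSTORE_PASS variable so they do
    not land in shell history or the process list. The subjectAltName
    extension is added because browsers match the host name against the SAN,
    not the CN; a certificate without one is rejected even when trusted.
    """
    return [
        "keytool", "-genkeypair",
        "-alias", alias,
        "-keyalg", "RSA", "-keysize", str(keysize),
        "-validity", str(validity_days),
        "-dname", dname,
        "-ext", f"SAN={san}",
        "-keystore", keystore,
        "-storepass:env", "KEYSTORE_PASS",
        "-keypass:env", "KEYSTORE_PASS",
    ]


def run_keytool(cmd: List[str], password: str) -> Optional[int]:
    """Run keytool with the password in the environment; None if keytool is absent."""
    if shutil.which("keytool") is None:
        return None
    env = dict(os.environ, KEYSTORE_PASS=password)
    return subprocess.run(cmd, env=env, capture_output=True, text=True).returncode


# Constructed from the `keytool -list` output shown in the tutorial.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5
"""

ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>[^,]+), (?P<entry_type>\w+),?$")
FINGERPRINT_RE = re.compile(
    r"^Certificate fingerprint \((?P<algo>[A-Za-z0-9-]+)\): (?P<fp>[0-9A-F:]+)$")


def parse_keytool_list(output: str) -> Dict[str, object]:
    """Parse the listing into {type, provider, entries: [{alias, date, entry_type, ...}]}."""
    info: Dict[str, object] = {"type": None, "provider": None, "entries": []}
    entries: List[Dict[str, Optional[str]]] = []
    info["entries"] = entries
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Keystore type: "):
            info["type"] = line[len("Keystore type: "):]
        elif line.startswith("Keystore provider: "):
            info["provider"] = line[len("Keystore provider: "):]
        elif (m := ENTRY_RE.match(line)):
            entries.append({**m.groupdict(), "fingerprint": None, "fingerprint_algo": None})
        elif (m := FINGERPRINT_RE.match(line)) and entries:
            # the fingerprint line follows the entry it belongs to
            entries[-1]["fingerprint"] = m.group("fp")
            entries[-1]["fingerprint_algo"] = m.group("algo")
    return info


def usable_for_connector(info: Dict[str, object], alias: str) -> bool:
    """A Tomcat SSL connector needs a PrivateKeyEntry under the alias it uses;
    a TrustedCertEntry (certificate without a private key) will not work."""
    return any(e["alias"] == alias and e["entry_type"] == "PrivateKeyEntry"
               for e in info["entries"])


if __name__ == "__main__":
    cmd = build_genkeypair_cmd(ALIAS, KEYSTORE, DNAME)
    print(" ".join(cmd))
    print("keytool exit status:", run_keytool(cmd, "changeit"))
    print(parse_keytool_list(SAMPLE_LISTING))
```

The connector in step 2 does not name a key alias, so the keystore should hold exactly one PrivateKeyEntry; `usable_for_connector` is the check a restart script would run before editing server.xml.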

2. Connector in server.xml

Next, locate Tomcat’s server configuration file at $Tomcat\conf\server.xml and add a Connector element that accepts SSL (https) connections.

File : $Tomcat\conf\server.xml


 <!-- ... -->
 <!-- Define a SSL HTTP/1.1 Connector on port 8443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="c:\mkyongkeystore"
            keystorePass="password" />
 <!-- ... -->
Note
keystorePass="password" is the keystore password you assigned when running the “keytool” command; Tomcat needs it to open the keystore file at startup.
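
Before restarting Tomcat it is worth checking the connector for the mistakes that silently leave a server on plain http or on legacy SSL. The following is an added Python example (not part of the original tutorial) that parses a server.xml and reports findings for every SSLEnabled connector: scheme and secure, the sslProtocol value, the keystoreFile path, and the clear-text keystorePass. The two sample documents are constructed; the first is the connector from this step, the second a deliberately weakened copy.

```python
"""Audit the SSL Connector element(s) of a Tomcat server.xml.

Added example, not part of the original tutorial. Parses server.xml with the
standard library and returns a list of findings a reviewer would raise.
"""
import os
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the connector from step 2 of the tutorial.
SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\mkyongkeystore"
               keystorePass="password" />
  </Service>
</Server>
"""

# Constructed sample: a weakened copy (wrong scheme, no secure flag,
# legacy SSL protocol, no keystoreFile).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="http" sslProtocol="SSLv3"
               keystorePass="password" />
  </Service>
</Server>
"""


def ssl_connectors(root: ET.Element) -> List[ET.Element]:
    """All Connector elements with SSLEnabled="true"."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def audit_ssl_connector(server_xml: str, check_files: bool = True) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(server_xml)
    findings: List[str] = []
    connectors = ssl_connectors(root)
    if not connectors:
        return ['no Connector has SSLEnabled="true": Tomcat will not serve https at all']
    for c in connectors:
        port = c.get("port", "?")
        # scheme/secure tell the servlet API the request arrived over TLS;
        # without them request.isSecure() is false and redirects use http://
        if c.get("scheme") != "https":
            findings.append(f'port {port}: scheme must be "https"')
        if (c.get("secure") or "").lower() != "true":
            findings.append(f'port {port}: secure must be "true"')
        # sslProtocol names the JSSE context; "SSL..." selects the legacy protocols
        proto = c.get("sslProtocol", "TLS")
        if proto.upper().startswith("SSL"):
            findings.append(f'port {port}: sslProtocol="{proto}" selects legacy SSL; use "TLS"')
        keystore = c.get("keystoreFile")
        if keystore is None:
            findings.append(f"port {port}: keystoreFile not set, Tomcat falls back to ~/.keystore")
        elif check_files and not os.path.isfile(keystore):
            findings.append(f"port {port}: keystoreFile {keystore!r} does not exist")
        if c.get("keystorePass"):
            # the keystore password is a clear-text secret in server.xml, so the
            # file must be readable only by the account Tomcat runs as
            findings.append(f"port {port}: keystorePass is stored in clear text; "
                            "restrict read access to server.xml")
    return findings


if __name__ == "__main__":
    for name, doc in (("tutorial", SERVER_XML), ("weak", WEAK_SERVER_XML)):
        print(name)
        for finding in audit_ssl_connector(doc, check_files=False):
            print("  -", finding)
```

Run it against a real server.xml with `audit_ssl_connector(open(path).read())`; with `check_files` left at its default it also confirms the keystore path exists on the machine Tomcat runs on.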

3. Done

Save the file, restart Tomcat, and open https://localhost:8443/ in a browser.

[Screenshot: tomcat-ssl-configuration]

In this example we use Google Chrome to open the SSL-enabled Tomcat site, and you may notice a crossed-out icon before the https protocol :). This is because the certificate is self-signed and Google Chrome does not trust it.

In a production environment you should buy a certificate signed by a trusted SSL service provider such as VeriSign, or sign it with your own CA server.

About the Author

mkyong
Founder of Mkyong.com, love Java and open source stuff.

Comments

Bayern United (Guest)

MKYONG

PINGPONG

SINGTHESONG

lixiang (Guest)

I’m getting an error like this after going to https://localhost:8443; please let me know the issue with Chrome:
NET::ERR_CERT_AUTHORITY_INVALID

Irinel (Guest)

I have enabled SSL with a self-signed certificate that is valid… and when I call the methods from the controller through Postman they seem to work on https but also on http. It should not work on http anymore. Can somebody help me on this? I have a Spring Boot application.

Danish hamid (Guest)

securedapp
/*

CONFIDENTIAL

Do this and your problem will be solved.

ellococareloco (Guest)

regards,

With this, http://localhost:8443 does not redirect to https.

You must configure it to redirect http://localhost:8443 to https://localhost:8443

Danish hamid (Guest)

Edit in web.xml

securedapp
/*

CONFIDENTIAL

The url-pattern is set to /* so any page/resource from your application is secure (it can only be accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.

dubet (Guest)

Hi Mkyong… Thanks a lot for this information. It helped resolve an SSL-related issue on my end. I found the information provided by you simple and user friendly…

King (Guest)

Thanks Mkyong. It is like a breeze.

Alfonso (Guest)

Hi All,

Can I use a certificate generated on another server?

Regards!!!

Jon Inazio (Guest)

How do I configure Tomcat with APR?

Abhi (Guest)

What is a CA server?

King (Guest)

Thanks a lot man. Your tutorials are great.

sofiane oukachbi (Guest)

Don’t forget to remove your tomcat instance from Eclipse and create a new one.

orthoo (Guest)

Thanks, it was that trick.

Lakshmana Kumar (Guest)

Hi MKYONG, I’m unable to test this in Eclipse Juno with Tomcat 8. I have the following error:

Exception in thread "main" javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://localhost:8280/HelloWorldWS/hello?wsdl. It failed with: Unrecognized SSL message, plaintext connection?.
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:136)
    at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:122)
    at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:226)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:189)
    at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:159)
    at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:81)
    at javax.xml.ws.Service.<init>(Unknown Source)
    at javax.xml.ws.Service.create(Unknown Source)
    at com.mkyong.client.HelloWorldClient.main(HelloWorldClient.java:17)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
    at sun.security.ssl.InputRecord.read(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at …

Sam S (Guest)

Hi, I configured my tomcat 8 with these settings. I can access it from localhost and it works.
But I can’t use it from global IP and remotely, I can access my app from HTTP port but not from HTTPS (8443). I have disabled firewall.
I tried resolveHosts="true" (as I used for HTTP) too, but it didn’t work.
Did I miss anything for remote access?

Sam S (Guest)

I found my solution.
I am using Amazon EC2 VM and I have forgotten to open inbound rule for 8443 port in security group.
Thanks anyway.

Puri Jagan (Guest)

hi

govind (Guest)

Hi Mkyong,

it was very helpful,

Elio (Guest)

Mkyong,

I have a configuration where I need HTTPS on the client side as well as for connections initiated by the Tomcat server itself. (i.e. Tomcat -> (SSL) -> Other server). I configured a connector running on port 8443 correctly (https cert shows up in browser), but Tomcat is not using the cert for communications initiated by it. Where can I configure the process’ keystore without modifying my code or using -D opts (which will show my keystore’s location and password out in the open)?

Abhishek Singhal (Guest)

Thanks Mkyong… this example is simple and useful.

Orlando D'Free (Guest)

This didn’t work for me, but it was close. When I launched my server, I got this error message: No Certificate file specified or invalid file format.
I read somewhere that the fix was to change the protocol attribute in the Connector tag in the server.xml file.
I changed it from “HTTP/1.1” to “org.apache.coyote.http11.Http11NioProtocol” and relaunched my server, and it worked fine after that.
(I was running Tomcat 6.0.35)

Ashwini Sharma (Guest)

Hi, it’s working, but now I want to add https from my login page, not from my home page…

Guest

Hello Mr. mkyoung, I used keystoreFile="c:mkyongkeystore"
keystorePass="password" /> but it shows me a file not found exception…
Please help me.

Varun (Guest)

Thanks Mkyong. You saved me from a sleepless night…

antonio (Guest)

Could you please add some lines about the location of the keystore? Is its location relevant?

Ashwini Sharma (Guest)

You just put it at c:/yourfilename

vasanth (Guest)

Can you please give the steps for configuring SSL in Jetty? I have been stuck with it for a long time. I am in desperate need of help.

sudhakar (Guest)

Hello sir,

I want to know how to enable SSL for Tomcat 7. I followed the steps described above for Tomcat 6 as they are. I created the keystore file and password. Then after I start the application I get MalformedException: Invalid byte 1 of 1-byte UTF-8. Please reply, sir.

Amar (Guest)

In my application, after adding the above, the code works on both http and https. Should we add any declaration in web.xml?

Puri Jagan (Guest)

Yes, we need to add the security constraint in the web.xml of your project.

It will then redirect http to https.
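
The redirect the commenters above (Amar, Puri Jagan, and earlier Danish hamid and ellococareloco) are discussing depends on two files agreeing. Tomcat only answers an http request with a redirect to https when web.xml has a security-constraint whose transport-guarantee is CONFIDENTIAL (or INTEGRAL) covering the requested URL, and the http Connector’s redirectPort points at a connector that has SSLEnabled="true". The following is an added Python example, not code from the tutorial or from any commenter, that checks both conditions at once; the web.xml sample is constructed from the url-pattern /* and CONFIDENTIAL guarantee described in the comments, and the server.xml sample from the tutorial’s connector plus a standard 8080 connector.

```python
"""Check whether a Tomcat deployment actually forces https.

Added example, not part of the original tutorial. Reads web.xml and
server.xml and reports which half of the http->https redirect is missing.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterator

# Constructed sample: the constraint described in the comments.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same app with no constraint, reachable on http and https.
WEB_XML_OPEN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>'

# Constructed sample: the tutorial's SSL connector plus a plain http connector
# whose redirectPort points at it.
SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="c:\mkyongkeystore" keystorePass="password" />
  </Service>
</Server>
"""

# Constructed sample: redirectPort names a port no SSL connector listens on.
SERVER_XML_BAD_REDIRECT = SERVER_XML.replace('redirectPort="8443"', 'redirectPort="443"')


def iter_local(elem: ET.Element, name: str) -> Iterator[ET.Element]:
    """Iterate descendants by local tag name, ignoring the web-app XML namespace."""
    for e in elem.iter():
        if e.tag.split("}")[-1] == name:
            yield e


def https_enforcement(web_xml: str, server_xml: str) -> Dict[str, object]:
    """Report which URL patterns require TLS and whether http can redirect to them."""
    protected = set()
    for sc in iter_local(ET.fromstring(web_xml), "security-constraint"):
        guarantees = {g.text.strip() for g in iter_local(sc, "transport-guarantee") if g.text}
        # Tomcat treats CONFIDENTIAL and INTEGRAL the same: both trigger the redirect
        if guarantees & {"CONFIDENTIAL", "INTEGRAL"}:
            protected.update(p.text.strip() for p in iter_local(sc, "url-pattern") if p.text)

    server = ET.fromstring(server_xml)
    connectors = list(server.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    http_connectors = [c for c in connectors
                       if c.get("SSLEnabled", "").lower() != "true"]
    # every plain connector must redirect to a port an SSL connector serves
    redirect_ok = bool(ssl_ports) and all(c.get("redirectPort") in ssl_ports
                                          for c in http_connectors)
    covers_all = "/*" in protected
    return {
        "protected_patterns": sorted(protected),
        "covers_all": covers_all,
        "redirect_port_ok": redirect_ok,
        "enforced": covers_all and redirect_ok,
    }


if __name__ == "__main__":
    print("constraint + redirect:", https_enforcement(WEB_XML, SERVER_XML))
    print("no constraint:        ", https_enforcement(WEB_XML_OPEN, SERVER_XML))
    print("bad redirectPort:     ", https_enforcement(WEB_XML, SERVER_XML_BAD_REDIRECT))
```

`enforced` being false with `covers_all` true is the case several commenters hit: the constraint is in web.xml, but the 8080 connector’s redirectPort does not match the SSL connector, so Tomcat has nowhere to send the client.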

Trackback: Raspberry Pi Powered, Android Controlled, Tomcat Serviced, Remote Garage Door Opener | SainSmart

[…] Configure Tomcat to use a self-signed SSL certificate for the web app. […]

Bhaskar (Guest)

Hi,

Will the application deployed in Tomcat still be accessible on Tomcat’s non-https port? By default the http port is 8080. So if we configure Tomcat for https on port 8443, will the application still be available on http port 8080?

sagar borage (Guest)

Yes, for sure, check it…

Alex K (Guest)

Storing keystore password in server.xml looks wrong. What would be more secure way to set it up?

Elio (Guest)

Try using correct permissions on your filesystem, preventing other users from reading the file.

Himanshu Modi (Guest)

Thanks it was helpful.

To make https work with the above settings, the line below needs to be commented out

in server.xml

Himanshu Modi (Guest)

The Listener tag which needs to be commented out in server.xml is as follows:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

saurabh (Guest)

Great, thanks!!
Your tutorials are really cool, simple and work out very well :)
Keep posting!