How to configure Tomcat to support SSL or https
A guide showing how to configure Tomcat 6.0 to accept SSL (https) connections.
1. Generate Keystore
First, use the keytool command (shipped with the JDK) to create a keystore holding a self-signed certificate. During the keystore creation process you are asked for a keystore password and for the certificate's details. Answer the "first and last name" prompt with the hostname users will type into the browser (localhost for this walkthrough), because that value becomes the certificate's CN and browsers compare it against the URL; a person's name there, as in the transcript below, produces a name-mismatch warning on top of the self-signed one.
$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  yong mook kim
What is the name of your organizational unit?
  //omitted to save space
  [no]:  yes
Enter key password for <mkyong>
        (RETURN if same as keystore password):
Re-enter new password:
$Tomcat\bin>
Here you created a keystore file named mkyongkeystore in c:\ that contains a self-signed certificate and its private key under the alias mkyong. Two keytool defaults are worth overriding: the certificate is valid for only 90 days and, on Java 6 and 7, the RSA key is 1024 bits, so add -keysize 2048 -validity 365 (or longer) to the command above for anything beyond a local test.
You can use the same keytool command to list the details of the existing certificate:

$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5
$Tomcat\bin>
2. Connector in server.xml
Next, locate Tomcat's server configuration file at $Tomcat\conf\server.xml and add a Connector element for SSL (https) connections.
File : $Tomcat\conf\server.xml
//...
<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:\mkyongkeystore"
           keystorePass="password" />
//...
keystorePass="password" is the password you assigned to the keystore with keytool. It is stored in server.xml in clear text, so restrict the file to the account Tomcat runs as. Tomcat opens the private key with this same password, so accept the default at the "Enter key password" prompt; a key password that differs from the keystore password is a common cause of the connector failing to start.

If the Tomcat native (APR) library is installed and the AprLifecycleListener has SSLEngine="on", protocol="HTTP/1.1" auto-selects the APR connector, which ignores keystoreFile and expects the OpenSSL-style SSLCertificateFile/SSLCertificateKeyFile attributes instead. To keep using the keystore, force the JSSE connector with protocol="org.apache.coyote.http11.Http11Protocol" (or the NIO variant, org.apache.coyote.http11.Http11NioProtocol).

3. Done
Save the file, restart Tomcat and open https://localhost:8443/ in a browser.
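Before restarting, it is worth checking the connector the way a reviewer would. The script below is an added example written for this page (not code from the original tutorial or from Tomcat): it audits every SSLEnabled connector in a server.xml, verifying the attributes set above, flagging a placeholder keystorePass, rejecting SSLv3-era sslProtocol values, and catching the APR/JSSE mix-up where protocol="HTTP/1.1" next to an AprLifecycleListener with SSLEngine="on" selects the native connector that ignores keystoreFile. The two server.xml fragments embedded in it are constructed for the example, and the replacement password in the fixed variant is an arbitrary placeholder.

```python
"""Audit the HTTPS connectors in a Tomcat 6/7 server.xml (JSSE attributes).

Added example for this page, not Tomcat's own code. The sample XML below is
constructed; the "fixed" password is an arbitrary placeholder.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's connector dropped into a server.xml whose
# APR listener is switched on (the situation several commenters report).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\\mkyongkeystore" keystorePass="password" />
  </Service>
</Server>
"""

# Same file with both problems fixed: an explicit JSSE connector class and a
# non-placeholder keystore password (assumed value, for the example only).
FIXED_SERVER_XML = WEAK_SERVER_XML.replace(
    'port="8443" protocol="HTTP/1.1"',
    'port="8443" protocol="org.apache.coyote.http11.Http11Protocol"',
).replace('keystorePass="password"', 'keystorePass="Xq7!vT2#mL9p"')

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
JSSE_CONNECTORS = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}
# Documentation placeholders, not secrets. "changeit" is also Tomcat's default
# when keystorePass is omitted entirely.
PLACEHOLDER_PASSWORDS = {"", "password", "changeit", "secret", "tomcat"}


def apr_ssl_engine_on(root):
    """True if the native (APR) SSL engine is enabled. Heuristic: treats
    SSLEngine="on" as a sign that the tcnative library is installed."""
    return any(
        lst.get("className") == APR_LISTENER
        and lst.get("SSLEngine", "off").lower() == "on"
        for lst in root.iter("Listener")
    )


def audit_connector(conn, apr_on):
    """Return a list of findings for one <Connector>; empty if it looks sane."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: the HTTPS checks do not apply
    port = conn.get("port", "?")
    proto = conn.get("protocol", "HTTP/1.1")

    # scheme/secure drive request.isSecure() and redirect URLs; SSLEnabled alone does not.
    if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
        findings.append(f'port {port}: SSLEnabled connector without scheme="https" secure="true"')

    # Auto-switching: with the APR engine on, protocol="HTTP/1.1" becomes the APR
    # connector, which wants SSLCertificateFile/SSLCertificateKeyFile, not a keystore.
    uses_apr = apr_on and proto not in JSSE_CONNECTORS
    if uses_apr and conn.get("keystoreFile"):
        findings.append(
            f'port {port}: protocol="{proto}" resolves to the APR connector while the '
            'listener has SSLEngine="on", so keystoreFile is ignored; use '
            'protocol="org.apache.coyote.http11.Http11Protocol" (JSSE) or switch to '
            "SSLCertificateFile/SSLCertificateKeyFile"
        )

    if not uses_apr:  # JSSE attribute checks
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: no keystoreFile; Tomcat falls back to ${{user.home}}/.keystore")
        if conn.get("keystorePass", "changeit") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is a placeholder/default value")
        if conn.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f'port {port}: sslProtocol="{conn.get("sslProtocol")}" allows SSLv3; use TLS')

    if conn.get("clientAuth", "false").lower() not in {"true", "false", "want"}:
        findings.append(f"port {port}: clientAuth must be true, false or want")
    return findings


def audit_server_xml(xml_text):
    """Audit every connector in a server.xml string; returns all findings."""
    root = ET.fromstring(xml_text)
    apr_on = apr_ssl_engine_on(root)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn, apr_on))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"[{label}]")
        for finding in audit_server_xml(xml_text) or ["no findings"]:
            print("  -", finding)
```

To run it against a real installation, pass the file contents to audit_server_xml(open(path).read()). It is a static check only: it cannot tell whether the keystore actually opens with the configured password, so after restarting Tomcat still watch the startup log for the connector on port 8443 before trusting the result.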

In this example we use Google Chrome to open the SSL-enabled Tomcat site. Notice the crossed-out icon in front of the https scheme: the certificate is self-signed, so Chrome does not trust it.
In a production environment you should buy a certificate signed by a trusted CA such as VeriSign, or sign it with your own CA server and distribute that CA's certificate to the clients' trust stores.

I have built a web application on Struts 1.3.x and deployed it in Tomcat 7. Single Sign On is also deployed on top of Apache, and mod_jk is installed for the communication. I had set the timeout in Tomcat to 30 mins. SSL is also enabled.
Sometimes when users are working, the application automatically logs out. Can you suggest what the solution may be? If you need any info, please let me know.
I don't want this post to be published anywhere.
http://www.mulesoft.com/tomcat-ssl
Another good reference.
How can I restrict HTTPS to some applications / URL patterns hosted on my tomcat server?
protocol="HTTP/1.1" didn't work. I changed it to protocol="org.apache.coyote.http11.Http11Protocol" and it works.
Excellent Article! Thanks to the author for taking the time out to compose it.
Very intuitive, and it has demystified essential SSL setup by using good old Tomcat. It has also worked fine on Tomcat 5.5.
Can one server have multiple instances of Tomcat running that are both configured for SSL? how does the second (or 3rd, or 4th) get configured?
I am getting "invalid server certificate" even though I have given the correct keystore password in the Tomcat SSL configuration.
Hi everyone,
I have a typical case where Tomcat is running and I run the batch file to stop it. The command prompt shows 'stopping catalina services', but the port is not yet free, and when I run Tomcat a 'Socket bind failed' exception occurs.
Note: the stopping and starting of Tomcat is done programmatically through Java.
It gives me an exception when I use protocol="HTTP/1.1" but works fine with protocol="org.apache.coyote.http11.Http11NioProtocol".
Also I am getting Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when I try to use the cacerts from the security directory of the JRE, but it works fine with the self-signed certificate.
Hi, I have the same problem. Have you solved this error?
Yes I solved the problem by adding my certificate to the cacerts using the IBM KeyManager tool.
It works fine when I start the server manually, but in Eclipse if I run any project it gives the error "data not found". Any help?
For the Eclipse Tomcat integration, try modifying the server.xml in the Eclipse Servers folder, and not in $TOMCAT_HOME/conf/server.xml
Hi, I have an application and I can access it using http://localhost:8080/myApp and https://localhost:8443/myApp. However, I want to get rid of specifying 8080 or 8443 for http and https respectively. Especially for https, I want https://localhost/myApp to work and access myApp securely (using 8443) without showing the port in the URL. How can I achieve this? I am using Tomcat 5.5.31. Please help.
Hi Vikram,
I am sure you would have figured it out by now. You can achieve this through Apache – Tomcat integration, Apache being the HTTP web server, which is accessible on port 80 (HTTP) or 443 (HTTPS). Internally, Apache will route the request to http://:8080/ or https:/// as the case may be.
Hi Mkyong,
Thanks for the sample, it was very helpful.
And I got an issue in Tomcat 7 when I used it on Windows 7:
error in server startup -
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
This was resolved by commenting out the following line:
Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"
I installed Tomcat v7 and Eclipse, but in testing the installation the errors I have are
"Server Tomcat v7 at localhost refused to start"
"Server instances is not configured"
Kindly help.
step-1:
I have created a WAR file of my project; the web.xml entry is

<display-name>Ganesha</display-name>
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
  <welcome-file>default.html</welcome-file>
  <welcome-file>default.htm</welcome-file>
  <welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

step-2:
I have generated the key using
keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet
and put this file in C:\server.keystore
step-3:
server.xml entry is
step-4:
I deploy my WAR file in Tomcat
and start the server;
when I click my project in the Tomcat manager,
my project URL is: https://localhost:8443/Ganesha/
but the browser says:
This webpage is not available
The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a new web address.
Here are some suggestions:
Reload this web page later.
Error 7 (net::ERR_TIMED_OUT): The operation timed out
Unable to connect to https://localhost:8443
I have successfully created the certificate
and incorporated it in the server.xml file,
but I am unable to connect with https://localhost:8443.
I can with http://localhost:8080.
Please help me out.
Your keystore and key passwords could be different. Change your key’s password to be the same as that of the keystore. It should work.
Thanks again.