How to configure Tomcat to support SSL or https

A guide showing how to configure Tomcat 6.0 to accept SSL (https) connections.

1. Generate Keystore

First, use the “keytool” command to create a keystore holding a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate’s details.

$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  yong mook kim
What is the name of your organizational unit?
  //omitted to save space
  [no]:  yes
 
Enter key password for <mkyong>
        (RETURN if same as keystore password):
Re-enter new password:
 
$Tomcat\bin>

Here, you have just created a keystore named “mkyongkeystore”, located at “c:\”, which holds the self-signed certificate under the alias “mkyong”.

Certificate Details
You can use the same “keytool” command to list the details of the certificates stored in the keystore:

$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:
 
Keystore type: JKS
Keystore provider: SUN
 
Your keystore contains 1 entry
 
mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5
 
$Tomcat\bin>

2. Connector in server.xml

Next, locate your Tomcat server configuration file at $Tomcat\conf\server.xml and add a Connector element that accepts SSL (https) connections.

File : $Tomcat\conf\server.xml

 <!-- ... -->
 <!-- Define a SSL HTTP/1.1 Connector on port 8443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="c:\mkyongkeystore"
            keystorePass="password" />
 <!-- ... -->
Note
keystorePass="password" is the password you assigned to the keystore with the “keytool” command.

3. Done

Save the file, restart Tomcat, and access https://localhost:8443/

[Image: tomcat-ssl-configuration]

In this example, we use Google Chrome to access the SSL-enabled Tomcat site. You may notice a crossed-out icon before the https protocol :). This is caused by the self-signed certificate, which Google Chrome simply does not trust.

In a production environment, you should consider buying a certificate signed by a trusted SSL service provider such as VeriSign, or signing it with your own CA server.
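As an added check (example code, not from the original post), the following program opens the keystore from step 1 with the JDK KeyStore API and confirms what the Connector in step 2 relies on: the store password unlocks the file, the private key under the alias is recoverable with that same password (Tomcat reuses keystorePass for the key unless the Connector's keyPass attribute is set), the certificate is inside its validity period, and whether it is self-signed. The default path and alias are the tutorial's values; the argument layout and class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;

// Added example, not from the original post: opens the JKS created in step 1
// and runs the checks the Connector in step 2 implicitly relies on.
// Assumed defaults: the tutorial's path c:\mkyongkeystore and alias mkyong.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "c:\\mkyongkeystore";
        String alias = args.length > 1 ? args[1] : "mkyong";
        java.io.Console console = System.console();
        if (console == null) throw new IllegalStateException("run from a terminal so the password is not echoed");
        char[] storePass = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // wrong password: "Keystore was tampered with, or password was incorrect"
        }
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("no PrivateKeyEntry under alias " + alias);

        // Tomcat uses keystorePass for the private key too unless keyPass is set,
        // so the key must be recoverable with the very same password.
        try {
            ks.getKey(alias, storePass);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("key password differs from keystore password; set keyPass on the Connector", e);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        System.out.println("Subject     : " + cert.getSubjectX500Principal());
        System.out.println("Self-signed : " + selfSigned + (selfSigned ? " (browsers will warn)" : ""));
        System.out.println("Expires     : " + cert.getNotAfter());
        System.out.println("SHA-256 FP  : " + fingerprint(cert.getEncoded(), "SHA-256"));
    }

    // Colon-separated upper-case hex digest, the same layout keytool -list prints.
    static String fingerprint(byte[] der, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Compare the printed fingerprint with the one from keytool -list (using the same digest algorithm) to confirm the Connector is serving the certificate you expect.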



Comments


  • vasanth

    Can you please give the steps for configuring SSL in Jetty? I have been stuck with it for a long time. I am in desperate need of help.

  • sudhakar

    Hello sir,

    I want to know how to enable SSL for Tomcat 7. I followed the steps described above for Tomcat 6. I created the keystore file and password. Then, after I start the application, I get MalFormedException Invalid byte 1 of 1-byte UTF-8. Please reply to me, sir.

  • Amar

    In my application, after adding the above, the code works over both http and https. Should we add any declaration in web.xml?

  • Bayern United

    MKYONG

    PINGPONG

    SINGTHESONG

  • Bayern United

    Sir how are you???

    Do you like noodles or something????


  • Bhaskar

    Hi,

    Will the application deployed in Tomcat still be accessible on Tomcat’s non-https port? By default the http port is 8080. So if we configure Tomcat for https on port 8443, will the application still be available on the http port 8080?

  • Alex K

    Storing the keystore password in server.xml looks wrong. What would be a more secure way to set it up?

  • Himanshu Modi

    Thanks, it was helpful.

    To make https work with the above settings, the line below needs to be commented out

    in server.xml

    • Himanshu Modi

      The listener tag which needs to be commented out in server.xml is as follows:

      Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"

  • saurabh

    Great, thanks!!
    Your tutorials are really cool, simple and work out very well :)
    Keep posting!

  • Ashabasa

    Hello

    When I try to generate the key using: keytool -genkey -alias Myalias -keyalg RSA -keystore c:\Myfolder, I get to fill in all the needed information, but when I arrive at this part:
    ** Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?
    [no]: yes **
    they send me back to filling in the user's full name, and it’s the same thing all over again.
    Do you happen to know where the problem is?
    Thank you!!

  • Jack

    I have built a web application on Struts 1.3.x and deployed it in Tomcat 7. Single Sign-On is also deployed on top of Apache, and for communication mod_jk is also installed. I had set the timeout in Tomcat to 30 mins. SSL is also enabled.

    Sometimes when users are working, the application automatically logs out. Can you suggest what the solution may be? If you need any info then please do let me know.

    I don’t want this post to be published anywhere.

  • http://www.expunto.com Sambhav

    How can I restrict HTTPS to some applications / URL patterns hosted on my Tomcat server?


  • Daniel Robertus

    protocol="HTTP/1.1" didn't work. I changed it to protocol="org.apache.coyote.http11.Http11Protocol" and it works.

    • guest

      This does not work.

    • Denis

      +1

  • http://none SB

    Excellent article! Thanks to the author for taking the time out to compose it.

    Very intuitive, and it has demystified essential SSL setup using good old Tomcat. It has also worked fine on Tomcat 5.5.

  • Tony

    Can one server have multiple instances of Tomcat running that are both configured for SSL? How does the second (or 3rd, or 4th) get configured?

  • pallavi

    I am getting “invalid server certificate” even though I have given the correct keystore password in the Tomcat SSL configuration.

  • Muazzam

    Hi everyone,
    I have a typical case where Tomcat is running and I run the batch file for stopping it. But the command prompt shows ‘stopping catalina services’, the port is not yet free, and when I run Tomcat a ‘Socket bind failed’ exception occurs.
    Note: the stopping and starting of Tomcat is done programmatically through Java.

  • Eshan

    It gives me an exception when I use protocol="HTTP/1.1" but works fine for protocol="org.apache.coyote.http11.Http11NioProtocol".

    Also, I am getting Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when I try to use the cacerts from the security directory of the JRE, but it works fine for the self-signed certificate.

    • darwine

      Hi, I have the same problem. Have you solved this error?

      • Eshan

        Yes, I solved the problem by adding my certificate to cacerts using the IBM KeyManager tool.

  • vivek

    It works fine when I start the server manually, but in Eclipse if I run any project it gives the error “data not found”. Any help?

    • http://none SB

      For the Eclipse Tomcat integration, try modifying the server.xml in the Eclipse Servers folder, and not in $TOMCAT_HOME/conf/server.xml

  • vikram

    Hi, I have an application and I can access it using http://localhost:8080/myApp and https://localhost:8443/myApp. However, I want to get rid of specifying 8080 or 8443 for http and https respectively. Especially for https, I want https://localhost/myApp to work and access myApp securely (using 8443) without showing the port in the URL. How can I achieve this? I am using Tomcat 5.5.31. Please help.

    • http://none SB

      Hi Vikram,

      I am sure you would have figured it out by now. You can achieve this through Apache – Tomcat integration, Apache being the HTTP web server, which is accessible on port 80 (HTTP) or 443 (HTTPS). Internally, Apache will route the request to http://:8080/ or https:/// as the case may be.

  • Haris

    Hi Mkyong,

    Thanks for the sample, it was very helpful.

    And I got an issue in Tomcat 7 when I used it on Windows 7.

    Error on server start-up:
    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]

    This was resolved by commenting out the following line:

    Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"

  • Alaba

    I installed Tomcat v7 and Eclipse, but in testing the installation the error I have is

    “Server Tomcat v7 at localhost refused to start”
    “Server instances is not configured”

    kindly help

  • ravi

    step-1:
    I have created a war file of my project; the web.xml entry is

    Ganesha

    index.html
    index.htm
    index.jsp
    default.html
    default.htm
    default.jsp

    securedapp
    /*

    CONFIDENTIAL

    step-2:
    I have generated the key using
    keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet
    and put this file in C:\server.keystore

    step-3:
    server.xml entry is

    step-4:
    I deploy my war file in Tomcat
    and start the server;
    when I click my project in the Tomcat manager
    my project URL is: https://localhost:8443/Ganesha/
    but the browser says:
    This webpage is not available
    The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a new web address.
    Here are some suggestions:
    Reload this web page later.
    Error 7 (net::ERR_TIMED_OUT): The operation timed out

  • http://shalsofttech.com gopala krishna

    Please help me out.

    I have successfully created the certificate
    and incorporated it in the server.xml file.

    But I am unable to connect with https:\\localhost:8443;
    I can with http:\\localhost:8080

    • Priyatham

      Your keystore and key passwords could be different. Change your key’s password to be the same as that of the keystore. It should work.

  • Levan

    Thanks again.
