
How to configure Tomcat to support SSL or https

A guide showing how to configure Tomcat 6.0 to support SSL or HTTPS connections.

1. Generate Keystore

First, use the “keytool” command to create a keystore holding a self-signed certificate. During the keystore creation process you need to assign a password and fill in the certificate’s details.


$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  yong mook kim
What is the name of your organizational unit?
  //omitted to save space
  [no]:  yes

Enter key password for <mkyong>
        (RETURN if same as keystore password):
Re-enter new password:

$Tomcat\bin>

Here, you have just created a keystore file named “mkyongkeystore”, located at “c:\”, containing a self-signed certificate under the alias “mkyong”.

Certificate Details
You can use the same “keytool” command to list the details of the existing certificate:


$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5

$Tomcat\bin>

2. Connector in server.xml

Next, locate your Tomcat server configuration file at $Tomcat\conf\server.xml and add a Connector element that supports SSL or HTTPS connections.

File : $Tomcat\conf\server.xml


 <!-- ... -->
 <!-- Define a SSL HTTP/1.1 Connector on port 8443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="c:\mkyongkeystore"
            keystorePass="password" />
 <!-- ... -->
Note
keystorePass="password" is the password you assigned to the keystore with the “keytool” command. It is stored in plain text in server.xml, so restrict read access to that file to the account that runs Tomcat.
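As an added example (not part of the original tutorial), the following Python script parses a server.xml and reports the points a reviewer checks on an SSL connector before exposing it: that scheme and secure agree with SSLEnabled, that the enabled protocol versions are stated explicitly rather than left to the JVM default, that the keystore password sits in plain text in the file, and where a relative keystoreFile is resolved. The server.xml embedded in it is constructed to match the connector above; the `sslEnabledProtocols` attribute it looks for is the JSSE connector attribute available in Tomcat 7 and later (and backported to late Tomcat 6 releases).

```python
"""Audit the SSL/TLS Connector elements of a Tomcat server.xml.

Added example, not from the tutorial: parses every Connector element and
reports the settings a reviewer checks on an HTTPS connector.  The sample
server.xml below is constructed to mirror the tutorial's connector plus
Tomcat's default plain HTTP connector.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\\mkyongkeystore"
               keystorePass="password" />
  </Service>
</Server>
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def is_true(value):
    """Tomcat accepts the usual boolean spellings for its attributes."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def is_absolute_path(path):
    """Unix absolute path, or a Windows drive-letter path such as c:\\ks."""
    return path.startswith("/") or (len(path) > 1 and path[1] == ":")


def parse_connectors(xml_text):
    """Return the attribute dict of every Connector in the document."""
    root = ET.fromstring(xml_text)
    return [dict(conn.attrib) for conn in root.iter("Connector")]


def audit_connector(attrs):
    """Return a list of findings for one Connector's attributes.

    Only connectors with SSLEnabled="true" are examined; a plain HTTP
    connector returns an empty list.
    """
    findings = []
    if not is_true(attrs.get("SSLEnabled")):
        return findings
    port = attrs.get("port", "?")

    # scheme/secure tell the servlet API the request arrived over TLS;
    # without them request.isSecure() is false and generated URLs use http://.
    if attrs.get("scheme") != "https":
        findings.append(f"port {port}: SSLEnabled but scheme is not https")
    if not is_true(attrs.get("secure")):
        findings.append(f"port {port}: SSLEnabled but secure is not true")

    # sslProtocol only selects the JSSE SSLContext; which protocol versions
    # are offered is the JVM default unless sslEnabledProtocols is set.
    if "sslEnabledProtocols" not in attrs:
        findings.append(f"port {port}: sslEnabledProtocols not set, "
                        "protocol versions are left to the JVM default")

    # The keystore password in server.xml is plain text; the file must not
    # be readable by other accounts.  Only its presence can be flagged here.
    if "keystorePass" in attrs:
        findings.append(f"port {port}: keystorePass is stored in plain text "
                        "in server.xml; restrict read access to the file")

    keystore = attrs.get("keystoreFile")
    if keystore is None:
        findings.append(f"port {port}: keystoreFile not set, Tomcat falls "
                        "back to .keystore in the home directory of its user")
    elif not is_absolute_path(keystore):
        findings.append(f"port {port}: keystoreFile '{keystore}' is relative "
                        "and is resolved against CATALINA_BASE")
    return findings


def audit_server_xml(xml_text):
    """Audit every SSL connector; returns {port: [findings]}."""
    report = {}
    for attrs in parse_connectors(xml_text):
        if is_true(attrs.get("SSLEnabled")):
            report[attrs.get("port", "?")] = audit_connector(attrs)
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"SSL connector on port {port}:")
        for line in findings or ["no findings"]:
            print("  -", line)
```

Run against the constructed sample it reports two findings for port 8443: the protocol versions are not pinned, and the keystore password is in the file. Point it at a real server.xml by reading the file and passing its text to audit_server_xml.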

3. Done

Save the file, restart Tomcat, and open https://localhost:8443/ in a browser.

[Screenshot: tomcat-ssl-configuration]

In this example, we use Google Chrome to access the SSL-enabled Tomcat site. You may notice a crossed-out icon in front of the https protocol :) – this is caused by the self-signed certificate, which Google Chrome simply does not trust.

In a production environment, you should consider buying a certificate signed by a trusted SSL service provider such as VeriSign, or signing it with your own CA server.

Reference

  1. Tomcat 6 : SSL configuration HOW-TO

About Author

Founder of Mkyong.com, love Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider make a donation to these charities.

Comments

77 Comments
Udaib khan
4 years ago

Hi mkyong,
I have configured an SSL certificate in the Tomcat server.xml file through the connector. My SSL certificate is signed by a third party and I allowed only TLS v1.2, but still, when I access the application there is a yellow insecure icon on the URL.

Please suggest some solutions

Sujay
4 years ago

I am getting ERR_SSL_PROTOCOL_ERROR. It is not showing the Apache Tomcat screen.

Roberto H Marquez
4 years ago

Thanks man!

Ram Pal
4 years ago

I have installed SSL but I do not want to mention 8443 in the URL. My web app should open with the domain only. How is it possible? Please help me.

Thakur
4 years ago

I have done all the things as described, but still it’s not working; I am getting the same problem, “this site can’t be reached”.

Thirumalesh
5 years ago

The server.xml is getting overwritten after restarting the server.

lixiang
6 years ago

I’m getting an error like this after entering https://localhost:8443. Please let me know about the issue with Chrome:
NET::ERR_CERT_AUTHORITY_INVALID

Irinel
6 years ago

I have enabled SSL with a self-signed certificate that is valid… and when I call the methods from the controller through Postman they seem to work on HTTPS but also on HTTP. It should not work on HTTP anymore. Can somebody help me with this? I have a Spring Boot application.

Danish hamid
6 years ago
Reply to Irinel

<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Do this and your problem will be solved.

dubet
7 years ago

Hi Mkyong… Thanks a lot for this information. It helped resolve an SSL-related issue on my end. I found the information provided by you simple and user-friendly…

King
7 years ago

Thanks Mkyong. It is like a breeze.

Alfonso
8 years ago

Hi All,

Can I use a certificate generated on another server?

Regards!!!

Jon Inazio
8 years ago

How do I configure Tomcat with APR?

Abhi
8 years ago

What is a CA server?

King
8 years ago

Thanks a lot man. Your tutorials are great.

sofiane oukachbi
8 years ago

Don’t forget to remove your tomcat instance from Eclipse and create a new one.

orthoo
7 years ago

Thanks, it was that trick.

Lakshmana Kumar
8 years ago

Hi MKYONG,

I’m unable to test this in Eclipse Juno with Tomcat 8.

I have the following error.

Exception in thread "main" javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://localhost:8280/HelloWorldWS/hello?wsdl. It failed with:
Unrecognized SSL message, plaintext connection?.
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:136)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:122)
at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:226)
at com.sun.xml.ws.client.WSServiceDelegate.(WSServiceDelegate.java:189)
at com.sun.xml.ws.client.WSServiceDelegate.(WSServiceDelegate.java:159)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:81)
at javax.xml.ws.Service.(Unknown Source)
at javax.xml.ws.Service.create(Unknown Source)
at com.mkyong.client.HelloWorldClient.main(HelloWorldClient.java:17)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:785)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:236)
at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:107)
… 7 more

In Firefox the following error message is shown:

Secure Connection Failed

An error occurred during a connection to localhost:8280.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

Please do let me know of any inputs you have.

Regards,
Lakshmana Kumar
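The two messages in this comment, Java's “Unrecognized SSL message, plaintext connection?” and Firefox's “ssl_error_rx_record_too_long”, are what a TLS client reports when the bytes it gets back do not form a TLS record header; a port that answers in plain HTTP is the textbook case. As an added illustration, not part of this comment or of the tutorial, the following Python script parses a server's first bytes the way a TLS client does and shows why the text “HTTP/1.1 …” produces an unknown record type and an absurd record length. Both server replies it examines are constructed.

```python
"""Interpret a server's first bytes the way a TLS client does.

Added example, not from the tutorial or the comment: a TLS client expects
the reply to start with a 5-byte record header (content type, version,
length).  When the bytes are really "HTTP/1.1 200 OK", the content type is
'H' (unknown) and the length is the two bytes "/ " read as a big-endian
integer, which exceeds the maximum record size.  Both sample replies are
constructed.
"""
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Largest TLS 1.2 record a receiver must accept (2^14 plaintext plus
# compression/encryption expansion).
MAX_RECORD_LENGTH = 2 ** 14 + 2048

# Constructed: a minimal TLS 1.2 ServerHello record (42-byte handshake body:
# type 2, length 0x26, version 3.3, 32 random bytes, empty session id,
# cipher suite 0x002f, null compression).
TLS_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a"
                    + b"\x02\x00\x00\x26\x03\x03" + bytes(32)
                    + b"\x00" + b"\x00\x2f" + b"\x00")
# Constructed: what a plain HTTP connector sends back to a TLS ClientHello.
PLAINTEXT_HTTP = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n"


def parse_record_header(data):
    """Return (content_type, (major, minor), length) from the first 5 bytes."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return content_type, (major, minor), length


def diagnose(data):
    """Describe the reply as a TLS client would see it.

    verdict is "tls" for a well-formed record header, "plaintext-http" when
    the bytes are an HTTP status line, and "not-tls" otherwise.
    """
    content_type, version, length = parse_record_header(data)
    result = {
        "content_type": content_type,
        "content_type_name": CONTENT_TYPES.get(content_type, "unknown"),
        "version": version,
        "length": length,
        # Java's JSSE raises "Unrecognized SSL message" on an unknown content
        # type; NSS (Firefox) raises "rx_record_too_long" on the length.
        "unknown_type": content_type not in CONTENT_TYPES,
        "record_too_long": length > MAX_RECORD_LENGTH,
    }
    if not result["unknown_type"] and version[0] == 3 and not result["record_too_long"]:
        result["verdict"] = "tls"
    elif data.startswith(b"HTTP/"):
        result["verdict"] = "plaintext-http"
    else:
        result["verdict"] = "not-tls"
    return result


if __name__ == "__main__":
    for label, reply in (("TLS ServerHello", TLS_SERVER_HELLO),
                         ("plain HTTP", PLAINTEXT_HTTP)):
        print(label, diagnose(reply))
```

The verdict for the HTTP reply is reached only after the header has been misread: content type 0x48 ('H'), version (0x54, 0x54) and length 0x502f, which is why each client blames the header field it checks first.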

Sam S
8 years ago

Hi, I configured my Tomcat 8 with these settings. I can access it from localhost and it works.
But I can’t use it from the global IP remotely: I can access my app from the HTTP port but not from HTTPS (8443). I have disabled the firewall.
I tried resolveHosts="true" (as I used for HTTP) too, but it didn’t work.
Did I miss anything for remote access?

Sam S
8 years ago
Reply to Sam S

I found my solution.
I am using Amazon EC2 VM and I have forgotten to open inbound rule for 8443 port in security group.
Thanks anyway.

Ram Pal
4 years ago
Reply to Sam S

I am also using AWS EC2. I want to open my Tomcat app with SSL without mentioning any port. I configured ports 80 and 443 in server.xml, but sometimes it gives an error like “tomcat shutdown port not running”. Please help.

Puri Jagan
8 years ago

hi

govind
9 years ago

Hi Mkyong,

It was very helpful.

Elio
9 years ago

Mkyong,

I have a configuration where I need HTTPS on the client side as well as for connections initiated by the Tomcat server itself. (i.e. Tomcat -> (SSL) -> Other server). I configured a connector running on port 8443 correctly (https cert shows up in browser), but Tomcat is not using the cert for communications initiated by it. Where can I configure the process’ keystore without modifying my code or using -D opts (which will show my keystore’s location and password out in the open)?

Abhishek Singhal
9 years ago

Thanks Mkyong… this example is simple and useful.

Orlando D'Free
9 years ago

This didn’t work for me, but it was close. When I launched my server, I got this error message: No Certificate file specified or invalid file format.
I read somewhere that the fix was to change the protocol attribute in the Connector tag in the server.xml file.
I changed it from “HTTP/1.1” to “org.apache.coyote.http11.Http11NioProtocol” and relaunched my server, and it worked fine after that.
(I was running Tomcat 6.0.35)

Ashwini Sharma
9 years ago

Hi, it’s working, but now I want to add HTTPS from my login page, not from my home page…

Guest
9 years ago

Hello, Mr. Mkyong, I used keystoreFile="c:mkyongkeystore"
keystorePass="password" /> but it shows me a file not found exception…
Please help me.

Varun
10 years ago

Thanks Mkyong. You saved me from a sleepless night…

antonio
10 years ago

Could you please add some lines about the location of the keystore? Is its location relevant?

Ashwini Sharma
9 years ago
Reply to antonio

You just put it at c:/yourfilename.

vasanth
10 years ago

Can you please give the steps for configuring SSL in Jetty? I have been stuck with it for a long time. I am in desperate need of help.

sudhakar
10 years ago

Hello sir,

I want to know how to enable SSL for Tomcat 7. I followed exactly what is described above for Tomcat 6. I created the keystore file and password. Then, after I start the application, I got MalformedException Invalid byte 1 of 1-byte UTF-8. Please reply to me, sir.

Amar
10 years ago

In my application, after adding the above, the code works on both HTTP and HTTPS. Should we add any declaration in web.xml?

Puri Jagan
8 years ago
Reply to Amar

Yes, we need to add the security constraint in the web.xml of your project.

It will work as a redirect from HTTP to HTTPS.
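This exchange and Irinel's question earlier in the thread both concern forcing HTTPS through a <security-constraint> whose <transport-guarantee> is CONFIDENTIAL; for the paths it covers, Tomcat redirects plain HTTP requests to the port named in the HTTP connector's redirectPort attribute (8443 in Tomcat's default server.xml). As an added example, not from the tutorial or from any commenter, the following Python script builds constructed web.xml documents in both the whole-application form (url-pattern /*) and the login-page-only form Ashwini asks about, and checks which request paths a constraint covers, applying the Servlet-spec url-pattern rules for exact, path-prefix (/dir/*) and extension (*.ext) patterns.

```python
"""Check which request paths a web.xml forces onto HTTPS.

Added example, not from the tutorial or the comments: builds constructed
web.xml documents and reports whether a CONFIDENTIAL transport guarantee
covers a given request path, using the Servlet-spec url-pattern forms
(exact, path prefix "/dir/*", extension "*.ext").
"""
import xml.etree.ElementTree as ET

WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
{constraints}
</web-app>
"""

CONSTRAINT_TEMPLATE = """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>{name}</web-resource-name>
{patterns}
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>{guarantee}</transport-guarantee>
    </user-data-constraint>
  </security-constraint>"""


def build_web_xml(constraints):
    """Constructed web.xml from (name, [url-patterns], guarantee) tuples."""
    blocks = []
    for name, patterns, guarantee in constraints:
        pats = "\n".join(f"      <url-pattern>{p}</url-pattern>" for p in patterns)
        blocks.append(CONSTRAINT_TEMPLATE.format(name=name, patterns=pats,
                                                 guarantee=guarantee))
    return WEB_XML_TEMPLATE.format(constraints="\n".join(blocks))


# Whole application on HTTPS (the form given in the reply to Irinel above).
WHOLE_APP_WEB_XML = build_web_xml([("securedapp", ["/*"], "CONFIDENTIAL")])
# Only the login and account areas on HTTPS; a NONE guarantee is ignored.
LOGIN_ONLY_WEB_XML = build_web_xml([
    ("login", ["/login/*", "/account/*"], "CONFIDENTIAL"),
    ("public", ["/public/*"], "NONE"),
])


def _local(tag):
    """Strip the namespace ElementTree prefixes to web.xml element names."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (and elem itself) whose local tag name is `name`."""
    return [child for child in elem.iter() if _local(child.tag) == name]


def confidential_patterns(web_xml_text):
    """url-patterns whose security-constraint demands CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for sc in _find_all(root, "security-constraint"):
        guarantees = [g.text.strip() for g in _find_all(sc, "transport-guarantee")
                      if g.text]
        if "CONFIDENTIAL" not in guarantees:
            continue
        patterns.extend(p.text.strip() for p in _find_all(sc, "url-pattern")
                        if p.text)
    return patterns


def pattern_matches(pattern, path):
    """Servlet-spec matching: exact, path prefix (/dir/*), extension (*.ext).

    A prefix pattern only matches on a path-segment boundary, so /account/*
    covers /account and /account/x but not /accounts.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def https_required(web_xml_text, path):
    """True when some CONFIDENTIAL constraint covers the request path."""
    return any(pattern_matches(p, path) for p in confidential_patterns(web_xml_text))


if __name__ == "__main__":
    for path in ("/", "/index.html", "/login/form.jsp", "/account", "/accounts/1"):
        print(f"{path:18} whole-app={https_required(WHOLE_APP_WEB_XML, path)!s:5} "
              f"login-only={https_required(LOGIN_ONLY_WEB_XML, path)}")
```

The redirect only happens for paths that match a CONFIDENTIAL pattern, so a login-only constraint still leaves the rest of the application reachable over plain HTTP, which is what the /* form above closes off.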

Bayern United
10 years ago

MKYONG

PINGPONG

SINGTHESONG