How to configure Tomcat to support SSL or https
A guide to show you how to configure Tomcat 6.0 to support SSL or https connection.
1. Generate Keystore
First, uses “
keytool” command to create a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate’s detail.
$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: yong mook kim What is the name of your organizational unit? //omitted to save space [no]: yes Enter key password for <mkyong> (RETURN if same as keystore password): Re-enter new password: $Tomcat\bin>
Here, you just created a certificate named “mkyongkeystore“, which locate at “c:\“.
You can use same “
keytool” command to list the existing certificate’s detail
$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry mkyong, 14 Disember 2010, PrivateKeyEntry, Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5 $Tomcat\bin>
2. Connector in server.xml
Next, locate your Tomcat’s server configuration file at $Tomcat\conf\server.xml, modify it by adding a connector element to support for SSL or https connection.
File : $Tomcat\conf\server.xml
//... <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="c:\mkyongkeystore" keystorePass="password" /> //...
keystorePass="password"is the password you assigned to your keystore via “
Saved it and restart Tomcat, access to https://localhost:8443/
In this example, we are using Google Chrome to access the Tomcat configured SSL site, and you may notice a crossed icon appear before the https protocol :), this is caused by the self-signed certificate and Google chrome just do not trust it.
In production environment, you should consider buy a signed certificate from trusted SSL service provider like verisign or sign it with your own CA server