Tomcat SSL (HTTPS) Configuration

1. Create a new keystore

1. To create a new keystore from scratch containing a single self-signed certificate, run the following from a terminal command line:

Windows:
keytool -genkey -alias tomcat -keyalg RSA

Unix:
keytool -genkey -alias tomcat -keyalg RSA

Note: make sure JAVA_HOME is set correctly and that the JDK bin directory is on the PATH.
(To confirm on Windows, run echo %path% at the command prompt; the output should contain Java\jdk1.6.0_14\bin.)

You will need to provide the following information while creating the keystore.


C:\>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  Java Designer
What is the name of your organizational unit?
  [Unknown]:  Java
What is the name of your organization?
  [Unknown]:  Java Designer
What is the name of your City or Locality?
  [Unknown]:  Trowbridge
What is the name of your State or Province?
  [Unknown]:  Wiltshire
What is the two-letter country code for this unit?
  [Unknown]:  UK
Is CN=Java, OU=Java, O=Java Designer, L=Trowbridge, ST=Wiltshire, C=UK correct?
  [no]:  Y

Enter key password for <tomcat>
        (RETURN if same as keystore password): changeit
Re-enter new password: changeit

Note 1: after executing this command you will first be prompted for the keystore password. The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. A custom password must also be specified in the server.xml configuration file (see the keystorePass entry in the next section).

Note 2: the private key password and the keystore password should be the same.

After the command completes, a file named .keystore is created in the user's home directory (for example C:\Users\username).

2. Copy the generated .keystore file to the Tomcat home directory.

2. Tomcat Configuration Changes

The final step is to configure the Connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat 6 instance.

1. Uncomment the HTTPS Connector element:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

2. Add the keystoreFile and keystorePass attributes to that Connector.

             keystoreFile: location of the generated keystore file (the copy placed in the Tomcat home directory).
             keystorePass: the password provided when the keystore was created.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/.keystore" keystorePass="changeit" />


After completing these configuration changes, restart Tomcat as you normally do. You should then be able to access any web application deployed on Tomcat over SSL. For example, try:
https://localhost:8443/<application>
If it does not work, check the catalina log file in the Tomcat logs folder.
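As an added check (example code, not from this how-to or from the Tomcat project), the script below parses a constructed server.xml and reports the mistakes that most often break or weaken this setup: whitespace that slips into keystorePass, the well-known default password, and a keystoreFile path that does not resolve. The sample XML, the CATALINA_HOME path and the file-existence hook are assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the how-to's real file) reproducing the
# connector from the text, including a leading space inside keystorePass.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/.keystore" keystorePass=" changeit" />
  </Service>
</Server>
"""

DEFAULT_KEYSTORE_PASS = "changeit"  # Tomcat's documented default

def check_ssl_connectors(xml_text, catalina_home, file_exists=os.path.exists):
    """Return (port, message) findings for every Connector with SSLEnabled='true'."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme/secure must be https/true on an SSL connector"))
        pw = conn.get("keystorePass")
        if pw is None:
            findings.append((port, "keystorePass missing; Tomcat will try the default"))
        else:
            if pw != pw.strip():
                findings.append((port, "keystorePass has surrounding whitespace; keystore will not open"))
            if pw.strip() == DEFAULT_KEYSTORE_PASS:
                findings.append((port, "keystorePass is the well-known default 'changeit'"))
        ks = conn.get("keystoreFile")
        if ks is None:
            findings.append((port, "keystoreFile missing; Tomcat will look for ~/.keystore"))
        else:
            # Resolve ${catalina.home} the way the how-to's server.xml uses it
            resolved = ks.replace("${catalina.home}", catalina_home)
            if not file_exists(resolved):
                findings.append((port, f"keystoreFile not found at {resolved}"))
    return findings

if __name__ == "__main__":
    for port, msg in check_ssl_connectors(SAMPLE_SERVER_XML, "/opt/tomcat6"):
        print(f"port {port}: {msg}")
```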
Reference document: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html