Wednesday, September 27, 2017

Enabling SSL in Tomcat


To install and start tomcat server is a really straight forward, but to run it securely needs some extra configuration. In this article I am going to describe the steps needed to enable encryption in tomcat server so that the communication between client and server is being carried by encrypting the data traffic, and nobody in between client and server can read the information.

Creation of KeyStore

The first and foremost requirement to implement SSL is creation of keystore file. The documentation says only three formats are supported  (JKS, PKCS11 or PKCS12) and I am gonna use JKS format because it is java standard keystore and can be created using keytool commands that comes with Java installation. 

So, lets create keystore. Just execute the command, it creates a jks file with private key and certificate. 

keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.jks -storepass ***** -validity 3650

Please the not keystore password used while creation. This is needed in tomcat configuration. Yes, tomcat.jks should be placed in a very secured location in the server. 


Configuration

After creation of keystore file, the next step is to copy this file to the server. It is best practice to copy it in conf folder of tomcat installation directory. 

So, we go to tomcat installation directory. In conf folder there, we open server.xml file where can enable SSL and provide the keystore file location along with keystore password. 


So, basically, we add the following connector element in  service element:
<Service name="Catalina">
.
.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/tomcat.jks" keystorePass="****" /> 
.
.
.
</Service>


Limiting SSL Usage

Obviously, we want to disable plain text communication after enabling SSL. So far we have configured, supports bot encrypted and plain communication. So, we disable plain text communication. 

Now, we add the following lines at the end of the file inside tags. 

   
    <security-constraint>
    <web-resource-collection>
        <web-resource-name>secure-tomcat-app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

   


Restart Tomcat server and now the connection to the tomcat server is always secure. 



No comments:

Post a Comment