Creation of KeyStore
The first and foremost requirement for implementing SSL is the creation of a keystore file. The Tomcat documentation says only three formats are supported (JKS, PKCS11 or PKCS12); I am going to use the JKS format because it is the standard Java keystore and can be created with the keytool command that ships with the Java installation.
So, let's create the keystore. Just execute the following command; it creates a JKS file containing a private key and a self-signed certificate.
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.jks -storepass ***** -validity 3650
Please note the keystore password used during creation; it is needed in the Tomcat configuration. Also, tomcat.jks should be placed in a well-secured location on the server, since it holds the private key.
Configuration
After creating the keystore file, the next step is to copy it to the server. Best practice is to place it in the conf folder of the Tomcat installation directory.
So we go to the Tomcat installation directory. In its conf folder we open the server.xml file, where we can enable SSL and provide the keystore file location along with the keystore password.
So, basically, we add the following Connector element inside the Service element:
<Service name="Catalina">
.
.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="conf/tomcat.jks" keystorePass="****" />
.
.
.
</Service>
Limiting SSL Usage
Obviously, we want to disable plaintext communication after enabling SSL. What we have configured so far supports both encrypted and plain communication, so we now disable plaintext communication.
Now we add the following lines at the end of the web.xml file, inside its root <web-app> element.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure-tomcat-app</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Restart the Tomcat server; from now on, connections to it are always secured. Requests that still arrive on the plain HTTP connector are redirected to the port named in that connector's redirectPort attribute (8443 in the stock server.xml), so make sure it matches the SSL connector's port.
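To check that both files really carry the settings described above, here is an added Python audit script (not from the original post); the server.xml and web.xml samples embedded in it are constructed to mirror the snippets in this guide, and the keystore password in them is a placeholder.

```python
# Added example, not from the original post: audit a Tomcat server.xml and
# web.xml for the HTTPS settings the guide sets. Both samples are constructed.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS" keystoreFile="conf/tomcat.jks"
  keystorePass="changeit"/>
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure-tomcat-app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""

def audit_connectors(server_xml):
    """Return findings (empty list means OK) for the Connector elements."""
    findings = []
    tls = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        findings.append("no SSLEnabled connector: HTTPS is not configured")
    for c in tls:
        port = c.get("port")
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr, "").lower() != want:
                findings.append(f"port {port}: {attr} should be {want}")
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is missing")
    return findings

def requires_https_everywhere(web_xml):
    """True if some security-constraint applies CONFIDENTIAL to /*."""
    # web.xml is namespaced ({ns}tag), so match on the tag suffix
    for sc in ET.fromstring(web_xml).iter():
        if not sc.tag.endswith("security-constraint"):
            continue
        pats = {(e.text or "").strip() for e in sc.iter() if e.tag.endswith("url-pattern")}
        tgs = {(e.text or "").strip() for e in sc.iter() if e.tag.endswith("transport-guarantee")}
        if "/*" in pats and "CONFIDENTIAL" in tgs:
            return True
    return False
```

Point the two functions at the real files under conf/ to audit a deployment; any finding, or a False from the web.xml check, means the HTTPS-only setup is incomplete.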