Steps to Configure SSL on Tomcat and Setup Auto Redirect from HTTP to HTTPS

Secured Socket Layer (SSL) is the cryptography protocol to provide message security over the internet. It works on the notion of Private and Public keys and messages are encrypted before sending it over the network. To configure SSL on Tomcat, we need a digital certificate that can be created using Java keytool for development environment. For production environment, you should get the digital certificate from SSL certificate providers, for example, Verisign or Entrust.

Follow below steps to create your own digital certificate:


Pankaj:TEMP Pankaj$ keytool -genkey -alias tomcat -keyalg RSA -keystore mycertificate.cert
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Pankaj Kumar
What is the name of your organizational unit?
  [Unknown]:  Dev
What is the name of your organization?
  [Unknown]:  JournalDev
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Pankaj Kumar, OU=Dev, O=JournalDev, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  Yes

Enter key password for <tomcat>
	(RETURN if same as keystore password):
Re-enter new password:
Pankaj:TEMP Pankaj$ ls
mycertificate.cert

I have used password “changeit” for keystore and key but you can use whatever you want.

Now our digital certificate is ready and next step is to enable HTTPS communication port in tomcat and set it to use our digital certificate for providing SSL support.

To enable SSL open ~Tomcat_Installation/conf/server.xml file and uncomment following line:

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/Users/Pankaj/tomcat/conf/mycertificate.cert"
	       clientAuth="false" sslProtocol="TLS" />

To avoid any misplacement of the certificate, I have put that in the tomcat conf directory. Now restart tomcat and try to access any web application over https with port 8443.

So we can access any web application on both HTTP and HTTPS ports. We can set up tomcat to redirect all HTTP request to HTTPS port with some configurations.

1. In ~TomcatInstallation/conf/server.xml

For HTTP Connector, set the redirect port to the HTTPS connector port. It will look somewhat like this:

<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8090" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

2. In ~TomcatInstallation/conf/web.xml

Add below configuration but make sure to add it after all the servlet mapping tags.

<!-- added by Pankaj for automatic redirect from HTTP to HTTPS -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Restart the tomcat now and all the HTTP requests will automatically be redirected to HTTPS i.e http://localhost:8080/axis2 will be automatically redirected to https://localhost:8443/axis2

Note: If you don’t want to provide ports in the URLs, then use 80 for HTTP and 443 for HTTPS and in this case you can skip the first step to automatic redirect HTTP requests to HTTPS because it will automatically pick the default port 443.

Update: If you are working on Tomcat, you might be interested in following posts.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to JournalDev Newsletter
Get the FREE access to Monthly Newsletter and Free PDF eBooks
*No Spam Guaranteed. By entering your email address, you agree also subscribing to our newsletter.
Oops! - Something went wrong.
Close
Cryptography For Dummies - eBook (usually $22.99) FREE for a limited time! Download Now
Exclusive Offer: Citrix™ Whitepaper on Denial of Service Attack Download Now