Secured Socket Layer (SSL) is the cryptography protocol to provide message security over the internet. It works on the notion of Private and Public keys and messages are encrypted before sending it over the network. To configure SSL on Tomcat, we need a digital certificate that can be created using Java keytool for development environment. For production environment, you should get the digital certificate from SSL certificate providers, for example, Verisign or Entrust.
Follow below steps to create your own digital certificate:
Pankaj:TEMP Pankaj$ keytool -genkey -alias tomcat -keyalg RSA -keystore mycertificate.cert Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: Pankaj Kumar What is the name of your organizational unit? [Unknown]: Dev What is the name of your organization? [Unknown]: JournalDev What is the name of your City or Locality? [Unknown]: Bangalore What is the name of your State or Province? [Unknown]: Karnataka What is the two-letter country code for this unit? [Unknown]: IN Is CN=Pankaj Kumar, OU=Dev, O=JournalDev, L=Bangalore, ST=Karnataka, C=IN correct? [no]: Yes Enter key password for <tomcat> (RETURN if same as keystore password): Re-enter new password: Pankaj:TEMP Pankaj$ ls mycertificate.cert
I have used password “changeit” for keystore and key but you can use whatever you want.
Now our digital certificate is ready and next step is to enable HTTPS communication port in tomcat and set it to use our digital certificate for providing SSL support.
To enable SSL open ~Tomcat_Installation/conf/server.xml file and uncomment following line:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="/Users/Pankaj/tomcat/conf/mycertificate.cert" clientAuth="false" sslProtocol="TLS" />
So we can access any web application on both HTTP and HTTPS ports. We can set up tomcat to redirect all HTTP request to HTTPS port with some configurations.
1. In ~TomcatInstallation/conf/server.xml
For HTTP Connector, set the redirect port to the HTTPS connector port. It will look somewhat like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --> <Connector port="8090" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />
2. In ~TomcatInstallation/conf/web.xml
Add below configuration but make sure to add it after all the servlet mapping tags.
<!-- added by Pankaj for automatic redirect from HTTP to HTTPS --> <security-constraint> <web-resource-collection> <web-resource-name>Entire Application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Restart the tomcat now and all the HTTP requests will automatically be redirected to HTTPS i.e http://localhost:8080/axis2 will be automatically redirected to https://localhost:8443/axis2
Note: If you don’t want to provide ports in the URLs, then use 80 for HTTP and 443 for HTTPS and in this case you can skip the first step to automatic redirect HTTP requests to HTTPS because it will automatically pick the default port 443.
Update: If you are working on Tomcat, you might be interested in following posts.