Java Web Programming with Eclipse contents
Last modified February 06, 2011 01:37 am


Web Application Security (continued)

Configure HTTPS


Overview

These instructions explain how to configure Tomcat for SSL/TLS. After following these instructions, users may access web applications securely through port 8443.

The instructions show how to generate a self-signed certificate that browsers can use to authenticate the server. Because the certificate is self-signed, browsers will not be able to verify its authenticity: it will not have been signed by a trusted third party whose certificates are pre-installed in the client system or have been added to it. For a commercial web site open to the public, you would typically have a third party sign your certificate and use that certificate to authenticate your server to browsers. For a web application intended for a pre-defined group of users, you can avoid purchasing a signed certificate by adding your self-signed certificate to the trust stores within the client environments.

You can still use HTTPS without doing either of the above, but your users will need to accept an untrusted certificate each time they visit your site. The following instructions set up your system in this way.

Create Keystore with Self-Signed Certificate

You need to generate a self-signed certificate and store it in a file called keystore under the conf folder of the Tomcat installation. To do this, run the keytool command shown below, leaving the storepass and keypass values both equal to changeit. This command may take a long time to complete, so be patient. After generating the keystore file, move it into the conf folder.

The caret (^) and backslash (\) at the end of each line in the following commands indicate line continuation on Windows and Linux, respectively. You can omit the line continuation characters by entering all the command parameters on a single line. Run the command from an operating system command prompt.

The keytool command is part of the JDK. If your system only contains the JRE, you will need to install the JDK to get access to this command.

Running keytool under Windows

keytool -genkey ^
        -keystore keystore ^
        -alias tomcat ^
        -keyalg RSA ^
        -keysize 2048 ^
        -dname CN=localhost ^
        -storepass changeit ^
        -keypass changeit

If you get a message that the command is unknown, provide the full pathname to the keytool executable (or add the bin folder of your JDK installation to the PATH variable in your environment).

Also, if you are using Windows Vista, you probably need to be an administrator to write the keystore file into the conf folder.

Running keytool under Linux and Mac OS X

keytool -genkey \
        -keystore keystore \
        -alias tomcat \
        -keyalg RSA \
        -keysize 2048 \
        -dname CN=localhost \
        -storepass changeit \
        -keypass changeit

The CN field in the certificate should contain the domain name of your server. Because you are running Tomcat and your browser on the same machine, setting CN to localhost as above is fine. However, if you want to access Tomcat from a remote machine, replace localhost with the domain name of the machine on which Tomcat is running.

Configuring Tomcat

After creating the file keystore, move it into the conf folder under ${TOMCAT_HOME}.

Uncomment the Connector element in ${TOMCAT_HOME}\conf\server.xml that has a port attribute set to 8443. Also, add a keystoreFile attribute to this element as follows.

keystoreFile="conf/keystore"

The following is an example Connector element that sets up HTTPS on port 8443.

<Connector port="8443"
           maxThreads="200" 
           minSpareThreads="5" 
           maxSpareThreads="75"
           enableLookups="true" 
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystorePass="changeit"
           keystoreFile="conf/keystore" />

If the above configuration fails for you, it may be that you changed the passwords from changeit to some other value when you ran keytool. In this case, set the following two attributes on the above Connector element to the storepass and keypass values you used, respectively (keystorePass is the keystore password, keyPass the password of the key inside it).

keystorePass="storepass-value"
keyPass="keypass-value"

If you are running Windows Vista, regular users may not have the privileges to modify server.xml. In this case, you need to edit server.xml as administrator. To do this, right-click on WordPad in the Windows start menu and select Run as administrator.

Test

Test your configuration by starting (or restarting) Tomcat and pointing your browser to https://localhost:8443/publisher/home. A security alert is presented because the browser's trust store contains neither the certificate you generated for Tomcat nor a certificate that was used to sign it.

Note that if you want to change the port number used for HTTPS, make sure you also change the redirectPort attribute of the unencrypted Connector element in server.xml to your new value; otherwise requests that Tomcat redirects to HTTPS will be sent to a port on which nothing is listening.
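As an added example (not part of the original tutorial), the following Python script checks a server.xml for the points made in this section: that the Connector on the HTTPS port is active (a commented-out element never reaches the parser), that it carries scheme, secure, SSLEnabled and keystoreFile, and that every plain HTTP Connector's redirectPort points at that same port. The embedded server.xml fragment is constructed for the example; check_https_config and REQUIRED_HTTPS_ATTRS are names chosen here, not Tomcat's.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the file from the tutorial): an HTTP
# connector redirecting to 8443 plus the HTTPS connector described above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="changeit" keystoreFile="conf/keystore" />
  </Service>
</Server>
"""

# Attribute values the HTTPS Connector must carry for Tomcat to serve TLS.
REQUIRED_HTTPS_ATTRS = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}


def check_https_config(server_xml: str, https_port: str = "8443") -> list:
    """Return a list of problems found in the Connector setup (empty == OK).

    XML comments are dropped by the parser, so a Connector that was never
    uncommented simply shows up as missing.
    """
    problems = []
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector") if c.get("port") == https_port]
    if not https:
        return [f"no active Connector on port {https_port} (still commented out?)"]
    conn = https[0]
    for attr, expected in REQUIRED_HTTPS_ATTRS.items():
        if conn.get(attr) != expected:
            problems.append(f'{attr} should be "{expected}", found {conn.get(attr)!r}')
    if not conn.get("keystoreFile"):
        problems.append("keystoreFile attribute is missing")
    # Every plain (non-TLS) Connector must redirect to the HTTPS port in use.
    for c in root.iter("Connector"):
        redirect = c.get("redirectPort")
        if c.get("SSLEnabled") != "true" and redirect not in (None, https_port):
            problems.append(f"port {c.get('port')}: redirectPort={redirect} != {https_port}")
    return problems


if __name__ == "__main__":
    print(check_https_config(SAMPLE_SERVER_XML) or "HTTPS connector configuration looks consistent")
```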


Copyright 2007-2009 David Turner and Jinseok Chae. All rights reserved.