Securing your Tomcat server with an SSL Certificate
Security is key in today's world, and that goes for your Tomcat server too. We have a couple of SaaS services where we run Tomcat to offer the web services. Of course we needed to get a certificate on that server so that we can provide our customers with a secure environment. An SSL certificate on a Tomcat server is not as easy as on a Microsoft Internet Information Server. So today I, again, had to do the same trick. This time I decided to document it, as every time I have to think about where to start, and that procedure I share with you.
Tomcat SSL Certificate
There are a couple of steps to follow:
- Create the certificate request
- Create the KeyStore for Tomcat
- Request the certificate from your provider
- Add the certificate + root / intermediate to the KeyStore
- Edit the server.xml
- Restart the Tomcat service
Create the SSL certificate request
To start you need to create an SSL certificate request (CSR). The easiest way to do this is by going to the following website, Create SSL CSR, and filling in the details.
After you fill in the details you click on "Generate" and the script is copied to the box on the right side. Copy the contents of this box and run it on the Tomcat server to create the certificate request. I copied the script here so you can also just copy it from here and change it to your settings. I coloured the settings you need to change:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore my_url_com.jks -dname "CN=my.url.com,OU=ICT, O=Your company, L=Location, ST=NBR, C=NL" && keytool -certreq -alias server -file my_url_com.csr -keystore my_url_com.jks
When running this script you need to enter a password for the keystore; it doesn't have to be difficult, but it should be something you can enter more than once. You need to enter it a few times, so make sure you remember it. When you are done, two files are created: the JKS file is the keystore, the CSR is your certificate request.
Next you request the certificate from your provider with the CSR file. In return they will provide you with your certificate and some additional certificates (the chain).
As you see with Comodo you get a ROOT certificate, an INTERMEDIATE certificate and a DOMAIN validation certificate, and of course the certificate you requested. These four files (it might be different with other providers) need to be added to the KeyStore. I will show you the GUI way; it's the easiest way and you keep an overview.
Prepare keystore editing
To add the files to the keystore you need either the command prompt or a GUI based tool. A simple GUI based tool is KeyStore Explorer. You can download it right here: Keystore explorer. Make sure you pick version 1.5, download it and unzip it. It will require JRE version 1.6 or above.
When you have installed it and start it you will get the following message. You need to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files.
So click on "Download Unlimited Strength Jurisdiction Policy ZIP" so that the program opens a browser and takes you to the following site, JCE Policy 8; here you download the files and unpack them.
Select the files called Local_Policy and US_Export_Policy and copy them.
Now you start KeyStore Explorer again, click on the option "Browse to Unlimited Strength Jurisdiction Policy ZIP" and select the US Export policy file. It will upgrade and restart and you're done.
So now you can open the keystore and get those files in. Let's get this thing on the road.
Open KeyStore Explorer, choose "Open an existing KeyStore" and browse for the keystore you created in the first step. When you open it you are required to type the password you created.
First we will add the certificates we got from the provider, the root, intermediate(s) and domain validation.
So when you are in the JKS keystore you see the key pair entry you created. This entry is waiting for the reply file. First we add the certificates, in a specific order.
First we add the root certificate, next the intermediate and last the domain validation. If you have more than one intermediate, add them before the domain validation.
The process is simple: right click in the field and click on "Import Trusted Certificate". You will get some prompts asking whether you trust it; as you do, say you do. Repeat this for all the files you got, but not for the certificate itself. Don't import it here right now; it will work, but the certificate will appear as self signed.
Next we will connect the certificate with the server entry in the keystore.
Right click on the server entry and pick "Import CA Reply", then enter the password you created in the first step. Next you browse to the certificate you got from the provider. It will be included, and it is not visible anymore as a separate entry in this screen. So the last step is to save the file and the keystore is ready for use. Copy it to wherever you want it stored.
Next, edit the certificate chain and add the certificates from bottom to top, with the root last.
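The same keystore steps done with keytool on the command line instead of KeyStore Explorer, as an added example that is not part of the original post. A locally generated root CA stands in for the provider signing the CSR (Comodo in the post); the password changeit, the aliases root and testroot and the scratch directory are assumptions, and the final check confirms the server entry carries the full chain rather than a lone self-signed certificate.

```shell
#!/bin/sh
# Constructed walk-through of the post's keystore steps with keytool only.
# Assumptions: keytool (JDK) on PATH, password "changeit", a local test root CA
# standing in for the provider. All files go into a scratch directory.
set -e
command -v keytool >/dev/null 2>&1 || { echo "keytool (JDK) not on PATH, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit
KS="$WORK/my_url_com.jks"

# Stand-in for the provider's root CA (self-signed, CA basic constraint).
keytool -genkeypair -alias testroot -keyalg RSA -keysize 2048 -validity 365 \
  -dname "CN=Test Root CA, O=Example, C=NL" -ext bc:c -storetype JKS \
  -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
keytool -exportcert -rfc -alias testroot -keystore "$WORK/ca.jks" \
  -storepass "$PASS" -file "$WORK/root.pem"

# Step 1 of the post: the server keystore and the CSR (passwords given up front).
keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -storetype JKS \
  -dname "CN=my.url.com, OU=ICT, O=Your company, L=Location, ST=NBR, C=NL" \
  -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
keytool -certreq -alias server -file "$WORK/my_url_com.csr" \
  -keystore "$KS" -storepass "$PASS"

# Stand-in for the provider issuing the certificate from the CSR.
keytool -gencert -rfc -validity 365 -alias testroot -keystore "$WORK/ca.jks" \
  -storepass "$PASS" -infile "$WORK/my_url_com.csr" -outfile "$WORK/my_url_com.pem"

# "Import Trusted Certificate": root first (then any intermediates), own aliases.
keytool -importcert -noprompt -alias root -file "$WORK/root.pem" \
  -keystore "$KS" -storepass "$PASS"
# "Import CA Reply": the issued certificate goes onto the existing "server" entry,
# which only builds a chain because its issuer is already trusted in this keystore.
keytool -importcert -alias server -file "$WORK/my_url_com.pem" \
  -keystore "$KS" -storepass "$PASS"

# Check: the server entry must carry the whole chain (here 2: server + root).
chain_length() {
  keytool -list -v -alias server -keystore "$KS" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: *//p'
}
echo "certificate chain length for alias server: $(chain_length)"
```

With a real provider you would import its root and each intermediate the same way before the reply, and the check should then report the full depth of that chain.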
The last step is editing the server.xml. The server.xml is the heart of the Tomcat server. It is located in the \Manager\Tomcat\conf folder on your server. If you have a certain software installation there might be a root folder before you see the Manager folder.
Copy the server.xml and paste it to create a backup; you need to be able to revert your action in case something goes wrong. Open the server.xml with your favourite editor and find the following entry. The entry is the Connector for port 8443.
Enter the path to the keystore file and its password on that Connector, so keystoreFile="C:\...\file.jks" keystorePass="yourpassword" server="<application server name>". The attribute names are case sensitive; the server attribute only overrides the Server response header and is optional.
Save the file and restart the Tomcat service or the application service and you're done. Now when you browse to the site you will see the lock and the site is served over SSL. So not that much work, and now I have it documented.
Have a good weekend