Apache Tomcat over TLS/SSL

Russell Bateman
July 2022

How to Set Up HTTPS SSL on Tomcat

Just to get oriented a little: what version of Java (and therefore keytool) am I using?

$ java -version
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)

I have Tomcat installed as a service on /opt/tomcat. To see how I did this, contemplate my notes on Apache Tomcat installation on Linux as a service.

First step

Create a key.

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore tomcat.jks

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  windofkeltia.com
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  Wind of Keltia
What is the name of your City or Locality?
  [Unknown]:  Provo
What is the name of your State or Province?
  [Unknown]:  UT
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US correct?
  [no]:  yes

Step two

Move the artifact (keystore) to Tomcat. That's where we'll be using it from.

$ sudo mv tomcat.jks /opt/tomcat/conf
$ sudo ls -alg /opt/tomcat/conf/tomcat.jks
-rw-rw-r-- 1 russ 2729 Jul 12 10:23 /opt/tomcat/conf/tomcat.jks

Step three

We're going to tweak Tomcat's configuration (properly so, in fact). Open /opt/tomcat/conf/server.xml in an editor.

$ sudo vim /opt/tomcat/conf/server.xml

Look for the existing <Connector port="8080" protocol="HTTP/1.1" ... element in the file you just opened.

Open a new line just below it (after that element's close), add the following element, then save and exit the editor.

<!-- clientAuth="false": client authentication (log-in) is a whole other ball of wax! -->
<Connector port="8443"
       protocol="HTTP/1.1"
         scheme="https"
         secure="true"
     SSLEnabled="true"
     maxThreads="200"
   keystoreFile="conf/tomcat.jks"
   keystorePass="changeit"
     clientAuth="false"
    sslProtocol="TLS" />

You will note that this leaves the original HTTP connector (port 8080) in place in Tomcat's configuration.

Step four

Restart Tomcat for the configuration changes to become effective.

$ sudo systemctl restart tomcat
$ sudo systemctl status tomcat
 tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-07-12 10:41:02 MDT; 10s ago
    Process: 1194212 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
   Main PID: 1194234 (java)
      Tasks: 47 (limit: 18968)
     Memory: 221.2M
     CGroup: /system.slice/tomcat.service
             └─1194234 /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Dnop -Djava.util.logging.manag>

Jul 12 10:41:02 nargothrond systemd[1]: Starting Apache Tomcat Web Application Container...
Jul 12 10:41:02 nargothrond startup.sh[1194212]: Tomcat started.
Jul 12 10:41:02 nargothrond systemd[1]: Started Apache Tomcat Web Application Container.

Step five

Open a browser on this URL:

https://localhost:8443/

You will see "Your connection is not private" with a button, Advanced. Click that button.

Then, you will see a message and an explanation, something like, "This server could not prove that it is localhost; its security certificate is not trusted by your computer's operating system..."

This happens because the key and certificate you created in step 1 above are self-signed rather than issued by a certificate authority your browser trusts; they are not properly (commercially) "authorized." They will still work, but not without answering these two caveats.

To finish, click the link whose wording depends on the browser you have, but it's something like "Continue to this website (not recommended)."

You're there!

Finally, you land on Tomcat's splash or landing page. If you had deployed a genuine application to Tomcat, your URL would be something like https://localhost:8443/application; you'd still go through the caveats, but you would land on your application.

As already noted,

http://localhost:8080/

...continues to work because its connector is still configured in /opt/tomcat/conf/server.xml. If that is not what you want, remove the port-8080 connector rather than merely adding the TLS connector alongside it.
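To check that step three came out as intended, and to spot the leftover plaintext listener just mentioned, here is a small audit of server.xml. It is an added example, not part of the original notes or of Tomcat itself; the embedded server.xml is a constructed sample and the finding texts are my own.

```python
"""Added example: audit a Tomcat server.xml for the HTTPS connector configured above."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real /opt/tomcat/conf/server.xml): the stock HTTP
# connector on 8080 plus the HTTPS connector added in step three.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
               SSLEnabled="true" maxThreads="200" keystoreFile="conf/tomcat.jks"
               keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Tomcat falls back to "changeit" when keystorePass is absent, so empty counts as weak.
WEAK_PASSWORDS = {"", "changeit", "password", "tomcat"}


def audit_connectors(server_xml: str) -> dict:
    """Map each <Connector> port to a list of findings (an empty list means nothing to flag)."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        findings = []
        if conn.get("SSLEnabled", "false").lower() == "true":
            # Tomcat only logs a warning for an unknown attribute, so a misspelling such
            # as 'schema' goes unnoticed and request.getScheme() keeps returning "http".
            if conn.get("scheme") != "https":
                findings.append("scheme must be \"https\" (attribute is 'scheme', not 'schema')")
            if conn.get("secure", "false").lower() != "true":
                findings.append("secure must be \"true\"")
            if conn.get("keystorePass", "") in WEAK_PASSWORDS:
                findings.append("keystorePass is empty or a well-known default")
        else:
            findings.append("plaintext HTTP listener; remove it if HTTPS-only is wanted")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```

Point it at the real file with audit_connectors(open("/opt/tomcat/conf/server.xml").read()) after Tomcat has been restarted.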

Inspiration...

The steps in this tutorial came originally from a Windows version thereof, its implicit goal being to reduce the instructions to the smallest possible number of steps—which I thought it did admirably.