How to install and configure Tomcat 9.0 container with TLS enabled protocol
Pre-requisites –
CentOS 7
Apache Tomcat 9.0 and Later Package
TLS (Transport Layer Security) and SSL (Secure Socket Layer) are the protocol which enable for Secure encrypted communication between Web Browser and Tomcat Container. The data that is transmitted either way from Tomcat to web browser or from web browser to Tomcat is encrypted. Currently TLS1.2 is the latest version of protocol which should be used to mitigate any vulnerabilities. It is highly recommended not to user SSLv2 and SSLv3 versions
Procedure –
Step1: Download, Extract and Install the Tomcat 9.0 version
I have downloaded the Tomcat 9.0 version and placed at the following location
[root@centos15 Downloads]# pwd
/root/Downloads
[root@centos15 Downloads]# ls -ltr
total 9212
-rw-r–r–. 1 root root 9431475 Jan 13 16:13 apache-tomcat-9.0.2.tar.gz
[root@centos15 Downloads]# gunzip apache-tomcat-9.0.2.tar.gz
[root@centos15 Downloads]# ls
apache-tomcat-9.0.2.tar
[root@centos15 Downloads]# tar -xvf apache-tomcat-9.0.2.tar -C /opt/
[root@centos15 opt]# pwd
/opt
[root@centos15 opt]# ls -ltr
total 0
drwxr-xr-x. 9 root root 160 Jan 13 16:23 apache-tomcat-9.0.2
As you can see above, i have extracted the Tomcat package at location /opt
Step2: Create a JKS keystore with self signed certificate
For this step we are going to create a ssl directory and create the keystore at that location as shown below
[root@centos15 conf]# which keytool
/usr/bin/keytool
[root@centos15 conf]# pwd
/opt/apache-tomcat-9.0.2/conf
[root@centos15 conf]# mkdir ssl
[root@centos15 conf]# cd ssl/
[root@centos15 ssl]# /usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/apache-tomcat-9.0.2/conf/ssl/keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Imageit Coorperation
What is the name of your organizational unit?
[Unknown]: Imageit
What is the name of your organization?
[Unknown]: Imageit
What is the name of your City or Locality?
[Unknown]: Mumbai
What is the name of your State or Province?
[Unknown]: Maharashtra
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Imageit Coorperation, OU=Imageit, O=Imageit, L=Mumbai, ST=Maharashtra, C=IN correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
[root@centos15 ssl]# ls -ltr
total 4
-rw-r–r–. 1 root root 2266 Jan 13 16:32 keystore.jks
As you can see we have generated a JKS keystore with a self signed certificate
Step3: List the Certificate from the keystore and verify
[root@centos15 ssl]# /usr/bin/keytool -list -keystore keystore.jks -storepass key@12 -alias tomcat
tomcat, Jan 13, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0B:7C:4E:60:A2:9F:14:E5:3B:24:1E:59:1B:58:91:6B:56:FA:B8:09
Step4: Configure Tomcat to enable SSL communication
Here we are going to edit the server.xml to refer to our self signed certificate and enable tomcat to listen on SSL channel at port 8443
Uncomment the below section and edit as show below
<Connector port=”8443″ protocol=”org.apache.coyote.http11.Http11NioProtocol”
maxThreads=”150″ secure=”true” SSLEnabled=”true”>
<SSLHostConfig>
<Certificate certificateKeystoreFile=”/opt/apache-tomcat-9.0.2/conf/ssl/keystore.jks” type=”RSA” certificateKeystorePassword=”key@12″/>
</SSLHostConfig>
</Connector>
Also as you can see we are using the NIO protocol for setting up the connector
Step5: Start the Tomcat instance and verify the setup
[root@centos15 bin]# pwd
/opt/apache-tomcat-9.0.2/bin
[root@centos15 bin]# ./startup.sh
Using CATALINA_BASE: /opt/apache-tomcat-9.0.2
Using CATALINA_HOME: /opt/apache-tomcat-9.0.2
Using CATALINA_TMPDIR: /opt/apache-tomcat-9.0.2/temp
Using JRE_HOME: /usr
Using CLASSPATH: /opt/apache-tomcat-9.0.2/bin/bootstrap.jar:/opt/apache-tomcat-9.0.2/bin/tomcat-juli.jar
Tomcat started.
[root@centos15 logs]# pwd
/opt/apache-tomcat-9.0.2/logs
[root@centos15 logs]# grep nio catalina.out
13-Jan-2018 16:49:47.704 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [“http-nio-8080”]
13-Jan-2018 16:49:47.870 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [“https-jsse-nio-8443”]
13-Jan-2018 16:49:49.784 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler [“ajp-nio-8009”]
13-Jan-2018 16:49:56.026 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [“http-nio-8080”]
13-Jan-2018 16:49:56.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [“ajp-nio-8009”]
Now, you can access your Tomcat instance on a secure channel as show below
https://192.168.0.103:8443
Here we have seen how to enable SSL in Tomcat using a self signed certificate. You can further tweak the configuration to make Tomcat accept only particular version of SSL protocol or only use Strong Cipher algorithms as per your requirements.
Hope you enjoyed reading this article. Thank you.
Leave a Reply
You must be logged in to post a comment.