SSL Support on Tomcat



System requirements:


-         Your primary web server is a stand-alone Tomcat server, default port 8080

-         You installed and configured Java 2 SDK 1.4.x properly.


An overview of SSL:


A Web server requires Secure Sockets Layer (SSL) support to communicate securely with a Web browser. In that case both the server and the browser encrypt all traffic before any data is actually sent.


SSL also provides authentication. On your first attempt to communicate with a Web server over a secure connection (e.g. https://localhost:8443/), that server presents your Web browser with a server certificate stating its identity. The Web browser has to accept that identity before secure communication can start. The server may also ask the client to present its own identity (a client certificate); this is uncommon and is not required in your case.


Configuring SSL on Tomcat is needed when it runs as a stand-alone server. If the primary web server were of another type (e.g. Microsoft IIS, Apache), you would configure that server to handle SSL connections from users instead of Tomcat. Furthermore, in a typical e-commerce scenario your web application may be distributed among several servers that access each other over the Internet; in that case you will need to configure all of those servers to provide SSL support. This document describes how to enable SSL on your Tomcat server.


Installing and configuring SSL on Tomcat:


You need the following basic things:

  1. Java Secure Socket Extension (JSSE)
  2. Setting up server certificate
  3. Configuring SSL connector
  4. Verifying SSL support



1. Java Secure Socket Extension (JSSE)


I assume it is already installed along with your Java software. For more information on this, please refer to: http://java.sun.com/products/jsse/index-103.html


2. Setting up server certificate

To implement SSL, a server needs an associated certificate for each external interface, or IP address, on which it will accept secure connections. The certificate is cryptographically signed by its issuer (for a self-signed certificate, the owner itself). In the case of an e-commerce site, a certificate can be purchased from a well-known certificate authority (CA) such as Verisign. In your case, instead of purchasing a certificate from a CA, you will use a self-signed certificate to authenticate your server.


Keystore: A keystore is a password-protected database that stores a private key and server certificates. The default keystore implementation stores the keystore as a file and protects the private keys with a password. To set up the server certificate keystore, use the Java keytool utility as follows:


a)         keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_filename>


The above command generates a key pair and a self-signed certificate for the server. <keystore_filename> should be a name with the .keystore extension, and the file is saved in the home directory (e.g. c:\tomcat4.1) of the machine where Tomcat is installed.


b)         Provide the following information in response to the above command:

Keystore password--

Enter a password. You may want to use ‘changeit’ to be consistent with the default password of the J2SE SDK keystore.

First and last name--

Enter the fully qualified name of your server (the browser checks this name against the host name in the URL). In your case it will be ‘localhost’.

Organizational unit--

Enter ‘SITE’

Name of organization--

Enter ‘University of Ottawa’

City or locality--

Enter ‘Ottawa’

State or province--

Enter ‘ON’

Two letter country code--

Enter ‘CA’ (that means Canada)

Review the information--

Enter ‘Yes’ if correct.

Enter key password--

Do not enter any password; press RETURN. keytool then uses the keystore password as the key password as well, which is what the Tomcat SSL connector expects, since it is configured with a single keystore password.



3. Configuring SSL connector


An SSL HTTPS Connector is not enabled by default. You can enable and configure an SSL HTTPS Connector on port 8443 using either of the following methods (not both):


a)      Add SSL connector using admintool

b)      Configure SSL connector in server.xml



a)   Add SSL connector using admintool

First make sure that you followed the steps in Setting up Server Certificate above. Then follow the steps as outlined below:

-         Start Tomcat, if you haven't already done so.

-         Start admintool by entering http://localhost:8080/admin in a Web browser.

-         Enter a user name and password combination that is assigned the role of admin.

-         Select Service in the left pane.

-         Select Create New Connector from the drop-down list in the top-right pane.

-         In the Type field, select HTTPS.

-         In the Port field, enter 8443 (or whatever port you require). This defines the TCP/IP port number on which Tomcat will listen for secure connections.

-         In the IP Address field, type localhost.

-         Enter the Keystore Name with file name extension.

-         Enter the Keystore Password that you gave when creating the key store.

-         Select Save to save the new Connector for this session.

-         Select Commit Changes to write the new Connector information to the server.xml file so that it is available the next time Tomcat is started.


To view and/or edit the newly created Connector, expand the Service (Java Web Services Developer Pack) node, and select Connector (8443).




b)   Configure SSL connector in server.xml

An example Connector element for an SSL connector is included in the default server.xml. This Connector element is commented out by default. To enable the SSL Connector for Tomcat, remove the comment tags around the SSL Connector element. To do this, follow these steps:


-         Shutdown Tomcat, if it is running. Changes to the file <TOMCAT_HOME>/conf/server.xml are read by Tomcat when it is started.

-         Open the file <TOMCAT_HOME>/conf/server.xml in a text editor.

-         Find the following section of code in the file (try searching for SSL Connector) and remove the comment tags (<!-- and -->) around the Connector entry whose port is 8443. The entry looks like this (the class names are those of the Tomcat 4.1 Coyote connector):

<!-- SSL Connector on Port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5"
           connectionTimeout="60000" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>

-         Save and close the file.

-         Start Tomcat.
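A check of the resulting server.xml, added here as an example and not part of this tutorial or of Tomcat: it parses the file and reports a Connector that is still commented out, a missing secure="true", a clientAuth setting other than false, a keystore file (the one created in step 2, or Tomcat's default ~/.keystore when none is named) that does not exist, and a keystore password left at ‘changeit’. The sample server.xml and the keystore path in it are constructed for illustration.

```python
"""Check that the SSL Connector in <TOMCAT_HOME>/conf/server.xml is live and sane.
Added example, not from the tutorial or Tomcat. Assumes the Tomcat 4.1 server.xml names
(Connector/Factory, scheme, secure, port, clientAuth, protocol, keystoreFile, keystorePass);
SAMPLE_SERVER_XML is constructed for illustration, not a real file."""
import os
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE = os.path.expanduser("~/.keystore")  # Tomcat's default when none is set

def check_ssl_connector(server_xml, expected_port="8443", exists=os.path.isfile):
    """Return a list of findings (empty = the connector looks right). ElementTree drops
    XML comments, so a Connector still inside <!-- --> is simply absent: that is the
    "forgot to uncomment" case. `exists` is injectable to test without a real keystore."""
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not https:
        return ['no Connector with scheme="https" found (still commented out?)']
    findings = []
    for conn in https:
        port = conn.get("port")
        tag = f"Connector {port}"
        if port != expected_port:
            findings.append(f"{tag}: expected port {expected_port}")
        if conn.get("secure") != "true":
            findings.append(f'{tag}: secure="true" missing, so request.isSecure() would be false')
        factory = conn.find("Factory")
        if factory is None:
            findings.append(f"{tag}: missing <Factory> element")
            continue
        if factory.get("protocol") != "TLS":
            findings.append(f"{tag}: Factory protocol should be TLS")
        if factory.get("clientAuth", "false") != "false":
            findings.append(f"{tag}: clientAuth is on, but client certificates are not used here")
        # Tomcat 4.1 keeps keystoreFile/keystorePass on <Factory>; later versions on <Connector>.
        ks = factory.get("keystoreFile") or conn.get("keystoreFile") or DEFAULT_KEYSTORE
        if not exists(ks):
            findings.append(f"{tag}: keystore {ks} not found")
        if (factory.get("keystorePass") or conn.get("keystorePass") or "changeit") == "changeit":
            findings.append(f"{tag}: keystore password left at the default 'changeit'")
    return findings

SAMPLE_SERVER_XML = """<Server port="8005"><Service name="Tomcat-Standalone">
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
             scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false"
             protocol="TLS" keystoreFile="conf/tomcat.keystore" keystorePass="changeit" />
  </Connector></Service></Server>"""
# The same file with the element still commented out, as shipped by default.
COMMENTED_SERVER_XML = SAMPLE_SERVER_XML.replace("<Connector", "<!-- <Connector").replace("</Connector>", "</Connector> -->")
```

Run it against the real file with `check_ssl_connector(open("conf/server.xml").read())` from the Tomcat directory; an empty list means there is nothing to fix before starting Tomcat.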



4. Verifying SSL support


For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL:


https://localhost:8443/


The https in this URL tells the browser to use the SSL protocol. Port 8443 is where the SSL Connector was created in the previous step.


The first time a user loads this application, the browser displays the New Site Certificate dialog, because the certificate is self-signed rather than issued by a certificate authority the browser already trusts. Select Next to move through the series of New Site Certificate dialogs, and select Finish when you reach the last one.


Last Updated: Oct 20, 2003