In order to configure your Tomcat for HTTPS, you must first generate a server certificate for your web site. To do this, you can use th...
C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16
C:\> set PATH=%JAVA_HOME%\bin;%PATH%
or, if you have a JRE, type these commands:
C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16
C:\> set PATH=%JAVA_HOME%\bin;%PATH%
On Linux, it's very similar. For the JDK (as root):
# export JAVA_HOME=/usr/java/latest
# export PATH=$JAVA_HOME/bin:$PATH
# export JRE_HOME=/usr/java/latest
Then, test it by running:
keytool
You should see the keytool command's help text. If not, you probably have the wrong path to your Java runtime, or it is not installed properly.
Next, type these commands to generate a self-signed server certificate:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -dname "CN=localhost,
OU=Organization, O=Company Name, L=City, S=State, C=US" -validity 365 -keystore keystore
Enter keystore password: <enter a new password here> Enter key password for <tomcat> (RETURN if same as keystore password): <just hit enter here>
The password you enter in the first password prompt will be the password for the keystore where your server certificate is stored.
Next, edit your Tomcat's conf/server.xml to enable the HTTPS connector. Look for a connector that looks like this
:<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> -->
By default, it is commented out. To uncomment it, remove the line just before theelement, and also the line just after it. Then, add the attributes keystoreFile and keystorePass, so that it looks like this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore" keystorePass="your password" />
If you're running Tomcat on Windows, you may set the port number to 443, which is the default HTTPS port number. On non-Windows operating systems you can only do that if you run Tomcat as root, which we don't recommend.
Once you've completed the steps above, restart Tomcat, and try connecting to Tomcat over HTTPS with a URL such as https://localhost:8443 (you have to specify both "https" and port 8443 if you have configured it to listen on port 8443). Your web browser will warn you about the self-signed certificate, but otherwise it should work.
To fix that warning you'll need to purchase a commercial HTTPS certificate and install it. See the instructions on how to do this in Chapter 6: Security of the book Tomcat: The Definitive Guide (O'Reilly).
Once you've completed the steps above, restart Tomcat, and try connecting to Tomcat over HTTPS with a URL such as https://localhost:8443 (you have to specify both "https" and port 8443 if you have configured it to listen on port 8443). Your web browser will warn you about the self-signed certificate, but otherwise it should work.
To fix that warning you'll need to purchase a commercial HTTPS certificate and install it. See the instructions on how to do this in Chapter 6: Security of the book Tomcat: The Definitive Guide (O'Reilly).
No comments
Post a Comment