
SSL for Tomcat (HTTPS and LDAPS)

Sean Tong
posted this on October 23, 2009 10:17 am

Steps for configuring SSL for Tomcat and enabling HTTPS access

1. Generate a self-signed key pair
keytool -genkey -alias tomcat -keyalg RSA -keystore c:\cert\tomcat

keytool prompts for a keystore password and then for a key password. Use the same value for both (press Enter at the key password prompt): Tomcat opens the private key with the keystore password unless keyPass is set on the Connector. The password you choose must match keystorePass in server.xml below; this post uses Tomcat's default, "changeit". Answer the "first and last name" prompt with the server's host name, because that value becomes the certificate's CN and browsers compare it with the name in the URL.

2. Configure the conf\server.xml file in Tomcat:

Tomcat 5.5:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:\cert\tomcat"
           keystorePass="changeit"
/>

Tomcat 6:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="c:\cert\tomcat"
           keystorePass="changeit"
/>

keystoreFile must be the file that step 1 created (the same name in both examples) and keystorePass the password given to keytool. Restrict the keystore file to the account Tomcat runs as: anyone who can read the file and knows the password has the private key.

3. Restart Tomcat and open https://<your host>:8443/ in a browser. The browser warns that the certificate is self-signed; that is expected until a CA-issued certificate is installed.

To set up SSL with a certificate from a certificate authority, please see these documents:

Tomcat 5.5:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Tomcat 6:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
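The whole HTTPS procedure above, including the CA-signed path that the linked documents cover, as one script. This is an added example and is not part of the original post or of Tomcat's documentation; it is POSIX shell, but every keytool command is identical when typed into cmd or PowerShell on Windows. Assumptions: the alias "tomcat" from step 1, one password used for both the keystore and the key (what Tomcat expects unless keyPass is set on the Connector), and a placeholder host name that you replace with the server's DNS name.

```shell
#!/bin/sh
# Added example (not from the original post). Non-interactive keytool
# workflow for a Tomcat HTTPS connector. Assumed: alias "tomcat", keystore
# password == key password, and a placeholder host name passed as argument.

# Create a JKS keystore holding a self-signed RSA key pair. The CN and the
# subjectAltName are the host name users will type; without a matching SAN
# current browsers reject the certificate even after the self-signed warning.
make_tomcat_keystore() {  # <keystore> <password> <hostname>
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=$3, O=Example Org, C=US" -ext "SAN=dns:$3" \
    -storetype JKS -keystore "$1" -storepass "$2" -keypass "$2"
}

# Exit 0 only if <alias> exists in <keystore> and <password> opens it.
# keytool -list fails on an unknown alias and on a wrong password, so this is
# the check to run before pointing keystoreFile/keystorePass at the file.
keystore_has_alias() {  # <keystore> <password> <alias>
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# CA-signed path, part 1: a CSR for the key pair already in the keystore.
make_csr() {  # <keystore> <password> <out.csr>
  keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# CA-signed path, part 2: each CA certificate (root, then intermediates) goes
# in under its own alias, one file per certificate.
install_ca_cert() {  # <keystore> <password> <alias> <ca.pem>
  keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$4" \
    -keystore "$1" -storepass "$2"
}

# CA-signed path, part 3: the signed certificate must be imported under the
# SAME alias as the key pair, which makes keytool treat it as a certificate
# reply and attach it (and the chain) to the private key.
install_signed_cert() {  # <keystore> <password> <signed.cer>
  keytool -importcert -trustcacerts -alias tomcat -file "$3" \
    -keystore "$1" -storepass "$2"
}

# After restarting Tomcat, show what the connector actually serves.
check_https() {  # <hostname> <port>
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

case "${1:-}" in
  generate) make_tomcat_keystore "$2" "$3" "$4" ;;
  csr)      make_csr "$2" "$3" "$4" ;;
  ca)       install_ca_cert "$2" "$3" "$4" "$5" ;;
  install)  install_signed_cert "$2" "$3" "$4" ;;
  check)    check_https "$2" "${3:-8443}" ;;
  *) echo "usage: $0 generate <ks> <pass> <host> | csr <ks> <pass> <out.csr>" \
          "| ca <ks> <pass> <alias> <ca.pem> | install <ks> <pass> <signed.cer>" \
          "| check <host> [port]" ;;
esac
```

Run `generate c:\cert\tomcat changeit www.example.com`, set keystoreFile and keystorePass to match, and restart. `check www.example.com` prints the subject, issuer and validity dates of the certificate the connector is serving, which is the fastest way to spot a connector still loading an old keystore after a certificate replacement.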

--------------------------------------------------------------------------------------------------

To set up LDAPS for Tomcat, the JRE that runs Tomcat must trust the CA certificate that issued your LDAPS server's certificate (the server's private key never leaves the LDAP server; only the CA's public certificate is needed).  These steps show how to import it into the JRE's trust store:

1)    Copy the CA cert from your LDAPS server to a new location to edit.  Use a program such as Notepad++ to open it.
Use the certificate of the CA that signed the server certificate (or the root of that chain), not the server's own certificate: importing the server certificate works only until it is renewed.
Make sure the CA cert only contains the section between "BEGIN CERTIFICATE" and "END CERTIFICATE", similar to:
-----BEGIN CERTIFICATE-----
aksjdflkajsd;flkaj;lfkj
Asdf;kljasd;lfkja;sdjf
A;sdlfkja;sdlkfja;dslkfj
-----END CERTIFICATE-----

*I.e. delete any extraneous content that might be before -----BEGIN CERTIFICATE----- or after -----END CERTIFICATE----- (for example the "Bag Attributes", "subject=" and "issuer=" lines that OpenSSL writes when it exports a certificate). This cleanup is only needed for Base64/PEM files; keytool reads binary DER (.cer/.der) files as they are.

Make sure to save this file as a .pem

2)    To import your CA certificate, run the following from the command line (as administrator):
keytool -import -alias root -keystore "C:\Program Files\Java\jdk1.6.0_23\jre\lib\security\cacerts" -trustcacerts -file C:\Cacert.pem

*Change the paths to what you are using on your server. Quote the keystore path, as shown, because it contains spaces. The file must be the cacerts of the JRE that actually runs Tomcat (check JAVA_HOME or JRE_HOME in Tomcat's startup script); on Java 9 and later there is no jre\ directory, so the file is under lib\security\cacerts. -import is the older name of -importcert; both work.
*The default password for the cacerts trust store is "changeit". keytool prompts for it, prints the certificate's fingerprint and asks "Trust this certificate?"; compare the fingerprint with the one your LDAP administrator gives you before answering yes.
*Restart Tomcat after the import. A JDK update replaces cacerts, so the import has to be repeated (or keep a separate trust store and point Tomcat at it with -Djavax.net.ssl.trustStore).
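The two LDAPS steps as a script, added here as an example that is not part of the original post. It takes the chain straight from the LDAPS server with openssl instead of copying a file, does the BEGIN/END cleanup from step 1 with awk, and imports the CA into a Tomcat-specific copy of cacerts rather than into the JRE's own file, so a JDK update cannot undo it. Assumed names: ldap.example.com on port 636, the alias "ldaps-ca", and the SAMPLE_CHAIN text, which is constructed to resemble openssl output for offline use and contains no real certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: placeholder host
# ldap.example.com:636, arbitrary alias "ldaps-ca", trust store starts as a
# copy of the JRE cacerts (default password "changeit").

# Keep only the lines from BEGIN to END CERTIFICATE (inclusive). CR bytes are
# stripped first so the anchors also match files saved with CRLF on Windows.
extract_pem_certs() {
  tr -d '\r' | awk '
    /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
    keep { print }
    /^-----END CERTIFICATE-----$/ { keep = 0 }'
}

count_pem_certs() {
  tr -d '\r' | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

nth_pem_cert() {  # <n>, 1-based
  tr -d '\r' | awk -v n="$1" '
    /^-----BEGIN CERTIFICATE-----$/ { c++ }
    c == n { print }
    /^-----END CERTIFICATE-----$/ && c == n { exit }'
}

# The last certificate the server sends is the highest CA it includes: often
# the issuing (intermediate) CA, not the root, since servers need not send
# the root. Use cert_is_self_signed to tell the two apart.
last_pem_cert() {
  local chain n
  chain=$(cat)
  n=$(printf '%s\n' "$chain" | count_pem_certs)
  [ "$n" -gt 0 ] || return 1
  printf '%s\n' "$chain" | nth_pem_cert "$n"
}

cert_is_self_signed() {  # one PEM certificate on stdin
  local pem subj iss
  pem=$(cat)
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# LDAPS on 636 is TLS from the first byte, so plain s_client works
# (StartTLS on 389 would not).
fetch_ldaps_chain() {  # <host> <port>
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | extract_pem_certs
}

# Build or extend a Tomcat-specific trust store: copy the JRE cacerts once so
# public CAs stay trusted, then add the LDAPS CA. The JRE file is untouched.
build_truststore() {  # <chain.pem> <truststore.jks> <storepass>
  local ca jre_cacerts
  ca=$(mktemp)
  last_pem_cert <"$1" >"$ca"
  if [ ! -f "$2" ]; then
    jre_cacerts="${JAVA_HOME:?set JAVA_HOME}/lib/security/cacerts"
    [ -f "$jre_cacerts" ] || jre_cacerts="$JAVA_HOME/jre/lib/security/cacerts"  # JDK 8 and older
    cp "$jre_cacerts" "$2"
  fi
  keytool -importcert -noprompt -trustcacerts -alias ldaps-ca -file "$ca" \
    -keystore "$2" -storepass "$3"
  rm -f "$ca"
}

# Constructed sample resembling "openssl s_client -showcerts" output: chatter
# before, between and after two certificate blocks. The bodies are not real.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Issuing CA
 0 s:CN = ldap.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBexampleLEAFcertificateBODYnotREAL
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBexampleISSUINGcaBODYnotREAL
-----END CERTIFICATE-----
---
Server certificate'

case "${1:-}" in
  fetch) fetch_ldaps_chain "$2" "${3:-636}" ;;
  build) build_truststore "$2" "$3" "${4:-changeit}" ;;
  *) printf '%s\n' "$SAMPLE_CHAIN" | last_pem_cert ;;
esac
```

Typical use: `fetch ldap.example.com > chain.pem`, inspect the last block with `cert_is_self_signed` to see whether it is the root or an intermediate (either works as a trust anchor in Java), then `build chain.pem /opt/tomcat/conf/ldaps-truststore.jks`. Point Tomcat at the result in bin/setenv.sh (setenv.bat on Windows) with `-Djavax.net.ssl.trustStore=/opt/tomcat/conf/ldaps-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit` in CATALINA_OPTS and restart; because the store started as a copy of cacerts, public CAs remain trusted alongside the LDAPS CA.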

 

Comments

Rick Kile
Intel

Thanks for the quick response.  I'll have our systems guys look this over.  - Rick

June 27, 2011 01:58 pm.