
Declare secured connector on Tomcat for https connections

To access your Tomcat through https, you have to declare a secured connector. There are two parts to that:


  1. modify your server.xml with the new connector configuration
  2. generate a Java keystore that the connector will refer to

Step 1 : Modify your server.xml like this


<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="${ssl.port}" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${java.home}/lib/security/tomcat_java.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLSv1.1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />
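A few of the settings in that connector deserve a second look before it reaches production, and the Python script below is an added example of mine (not code from the post or from Tomcat) that makes the review repeatable. sslProtocol names the JSSE SSLContext algorithm, so "TLSv1.1" yields a context that negotiates TLS 1.1 and older and never TLS 1.2; the cipher list carries RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA) and static-RSA suites with no forward secrecy; and keystorePass is the JDK default "changeit". The script parses a server.xml, audits every SSLEnabled connector and returns its findings. It embeds two constructed samples: a cut-down copy of the post's connector, and a hardened variant that sets sslEnabledProtocols, GCM suites and useServerCipherSuitesOrder (attributes present in later Tomcat 7.0.x and 8.0.x releases on Java 8) and reads the store password from a system property, keystore.pass, whose name is my assumption. Port 8443 and the conf/ keystore path are sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down copy of the connector from the post (weak settings).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/tomcat_java.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLSv1.1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""

# Constructed hardened variant: TLS 1.2 only, forward-secret AEAD suites, server-side
# suite ordering, and the keystore password taken from a system property
# (-Dkeystore.pass=... at startup; assumed name) instead of being written in the file.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/tomcat_java.keystore" keystorePass="${keystore.pass}"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>"""

ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
JDK_DEFAULT_PASSWORD = "changeit"


def audit_cipher(name):
    """Return why a JSSE suite name fails the policy, or None if it is acceptable."""
    if name.startswith("SSL_"):
        return "SSLv3-era suite name"
    if "_RC4_" in name:
        return "RC4 stream cipher"
    if "_DES_" in name or "_3DES_" in name:
        return "DES/3DES block cipher"
    if "_NULL_" in name or "_anon_" in name or "_EXPORT_" in name:
        return "null/anonymous/export suite"
    if not (name.startswith("TLS_ECDHE_") or name.startswith("TLS_DHE_")):
        return "static RSA key exchange, no forward secrecy"
    if "_CBC_" in name:
        return "CBC mode, prefer an AEAD (GCM) suite"
    return None


def audit_connector(conn):
    """Findings for one <Connector> element (an xml.etree Element)."""
    findings = []
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # Without sslEnabledProtocols the SSLContext named by sslProtocol decides;
        # a "TLSv1.1" context negotiates TLS 1.1 and older, never TLS 1.2.
        findings.append("sslEnabledProtocols not set; SSLContext '%s' picks the versions"
                        % conn.get("sslProtocol", "TLS"))
    else:
        for proto in re.split(r"[,\s]+", enabled.strip()):
            if proto and proto not in ACCEPTABLE_PROTOCOLS:
                findings.append("protocol %s enabled" % proto)
    if conn.get("keystorePass") == JDK_DEFAULT_PASSWORD:
        findings.append("keystorePass is the JDK default '%s'" % JDK_DEFAULT_PASSWORD)
    # Newlines inside the attribute value are normalised to spaces by the XML parser.
    for suite in re.split(r"[,\s]+", conn.get("ciphers", "").strip()):
        reason = audit_cipher(suite) if suite else None
        if reason:
            findings.append("%s: %s" % (suite, reason))
    if conn.get("useServerCipherSuitesOrder", "false").lower() != "true":
        findings.append("useServerCipherSuitesOrder not true; the client chooses the suite")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {conn.get("port"): audit_connector(conn)
            for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "false").lower() == "true"}


if __name__ == "__main__":
    for label, text in (("post connector", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in audit_server_xml(text).items():
            print("%s (port %s): %s" % (label, port, findings or "no findings"))
```

Against the post's connector the audit reports seven findings (protocol selection, default password, four suites, client-chosen suite order); the hardened sample reports none. To run it on a real deployment, pass the contents of conf/server.xml to audit_server_xml.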

Step 2 : generate the keystore which contains the certificate used to secure connections

To generate your keystore, you need openssl and keytool (%JAVA_HOME%/jre/bin/keytool). 

If you use an existing certificate in PEM format (cer or pem files), you will need to convert it to PKCS#12 format (p12 file). To achieve that, you need:
  • the private key that was used to generate the certificate
  • your certificate
  • the root certificate from your Certificate Authority (Verisign, GoDaddy, Symantec, etc.)

Convert it with :

openssl pkcs12 -export -in [your_certificate].cer -inkey [your private key].key -out result-certificate.p12 -name tomcat -CAfile [Verisign certificate].cer -caname root

Then generate your keystore (NOTE: the 'tomcat' alias is important, and -srcstorepass must be the export password you gave openssl in the previous step):

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore tomcat_java.keystore -srckeystore result-certificate.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias tomcat

Restart Tomcat and check the logs to confirm that the connector started.
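Before restarting, it is worth confirming that the keystore really holds a private-key entry under the alias the connector expects; on a real file, keytool -list -v -keystore tomcat_java.keystore -storepass changeit shows that. The Python below is an added example of mine (not from the post) that performs the same check offline by reading the JKS layout directly: magic 0xFEEDFEED, format version 2, a tagged entry list, and a trailing SHA-1 integrity digest computed over the UTF-16BE password, the fixed string "Mighty Aphrodite" and the file body. It builds a constructed sample file with placeholder bytes in place of the encrypted key and the DER certificates, then reports the problems the connector above would run into: wrong store password, no 'tomcat' alias, a trusted-certificate entry instead of a PrivateKeyEntry, or a chain that carries only the leaf certificate. Caveat: on JDK 9 and newer, keytool creates PKCS12 stores by default, so add -deststoretype JKS to the -importkeystore command if the file is to be read this way.

```python
import hashlib
import struct
import time

# JKS on-disk constants (sun.security.provider.JavaKeyStore, format version 2).
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_TAG = 1
TRUSTED_CERT_TAG = 2
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string mixed into the integrity digest
DIGEST_LEN = 20


def _utf(text):
    """Java DataOutputStream.writeUTF: 2-byte big-endian length + (modified) UTF-8."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _integrity_digest(password, body):
    """SHA-1 over UTF-16BE(password) || 'Mighty Aphrodite' || keystore body."""
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def build_jks(private_key_entries, password):
    """Serialise a JKS holding PrivateKeyEntry records.
    private_key_entries: list of (alias, protected_key_bytes, [cert_der, ...]).
    Key and certificate bytes are opaque here; a real file carries an
    EncryptedPrivateKeyInfo and X.509 DER. Used to construct the sample below."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(private_key_entries))
    for alias, protected_key, chain in private_key_entries:
        body += struct.pack(">I", PRIVATE_KEY_TAG) + _utf(alias)
        body += struct.pack(">q", int(time.time() * 1000))      # creation time, ms
        body += struct.pack(">I", len(protected_key)) + protected_key
        body += struct.pack(">I", len(chain))
        for cert in chain:
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _integrity_digest(password, body)


def read_jks(data, password):
    """Parse a JKS file into {alias: (entry_type, [cert_der, ...])}.
    Raises ValueError if the integrity digest does not match the password."""
    body, digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("integrity check failed: wrong password or corrupt keystore")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS file")
    pos = 12
    entries = {}

    def take(fmt):
        nonlocal pos
        value = struct.unpack_from(fmt, body, pos)[0]
        pos += struct.calcsize(fmt)
        return value

    def take_bytes(length):
        nonlocal pos
        chunk = body[pos:pos + length]
        pos += length
        return chunk

    for _ in range(count):
        tag = take(">I")
        alias = take_bytes(take(">H")).decode("utf-8").lower()  # aliases are case-insensitive
        take(">q")  # creation timestamp, not needed for this check
        if tag == PRIVATE_KEY_TAG:
            take_bytes(take(">I"))  # encrypted private key, not decrypted here
            chain = []
            for _ in range(take(">I")):
                take_bytes(take(">H"))  # certificate type string, "X.509"
                chain.append(take_bytes(take(">I")))
            entries[alias] = ("PrivateKeyEntry", chain)
        elif tag == TRUSTED_CERT_TAG:
            take_bytes(take(">H"))
            entries[alias] = ("trustedCertEntry", [take_bytes(take(">I"))])
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def tomcat_keystore_problems(data, password, alias="tomcat"):
    """Check a keystore the way the connector will use it: the password must open
    it, and the alias must be a PrivateKeyEntry whose chain includes the CA."""
    try:
        entries = read_jks(data, password)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    entry = entries.get(alias.lower())
    if entry is None:
        problems.append("no entry with alias '%s' (found: %s)" % (alias, sorted(entries)))
    elif entry[0] != "PrivateKeyEntry":
        problems.append("alias '%s' is a %s, not a PrivateKeyEntry" % (alias, entry[0]))
    elif len(entry[1]) < 2:
        problems.append("chain holds only the leaf certificate; CA certificate missing")
    return problems


# Constructed sample keystore: placeholder bytes stand in for the key and certificates.
SAMPLE_JKS = build_jks(
    [("tomcat", b"<encrypted-key-placeholder>", [b"<leaf-der>", b"<ca-der>"])],
    "changeit",
)

if __name__ == "__main__":
    print(tomcat_keystore_problems(SAMPLE_JKS, "changeit") or "keystore looks usable")
```

To check the file produced in step 2, read tomcat_java.keystore into bytes and pass it to tomcat_keystore_problems with the -deststorepass value; an empty list means the connector will find a private-key entry under 'tomcat' with a CA certificate in its chain.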


PS : many thanks to John Willis. His post (http://www.johnwillis.com/2015/07/tomcat-errsslversionorciphermismatch.html) really helped me.


Comments

Abiya Carol said…
Truly a very good article on how to handle the future technology. After reading your post, thanks for taking the time to discuss this, I feel happy about it and I love learning more about this topic. Keep sharing your information regularly for my future reference.


Hadoop Training in Chennai

Dot Net Training in Chennai
