Adding SSL to Tomcat (Windows)

  • 7020291
  • 21-Apr-2010
  • 07-Aug-2017

Environment


Retain (All versions)
Windows

Situation

How to enable SSL on Tomcat?

Resolution



Three steps are required to enable SSL on Tomcat:

1) Generation of a 2048-bit RSA key.

Open a command prompt from Start->Run->cmd

Then change to the tomcat\retain\win32 directory

Then run OpenSSL from there. The commands in steps 1 and 2 are typed at the OpenSSL> prompt, which is why they are given without the leading "openssl".

Type (without quotes) "genrsa -des3 -out tomcatkey.pem 2048"

This generates the 2048-bit RSA private key from which the certificate is created. Enter a password when prompted; it will be needed again in further steps. The -des3 option encrypts the key file with that password (Triple DES), which is why Tomcat needs the password to load the key at start-up. Treat tomcatkey.pem and the password as secrets: anyone who has both can impersonate the server.

2) Generation of a self-signed certificate. If you already have a certificate and key, skip to step 3.

With OpenSSL still open, type (without quotes) "req -new -x509 -key tomcatkey.pem -out tomcatcert.pem -days 3650"; you will need to re-enter the password from the last step.

OpenSSL then prompts for the certificate subject (country, state or province, locality, organization, organizational unit, common name, e-mail address). Enter information that is valid for your company. The Common Name must be the host name users will type into their browser to reach Retain; any other value causes a certificate name mismatch warning.

Because -x509 is given, the result is a self-signed certificate valid for ten years (-days 3650): browsers will warn that the issuer is untrusted until the certificate is imported into their trust store. For a certificate that browsers accept without a warning, leave out -x509 to produce a certificate signing request instead and have it signed by a certificate authority; the signed certificate then takes the place of tomcatcert.pem.

Once this is complete, type quit to exit OpenSSL.

3) Modification of Tomcat Configuration.

A)  Copy the two .pem files, tomcatkey.pem (the private key) and tomcatcert.pem (the certificate), to the Tomcat folder. (Default location: C:\Program Files\Beginfinite\Retain\Tomcat 7.0.) This folder is what ${catalina.home} in the connector configuration refers to. Because tomcatkey.pem is the server's private key, restrict its NTFS permissions to the account Tomcat runs as and to administrators.

B)  Open the file server.xml under the tomcat\conf directory.

a)  (Optional) If you want to disable non-SSL access, find the lines

   <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
   <Connector port="48080" maxHttpHeaderSize="8192"

Change the second line to:
   <!-- <Connector port="48080" maxHttpHeaderSize="8192"

Then find the last line of that Connector element

   connectionTimeout="20000" disableUploadTimeout="true" />

and add --> to the end of it, so that it reads:

   connectionTimeout="20000" disableUploadTimeout="true" /> -->

This comments out the whole Connector element, so the non-SSL listener on port 48080 is not started. Make sure the <!-- and --> are paired exactly as shown: a comment that is opened but never closed, or closed twice, makes server.xml malformed and Tomcat will refuse to start. (The comment line still says port 8080 while the Retain connector listens on 48080; the port attribute on the Connector line is what counts.) Anything that connected to http://<server name>:48080 must be repointed to https://<server name>:48443 once this connector is disabled.

b)  To enable the SSL connector (required), find the following lines

     <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
     <!-- <Connector port="48443" maxHttpHeaderSize="8192"

Remove the "<!--" from the beginning of the second line so that it looks like
      <Connector port="48443" maxHttpHeaderSize="8192"
Then find the line
     clientAuth="false" sslProtocol="TLS" />
Remove the /> from the end
     clientAuth="false" sslProtocol="TLS"

And add these new lines, replacing password with the password entered in step 1 (keep the quotes)

    SSLEngine="on"
    SSLCertificateFile="${catalina.home}/tomcatcert.pem"
    SSLCertificateKeyFile="${catalina.home}/tomcatkey.pem"
    SSLPassword="password" />

Check that the Connector element now sits outside any comment: if the original commented-out block ended with a --> of its own, remove that as well, otherwise the element is either ignored or the file no longer parses.

Three things to know about these attributes:

  • SSLCertificateFile, SSLCertificateKeyFile and SSLPassword are read by Tomcat's APR/native connector (the tcnative library), which is what lets Tomcat use PEM files directly. The pure-Java (JSSE) connector ignores them and expects a Java keystore via keystoreFile and keystorePass instead, so if Tomcat starts but port 48443 does not answer HTTPS, confirm from the start-up log that the Apache Tomcat Native library was loaded.
  • SSLEngine="on" on the Connector is the Tomcat 5.5 form. On Tomcat 6 and later the Connector attribute that switches SSL on is SSLEnabled="true", and SSLEngine="on" belongs on the AprLifecycleListener element near the top of server.xml; on those versions check that the Connector carries SSLEnabled="true".
  • SSLPassword stores the key password in clear text in server.xml, so the file needs the same access restrictions as tomcatkey.pem.

Save the file and restart Tomcat from Control Panel->Administrative Tools->Services. Then open https://<server name>:48443 in a browser and confirm that the certificate from step 2 is presented (and, if step 3a was applied, that http://<server name>:48080 no longer answers). If the Tomcat service stops again immediately, the usual causes are a malformed server.xml or a wrong SSLPassword; the error is recorded in the files under tomcat\logs.
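The server.xml edits in step 3 are the part of this procedure that most often goes wrong by hand (a comment marker left unpaired, or a password containing a character that is special in XML). As an added example, not part of the original article or of Retain's own tooling, the Python script below applies steps 3a and 3b to a constructed sample server.xml modelled on the connector lines quoted above, escapes the password for use in an attribute, and then parses the result the way Tomcat will, reporting which connectors would actually be live and with which SSL attributes. The sample file, the function names and the password value are assumptions; the paths follow the article.

```python
"""Apply the server.xml edits from step 3 and verify the result.

Added example, not from the original article or from Retain. The sample
server.xml, function names and password below are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample modelled on the fragments quoted in the article: a live
# non-SSL connector on 48080 and a commented-out SSL connector on 48443.
SAMPLE_SERVER_XML = """<Server port="48005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="48080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="48443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!-- <Connector port="48443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

SSL_ATTRIBUTE_NAMES = ("SSLEngine", "SSLCertificateFile",
                       "SSLCertificateKeyFile", "SSLPassword")


def enable_ssl(xml_text, password, cert_file, key_file, disable_plain=True):
    """Return server.xml text with step 3a (optional) and step 3b applied."""
    # Step 3a: wrap the whole non-SSL connector element in one comment.
    if disable_plain:
        xml_text, n = re.subn(r'(<Connector\s+port="48080".*?/>)',
                              r'<!-- \1 -->', xml_text, count=1, flags=re.S)
        if n != 1:
            raise ValueError("live 48080 connector not found")

    # Step 3b: locate the commented-out SSL connector together with the
    # closing "-->", so that the element ends up outside any comment.
    m = re.search(r'<!--\s*(<Connector\s+port="48443".*?)/>\s*-->',
                  xml_text, flags=re.S)
    if m is None:
        raise ValueError("commented-out 48443 connector not found")

    # The password lands inside an XML attribute: &, <, > and " must be
    # escaped or the file becomes malformed. Tomcat unescapes them again.
    safe_password = escape(password, {'"': "&quot;"})
    ssl_attrs = (
        '\n               SSLEngine="on"'
        f'\n               SSLCertificateFile="{cert_file}"'
        f'\n               SSLCertificateKeyFile="{key_file}"'
        f'\n               SSLPassword="{safe_password}" />'
    )
    return (xml_text[:m.start()] + m.group(1).rstrip() + ssl_attrs
            + xml_text[m.end():])


def check_server_xml(xml_text):
    """Parse the file as Tomcat will and report what it would see.

    An unpaired <!-- or --> is the usual reason Tomcat stops right after
    this procedure; the parser rejects it here before the service is touched.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"well_formed": False, "error": str(exc)}
    # Comments are dropped by the parser, so only live connectors appear.
    connectors = {c.get("port"): c for c in root.iter("Connector")}
    ssl = connectors.get("48443")
    return {
        "well_formed": True,
        "error": None,
        "plain_http_enabled": "48080" in connectors,
        "ssl_connector_present": ssl is not None,
        "ssl_attrs": ({k: ssl.get(k) for k in SSL_ATTRIBUTE_NAMES}
                      if ssl is not None else {}),
    }


if __name__ == "__main__":
    edited = enable_ssl(SAMPLE_SERVER_XML, "password",
                        "${catalina.home}/tomcatcert.pem",
                        "${catalina.home}/tomcatkey.pem")
    print(edited)
    print(check_server_xml(edited))
```

To use it against a real installation, read tomcat\conf\server.xml into a string, pass it to enable_ssl, run check_server_xml on the output, and only write the file back when well_formed is true and the report shows the 48443 connector with the four SSL attributes; check_server_xml on its own is also a quick sanity test of a hand-edited file before restarting the service.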

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 1692.