Adding SSL to Tomcat (Linux)

  • 7020293
  • 04-Nov-2010
  • 07-Aug-2017

Environment

Retain (All versions)
Linux
Situation

How to enable SSL on Tomcat?

Resolution

There are three steps required to enable SSL on Tomcat:

1) Generation of a 2048-bit key.

The OpenSSL utility is usually included with SLES; if it is not, install it through YaST.

Open a terminal session as root and run openssl to start its interactive prompt.

Type (without quotes) "genrsa -des3 -out tomcatkey.pem 2048"

This generates the 2048-bit RSA key needed to create the certificate. Enter a password when prompted; the -des3 option encrypts the key file with it, and the same password is needed again in later steps.

2) Generation of the certificate.

With OpenSSL still open, type (without quotes) "req -new -x509 -key tomcatkey.pem -out tomcatcert.pem -days 3650". You will need to re-enter the password from the last step. The -x509 option produces a self-signed certificate (valid for 3650 days), so browsers will warn about it until it is trusted or replaced with a CA-signed certificate.

You will need to enter information that is valid for your company. For example:

Once this is complete, type quit to exit OpenSSL.

Copy the two .pem files to the Tomcat home folder (${catalina.home}, which the next step refers to).
3) Modification of the configuration.

Open the file server.xml under the tomcat/conf directory.

If you want to disable non-SSL access (optional), find the lines

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="48080" maxHttpHeaderSize="8192"

Then change the second line to

    <!-- <Connector port="48080" maxHttpHeaderSize="8192"

and add --> to the end of the connector's last line:

    connectionTimeout="20000" disableUploadTimeout="true" /> -->

This comments out that section, so the non-SSL connector will not be activated.
To enable the SSL configuration (required), find the following lines

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!-- <Connector port="48443" maxHttpHeaderSize="8192"

and remove the "<!--" from the beginning of the second line so that it looks like

    <Connector port="48443" maxHttpHeaderSize="8192"

Then find the line

    clientAuth="false" sslProtocol="TLS" />

Remove the /> from the end

    clientAuth="false" sslProtocol="TLS"

and add these new lines, including the password entered earlier:

    SSLEngine="on"
    SSLCertificateFile="${catalina.home}/tomcatcert.pem"
    SSLCertificateKeyFile="${catalina.home}/tomcatkey.pem"
    SSLPassword="password" />

Note that server.xml now holds the key password in clear text, so keep the file readable only by the account Tomcat runs as.

Save the file and restart Tomcat by typing (without quotes) "rcretain-tomcat5 restart" into the terminal.
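As an added example (not part of the original article or the Retain product), the following Python script applies the step 3 server.xml edits textually to a constructed server.xml fragment that mirrors the lines quoted above, then parses the result to confirm that the file is still well-formed XML and that only the intended connector is live. The port numbers and attribute names come from the article; the sample file, the function names and the requirement of a non-empty password are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample mirroring the server.xml fragments quoted in the article
# (same 48080/48443 ports); it is not a real Retain server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="48080" maxHttpHeaderSize="8192"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!-- <Connector port="48443" maxHttpHeaderSize="8192"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Attributes the article appends to the SSL connector; %s is the key password.
SSL_ATTRS = ('SSLEngine="on"\n'
             '    SSLCertificateFile="${catalina.home}/tomcatcert.pem"\n'
             '    SSLCertificateKeyFile="${catalina.home}/tomcatkey.pem"\n'
             '    SSLPassword="%s" />')

def enable_ssl(server_xml, key_password, disable_plain_http=True):
    """Apply the article's server.xml edits textually and return the new text."""
    if not key_password:
        raise ValueError("key password must not be empty")
    pw = escape(key_password, {'"': "&quot;"})  # keep the attribute well-formed
    out = server_xml
    if disable_plain_http:
        # Optional step: wrap the whole non-SSL connector in an XML comment.
        out = re.sub(r'<Connector port="48080".*?/>',
                     lambda m: "<!-- " + m.group(0) + " -->", out, count=1, flags=re.S)
    # Required step: drop the "<!--" and "-->" that surround the SSL connector.
    out = re.sub(r'<!--\s*(<Connector port="48443".*?)\s*-->',
                 lambda m: m.group(1), out, count=1, flags=re.S)
    # Replace its closing "/>" with the SSL attributes from the article.
    out = re.sub(r'(<Connector port="48443".*?sslProtocol="TLS")\s*/>',
                 lambda m: m.group(1) + "\n    " + SSL_ATTRS % pw, out, count=1, flags=re.S)
    return out

def live_connectors(server_xml):
    """Map port -> attributes of each live Connector (commented-out ones are skipped)."""
    root = ET.fromstring(server_xml)  # also proves the edited file is well-formed
    return {c.get("port"): dict(c.attrib) for c in root.iter("Connector")}
```

Running live_connectors on the edited text is the check: if a stray "-->" or "/>" is left behind, ET.fromstring raises a parse error instead of returning the connector map.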

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 1890.