<h2>
1.&nbsp;&nbsp;SSL through Apache and mod_jk
</h2>

With this method Tomcat apps are accessed securely and directly without referencing a Tomcat port.


<pre class="brush: bash">
https://yourdomain.com
</pre>



Let us begin by installing mod_jk and enabling SSL modules.&nbsp;&nbsp;SSL module comes bundled with Apache2.


<pre class="brush: bash">
# installing jk will also enable it
apt-get install libapache2-mod-jk
a2enmod ssl
</pre>


<h3>
Create worker/connector
</h3>

This is the connector that Apache2 uses to communicate with Tomcat.



<pre class="brush: bash">
# Choose a name desired
vi /etc/apache2/workers.properties
</pre>



<pre class="brush: bash">
# Make sure this points to the correct path of Tomcat
# and your Java installations
# This corresponds to your JAVA_HOME and CATALINA_HOME

workers.tomcat_home=/opt/tomcat
workers.java_home=/opt/java7
ps=/

worker.list=default
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1
</pre>



default in line 9 above is the name of the connector.&nbsp;&nbsp;This is the name used in our Virtual Host setup (we will come to this later). 



Edit/Create a global Apache2 jk configuration



<pre class="brush: bash">
vi /etc/apache2/conf.d/jk.conf
</pre>



<pre class="brush: bash">
&lt;ifmodule mod_jk.c>
 # This is the file workers file we created earlier
 JkWorkersFile /etc/apache2/workers.properties
 JkLogFile /var/log/apache2/mod_jk.log
 JkShmFile /var/log/apache2/mod_jk.shm
 JkLogLevel error
&lt;/ifmodule>
</pre>


<h3>
Create a virtual Host
</h3>

Here we will be using certificates that come with ssl-cert package from Debian.&nbsp;&nbsp;This is only for this demonstration.&nbsp;&nbsp;You can generate you own self-signed certificates by using openssl. There is quite a lot of online guides you can visit on using openssl. 


For now, we use a certificate that comes with ssl-cert, snakeoil.


We create 2 virtual hosts, one for unsecure and one for the secure https access. Both of them should mount our default jk connector we created in our workers.properties file.&nbsp;&nbsp;Here below is what it should look like.&nbsp;&nbsp;If you are already using mod_jk, you must have already created an unsecure virtual host, if you are, just copy them and insert the SSL sections/lines.



<pre class="brush: bash;highlight:[19,20,21,22,23]">
NameVirtualHost your-server-ip-address:80
NameVirtualHost your-server-ip-address:443
 
&lt;virtualhost ip-or-yourdomain.com:80>
 JkMount /* default
 ServerName yourdomain.com
 ServerAdmin admin@emil.com
 DocumentRoot /opt/tomcat/webapps
 ErrorLog /opt/tomcat/logs/error.log
 CustomLog /opt/tomcat/logs/access.log common
 &lt;directory /opt/tomcat/webapps>
 Options -Indexes
 &lt;/directory>

 # You other directives

&lt;/virtualhost>

&lt;virtualhost ip-or-yourdomain.com:443>
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 JkMount /* default
 ServerName yourdomain.com
 ServerAdmin admin@emil.com
 DocumentRoot /opt/tomcat/webapps
 ErrorLog /opt/tomcat/logs/error.log
 CustomLog /opt/tomcat/logs/access.log common
 &lt;directory /opt/tomcat/webapps>
 Options -Indexes
 &lt;/directory>
 
 # You other directives

&lt;/virtualhost>
</pre>



Now edit your Tomcat server.xml and uncomment the AJP connector. 



<pre class="brush: xml">
&lt;Connector port="8009" 
 protocol="AJP/1.3" 
 redirectPort="8443" />
</pre>



Please note that you use only one jk connector for both secure and unsecure connections.&nbsp;&nbsp;Connector port (8009) should match to the port 

defined earlier in the workers.properties file we created.



Restart apache2 and tomcat and test.



<pre class="brush: bash">
http://yourdomain.com
https://yourdomain.com
</pre>


Please be aware though that you will get a warning, from your browser, that you are using an untrusted certificate provider.&nbsp;&nbsp;Just ignore 

them.


<h2>
2.&nbsp;&nbsp;SSL over Tomcat direct
</h2>


In this setup you will have to specify the port to access Tomcat securely, like below. This bypasses Apache completely.



<pre class="brush: bash">
https://yourdomain:8443
</pre>



We begin by generating a keystore using Java's keytool. 



<pre class="brush: bash">
JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat7/keystore
</pre>


The above command asks a few questions. When prompted for "first and last name", enter your domain name.&nbsp;&nbsp;Passwords will also be asked for the keystore and the certificate.&nbsp;&nbsp;The actual keystore is created in 

/opt/tomcat7/keystore with 1 certificate.



Verify your keystore.


<pre class="brush: bash">
JAVA_HOME/bin/keytool -list -keystore /opt/tomcat7/keystore
</pre>



Change ownership and access permission to the file. 


<pre class="brush: bash">
chown tomcat:tomcat /opt/tomcat7/keystore
chmod 755 /opt/tomcat7/keystore
</pre>


We are assuming from the commands above that you have a user tomcat and group tomcat that owns the Tomcat process in your system. 



Edit you Tomcat server.xml and uncomment the 8443 connector and then add our keystore details.&nbsp;&nbsp;See below. 



<pre class="brush: xml;highlight:[7,8,9]">
&lt;Connector port="8443" 
 protocol="HTTP/1.1" 
 maxThreads="150"
 SSLEnabled="true" 
 scheme="https" 
 secure="true"
 keystoreFile="/opt/tomcat7/keystore"
 keystorePass="password"
 keyAlias="tomcat"
 clientAuth="false" 
 sslProtocol="TLS" />
</pre>



Save and restart Tomcat.



Like method #1, your browser will warn you of the untrusted certificate.&nbsp;&nbsp;Just ignore them.



That's it Good Luck.

2 ways to setup SSL on Tomcat 7