2 ways to setup SSL on Tomcat 7

Thursday March 14, 2013 ()

Today we will demonstrate how to setup SSL on Tomcat 7 with and without Apache2 in Debian servers using self-signed certificates. This should work with Debian Squeeze and Wheezy servers.  We assume you already have existing Apache 2 and Tomcat 7 installations.

1.  SSL through Apache and mod_jk

With this method Tomcat apps are accessed securely and directly without referencing a Tomcat port.

https://yourdomain.com

Let us begin by installing mod_jk and enabling SSL modules.  SSL module comes bundled with Apache2.

# installing jk will also enable it
apt-get install libapache2-mod-jk
a2enmod ssl

Create worker/connector

This is the connector that Apache2 uses to communicate with Tomcat.

# Choose a name desired
vi /etc/apache2/workers.properties

# Make sure this points to the correct path of Tomcat
# and your Java installations
# This corresponds to your JAVA_HOME and CATALINA_HOME

workers.tomcat_home=/opt/tomcat
workers.java_home=/opt/java7
ps=/

worker.list=default
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
worker.default.lbfactor=1

default in line 9 above is the name of the connector.  This is the name used in our Virtual Host setup (we will come to this later).

Edit/Create a global Apache2 jk configuration

vi /etc/apache2/conf.d/jk.conf

<ifmodule mod_jk.c>
    # This is the file workers file we created earlier
    JkWorkersFile /etc/apache2/workers.properties
    JkLogFile /var/log/apache2/mod_jk.log
    JkShmFile /var/log/apache2/mod_jk.shm
    JkLogLevel error
</ifmodule>

Create a virtual Host

Here we will be using certificates that come with ssl-cert package from Debian.  This is only for this demonstration.  You can generate you own self-signed certificates by using openssl. There is quite a lot of online guides you can visit on using openssl.

For now, we use a certificate that comes with ssl-cert, snakeoil.

We create 2 virtual hosts, one for unsecure and one for the secure https access. Both of them should mount our default jk connector we created in our workers.properties file.  Here below is what it should look like.  If you are already using mod_jk, you must have already created an unsecure virtual host, if you are, just copy them and insert the SSL sections/lines.

NameVirtualHost your-server-ip-address:80
NameVirtualHost your-server-ip-address:443
 
<virtualhost ip-or-yourdomain.com:80>
    JkMount /* default
    ServerName yourdomain.com
    ServerAdmin admin@emil.com
    DocumentRoot /opt/tomcat/webapps
    ErrorLog /opt/tomcat/logs/error.log
    CustomLog /opt/tomcat/logs/access.log common
    <directory /opt/tomcat/webapps>
        Options -Indexes
    </directory>

    # You other directives

</virtualhost>

<virtualhost ip-or-yourdomain.com:443>
    SSLEngine on
    SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    JkMount /* default
    ServerName yourdomain.com
    ServerAdmin admin@emil.com
    DocumentRoot /opt/tomcat/webapps
    ErrorLog /opt/tomcat/logs/error.log
    CustomLog /opt/tomcat/logs/access.log common
    <directory /opt/tomcat/webapps>
        Options -Indexes
    </directory>
    
    # You other directives

</virtualhost>

Now edit your Tomcat server.xml and uncomment the AJP connector.

<Connector port="8009" 
      protocol="AJP/1.3" 
      redirectPort="8443" />

Please note that you use only one jk connector for both secure and unsecure connections.  Connector port (8009) should match to the port defined earlier in the workers.properties file we created.

Restart apache2 and tomcat and test.

http://yourdomain.com
https://yourdomain.com

Please be aware though that you will get a warning, from your browser, that you are using an untrusted certificate provider.  Just ignore them.

2.  SSL over Tomcat direct

In this setup you will have to specify the port to access Tomcat securely, like below. This bypasses Apache completely.

https://yourdomain:8443

We begin by generating a keystore using Java's keytool.

JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat7/keystore

The above command asks a few questions. When prompted for "first and last name", enter your domain name.  Passwords will also be asked for the keystore and the certificate.  The actual keystore is created in /opt/tomcat7/keystore with 1 certificate.

Verify your keystore.

JAVA_HOME/bin/keytool -list -keystore  /opt/tomcat7/keystore

Change ownership and access permission to the file.

chown tomcat:tomcat /opt/tomcat7/keystore
chmod 755 /opt/tomcat7/keystore

We are assuming from the commands above that you have a user tomcat and group tomcat that owns the Tomcat process in your system.

Edit you Tomcat server.xml and uncomment the 8443 connector and then add our keystore details.  See below.

<Connector port="8443" 
    protocol="HTTP/1.1" 
    maxThreads="150"
    SSLEnabled="true" 
    scheme="https" 
    secure="true"
    keystoreFile="/opt/tomcat7/keystore"
    keystorePass="password"
    keyAlias="tomcat"
    clientAuth="false" 
    sslProtocol="TLS" />

Save and restart Tomcat.

Like method #1, your browser will warn you of the untrusted certificate.  Just ignore them.

That's it Good Luck.


6,009

Comments (2 ways to setup SSL on Tomcat 7)