I have recently signed up on Cloudflare.com for an SSL connection. But I don't have any idea how to install an SSL certificate on my Java website running on a Tomcat server.
So can anyone please show me step by step how to activate SSL on my Java website?
Use keytool to create a keystore
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks
This will prompt you to create a password; do not forget it.
Install the certificate
keytool -import -trustcacerts -alias server -file cert.p7b -keystore your_site_name.jks
If asked to trust the certificate, choose yes (y).
Configure your SSL connector
Open server.xml in a text editor. This file is commonly located in the conf folder of the Tomcat server's home directory.
Locate the connector with port 443 and uncomment it.
Specify the keystore file name and password.
It should look something like this:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
Now save your changes and restart Tomcat!
I followed the instructions to generate the key and certificate. I was able to import the certificate successfully, but I can't get the connector configured correctly.
Here are the steps and the messages.
Generating Key
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore myKey.jks -dname "CN=dnsName.com"
Generate Certificate Signing Request.
keytool -certreq -alias server -file myCSR.csr -keystore myKey.jks
Download the certificate from the CA: copy the myCSR content, paste it into GoDaddy, and download 3 files: serialNumber-root.crt, bundle-intermediate.crt, *.pem
Tomcat Web Server SSL Certificate Installation:
keytool -import -alias root -keystore myKey.jks -trustcacerts -file serialNumber-root.crt
keytool -import -alias intermed -keystore myKey.jks -trustcacerts -file bundle-intermediate.crt
keytool -import -alias tomcat -keystore myKey.jks -trustcacerts -file serialNumber-root.crt
Everything is successful at this point.
Modify tomcat/conf/server.xml
a. gives me java.lang.Exception: Unable to load certificate key E:\tomcat\certificate\myKey.jks (error:0906D06C:PEM routines:PEM_read_bio:no start line)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="E:\tomcat\certificate\myKey.jks"
certificateFile="E:\tomcat\certificate\serialNumber-root.crt"
certificateChainFile="E:\tomcat\certificate\serialNumber-root.crt"
type="RSA" />
</SSLHostConfig>
</Connector>
OR
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="E:\tomcat\certificate\serialNumber-root.crt"
SSLCertificateKeyFile="myKey.jks"
SSLPassword="password"
SSLCertificateChainFile="E:\tomcat\certificate\serialNumber-root.crt"
keyAlias="server" SSLProtocol="TLSv1"/>
b. gives me java.lang.IllegalArgumentException: java.io.IOException: Alias name [server] does not identify a key entry
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="E:\tomcat\certificate\myKey.jks"
keystorePass="password"
keyAlias="server"
clientAuth="false" sslProtocol="TLS"
/>
c. java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: c:\certificate\myKey.jks
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="150" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS" keyAlias="server"
keystoreFile="c:\certificate\myKey.jks"
keystorePass="password" />
Have you tried using "org.apache.coyote.http11.Http11NioProtocol" instead of "org.apache.coyote.http11.Http11AprProtocol"?
<Connector executor="tomcatThreadPool"
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector
port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="mySSL.jks"
keystorePass="changeit" />
Now I have the SSL certificate installed and Tomcat starts up successfully, but I can't open http://localhost:8443.
I get a "page cannot be displayed" message:
•Make sure the web address http://localhost:443 is correct.
http://localhost:8080/ still works
Any suggestion is sincerely appreciated.
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="E:/tomcat/certificate/mykey.jks" keystorePass="mypassword" keyAlias="server" clientAuth="false" sslProtocol="TLS"/>
end of tomcat log:
02-May-2018 09:06:14.192 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
02-May-2018 09:06:14.207 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
02-May-2018 09:06:14.207 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
I created a .jks file with this command
keytool -genkey -alias TeamCity -keyalg RSA -keystore KeyStoreTC.jks -keysize 2048
After that I moved the .jks file to my directory, but I am receiving this error:
Failed to load keystore type JKS with path
file:///C:/integrationProces/TeamCityDeploy/KeyStoreTC.jks due to
C:\integrationProces\TeamCityDeploy\KeyStoreTC.jks (The system cannot
find the path specified) java.io.FileNotFoundException:
C:\integrationProces\TeamCityDeploy\KeyStoreTC.jks (The system cannot
find the path specified)
The file is in that directory, but I have no idea why I get the java.io.FileNotFoundException.
I am using Catalina (Tomcat) and TeamCity, and I am trying to enable HTTPS. This is my configuration in server.xml:
<Connector port="8099" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="file:///C:/integrationProces/TeamCityDeploy/KeyStoreTC.jks"
keystorePass="mypass" />
I also commented out this line in server.xml, as recommended in a forum:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
I appreciate any help
I have an SSL certificate (Cert1.cer file).
I created a keystore file using:
keytool -import -alias es-staging.cdac.in -keystore key2 -file Cert1.cer
I updated my server.xml with:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat7/webapps/key/key2"
keystorePass="changeit"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
/>
Then I restarted the Tomcat server
and tried to access https://52.39.134.231:8443/
My browser (Mozilla Firefox) is showing:
I tried clicking "(Not secure) Try loading 52.39.134.231 using outdated security",
but it still redirects me to the same page.
Where am I going wrong?
The error message says that Firefox and Tomcat don't have a mutual cipher they could agree on. Well, there are ciphers that both Tomcat and Firefox are supporting in your case, but those have been disabled in Firefox for security reasons.
The ciphers you configured are pretty strong and restricting. Are you sure that all of them are supported by the underlying JDK version?
I am trying to configure Tomcat with SSL on the server (because I need to make a request through HTTPS).
I followed these steps:
1) Generating a keystore
$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore
c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: yong mook kim
What is the name of your organizational unit?
//omitted to save space
[no]: yes
Enter key password for <mkyong>
(RETURN if same as keystore password):
Re-enter new password:
$Tomcat\bin>
2) Configuring Tomcat with the keystore by adding a connector in server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat7/webapps/key/mykeystore"
keystorePass="password" />
Then I tried to open https://[host]:8443/
But it still shows "This page can't be displayed".
But when I tried the same method for localhost, it worked.
Why is it not working on the server?
Here are some quotes from Tomcat documentation on setting HTTPS:
Tomcat can use two different implementations of SSL:
the JSSE implementation provided as part of the Java runtime (since 1.4)
the APR implementation, which uses the OpenSSL engine by default....
As configuration attributes for SSL support significantly differ between APR vs. JSSE implementations, it is recommended to avoid auto-selection of implementation. It is done by specifying a classname in the protocol attribute of the Connector.
To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not, use one of the following:
<!-- Define a HTTP/1.1 Connector on port 8443, JSSE NIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" .../>
My understanding of that is that you should use a class name for the protocol attribute:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat7/webapps/key/mykeystore"
keystorePass="password" />
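As an added example (not code from any of the posts or from the Tomcat project), a small Python lint over server.xml that catches the connector mistakes seen in this thread: a missing protocol class name (the auto-selection the Tomcat docs warn about), backslashes in keystoreFile, a JKS keystore passed to the APR-style SSLCertificateKeyFile attribute, and legacy protocol or RC4 cipher settings. The server.xml fragment below is constructed for the example.

```python
"""Lint the TLS attributes of Tomcat <Connector> elements (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment reproducing misconfigurations from the thread.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="server"
               keystoreFile="c:\\certificate\\myKey.jks" keystorePass="password"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLCertificateKeyFile="E:/tomcat/myKey.jks"
               SSLCertificateFile="E:/tomcat/cert.crt" SSLProtocol="TLSv1"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/tomcat/site.jks" keystorePass="changeit"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def lint_connector(connector):
    """Return a list of findings for one SSL-enabled <Connector> element."""
    a = connector.attrib
    findings = []
    # Without a class name Tomcat auto-selects JSSE or APR, whose attributes differ.
    if not a.get("protocol", "HTTP/1.1").startswith("org.apache.coyote."):
        findings.append("protocol is not a class name; JSSE/APR auto-selection is in effect")
    keystore = a.get("keystoreFile")
    if keystore and "\\" in keystore:
        findings.append("keystoreFile contains backslashes; use forward slashes to avoid URI parse errors")
    apr_key = a.get("SSLCertificateKeyFile")
    if apr_key and apr_key.lower().endswith((".jks", ".p12", ".pfx")):
        findings.append("SSLCertificateKeyFile expects a PEM private key, not a keystore")
    if keystore and apr_key:
        findings.append("mixes JSSE (keystoreFile) and APR (SSLCertificate*) attributes")
    for attr in ("sslProtocol", "SSLProtocol", "sslEnabledProtocols"):
        enabled = {p.strip() for p in a.get(attr, "").split(",") if p.strip()}
        if enabled & LEGACY_PROTOCOLS:
            findings.append(f"{attr} names legacy protocol(s): {sorted(enabled & LEGACY_PROTOCOLS)}")
    if re.search(r"RC4|_DES_|NULL|EXPORT", a.get("ciphers", "")):
        findings.append("ciphers list includes broken suites (RC4/DES/NULL/EXPORT)")
    return findings

def lint_server_xml(xml_text):
    """Map connector port -> findings for every SSL-enabled connector."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}

if __name__ == "__main__":
    for port, issues in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(port, issues or ["ok"])
```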
I think it is better to redirect the Tomcat port to IIS; in IIS you can easily enable HTTPS.
https://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
I am implementing an HTTPS project, so I just tried an SSL connection with Tomcat.
I created the key and certificates using the following commands from this site:
http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
genrsa -des3 -out tomcatkey.pem 2048
req -new -x509 -key tomcatkey.pem -out tomcatcert.pem -days 1095 -config "c:/openssl/tomcatkey.pem"
So I got the certificate and key from the openssl commands (I used "pratap" as the key password).
I put these two files in the Tomcat folder.
I changed the 8443 connector element:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="c:/tomcat7/tomcatcert.pem"
SSLCertificateKeyFile="c:/tomcat7/tomcatkey.pem"
clientAuth="optional" SSLProtocol="TLSv1" SSLPassword="pratap" />
When I run https://localhost:8443 it works fine.
Now in Eclipse I created a server for this and tried to run it from Eclipse,
but it shows the following error:
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)
I did not use the keystore command anywhere.
Could anybody shed some light on this? Thank you.
You should read http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Configuration.
BTW: "Keystore was tampered with, or password was incorrect" - this error means your keystore is crashed or you have used the wrong password. If you use a self-signed cert, remember to create a truststore.
You need to pass the keystore password into your connector configuration. Here is an example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystorePass="qwerty"
clientAuth="false" sslProtocol="TLS" />
If you want to use another keystore you need to create one:
keytool -genkey -alias tomcat -keyalg RSA -keystore /home/user/.keystore2
and use it in your configuration:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore2" keystorePass="qwerty"
clientAuth="false" sslProtocol="TLS"/>