We Keep Coding

Create ssl certificate for java website running on Tomcat server

I have recently signed up on Cloudflare.com for ssl connection. But I don’t have any idea how to install ssl certificate on my java website running on Tomcat server.
So can anyone please show me step by step how to activate ssl on my java website.

Use keytool to create a keystore
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks
this will prompt you to create a password, do not forget it.
Install the certificate
keytool -import -trustcacerts -alias server -file cert.p7b -keystore your_site_name.jks
If asked to trust the certificate, choose yes (y).
Configure your SSL connector
open server.xml in a text editor. This file is commonly located in the conf folder of the Tomcat server's home directory.
Locate the connector with port 443 and uncomment it.
Specify the keystore file name and password.
It should look something like this:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
Now save your changes and restart tomcat!

Configuring Tomcat with SSL on server

I am trying to configure tomcat with the SSL on server (Because i need to make a request through https).
I followed these steps-:
1). generating a keystore
$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore
c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: yong mook kim
What is the name of your organizational unit?
//omitted to save space
[no]: yes
Enter key password for <mkyong>
(RETURN if same as keystore password):
Re-enter new password:
$Tomcat\bin>
2). configuring tomcat with keystore by adding a connector In server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat7/webapps/key/mykeystore"
keystorePass="password" />
then I tried to open the https://[host]:8443/
But its still shows This page can’t be displayed
But when I tried the same method for localhost then it worked.
Why its not working on server

Here are some quotes from Tomcat documentation on setting HTTPS:
Tomcat can use two different implementations of SSL:
the JSSE implementation provided as part of the Java runtime (since 1.4)
the APR implementation, which uses the OpenSSL engine by default....
As configuration attributes for SSL support significantly differ between APR vs. JSSE implementations, it is recommended to avoid auto-selection of implementation. It is done by specifying a classname in the protocol attribute of the Connector.
To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not, use one of the following:
<!-- Define a HTTP/1.1 Connector on port 8443, JSSE NIO implementation -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" .../>
My understanding on that is that you should try to use a classname for the protocol attribute:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/tomcat7/webapps/key/mykeystore"
keystorePass="password" />

I think better you can redirect the tomcat port to IIS,in IIS you can easily enable HTTPS.
https://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

Configuring Tomcat to use Windows Certificate Store for SSL

I've deployed a number of SSL configurations, including both Tomcat (cacerts + keytool) and IIS (Windows Certificate Store + netsh http sslcert) so I'm familiar with these procedures.
Has anyone come up with a way to point Tomcat's SSL connector to a Windows Store (i.e. configuration, extension, plugin, etc.)? Just looking to centralize management of SSL deployments to one store, vs. having multiple stores.

According to the answer on "SSL enabling in Tomcat Windows server" you can specify keystore type as "Windows-My" in configuration of connector in server.xml, it worked for me on Tomcat 8.0.22 as well
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<alias of the cert>"
keystoreFile=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<alias of the cert>"
keystoreFile=""
keystorePass=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />
keystoreFile and keystorePass has to be set to empty string. see my comment at bz.apache.org "BUG 56021"
If not set they will default to values that causes trouble.
keyAlias should be either the friendly name (if it has one) or the common name of the certificate.

It seems not possible. From tomcat 8 documentation https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores.
Windows Store would require an specific connector similar to the 'WINDOWS-MY' of JSSE.
There is no reference in documentation to any plugin or connector to Windows Certificate Store.

While Dmitry's solution works on Tomcat 8.0, from Tomcat 8.5 onward there is a small caveat: you need to explicitly set JSSE as SSLImplementation. Hence the configuration becomes (considering also the new structure introduced in Tomcat 8.5):
<Connector port="8443"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
scheme="https" secure="true" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreType="Windows-MY"
certificateKeystoreFile=""
certificateKeyAlias="tomcat" />
</SSLHostConfig>
</Connector>
Alternatively, one can also set useOpenSSL="false" on the AprLifecycleListener.

Tomcat server in eclipse does not support TSL/SSL

I am trying to get self signed certificate for my website. I created a certificate using "Keytool" and then made following changes in conf/server.xml
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
redirectPort="8443" />
<Connector SSLEnabled="true" clientAuth="false"
keystoreFile="c:\tomcat\keystore\.keystore" keystorePass="changeit"
maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https"
secure="true" sslProtocol="TLS" />
When i run the tomcat server externally and type the URL https://"localhost":8443 (No quotes around localhost) it works but when i run the tomcat server in Eclipse i get 404 error.
Can anyone please help me with this. Thanks in advance.
I referred to the below sites for help.
http://technology-for-human.blogspot.com/2011/08/ssl-in-tomcat-under-eclipse-part-1-self.html
Eclipse WTP: How do I enable SSL on Tomcat?

According to https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
the sslProtocol property should be one of the followings: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, all.
Try putting "TLSv1+TLSv1.1+TLSv1.2".
Be sure there's no exceptions regarding the keystore's path or password.
And last but not least, remove the redirectPort property from others Connectors.

Eclipse tomcat https configuration for localhost

I am implementing https project.So i just tried ssl connection with tomcat
i created the key and certificates using the following commands from the following site.
http://mircwiki.rsna.org/index.php?title=Configuring_Tomcat_to_Support_SSL
genrsa –des3 –out tomcatkey.pem 2048
req –new –x509 –key tomcatkey.pem –out tomcatcert.pem –days 1095 -config "c:/openssl/tomcatkey.pem"
So i got the certificate and key from the openssl commands.(i used the key as "pratap")
i put these 2 files in tomcat folder.
i changed the connector element 8443
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="c:/tomcat7/tomcatcert.pem"
SSLCertificateKeyFile="c:/tomcat7/tomcatkey.pem"
clientAuth="optional" SSLProtocol="TLSv1" SSLPassword="pratap" />
when i run https://localhost:8443 it is running fine.
Now in eclipse i created the server of this and try to run from the eclipse
But it is showing the following error.
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)
i did not use keystore command at any where.
could any body give some light on this..Thank you..

You should read http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Configuration.
BTW: "Keystore was tampered with, or password was incorrect" - this error means your keystore is crashed or you have used wrong password. If you use selfsigned cert remeber to create truststore.

You need to pass the keystore password into your connector configuration. Here is an example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystorePass="qwerty"
clientAuth="false" sslProtocol="TLS" />
If you want to use another keystore you need to create one:
keytool -genkey -alias tomcat -keyalg RSA -keystore /home/user/.keystore2
and use it in your configuration:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore2" keystorePass="qwerty"
clientAuth="false" sslProtocol="TLS"/>