GENERAL
A secure connection can be provided through the HTTPS protocol using a server certificate.
INTRODUCTION TO SSL
SSL, or Secure Sockets Layer, is a technology which allows web browsers and web servers to
communicate over a secured connection. This means that the data being sent is encrypted by one
side, transmitted, then decrypted by the other side prior to any processing. This is a two-way
process, meaning that both the server and the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is Authentication. This means that during your
initial attempt to communicate with a web server over a secure connection, that server will
present your web browser with a set of credentials, in the form of a Certificate, as proof that the
site is who and what it claims to be. In certain cases, the server may also request a certificate
from your web browser, asking for proof that you are who you claim to be. This is known as
Client Authentication, although in practice it is used primarily for business-to-business (B2B)
transactions rather than with typical site users. Most SSL-enabled web servers do not request
Client Authentication.
1. Self-generated and self-signed certificates. A service provider running Tomcat can create a
self-signed certificate with the JDK keytool program (keytool.exe). Because such a certificate
is its own issuer, it must be imported into the list of trusted root authorities on every client
before first use; on Windows this is done through the browser's certificate manager, as
described below.
2. Certificate from a known authority (Comodo, VeriSign, Thawte, etc.). A certificate of this
kind does not need to be added to the clients' list of trusted authorities, because the issuing
CA's root certificate is already present in their trust stores.
SELF-SIGNED CERTIFICATE
Once you have decided which JDK you are going to use (under Windows 2000/XP/2003/Vista/2008),
open a command-line (CMD) window and point JAVA_HOME at its installation directory, for example:
set JAVA_HOME=c:\jdk1.6.0_13
or
set JAVA_HOME=c:\Program Files\Java\jdk1.6.0_13
as appropriate. Check the result and change to the JDK's bin directory:
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
C:\>echo %JAVA_HOME%
C:\Program Files\Java\jdk1.6.0_13
C:\>cd %JAVA_HOME%\bin
If no keystore location is given, keytool stores the key pair in the default keystore, the .keystore
file in the home directory of the user running the command. Alternatively, you can specify the
location of the keystore with the -keystore option, as in the export and import commands below;
Tomcat must then be pointed at that same file.
Follow the prompts. The answer to "What is your first and last name?" becomes the certificate's
Common Name (CN) and must be the exact site FQDN (e.g., www.example.com), localhost or the IP
address that you will type into a browser or an application to connect to the server; browsers
report a name mismatch otherwise. Remember the keystore password you enter: Tomcat needs it to
open the keystore.
Stop and start the Tomcat server for the above changes to take effect.
Note: keytool generates DSA keys unless told otherwise, so specify RSA (-keyalg RSA) when
generating the key pair. RSA should be preferred both as a secure algorithm and to ensure general
compatibility with other servers and components such as Netscape and IIS.
To add your self-signed certificate to the list of trusted authorities on a client, first export the
certificate from the keystore that has been created previously, as follows:
%JAVA_HOME%\bin\keytool -export -alias tomcat -keystore <path to the key> -file <desired certificate name>
After the certificate has been exported, copy the file to the client and open Internet Explorer. Go
to Tools\Internet Options\Content\Certificates, select the Trusted Root Certification Authorities
tab and import the exported file. The browser will warn that it cannot verify where the certificate
came from; that is expected for a self-signed certificate, so compare the fingerprint it shows with
the one keytool -list reports for the keystore entry before accepting it.
CERTIFICATE FROM A KNOWN AUTHORITY
Once you have generated a certificate signing request for the key pair, you have a file called
certreq.csr that you can submit to the Certificate Authority (look at the documentation on the
Certificate Authority's website for how to do this). In return you get a certificate, or a number
of certificates (your server certificate plus the CA's chain certificate).
ii) Now you have to import those certificates into the keystore file that you created previously.
Import the chain certificate first:
%JAVA_HOME%\bin\keytool -import -alias root -keystore <path to the key> -trustcacerts -file <filename_of_the_chain_certificate>
Then import your server certificate under the same alias as the key pair (tomcat), so that keytool
attaches it to the existing private key instead of storing it as a separate trusted certificate.
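The whole keytool procedure above, from key generation through export and the optional CA import, collected into one Windows batch script. This is an added example and not part of the original tutorial or of the Tomcat distribution; the JDK path, keystore path, password, alias and distinguished name are assumptions, as is the Tomcat 5.5 Connector fragment quoted in the comments.

```batch
@echo off
REM Added example, not from the original tutorial. Builds a Tomcat keystore with
REM keytool: self-signed path (steps 1-2) and CA-signed path (steps 3-4).
REM All paths, the password and the DN are assumptions; replace them.
setlocal

set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_13
set KEYTOOL="%JAVA_HOME%\bin\keytool"
set KEYSTORE=C:\tomcat\conf\tomcat.jks
REM Passwords on the command line are for illustration only; omit -storepass
REM and -keypass and keytool prompts for them instead.
set STOREPASS=changeit
REM CN must be exactly the host name clients will type into the browser.
set DNAME="CN=www.example.com, OU=IT, O=Example Ltd, L=Vancouver, ST=BC, C=CA"

REM 1. Generate an RSA key pair plus self-signed certificate under alias "tomcat".
REM    keytool defaults to DSA, hence -keyalg RSA. -dname replaces the interactive
REM    "What is your first and last name?" prompts.
%KEYTOOL% -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 ^
  -dname %DNAME% -keystore "%KEYSTORE%" -storepass %STOREPASS% -keypass %STOREPASS%
if errorlevel 1 goto :fail

REM 2. Export the self-signed certificate for import into each client's
REM    Trusted Root Certification Authorities store. On a client an administrator
REM    can do that without the browser dialog: certutil -addstore -user Root tomcat.cer
%KEYTOOL% -export -alias tomcat -keystore "%KEYSTORE%" -storepass %STOREPASS% -file tomcat.cer
if errorlevel 1 goto :fail

REM 3. CA path: create the certificate signing request (certreq.csr) for the same key.
%KEYTOOL% -certreq -alias tomcat -keystore "%KEYSTORE%" -storepass %STOREPASS% -file certreq.csr
if errorlevel 1 goto :fail

REM 4. CA path: once the CA has replied, import the chain under alias "root" first,
REM    then the server certificate under the SAME alias as the key pair so keytool
REM    attaches it to the private key. Skipped while the CA files are absent.
if exist chain.cer (
  %KEYTOOL% -import -alias root -trustcacerts -keystore "%KEYSTORE%" -storepass %STOREPASS% -file chain.cer
  if errorlevel 1 goto :fail
)
if exist server.cer (
  %KEYTOOL% -import -alias tomcat -trustcacerts -keystore "%KEYSTORE%" -storepass %STOREPASS% -file server.cer
  if errorlevel 1 goto :fail
)

REM 5. Check: "tomcat" must be a PrivateKeyEntry whose Owner CN equals the DN above,
REM    and the SHA1 fingerprint shown here is the one to compare on each client.
%KEYTOOL% -list -v -keystore "%KEYSTORE%" -storepass %STOREPASS%

REM Assumed Tomcat 5.5 conf\server.xml Connector that uses this keystore; the
REM keystorePass value must equal STOREPASS. Restart Tomcat after editing it and
REM browse to https://www.example.com:8443/
REM   <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
REM              clientAuth="false" keystoreFile="C:\tomcat\conf\tomcat.jks"
REM              keystorePass="changeit" />
endlocal
exit /b 0

:fail
echo A keytool step failed; see the message above.
endlocal
exit /b 1
```

Run the script once on the server; the CA-path steps are idempotent in the sense that the import commands are only attempted when chain.cer and server.cer exist next to the script. Re-running step 1 against an existing alias fails on purpose, which protects a keystore that already holds a CA-signed certificate.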
To test the configuration, open a browser and go to:
https://localhost:8443
or
https://www.your-domain.com:8443
If all goes well, a browser that has not yet imported the certificate will ask whether you want to
proceed with the site's Security Certificate. Click Yes and you should be in business: you should
see the usual Tomcat splash page, and from then on you should be able to access any web
application supported by Tomcat via SSL. The browser will also warn if the host name in the URL
differs from the Common Name entered when the certificate was generated, so use the same name in
both places.
If this does not work, the following section contains some troubleshooting tips.
NOTE: If you are behind a router, don't forget to forward port 8443 (or 443) on it to the server!
REFERENCES:
1. Critical Steps to Secure Tomcat on Windows NT-2K-XP:
http://www.developer.com/java/ent/article.php/2241061
2. The Apache Tomcat 5_5 Servlet-JSP Container - SSL Configuration HOW-TO:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html