Enabling SSL in Tomcat

For people in a hurry: get the latest code and follow the steps described on GitHub.

There are lots of documents on the web on how to configure SSL in Tomcat; Tomcat Server/Client Self-Signed SSL Certificate and Mutual Authentication with CLIENT-CERT, Tomcat 6, and HttpClient stand out. But there is no simple, complete example that demonstrates enabling SSL in Tomcat, and I spent days poring over documents and Googling before I got the perfect solution. In this blog I demonstrate using a simple Java keystore to achieve a 2-way handshake, where the server presents its certificate and also requires one from the client. In my next blog I will show you how to use security-constraint to achieve CLIENT-CERT based access control.

This sample only works with Tomcat 6.0. Download and unzip the zip file somewhere, go to <tomcat-home>/conf and copy the two batch files client1cert.bat and client2cert.bat there. Run both files, in that order; they create all the certificates required for the 2-way handshake.

Open server.xml and replace the <Connector> tag with the one below:

<Connector
    clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${catalina.base}/conf/server.jks"
    keystoreType="JKS" keystorePass="password"
    truststoreFile="${catalina.base}/conf/server.jks"
    truststoreType="JKS" truststorePass="password"
    SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS" />

Notice that clientAuth="true" is set: this is what makes Tomcat require a certificate from the client, i.e. the server side of the 2-way handshake.

Copy the client0 folder to the <tomcat-home>/webapps directory. Finally, start the server. Now, under the sourcecode folder, go to client-cert-test, open the file src/main/java/com/goSmarter/test/SecureHttpClient0Test.java and change the line below to point to your <tomcat-home>/conf location:


public static final String path = "D:/apache-tomcat-6.0.36/conf/";

Run “mvn test -Dtest=com.goSmarter.test.SecureHttpClient0Test”. You will notice that 1 test succeeded. If the test case passes, 2-way SSL is working correctly. Please look at the code and understand the flow. The JUnit test uses the HttpUnit API to access the secure web server. You will also notice, when you run the test, a lot of certificate-related messages on the console. These appear because I have turned on client-side SSL debugging by putting the code below in the SecureHttpClient0Test.java class:

static {
    // Turn on the JSSE handshake trace: keystores loaded and certificates exchanged are printed to the console.
    System.setProperty("javax.net.debug", "ssl");
}
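To check that the Connector really enforces the client-certificate requirement, here is an added stand-alone JSSE client (my example, not the blog's SecureHttpClient0Test): it completes the 2-way handshake with the client key and then confirms that a connection presenting no certificate is refused. It assumes the batch files leave the client key pair in <tomcat-home>/conf/client1.jks under the same password used in server.xml, and it uses server.jks, the Connector's truststore, as the client's truststore.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;

public class MutualTlsCheck {
    // Same constant as the blog's test; point it at your <tomcat-home>/conf.
    public static final String path = "D:/apache-tomcat-6.0.36/conf/";
    // Assumptions: the batch files leave the client key pair in client1.jks under the same
    // password the Connector uses, and server.jks (the Connector's truststore) holds the server cert.
    static final char[] PASSWORD = "password".toCharArray();

    static KeyStore load(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) { ks.load(in, PASSWORD); }
        return ks;
    }

    // withClientKey=false trusts the server but presents no certificate: exactly the client
    // that a clientAuth="true" connector must refuse.
    static SSLContext context(boolean withClientKey) throws Exception {
        KeyManager[] keyManagers = null;
        if (withClientKey) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(path + "client1.jks"), PASSWORD);
            keyManagers = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(path + "server.jks"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Completes the handshake and returns the subject DN of the certificate the server presented.
    static String handshake(boolean withClientKey) throws Exception {
        try (SSLSocket s = (SSLSocket) context(withClientKey).getSocketFactory().createSocket("localhost", 8443)) {
            s.startHandshake();
            return s.getSession().getPeerPrincipal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("server authenticated as: " + handshake(true));
        try {
            handshake(false);
            System.out.println("WARNING: server accepted a client with no certificate; check clientAuth");
        } catch (SSLException expected) {
            System.out.println("client without certificate rejected: " + expected.getMessage());
        }
    }
}
```

With Tomcat 6 (TLS 1.2 at most) the server's rejection of the empty client certificate arrives during startHandshake; on a TLS 1.3 server it only surfaces on the first read, so there you would write a request and read the response inside the try.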

I hope this blog helped you.


8 thoughts on “Enabling SSL in Tomcat”

  1. Pingback: Enabling CLIENT-CERT based authorization on Tomcat | GoSmarter Tech Blog

  2. Pingback: Enabling CLIENT-CERT based authorization on Tomcat – Part 2 | GoSmarter Tech Blog

  3. PD

    Hi Krishna, I religiously followed the steps mentioned above and the build failed with the below stack trace -

    D:\SSL\enable-ssl-in-tomcat-master\client-cert-test\src\test\java\com\goSmarter\test>cd D:\SSL\enable-ssl-in-tomcat-master\client-cert-test

    D:\SSL\enable-ssl-in-tomcat-master\client-cert-test>mvn test -Dtest=com.goSmarter.test.SecureHttpClient0Test
    [INFO] Scanning for projects…
    [INFO] ————————————————————————
    [INFO] Building Samples (Basic) – HTTP Demo
    [INFO] task-segment: [test]
    [INFO] ————————————————————————
    [INFO] [resources:resources {execution: default-resources}]
    [WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
    [INFO] skip non existing resourceDirectory D:\SSL\enable-ssl-in-tomcat-master\client-cert-test\src\main\resources
    [INFO] [compiler:compile {execution: default-compile}]
    [INFO] No sources to compile
    [INFO] [resources:testResources {execution: default-testResources}]
    [WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
    [INFO] Copying 1 resource
    [INFO] [compiler:testCompile {execution: default-testCompile}]
    [INFO] Compiling 3 source files to D:\SSL\enable-ssl-in-tomcat-master\client-cert-test\target\test-classes
    [INFO] [surefire:test {execution: default-test}]
    [INFO] Surefire report directory: D:\SSL\enable-ssl-in-tomcat-master\client-cert-test\target\surefire-reports

    ——————————————————-
    T E S T S
    ——————————————————-
    Running com.goSmarter.test.SecureHttpClient0Test
    Keystore has 2 keys
    ***
    found key for : client1key
    chain [0] = [
    [
    Version: V3
    Subject: CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

    Key: Sun RSA public key, 1024 bits
    public exponent: 65537
    Validity: [From: Mon Jan 28 16:18:18 IST 2013,
    To: Sun Apr 28 16:18:18 IST 2013]
    Issuer: CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN
    SerialNumber: [ 51065772]

    ]
    Algorithm: [SHA1withRSA]
    Signature:
    https://localhost:8443
    16:40:02.832 DEBUG [main][org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to localhost:8443
    main, setSoTimeout(0) called
    16:40:03.846 DEBUG [main][org.apache.http.impl.conn.DefaultClientConnectionOperator] Connect to localhost:8443 timed out. Connection will be retried using another IP address
    16:40:03.846 DEBUG [main][org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to localhost:8443
    main, setSoTimeout(0) called
    16:40:04.875 DEBUG [main][org.apache.http.impl.conn.DefaultClientConnection] Connection org.apache.http.impl.conn.DefaultClientConnection@c3014 closed

    16:40:04.875 DEBUG [main][org.apache.http.impl.conn.DefaultClientConnection] Connection org.apache.http.impl.conn.DefaultClientConnection@c3014 shut down
    main, called close()
    main, called closeInternal(true)
    16:40:04.875 DEBUG [main][org.apache.http.impl.conn.SingleClientConnManager] Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@6754d6
    Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 2.543 sec <<< FAILURE!

    Results :

    Tests in error:
    testMainPage(com.goSmarter.test.SecureHttpClient0Test)

    Tests run: 1, Failures: 0, Errors: 1, Skipped: 0

    [INFO] ————————————————————————
    [ERROR] BUILD FAILURE
    [INFO] ————————————————————————
    [INFO] There are test failures.

    Please refer to D:\SSL\enable-ssl-in-tomcat-master\client-cert-test\target\surefire-reports for the individual test results.
    [INFO] ————————————————————————
    [INFO] For more information, run Maven with the -e switch
    [INFO] ————————————————————————
    [INFO] Total time: 5 seconds
    [INFO] Finished at: Mon Jan 28 16:40:05 IST 2013
    [INFO] Final Memory: 12M/22M
    [INFO] ————————————————————————

    Reply
    1. Nagendran A

      HI PD,

      You should deploy this application into server by enabling ssl and after that you run this test case.

      Please follow the steps mentioned in this blog:
      Copy the client0 folder to <tomcat-home>/webapps directory. Finally start the server. Now under the sourcecode folder, go to, client-cert-test open the file src/main/java/com/goSmarter/test/SecureHttpClient0Test.java file and change the below line to point to your <tomcat-home>/conf location

      Build this component by skipping the testcases
      mvn clean install -DskipTests=true

      Reply
      1. PD

        Hi Nagendran,
        Thanks for the reply. The issue is resolved.
        The tomcat version was the problem, changed it and it worked as a charm :)

  4. Pingback: Sample of Spring Security and CAS (Single Signon) | Krishna's Blog

  5. Keith Lehman

    Hi Krishna.
    Thanks for this. Do you have an example with Tomcat 7? I am attempting to deploy Tomcat 7 in a Windows environment, but have not had any success yet getting SSL to work.

    Thanks!

    - Keith

    Reply
