
Implementing SSL on Tomcat

Overview

At some point, you may wish to add SSL (HTTPS) security to your production Tomcat. If so, you may follow the high-level steps outlined in this tech blog post.

Keep in mind that the instructions below may vary slightly depending on your CA and your version of Tomcat. Tomcat provides extensive documentation on how to configure SSL, and your CA may also provide helpful step-by-step instructions.

Steps

1. Create Keystore

Run the following command from a CMD prompt on your m-Power server:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

Follow the on-screen prompts.

Note: When prompted for your first and last name, enter your FQDN (hostname).

2. Create CSR

Run the following command to generate your CSR:

keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore

3. Send CSR to your CA

This step depends on who your CA is but typically you will have to log in to their website and purchase an SSL certificate. Choose your deployment as Apache Tomcat and follow the prompts to send your CSR to them.

4. CA will send you the certificates

This can sometimes take up to an hour. Your CA will most likely send you a root certificate, an intermediate certificate, and a Tomcat (server) certificate. All of these are important.

Note: Please check your CA's instructions to verify accuracy.

5. Combine certificates with keystore

First of all, copy all new certificates into the same folder as your keystore. Also, make a backup of your keystore for safekeeping.

Run the following three commands, in this order, to load the certificates into the keystore. The last import uses the same alias (tomcat) as the key pair created in Step 1, so that the CA-issued certificate is attached to that private key:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

6. Install keystore

Copy tomcat.keystore to C:\Program Files\mrc\production\m-power\tomcat\conf

7. Finalize configuration

Edit the c:\program files\mrc\production\m-power\tomcat\conf\server.xml file. Find the section that references port 8443 and make it look like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/Program Files/mrc/production/m-power/tomcat/conf/tomcat.keystore" certificateKeystorePass="changeit" />
    </SSLHostConfig>
</Connector>

Next, find the line referencing the AprLifecycleListener and comment it out:

<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->

Editor’s Note: If you are configuring SSL for both development and production (on the same server), you can use port 443 for production and 8443 for development.

Once finished, restart Tomcat and test your connection by going to https://YOUR_SERVER_NAME_HERE:port, where port is the Connector port you configured (443 in the example above).

Additional Notes

If you would like mrc’s assistance with setting up SSL on your Tomcat server, this may be done via a consulting engagement. Our experienced consultants have plenty of experience with configuring SSL and are ready to assist. For more information, please email support@mrc-productivity.com.

Updated on September 12, 2024


Comments

  1. c:\program files\mrc\production\tomcat\conf\server.xml does not have any reference to port 443.

    1. Hi Adam. I believe the line you are looking for in Step 7 will have a reference to a Connector port using '8443', and having an attribute of 'SSLEnabled="true"'.
