Introduction

This wiki explains the process to enable SSL/TLS authentication on Tomcat.

Pre-requisites

  1. If you have access to a trusted Certificate Authority (CA), go through that CA's process to obtain the CA certificate, the server certificate and the server private key. If you do not have a trusted CA, you can create dummy CA certificates to test the setup in a LAB/TEST environment. In an ideal scenario, you should use a trusted Certificate Authority (CA).
  2. The user must have OpenSSL (in case a trusted CA is not available)
  3. The user must have Perl (CA.pl, used below, is a Perl script)

Creating Self-Signed Certificates Using OpenSSL

If you already have the cacert.pem, servercert.pem and serverkey.pem files, you can proceed directly to Step 7 below.

  1. Locate the OpenSSL CA.pl script, as it is required to create the dummy CA certificate. It is inside the bin directory within the OpenSSL directory (the Linux and Windows paths are shown below).
  2. Create a temporary directory to store the certificates and navigate to it in the command line.
  3. Linux users: execute the following command (you might need to edit the path accordingly):
     /usr/lib/ssl/misc/CA.pl -newca

     Windows users: execute the following command (you might need to edit the path accordingly):
     C:\OpenSSL-Win32\bin\CA.pl -newca

     This creates demoCA/cacert.pem (CA certificate) and demoCA/private/cakey.pem (CA private key).

  4. Make a server certificate signing request (CSR) using the following command:
     openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

     Note: Make sure the Common Name you enter is the same as the server name/hostname. Otherwise, the browser may complain that the certificate name does not match the hostname of the server. Also make sure to access the server with the same hostname as entered here.

  5. Linux users: execute the following command (you might need to edit the path accordingly):
     /usr/lib/ssl/misc/CA.pl -sign

     Windows users: execute the following command (you might need to edit the path accordingly):
     C:\OpenSSL-Win32\bin\CA.pl -sign

     After the above steps have been followed, you will have the following 3 files: cacert.pem, newreq.pem and newcert.pem.

  6. Rename newreq.pem to serverkey.pem and newcert.pem to servercert.pem.
  7. Convert the servercert.pem file to PKCS12 format (*.p12) using the following command:
     openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out servercert.p12 -name servercertificate

     Note: The converted file (servercert.p12) acts as the server certificate and is used to generate the keystore. When prompted for the Export Password, enter a password and keep it safe.

  8. Create a Java keystore file by converting the servercert.p12 file to Java Keytool format using the following command:
     keytool -importkeystore -destkeystore servercert.jks -srckeystore servercert.p12 -srcstoretype PKCS12 -alias servercertificate

     Note: When prompted for the destination keystore password, enter a password and keep it safe; it will be used as the keystore password in the server.xml file. When prompted for the source keystore password, enter the export password of the servercert.p12 file created in the previous step (Step 7).

  9. Navigate to the demoCA directory (cd demoCA) and create a Java truststore file by converting the cacert.pem file to Java Keytool format using the following command:
     keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem

     Note: When prompted for the keystore password, enter a password and keep it safe. It will be used as the truststore password in server.xml.
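The same certificate chain, as an added, scriptable example that is not part of this article: it replaces the interactive CA.pl and keytool prompts with plain openssl commands and non-interactive keytool flags, and finishes with the hostname check the note in Step 4 is about. The working directory lab-certs, the CA name "Lab Test CA", the hostname tomcat.lab.example and the two lab passwords are assumptions; the script uses 2048-bit keys because public CAs and current browsers reject the 1024-bit size in the page's command, and it adds a subjectAltName because browsers check the hostname against the SAN rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the article): lab CA + CA-signed server certificate
# with plain openssl, then the PKCS12 export and the two keytool imports.
# Assumed names: lab-certs/, "Lab Test CA", tomcat.lab.example, lab passwords.
set -eu

WORKDIR="${WORKDIR:-./lab-certs}"
SERVER_CN="${SERVER_CN:-tomcat.lab.example}"  # must be the hostname users will type
EXPORT_PASS="${EXPORT_PASS:-lab-export-pass}"  # PKCS12 export password
STORE_PASS="${STORE_PASS:-lab-store-pass}"     # JKS keystore and truststore password
CA_CERT="$WORKDIR/demoCA/cacert.pem"
CA_KEY="$WORKDIR/demoCA/private/cakey.pem"

# Minimal OpenSSL config: CA extensions, and server extensions with a SAN.
write_config() {
  mkdir -p "$WORKDIR/demoCA/private"
  chmod 700 "$WORKDIR/demoCA/private"
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
EOF
}

# Equivalent of CA.pl -newca: CA key and self-signed CA certificate.
make_ca() {
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca -subj "/CN=Lab Test CA" \
    -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# Equivalent of the CSR step plus CA.pl -sign: key, CSR, signed server certificate.
make_server_cert() {
  openssl req -new -sha256 -newkey rsa:2048 -nodes \
    -config "$WORKDIR/openssl.cnf" -subj "/CN=$SERVER_CN" \
    -keyout "$WORKDIR/serverkey.pem" -out "$WORKDIR/server.csr" >/dev/null 2>&1
  chmod 600 "$WORKDIR/serverkey.pem"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/server.csr" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$WORKDIR/openssl.cnf" -extensions v3_server \
    -out "$WORKDIR/servercert.pem" >/dev/null 2>&1
}

# PKCS12 bundle of certificate + private key, password given non-interactively.
export_pkcs12() {
  openssl pkcs12 -export -in "$WORKDIR/servercert.pem" -inkey "$WORKDIR/serverkey.pem" \
    -name servercertificate -passout "pass:$EXPORT_PASS" -out "$WORKDIR/servercert.p12"
}

# Keystore and truststore imports; skipped when no JDK is on the PATH.
# -destkeypass matters: without it the key entry keeps the PKCS12 password while
# the store gets STORE_PASS, and Tomcat then fails with "Cannot recover key".
import_keystores() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS import" >&2; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$WORKDIR/servercert.p12" -srcstoretype PKCS12 \
    -srcstorepass "$EXPORT_PASS" -alias servercertificate \
    -destkeystore "$WORKDIR/servercert.jks" -deststorepass "$STORE_PASS" -destkeypass "$STORE_PASS"
  keytool -import -noprompt -keystore "$WORKDIR/cacerts.jks" -storepass "$STORE_PASS" \
    -alias cacert -file "$CA_CERT"
}

# Returns 0 only if servercert.pem chains to the CA *and* is valid for hostname $1.
check_hostname() {
  openssl verify -CAfile "$CA_CERT" -verify_hostname "$1" "$WORKDIR/servercert.pem" >/dev/null 2>&1
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
  write_config && make_ca && make_server_cert && export_pkcs12 && import_keystores
  check_hostname "$SERVER_CN" && echo "servercert.pem verifies for $SERVER_CN"
}
main
```

Run it once from the temporary directory; the PEM, .p12 and (when a JDK is present) .jks files land in lab-certs/. If check_hostname fails, the browser will show the same mismatch the note above warns about, so fix SERVER_CN before going near server.xml. Older keytool releases cannot read the AES-encrypted PKCS12 files that OpenSSL 3 writes by default; if the import step complains about the file format, update the JDK rather than weakening the export.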

Configuring SSL/TLS on Ephesoft JavaAppServer (Tomcat) Using Generated Certificates

server.xml changes

  1. Place the recently created cacerts.jks and servercert.jks in a permanent directory, e.g. Ephesoft/certs.
  2. Take a backup of the existing server.xml file located in the Ephesoft/JavaAppServer/conf folder.
  3. Open server.xml in edit mode and locate the existing HTTP/HTTPS connector, as shown in the following snapshot.
  4. Comment out the existing connector (default port 8080) and create the new connector by uncommenting the commented-out PIV/CAC HTTPS connector (shown in the snapshot above).

The following connector attributes must be edited to match your file paths and passwords:

  • truststoreFile: cacerts.jks (specify the path of the file, e.g. Ephesoft/certs/cacerts.jks)
  • truststorePass: the password entered when creating cacerts.jks
  • keystoreFile: servercert.jks (specify the path of the file, e.g. Ephesoft/certs/servercert.jks)
  • keystorePass: the destination keystore password entered when creating servercert.jks

You may keep the default port 8080 or change it. If you change the port, remember the new value for the following sections.

dcma-batch.properties changes

  1. Take a backup of the existing dcma-batch.properties file located at Ephesoft/Application/WEB-INF/classes/META-INF
  2. Update the base URL (batch.base_http_url) to use https, and update the port if you are not using 8080

dcma-workflows.properties changes

  1. Take a backup of the existing dcma-workflows.properties file located at Ephesoft/Application/WEB-INF/classes/META-INF
  2. Update wb.hostURL to use https and update the port if you are not using 8080

web.xml changes

  1. This step is only necessary if you have changed the port from the default 8080
  2. Take a backup of the existing web.xml file located at Ephesoft/Application/WEB-INF
  3. Edit the following property
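The server.xml and properties changes above, as an added example that is not part of this article or of the Ephesoft distribution: it renders an HTTPS connector using the attribute names listed above (the PIV/CAC template itself is not reproduced on the page, so the connector here is a generic Tomcat JSSE connector) and rewrites the two URL properties after taking the .bak backups the steps call for. The install root /opt/Ephesoft, port 8443, the lab passwords and the exact format of the property lines are assumptions.

```shell
#!/bin/sh
# Added example (not Ephesoft's own files): HTTPS connector for server.xml plus
# the https/port rewrite of batch.base_http_url and wb.hostURL.
# Assumptions: /opt/Ephesoft install root, port 8443, lab passwords below.
set -eu

EPHESOFT="${EPHESOFT:-/opt/Ephesoft}"
HTTPS_PORT="${HTTPS_PORT:-8443}"                      # keep 8080 if you did not change it
KEYSTORE_PASS="${KEYSTORE_PASS:-lab-store-pass}"      # destination keystore password
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-lab-store-pass}"  # cacerts.jks password

# Connector with the four attributes the article lists, plus the ones Tomcat
# needs to treat the port as TLS. keyPass is set explicitly so that it equals
# the key password chosen at import time (a mismatch gives "Cannot recover key").
# clientAuth="true" is only for PIV/CAC, when every client must present a
# certificate issued by a CA in cacerts.jks; "false" is plain server TLS.
render_connector() {  # $1=port $2=cert dir $3=keystore pass $4=truststore pass
  cat <<EOF
<Connector port="$1" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS" maxThreads="150"
           keystoreFile="$2/servercert.jks" keystorePass="$3"
           keyAlias="servercertificate" keyPass="$3"
           truststoreFile="$2/cacerts.jks" truststorePass="$4"
           clientAuth="false" />
EOF
}

# Prints file $1 with property $2 switched from http:// to https:// and port $3.
# Only the scheme, host and port are touched; any path after them is kept,
# and a line that is already https:// is left alone.
set_https_url() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key must be literal
  sed -e "s#^\($key\)=http://\([^:/]*\)\(:[0-9]*\)\{0,1\}#\1=https://\2:$3#" "$1"
}

backup_and_rewrite() {  # $1=file $2=property
  cp -p "$1" "$1.bak"
  set_https_url "$1.bak" "$2" "$HTTPS_PORT" > "$1"
}

main() {
  conf="$EPHESOFT/JavaAppServer/conf/server.xml"
  cp -p "$conf" "$conf.bak"
  echo "Paste this connector into $conf in place of the port-8080 one:"
  render_connector "$HTTPS_PORT" "$EPHESOFT/certs" "$KEYSTORE_PASS" "$TRUSTSTORE_PASS"
  meta="$EPHESOFT/Application/WEB-INF/classes/META-INF"
  backup_and_rewrite "$meta/dcma-batch.properties" batch.base_http_url
  backup_and_rewrite "$meta/dcma-workflows.properties" wb.hostURL
}

# Only touches the installation when invoked as: sh configure_tls.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

The passwords end up in clear text in server.xml, exactly as the manual edit above leaves them, so keep the file readable only by the account that runs Tomcat. After restarting, confirm the connector with a browser or with openssl s_client against the new port before changing web.xml.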


Ignacio de Castro Perez