Introduction

This wiki explains the process to enable SSL/TLS authentication on Tomcat.

Pre-requisites

  1. If the user has access to a trusted Certificate Authority (CA), they should go through the CA process to obtain a CA certificate, a server certificate and a server private key. If no trusted CA is available, they can create dummy CA certificates to test the setup in a LAB/TEST environment. Ideally, the user should have a trusted Certificate Authority (CA).
  2. The user must have OpenSSL (if a trusted CA is not available)
  3. The user must have Perl

Creating Self-Signed Certificates Using OpenSSL

If you already have the cacert.pem, servercert.pem and serverkey.pem files, then you can directly proceed to Section 2 below.

    1. Locate the OpenSSL CA.pl file, as it is required to create the dummy CA certificate. It is inside the bin directory within the OpenSSL directory.
    2. Create a temporary directory to store the certificates and navigate to it in the command line.
    3. Linux users: Execute the following command (you might need to edit the path accordingly)
       /usr/lib/ssl/misc/CA.pl -newca

       Windows users: Execute the following command (you might need to edit the path accordingly)

       C:\OpenSSL-Win32\bin\CA.pl -newca

       This creates demoCA/cacert.pem (CA certificate) and demoCA/private/cakey.pem (CA private key)

    4. Make a server certificate signing request (CSR) using the following command:
       openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Note: Make sure the Common Name you enter matches the servername/hostname. Otherwise, the browser may complain that the name in the certificate does not match the hostname of the server. Also make sure to access the server using the same hostname as entered here.

    5. Linux users: Execute the following command (you might need to edit the path accordingly)
       /usr/lib/ssl/misc/CA.pl -sign

       Windows users: Execute the following command (you might need to edit the path accordingly)

       C:\OpenSSL-Win32\bin\CA.pl -sign

       After the above steps have been followed, you will have the following 3 files: cacert.pem, newreq.pem and newcert.pem.

    6. Rename newreq.pem to serverkey.pem and newcert.pem to servercert.pem.

    Section 2

    7. Convert the servercert.pem file to PKCS12 format (*.p12) using the following command:
       openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out servercert.p12 -name servercertificate

Note: The converted file (servercert.p12) acts as the server certificate and is used to generate the keystore. When prompted for the Export Password, enter a password and keep it safe.

    8. Create a Java keystore file by converting the servercert.p12 file to Java Keytool format using the following command:
       keytool -importkeystore -destkeystore servercert.jks -srckeystore servercert.p12 -srcstoretype PKCS12 -alias servercertificate

Note: When prompted for the destination keystore password, enter a password and keep it safe. It will be used as the keystore password in the server.xml file. When prompted for the source keystore password, enter the Export Password of the servercert.p12 file created in the previous step (Step 7).

    9. Navigate to the demoCA directory (cd demoCA) and create a Java truststore file by converting the cacert.pem file to Java Keytool format using the following command:
       keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem

Note: When prompted for the keystore password, enter a password and keep it safe. It will be used as the truststore password in server.xml.

Generating a CSR if you have a Certificate Authority

    1. Create a new key pair in the keystore
       keytool -genkey -alias servercertificate -keyalg RSA -keysize 2048 -keystore servercert.jks
    2. Enter your DN information and confirm it with a "yes" when prompted
    3. Create a new Certificate Signing Request (CSR)
       keytool -certreq -alias servercertificate -keyalg RSA -file yourdomain.csr -keystore servercert.jks
    4. Enter your keystore password
    5. Send the CSR to your Certificate Authority (CA)
    6. Make a copy of servercert.jks and rename the copy to cacerts.jks
    7. Once you have received cacert.pem and servercert.pem from your CA, execute the steps below to import the certificates.
    8. Import cacert.pem into cacerts.jks and servercert.pem into servercert.jks as follows:
       keytool -import -keystore cacerts.jks -alias cacert -file cacert.pem

       keytool -import -keystore servercert.jks -alias servercertificate -file servercert.pem

Note: keytool only imports the signed servercert.pem under the existing key alias if it can build a chain to the issuing CA. If the second import fails with "Failed to establish chain from reply", import cacert.pem into servercert.jks first (or add -trustcacerts when the CA is already in Java's default cacerts).

Configuring SSL/TLS on Ephesoft JavaAppServer (Tomcat) Using Generated Certificates

server.xml changes

  1. Place the recently created cacerts.jks and servercert.jks in a permanent directory, e.g. Ephesoft/certs.
  2. Take a backup of existing server.xml file located at Ephesoft/JavaAppServer/conf folder
  3. Open server.xml in edit mode, and locate the existing HTTP/HTTPS connector as shown in the following snapshot

Comment out the existing connector (default port 8080) and create a new connector by uncommenting the commented-out PIV/CAC HTTPS connector (shown in the snapshot above).

The following properties must be edited to match your file paths and the passwords chosen earlier:

  • truststoreFile: cacerts.jks (specify the path of the file, e.g. Ephesoft/certs/cacerts.jks)
  • truststorePass: the truststore password generated before
  • keystoreFile: servercert.jks (specify the path of the file, e.g. Ephesoft/certs/servercert.jks)
  • keystorePass: the keystore password generated before

You may or may not change the port from the default 8080. If you change the port, remember this for the following sections.
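As an added example (not the snapshot from the original article), this is what the commented-out HTTP connector and the new HTTPS connector look like in server.xml using Tomcat's JSSE-style connector attributes; the Ephesoft/certs paths, the retained port 8080, the placeholder passwords and the clientAuth value are assumptions to adapt to your setup.

```xml
<!-- Original HTTP connector, commented out as described above -->
<!--
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->

<!-- HTTPS connector (Tomcat 7/8 JSSE attribute style). Assumed values:
     keystore/truststore under Ephesoft/certs, default port 8080 kept,
     CHANGE_ME placeholders for the passwords chosen in the keytool steps. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="Ephesoft/certs/servercert.jks"
           keystorePass="CHANGE_ME_keystore_password"
           keyAlias="servercertificate"
           truststoreFile="Ephesoft/certs/cacerts.jks"
           truststorePass="CHANGE_ME_truststore_password"
           clientAuth="false" />
<!-- The truststore is consulted to validate client certificates; set
     clientAuth="true" (or "want") to require PIV/CAC client-certificate
     authentication against the CA in cacerts.jks. -->
```

After restarting Tomcat, `keytool -list -keystore servercert.jks` should show the servercertificate alias as a PrivateKeyEntry, and `openssl s_client -connect <hostname>:8080` should present the server certificate issued by your CA.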

dcma-batch.properties changes

  1. Take a backup of the existing dcma-batch.properties file located at Ephesoft/Application/WEB-INF/classes/META-INF
  2. Update the base URL (batch.base_http_url) to use https and update the port if you are not using 8080

dcma-workflows.properties changes

  1. Take a backup of the existing dcma-workflows.properties file located at Ephesoft/Application/WEB-INF/classes/META-INF
  2. Update wb.hostURL to use https and update the port if you are not using 8080

web.xml changes

  1. This step is only necessary if you have changed the port from the default 8080
  2. Take a backup of the existing web.xml file located at Ephesoft/Application/WEB-INF
  3. Edit the following property

Ignacio de Castro Perez