
Tomcat SSL Survival Guide


Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.

Wikipedia


The following procedure describes how to obtain an SSL certificate for Tomcat 5.5.x.
The resulting file, which holds the private key and the certificate, is the ”keystore”.

The certificate authority (CA) used here is RapidSSL.

Important: the steps must be followed in order.


Before starting…

Let's define the variables used throughout the document:

$JAVA_HOME : path to the JVM
 
$KEYSTORENAME: myname.kdb
$CSR_FILE_NAME : myname.csr
 
$X509_FILE_NAME: certificate received from the CA.
$X509_INTERMEDIATE_FILE_NAME: intermediate certificate received from the CA.

Important: keep the same $KEYSTORENAME throughout the whole process.

Private key generation

Enter the following command:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORENAME -keysize 2048

and answer the prompts as follows (keytool is shown here running with a French locale):

Tapez le mot de passe du Keystore :  changeit
Quels sont vos prénom et nom ? *.myname
Quel est le nom de votre unité organisationnelle ? myOU
Quelle est le nom de votre organisation ? *.myname
Quel est le nom de votre ville de résidence ? Paris
Quel est le nom de votre État ou province ? France
Quel est le code de pays à deux lettres pour cette unité ? FR
 
Est-ce CN=*.myname, OU=myOU, O=*.myname, L=Paris
ST=France, C=FR ?
  [non] : oui
 
Spécifiez le mot de passe de la clé pour 
        (appuyez sur Entrée s'il s'agit du mot de passe du Keystore) : (taper )

==> The keystore ”$KEYSTORENAME” now contains the private key.

Generation of the Certificate Signing Request (CSR)

Enter the following command:

$JAVA_HOME/bin/keytool -certreq -alias tomcat -keystore $KEYSTORENAME -file $CSR_FILE_NAME

and answer the prompt:

Tapez le mot de passe du Keystore :  changeit

==> We now have the CSR: ”$CSR_FILE_NAME”

Send the CSR to RapidSSL

The CSR is sent at one of these two points:

  - when purchasing the certificate
  - when reissuing it:
        * go to: https://products.geotrust.com/orders/orderinformation/authentication.do
              Fully qualified domain name or common name: *.myname
              Email address: myemail@gmail.com
        * an email containing a link is sent to myemail@gmail.com.
        * open the link from the email, click on "Reissue Certificate" and paste the contents of '$CSR_FILE_NAME'

=> RapidSSL sends an email containing the certificate in X509 format as well as the intermediate certificate (also in X509 format).

The certificates will be called:
* X509 format: $X509_FILE_NAME
* The intermediate certificate: $X509_INTERMEDIATE_FILE_NAME

Importing the CER

To import the CER, run the following commands.

For each command, answer the prompt as follows:

Tapez le mot de passe du Keystore :  changeit
Réponse de certificat installée dans le Keystore
  # import of the intermediate certificate:
  $JAVA_HOME/bin/keytool -import -alias rapidtrustca -trustcacerts -file $X509_INTERMEDIATE_FILE_NAME -keystore $KEYSTORENAME
  # same file under a second alias (optional; keytool warns that the certificate already exists in the keystore):
  $JAVA_HOME/bin/keytool -import -alias Intermediate -trustcacerts -file $X509_INTERMEDIATE_FILE_NAME -keystore $KEYSTORENAME
 
  # import of the X509 certificate, under the same alias as the private key:
  $JAVA_HOME/bin/keytool -import -alias tomcat -trustcacerts -file $X509_FILE_NAME -keystore $KEYSTORENAME

=> ”$KEYSTORENAME” now contains the imported certificates.
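The key generation, CSR and import steps above, collected into one non-interactive script. This is an added example, not code from the original page: it uses the page's variable names, assumes keytool lives in $JAVA_HOME/bin, uses the modern spellings -genkeypair and -importcert of the page's -genkey and -import (accepted by Java 6 and later), and every password, DN value and file name is a placeholder to replace. The two pem_* checks are a sanity test a practitioner can run on the files before handing them to the CA or to keytool.

```shell
#!/bin/sh
# Added example (not from the original page): the keytool steps run
# non-interactively. STOREPASS, the DN values and the file names are placeholders.
set -eu

JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/default-java}"   # assumption: path to your JVM
KEYSTORENAME="${KEYSTORENAME:-myname.kdb}"
CSR_FILE_NAME="${CSR_FILE_NAME:-myname.csr}"
X509_FILE_NAME="${X509_FILE_NAME:-myname.cer}"                                 # placeholder
X509_INTERMEDIATE_FILE_NAME="${X509_INTERMEDIATE_FILE_NAME:-intermediate.cer}"  # placeholder
STOREPASS="${STOREPASS:-changeit}"   # placeholder (the page's value); use a real secret

KT="$JAVA_HOME/bin/keytool"

# Assemble the -dname string from the same answers the interactive prompts ask for.
# Arguments: CN OU O L ST C
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1: private key (plus a self-signed placeholder certificate) under alias "tomcat".
gen_keypair() {
    "$KT" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORENAME" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "$(build_dname '*.myname' myOU '*.myname' Paris France FR)"
}

# Step 2: CSR to send to the CA.
gen_csr() {
    "$KT" -certreq -alias tomcat -keystore "$KEYSTORENAME" \
        -storepass "$STOREPASS" -file "$CSR_FILE_NAME"
}

# A file passes as a PEM CSR only if it carries the BEGIN/END markers that
# keytool ("NEW CERTIFICATE REQUEST") or openssl ("CERTIFICATE REQUEST") write.
# Returns 0 when it looks right, 1 otherwise.
pem_csr_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eq '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$' "$f" || return 1
    grep -Eq '^-----END (NEW )?CERTIFICATE REQUEST-----$' "$f" || return 1
}

# Same check for the PEM certificates the CA sends back.
pem_cert_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$f" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$f" || return 1
}

# Step 4: intermediate first (trust anchor, -noprompt skips the "Trust this
# certificate?" question), then the signed certificate under the SAME alias as
# the key, so keytool replaces the placeholder certificate with the CA reply.
import_chain() {
    pem_cert_ok "$X509_INTERMEDIATE_FILE_NAME" || { echo "bad intermediate file" >&2; return 1; }
    pem_cert_ok "$X509_FILE_NAME" || { echo "bad certificate file" >&2; return 1; }
    "$KT" -importcert -noprompt -alias rapidtrustca -trustcacerts \
        -file "$X509_INTERMEDIATE_FILE_NAME" -keystore "$KEYSTORENAME" -storepass "$STOREPASS"
    "$KT" -importcert -alias tomcat -trustcacerts \
        -file "$X509_FILE_NAME" -keystore "$KEYSTORENAME" -storepass "$STOREPASS"
}

run_all() {
    gen_keypair
    gen_csr
    pem_csr_ok "$CSR_FILE_NAME" || { echo "CSR was not written correctly" >&2; return 1; }
    echo "Send $CSR_FILE_NAME to the CA, save the reply as $X509_FILE_NAME and" \
         "$X509_INTERMEDIATE_FILE_NAME, then run: $0 import"
}

case "${1:-}" in
    run)    run_all ;;
    import) import_chain ;;
esac
```

Usage: `sh tomcat-ssl.sh run` performs steps 1 and 2; after the CA reply arrives, `sh tomcat-ssl.sh import` performs step 4. Passing -storepass on the command line exposes it in the process list and shell history; for an unattended run on a shared host prefer keytool's `-storepass:file` / `-storepass:env` forms.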

Setup in Tomcat

* copy ”$KEYSTORENAME” to the server.
* place it in ”~” (the home directory)
* in server.xml, add the attribute ”keystoreFile” to the SSL connector and set it to the full path of ”$KEYSTORENAME”

Example of an SSL connector:

<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${user.home}/$KEYSTORENAME"
           />

* Restart Tomcat
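Before restarting, a practitioner will want to confirm that server.xml points at the keystore that was just copied and that the file, which contains the private key, is not readable by other users. The following script is an added example, not code from the page or from Tomcat: it assumes the keystoreFile attribute uses ${user.home} as in the connector above, resolves it against a home directory you pass in, and treats any group or other permission bit on the keystore as a failure (mode 600 or 400 expected).

```shell
#!/bin/sh
# Added example (not from the original page): pre-restart checks on the SSL
# connector in server.xml and on the keystore it references.
set -eu

# Print the keystoreFile value of the first <Connector> that carries one, with
# Tomcat's ${user.home} replaced by the given home directory (which must not
# contain '|' or '&', as it is spliced into a sed expression).
# Arguments: server.xml path, home directory. Returns 1 if no keystoreFile is set.
resolve_keystore_path() {
    xml="$1"; home="$2"
    raw=$(grep -o 'keystoreFile="[^"]*"' "$xml" | head -n 1 | sed 's/^keystoreFile="//; s/"$//')
    [ -n "$raw" ] || return 1
    printf '%s\n' "$raw" | sed "s|\${user\.home}|$home|"
}

# The connector must be marked as HTTPS (scheme/secure) and use TLS, as on the page.
connector_attrs_ok() {
    xml="$1"
    grep -q 'scheme="https"' "$xml" || return 1
    grep -q 'secure="true"' "$xml" || return 1
    grep -q 'sslProtocol="TLS' "$xml" || return 1
}

# The keystore holds the private key: it must exist, be readable by the user
# running the check (the Tomcat user), and carry no group/other permission bits.
keystore_perms_ok() {
    f="$1"
    [ -r "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # columns 5-10 of "ls -l": group + other bits
    [ "$mode" = '------' ] || return 1
}

# Run all checks. Arguments: server.xml path, optional home directory (default $HOME).
check_tomcat_ssl() {
    xml="$1"; home="${2:-$HOME}"
    ks=$(resolve_keystore_path "$xml" "$home") || { echo "no keystoreFile in $xml" >&2; return 1; }
    connector_attrs_ok "$xml" || { echo "connector lacks scheme=https, secure=true or sslProtocol=TLS" >&2; return 1; }
    keystore_perms_ok "$ks" || { echo "keystore $ks is missing, unreadable or too permissive (chmod 600)" >&2; return 1; }
    echo "OK: $xml -> $ks"
}

if [ "${1:-}" ]; then check_tomcat_ssl "$@"; fi
```

Run it as the Tomcat user, e.g. `sh check-tomcat-ssl.sh $CATALINA_HOME/conf/server.xml`, so that the readability test reflects the account that will actually open the keystore at startup.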

Test

* Check the Tomcat logs and verify that it started up correctly.
* Verify the certificate:
** click (or double-click, depending on the browser) on the padlock to view the certificate.
** compare the details with the information entered in step 1 of the procedure, and check the validity dates.


Copyright © 2024 My linux world - by Marc RABAHI