{"id":460,"date":"2013-03-05T21:30:14","date_gmt":"2013-03-05T20:30:14","guid":{"rendered":"http:\/\/blog.rabahi.net\/?page_id=460"},"modified":"2014-01-12T22:58:49","modified_gmt":"2014-01-12T21:58:49","slug":"tomcat-ssl","status":"publish","type":"page","link":"https:\/\/blog.rabahi.net\/?page_id=460","title":{"rendered":"Tomcat SSL Survival Guide"},
"content":{"rendered":"<blockquote><p>Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.<\/p><\/blockquote>\n<p style=\"text-align: right;\">Wikipedia<\/p>\n<hr>\n<p>The following procedure describes how to generate an SSL certificate for Tomcat 5.5.x.<br \/>\nThe generated certificate file is named &#8220;keystore&#8221;.<\/p>\n<p>The trusted certificate authority used here is RapidSSL.<\/p>\n<p><span style=\"color: red; font-weight: bold;\">Important: the steps must be followed in order.<\/span><\/p>\n<div id=\"toc_container\" class=\"no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Before_starting8230\"><span class=\"toc_number toc_depth_1\">1<\/span> Before starting&#8230;<\/a><\/li><li><a href=\"#Private_key_generation\"><span class=\"toc_number toc_depth_1\">2<\/span> Private key generation<\/a><\/li><li><a href=\"#Generation_of_Certificate_Signing_Request_CSR\"><span class=\"toc_number toc_depth_1\">3<\/span> Generation of Certificate Signing Request (CSR)<\/a><\/li><li><a href=\"#Send_the_CSR_to_RapidSSL\"><span class=\"toc_number toc_depth_1\">4<\/span> Send the CSR to RapidSSL<\/a><\/li><li><a href=\"#Importation_of_CER\"><span class=\"toc_number toc_depth_1\">5<\/span> Importation of CER<\/a><\/li><li><a href=\"#Setup_in_Tomcat\"><span class=\"toc_number toc_depth_1\">6<\/span> Setup in Tomcat<\/a><\/li><li><a href=\"#Test\"><span class=\"toc_number toc_depth_1\">7<\/span> Test<\/a><\/li><\/ul><\/div>\n<h1><span id=\"Before_starting8230\">Before starting&#8230;<\/span><\/h1>\n<p>Let&#8217;s set the variables used throughout this document:<\/p>\n<pre lang=\"bash\">$JAVA_HOME : path to the JVM\r\n\r\n$KEYSTORENAME : myname.kdb\r\n$CSR_FILE_NAME : myname.csr\r\n\r\n$X509_FILE_NAME : certificate received from the certificate authority.\r\n$X509_INTERMEDIATE_FILE_NAME : intermediate certificate received from the certificate authority.<\/pre>\n<p><span style=\"color: red; font-weight: bold;\">Important :<\/span> keep the same $KEYSTORENAME for the whole process.<\/p>\n<h1><span id=\"Private_key_generation\">Private key generation<\/span><\/h1>\n<p>Enter the following command:<\/p>\n<pre lang=\"bash\">$JAVA_HOME\/bin\/keytool -genkey -alias tomcat -keyalg RSA -keystore $KEYSTORENAME -keysize 2048<\/pre>\n<p>And answer the questions as follows (the keytool prompts are shown in French, as they appeared on the original system):<\/p>\n<pre lang=\"bash\">Tapez le mot de passe du Keystore :  changeit\r\nQuels sont vos pr\u00e9nom et nom ? *.myname\r\nQuel est le nom de votre unit\u00e9 organisationnelle ? myOU\r\nQuelle est le nom de votre organisation ? *.myname\r\nQuel est le nom de votre ville de r\u00e9sidence ? Paris\r\nQuel est le nom de votre \u00c9tat ou province ? France\r\nQuel est le code de pays \u00e0 deux lettres pour cette unit\u00e9 ? FR\r\n\r\nEst-ce CN=*.myname, OU=myOU, O=*.myname, L=Paris\r\nST=France, C=FR ?\r\n  [non] : oui\r\n\r\nSp\u00e9cifiez le mot de passe de la cl\u00e9 pour &lt;tomcat&gt;\r\n        (appuyez sur Entr\u00e9e s'il s'agit du mot de passe du Keystore) : (taper )<\/pre>\n<p>==&gt; We have just obtained the private key, stored in &#8220;$KEYSTORENAME&#8221;.<\/p>\n<h1><span id=\"Generation_of_Certificate_Signing_Request_CSR\">Generation of Certificate Signing Request (CSR)<\/span><\/h1>\n<p>Enter the following command:<\/p>\n<pre lang=\"bash\">$JAVA_HOME\/bin\/keytool -certreq -alias tomcat -keystore $KEYSTORENAME -file $CSR_FILE_NAME<\/pre>\n<p>And answer the question as follows:<\/p>\n<pre lang=\"bash\">Tapez le mot de passe du Keystore :  changeit<\/pre>\n<p>==&gt; We have just obtained the CSR: &#8220;$CSR_FILE_NAME&#8221;<\/p>\n<h1><span id=\"Send_the_CSR_to_RapidSSL\">Send the CSR to RapidSSL<\/span><\/h1>\n<p>The CSR is sent in one of these two situations:<\/p>\n<pre>  - when purchasing the certificate\r\n  - when reissuing:\r\n        * go here: https:\/\/products.geotrust.com\/orders\/orderinformation\/authentication.do\r\n              Fully qualified domain name or common name: *.myname\r\n              Email address: myemail@gmail.com\r\n        * an email containing a link is sent to myemail@gmail.com.\r\n        * after opening the link in the email, click on \"Reissue Certificate\" and paste the contents of '$CSR_FILE_NAME'<\/pre>\n<p>=&gt; RapidSSL sends an email containing the certificate in X509 format as well as the intermediate certificate (also in X509 format).<\/p>\n<p>The certificates will be called:<br \/>\n* X509 format: $X509_FILE_NAME<br \/>\n* The intermediate certificate: $X509_INTERMEDIATE_FILE_NAME<\/p>\n<h1><span id=\"Importation_of_CER\">Importation of CER<\/span><\/h1>\n<p>To import the CER, run the following commands.<\/p>\n<p>For each command, answer the question as follows:<\/p>\n<pre lang=\"ini\">Tapez le mot de passe du Keystore :  changeit\r\nR\u00e9ponse de certificat install\u00e9e dans le Keystore<\/pre>\n<pre lang=\"bash\">  # import the intermediate certificate:\r\n  $JAVA_HOME\/bin\/keytool -import -alias rapidtrustca -trustcacerts -file $X509_INTERMEDIATE_FILE_NAME -keystore $KEYSTORENAME\r\n  $JAVA_HOME\/bin\/keytool -import -alias Intermediate -trustcacerts -file $X509_INTERMEDIATE_FILE_NAME -keystore $KEYSTORENAME\r\n\r\n  # import the X509 certificate:\r\n  $JAVA_HOME\/bin\/keytool -import -alias tomcat -trustcacerts -file $X509_FILE_NAME -keystore $KEYSTORENAME<\/pre>\n<p>=&gt; We now have &#8220;$KEYSTORENAME&#8221; with the CER imported.<\/p>\n<h1><span id=\"Setup_in_Tomcat\">Setup in Tomcat<\/span><\/h1>\n<p>* copy &#8220;$KEYSTORENAME&#8221; to the server.<br \/>\n* place it in &#8220;~&#8221; (home directory).<br \/>\n* in server.xml add the attribute &#8220;keystoreFile&#8221; and set it to the full path of &#8220;$KEYSTORENAME&#8221;.<\/p>\n<p>Example of an SSL connector:<\/p>\n<pre lang=\"xml\">\r\n&lt;Connector port=\"443\"\r\n               maxHttpHeaderSize=\"8192\"\r\n               maxThreads=\"150\" minSpareThreads=\"25\" maxSpareThreads=\"75\"\r\n               enableLookups=\"false\" disableUploadTimeout=\"true\"\r\n               acceptCount=\"100\"\r\n\r\n               scheme=\"https\" secure=\"true\"\r\n               clientAuth=\"false\" sslProtocol=\"TLS\"\r\n\r\n               keystoreFile=\"${user.home}\/$KEYSTORENAME\"\r\n               \/&gt;\r\n<\/pre>\n<p>* Restart Tomcat<\/p>\n<h1><span id=\"Test\">Test<\/span><\/h1>\n<p>* Check the Tomcat logs and verify that it started up.<br \/>\n* Verify the certificate:<br \/>\n** click (or double-click, depending on the browser) on the lock to view the certificate.<br \/>\n** compare the information entered in step 1 of the procedure and the validity dates.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security over the Internet. SSL encrypts the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Wikipedia The following procedure describes how to generate [&hellip;]<\/p>\n","protected":false},
"author":1,"featured_media":0,"parent":863,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-460","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=460"}],"version-history":[{"count":16,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/460\/revisions"}],"predecessor-version":[{"id":923,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/460\/revisions\/923"}],"up":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/863"}],"wp:attachment":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}