How To Enable SSL or HTTPS In Apache Tomcat 8
In this article we will see how to enable SSL in Apache Tomcat 8 and automatically redirect HTTP to HTTPS. All we need is a self-signed certificate and a few configuration changes. There are many tools and utilities available to generate the certificate; we will use keytool, which comes with the JDK installation. Let us go over a few terms first.
Self-Signed Certificate:
- A certificate that is signed by itself rather than by a trusted authority.
- Generally used for testing purposes only.
SSL (Secure Sockets Layer):
- A standard way of establishing an encrypted link between a web server and a browser.
- Ensures that all data passed between the web server and browsers remains private and unmodified.
Hyper Text Transfer Protocol Secure (HTTPS):
- HTTPS is the secure version of HTTP.
- The protocol over which data is sent between your browser and the website that you are connected to.
Generate Self-Signed-Certificate with java keytool
We will use the keytool command to generate the self-signed certificate. When you run the command in cmd, you will be asked to fill in various details for the certificate. The following keytool command generates the keystore in the currently logged-in user's directory (say: C:\Users\Chandra Mani\keystore.jks).
keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -keystore keystore.jks -validity 3650
You can check the details of the generated certificate using the following keytool command. At the "Enter keystore password:" prompt, type the keystore password (123456 in this example).
keytool -list -keystore keystore.jks
Add Connector tag in conf/server.xml
Copy the generated keystore.jks into the conf folder (this is completely optional). Now add a Connector tag for the HTTPS scheme on port 8443 to the server.xml file inside the conf folder of your Tomcat installation.
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="D:\Tomcat8\conf\keystore.jks"
           keystorePass="123456"
           keyAlias="tomcatssl" />
Remember that "tomcatssl" is the alias name and "123456" is the password we entered while generating the certificate.
Override the existing Connector tag for the default port 8080 with the following.
<Connector port="8080"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           redirectPort="8443"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true" />
With the above configuration, you will be able to access any deployed web application over both HTTP and HTTPS. Run your Tomcat server and hit the following URL.
Automatic Redirect HTTP to HTTPS in Tomcat
Sometimes we want our web application to be accessible only on the HTTPS port. We can either disable the Connector for port 8080 or redirect HTTP to HTTPS automatically. To achieve the latter, we have to add a security constraint to the web.xml file inside the conf folder of your Tomcat installation. Make sure to add it after all the servlet mapping tags, just before the closing </web-app> tag.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Now try to access any web application on the HTTP port and you will be automatically redirected to the HTTPS port.
I hope you enjoyed this article. In case of any difficulties, ping me in the comment section below.