Friday, January 5, 2018

Using Microsoft .pfx certificate to enable SSL in Tomcat

To enable SSL, one needs to specify a keystore holding the keys used to secure connections. Several types of certificates and keystores exist. For Java applications the easiest option is a Java keystore generated with the Java keytool; setting up such a keystore is well documented in the Tomcat documentation. To import a .pfx certificate generated by Microsoft tools, one first needs to convert it into a form that a Java keystore accepts. I do not do this routinely, so I make a note here that might also be useful for others.

  1. Generate a keystore in a new folder for it:
    mkdir /data/keystore/
    cd /data/keystore/
    keytool -genkey -alias tomcat -keyalg RSA
    
  2. Upload a .pfx certificate (e.g. lvn00021v.pfx) to the created folder
    /data/keystore/
  3. Execute two commands to extract the private key and the certificate (note: you will need to enter the password of the source keystore):
    openssl pkcs12 -in lvn00021v.pfx -nocerts -nodes -out key.pem
    openssl pkcs12 -in lvn00021v.pfx -nokeys -out cert.pem
    
  4. While executing the next command to export a PKCS#12 keystore, enter changeit as the password for the new keystore:
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name tomcat -CAfile ca.crt -caname root
    
  5. Import the exported keystore using the same password changeit, which is the Tomcat default:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -v
    
  6. To disable any unsecured (plain HTTP) access to all Tomcat-hosted applications, add the following lines at the end of CATALINA_HOME/conf/web.xml (inside the web-app element):
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- auth-constraint goes here if you require authentication -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    
  7. Modify CATALINA_HOME/conf/server.xml:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               compressibleMimeType="application/javascript,text/css,application/json" compression="on">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/data/keystore/keystore" type="RSA" />
        </SSLHostConfig>
    </Connector>
    
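As an added example (my own script, not part of the original post), steps 3 to 5 above wrapped into non-interactive shell functions, with a check that the private key extracted into key.pem really belongs to the certificate in cert.pem before anything is exported. It assumes openssl (and keytool for the last step) on PATH; the file names are the ones from the post, the demo password values and the self-signed stand-in for the Microsoft-exported .pfx are constructed.

```shell
#!/bin/sh
# Added example: steps 3-5 of the post as functions, plus a key/cert match
# check. Assumes openssl and keytool on PATH; passwords are demo values.
set -eu
umask 077   # key.pem is written unencrypted (-nodes), so keep it private

# pfx_to_pem PFX PFX_PASSWORD OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem
pfx_to_pem() {
  mkdir -p "$3"
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3/key.pem"
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -out "$3/cert.pem"
}

# key_matches_cert KEY CERT: print "match" if both carry the same public key
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# pem_to_p12 KEY CERT STORE_PASSWORD OUT: step 4, alias "tomcat" as in the post
pem_to_p12() {
  openssl pkcs12 -export -in "$2" -inkey "$1" -name tomcat \
    -passout "pass:$3" -out "$4"
}

# p12_to_jks P12 STORE_PASSWORD JKS: step 5, same password for store and key
p12_to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$3" -deststorepass "$2" -destkeypass "$2"
}

# make_demo_pfx DIR PASSWORD: constructed stand-in for a Microsoft-exported .pfx
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lvn00021v.example" \
    -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
    -name "windows-friendly-name" -passout "pass:$2" -out "$1/lvn00021v.pfx"
}

if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_demo_pfx "$d" pfxsecret
  pfx_to_pem "$d/lvn00021v.pfx" pfxsecret "$d/out"
  [ "$(key_matches_cert "$d/out/key.pem" "$d/out/cert.pem")" = match ] || exit 1
  pem_to_p12 "$d/out/key.pem" "$d/out/cert.pem" changeit "$d/out/server.p12"
  command -v keytool >/dev/null && p12_to_jks "$d/out/server.p12" changeit "$d/out/keystore"
  echo "converted in $d/out"
fi
```

Run it with `--demo` to exercise the whole chain on the constructed .pfx; for a real file, call pfx_to_pem, key_matches_cert, pem_to_p12 and p12_to_jks in that order and stop if the check prints mismatch.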
