Wednesday, May 5, 2010

Letting Tomcat handle SSL requests

Most people use the apache2/mod_jk approach to do SSL offload/redirection to Tomcat contexts, but Tomcat has matured, and the benefits of dropping mod_jk and a possibly memory-hungry Apache are appealing.

This post shows how to take an EXISTING SSL key and certificate and import them into Tomcat.

First create a Tomcat keystore in /opt/csw/tomcat5/ssl (you'll need to mkdir ssl):

keytool -genkey -alias tomcat -keyalg RSA

Use the password "changeit"; this is the Tomcat default.

Put in any information; it would only be used if you were issuing a CSR.

I'm using a Godaddy.com CA, but substitute whichever CA you have:

Download Godaddy CA Cert for Signing from https://certs.godaddy.com/anonymous/repository.seam;jsessionid=A3D2CC1A02748C7AD01654BD5ED6D777.web002?streamfilename=gd-class2-root.crt&actionMethod=anonymous%2Frepository.xhtml%3Arepository.streamFile%28%27%27%29&cid=212695 and save it as godaddy.crt

Get the original .crt, .csr and .key files from the Apache2/mod_jk installation.

Then cat these files together in THIS order:

cat godaddy.crt www.website.com.key www.website.com.crt > ssl.pem

Then create a PKCS12 keystore (ssl.p12) from that bundle; this is the file Tomcat will load. When openssl prompts for an export password, use "changeit" so it matches the keystorePass configured below:

openssl pkcs12 -export -in ssl.pem -out ssl.p12 -name tomcat

The cert is now valid and correctly signed.

In Tomcat, change the SSL Connector on port 8443 in /opt/csw/tomcat5/conf/server.xml to this:

<Connector port="8443" keystoreFile="/opt/csw/tomcat5/ssl/ssl.p12" keystorePass="changeit" keystoreType="PKCS12"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

Restart Tomcat and test with https://server/manager/html

To stop Tomcat serving the default application on https://server (which is a security risk in itself), delete the tomcat5/webapps/ROOT directory and all should be okay.

Remember to choose a complex password for the "manager" role in Tomcat.
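As an added check (my own example, not code from the original post), the following Python script verifies the two artefacts built above: that ssl.pem holds its three PEM blocks in the order the cat command produced them, and that the 8443 Connector in server.xml carries the attributes shown, warning when keystorePass is still the keytool default. The sample bundle and server.xml are constructed stand-ins.

```python
"""Sanity checks for the ssl.pem bundle and the 8443 Connector in
server.xml.  Added example; the sample PEM and server.xml below are
constructed, not real key material or a real config."""
import re
import xml.etree.ElementTree as ET

# Order the post requires: CA cert, private key, then the server cert.
EXPECTED_ORDER = ["CERTIFICATE", "PRIVATE KEY", "CERTIFICATE"]
# Attributes the post's Connector must carry, with their expected values.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true",
            "sslProtocol": "TLS", "keystoreType": "PKCS12"}

SAMPLE_BUNDLE = (  # constructed stand-in for `cat godaddy.crt site.key site.crt`
    "-----BEGIN CERTIFICATE-----\nQ0EgY2VydCBib2R5\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\na2V5IGJvZHk=\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nc2VydmVyIGNlcnQ=\n-----END CERTIFICATE-----\n"
)
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" keystoreFile="/opt/csw/tomcat5/ssl/ssl.p12"
      keystorePass="changeit" keystoreType="PKCS12" SSLEnabled="true"
      scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""  # constructed minimal server.xml

def pem_block_types(pem_text):
    """Return the BEGIN labels of each PEM block, in file order."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)

def check_bundle(pem_text):
    """True when the bundle has CA cert, key, server cert in that order."""
    kinds = pem_block_types(pem_text)
    # Normalise 'RSA PRIVATE KEY' / 'PRIVATE KEY' to one label.
    kinds = ["PRIVATE KEY" if k.endswith("PRIVATE KEY") else k for k in kinds]
    return kinds == EXPECTED_ORDER

def check_connector(server_xml, port="8443"):
    """Return a list of problems found on the Connector bound to `port`."""
    root = ET.fromstring(server_xml)
    conns = [c for c in root.iter("Connector") if c.get("port") == port]
    if not conns:
        return [f"no Connector on port {port}"]
    a = conns[0].attrib
    problems = [f"{k}={a.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if a.get(k) != v]
    if not a.get("keystoreFile", "").endswith(".p12"):
        problems.append("keystoreFile should point at the PKCS12 file (ssl.p12)")
    if a.get("keystorePass") == "changeit":
        problems.append("keystorePass is still the keytool default 'changeit'")
    return problems
```

Run check_bundle on the real ssl.pem and check_connector on the real server.xml; an empty list from check_connector means the 8443 Connector matches the configuration above.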
