How to configure Tomcat to support SSL or https

A guide showing how to configure Tomcat 6.0 to support SSL, so that it accepts https connections.

1. Generate Keystore

First, use the “keytool” command to create a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate’s details.


$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  yong mook kim
What is the name of your organizational unit?
  //omitted to save space
  [no]:  yes

Enter key password for <mkyong>
        (RETURN if same as keystore password):
Re-enter new password:

$Tomcat\bin>

Here, you just created a keystore file named “mkyongkeystore”, located at “c:\”, which holds the self-signed certificate under the alias “mkyong”.

Certificate Details
You can use the same “keytool” command to list the details of the existing certificate:


$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5

$Tomcat\bin>

2. Connector in server.xml

Next, locate your Tomcat server configuration file at $Tomcat\conf\server.xml and add a connector element to it that supports SSL or https connections.

File : $Tomcat\conf\server.xml


 <!-- ... -->
 <!-- Define a SSL HTTP/1.1 Connector on port 8443
      This connector uses the JSSE configuration, when using APR, the
      connector should be using the OpenSSL style configuration
      described in the APR documentation -->

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="c:\mkyongkeystore"
            keystorePass="password" />
 <!-- ... -->
Note
keystorePass="password" is the password you assigned to your keystore via the “keytool” command.
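As an added example (not code from the original post), here is a small Python check that parses a server.xml like the one above and flags what a reviewer would look at: the HTTPS connector's scheme and secure attributes, the keystore file and password (the constructed sample keeps the post's keystorePass="password"), and whether the plain HTTP connector's redirectPort points at the SSL connector. The sample server.xml is constructed here and is not from any real server.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's configuration, including its
# keystorePass="password"; not a real file from any server.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\mkyongkeystore"
               keystorePass="password" />
  </Service>
</Server>"""

# "changeit" is the default Tomcat assumes when keystorePass is omitted;
# "password" is the value used in the post's snippet.
WEAK_KEYSTORE_PASSWORDS = {"changeit", "password"}


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every Connector; an empty list means clean."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    report = {}
    for conn in connectors:
        port, findings = conn.get("port"), []
        if port in ssl_ports:
            # The attributes the post sets on the HTTPS connector.
            if conn.get("scheme") != "https":
                findings.append('scheme should be "https"')
            if conn.get("secure", "").lower() != "true":
                findings.append('secure should be "true"')
            if not conn.get("keystoreFile"):
                findings.append("keystoreFile is missing")
            password = conn.get("keystorePass")
            if password is None:
                findings.append('keystorePass omitted, Tomcat assumes "changeit"')
            elif password in WEAK_KEYSTORE_PASSWORDS:
                findings.append("keystorePass is a well-known default value")
        elif conn.get("redirectPort") not in ssl_ports:
            # Plain HTTP connectors should send secured requests to the SSL port.
            findings.append("redirectPort does not point at an SSL connector")
        report[port] = findings
    return report
```

Run it against the sample and the only finding is the weak keystore password on port 8443; point it at your own server.xml by reading the file into a string.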

3. Done

Save it, restart Tomcat, and access https://localhost:8443/

[Screenshot: tomcat-ssl-configuration]

In this example, we are using Google Chrome to access the SSL site served by Tomcat, and you may notice a crossed-out icon before the https protocol :). This is caused by the self-signed certificate, which Google Chrome simply does not trust.

In a production environment, you should consider buying a certificate signed by a trusted SSL service provider such as VeriSign, or signing it with your own CA server.

Reference

  1. Tomcat 6: SSL Configuration HOW-TO

mkyong


Comments


Levan

Thanks again.

gopala krishna

Please help me out.

I have successfully created the certificate and
incorporated it in the server.xml file.

But I am unable to connect with https:\\localhost:8443;
I can with http:\\localhost:8080.

Priyatham

Your keystore and key passwords could be different. Change your key’s password to be the same as that of the keystore. It should work.

gopala krishna

Unable to connect to https:\\localhost:8443

I have successfully created the certificate and
incorporated it in the server.xml file.

But I am unable to connect with https:\\localhost:8443;
I can with http:\\localhost:8080.

ravi

step-1: I have created a war file of my project, the web.xml entry is Ganesha index.html index.htm index.jsp default.html default.htm default.jsp securedapp /* CONFIDENTIAL step-2: I have generated the key using keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet and put this file in C:\server.keystore step-3: server.xml entry is step-4: I deploy my war file in Tomcat and start the server, when I click my project in Tomcat manager my project url is: https://localhost:8443/Ganesha/ but the browser says: This webpage is not available The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a… Read more »

SnowFab

Hi, thanks for this post, it helped me a lot. My problem now is that the https connection is only addressable through the internal network and not by using the external IP (although I did a port-forwarding in the router settings for 8443 to my local IP). Any idea what might cause this? Thanks!

ravi

I have created a war file of my project, the web.xml entry is Ganesha index.html index.htm index.jsp default.html default.htm default.jsp securedapp /* CONFIDENTIAL I have generated the key using keytool -genkey -alias server -keypass changeit -keystore server.keystore -storepass changet and put this file in C:\server.keystore server.xml entry is I deploy my war file in Tomcat and start the server, when I click my project in Tomcat manager my project url is: https://localhost:8443/Ganesha/ but the browser says: This webpage is not available The webpage at https://localhost:8443/Ganesha/ might be temporarily down or it may have moved permanently to a new web address. Here… Read more »

Alaba

I installed Tomcat v7 and Eclipse, but in testing the installation the error I have is

“Server Tomcat v 7 at local host refused to start”
“Server instaces is not configured”

Kindly help.

Haris

Hi Mkyong,

Thanks for the sample, it was very helpful.

And I got an issue in Tomcat 7, when I used it on Windows 7.

Error in server start-up:
SEVERE: Failed to initialize end point associated with ProtocolHandler [“http-apr-8443”]

This was resolved by commenting out the following-

Haris

This was resolved by commenting out the following line-

Haris

This was resolved by commenting out the following line:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

vikram

Hi, I have an application and I can access it using http://localhost:8080/myApp and https://localhost:8443/myApp. However, I want to get rid of specifying 8080 or 8443 for http and https respectively. Especially for https, I want https://localhost/myApp to work and access myApp securely (using 8443) without showing the port in the url. How can I achieve this? I am using Tomcat 5.5.31. Please help.

SB

Hi Vikram,

I am sure you would have figured it by now. You can achieve this through Apache – Tomcat integration, Apache being the HTTP Web Server, which is accessible on port 80 (HTTP) or 443 (HTTPS). Internally, Apache will route the request to http://:8080/ or https:/// as the case may be.

vivek

It works fine when I start the server manually, but in Eclipse if I run any project it gives the error “data not found”. Any help?

SB

For the Eclipse Tomcat integration, try modifying the server.xml in the Eclipse Servers folder, and not in $TOMCAT_HOME/conf/server.xml

Eshan

It gives me an exception when I use protocol="HTTP/1.1" but works fine for protocol="org.apache.coyote.http11.Http11NioProtocol".

Also I am getting the Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when I try to use the cacerts from the security directory of jre but works fine for the self-signed certificate.

darwine

Hi, I have the same problem, have you solved this error?

Eshan

Yes I solved the problem by adding my certificate to the cacerts using the IBM KeyManager tool.

Muazzam

Hi everyone,
I have a typical case where Tomcat is running and I run the batch for stopping it. But the command prompt shows ‘stopping catalina services’, the port is not yet free, and when I run Tomcat a ‘Socket bind failed’ exception occurs.
Note: the stopping and starting of Tomcat is done programmatically through Java.

pallavi

I am getting “invalid server certificate” even though I have given the correct keystore password in the Tomcat SSL configuration.

Tony

Can one server have multiple instances of Tomcat running that are both configured for SSL? How does the second (or 3rd, or 4th) get configured?

SB

Excellent Article! Thanks to the author for taking the time out to compose it.

Very intuitive, and it has demystified essential SSL setup by using good old Tomcat. It has also worked fine on Tomcat 5.5.

Daniel Robertus

protocol="HTTP/1.1" didn't work. I changed it to protocol="org.apache.coyote.http11.Http11Protocol" and it works.

guest

This does not work.

Puri Jagan

For which tomcat version…?

Denis

+1

Sambhav

How can I restrict HTTPS to some applications / URL patterns hosted on my tomcat server?

Sambhav

http://www.mulesoft.com/tomcat-ssl

Another good reference.

Jack

I have built a web application on Struts 1.3.x and deployed it in Tomcat 7. Single Sign On is also deployed on top of Apache, and for communication mod_jk is also installed. I had set the timeout in Tomcat to 30 mins. SSL is also enabled.

Sometimes, while users are working, the application automatically logs out. Can you suggest what the solution may be? If you need any info then please do let me know.

I don’t want this post to be published any where.

Ashabasa

Hello

When I try to generate the key using: keytool -genkey -alias Myalias-keyalg RSA -keystore c:\Myfolder, I get to fill in all the needed information, but when I arrive at this part:
** Is CN=Loiane Groner, OU=home, O=home, L=Sao Paulo, ST=SP, C=BR correct?
[no]: yes **
it sends me back to filling in the user's full name, and it’s the same thing all over again.
Do you happen to know where the problem is?
Thank you!!

saurabh

Great, thanks!!
Your tutorials are really cool, simple and work out very well 🙂
Keep posting!

Himanshu Modi

Thanks, it was helpful.

To make https work with the above settings, the line below needs to be commented out

in server.xml

Himanshu Modi

The listener tag which needs to be commented out in server.xml is as follows:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Alex K

Storing keystore password in server.xml looks wrong. What would be more secure way to set it up?

Elio

Try using correct permissions on your filesystem, preventing other users from reading the file.

Bhaskar

Hi,

Will the application deployed in Tomcat still be accessible on Tomcat’s non-https port? By default the http port is 8080. So if we configure Tomcat for https on port 8443, will the application still be available on the http port 8080?

sagar borage

Yes, for sure, check it.
