How to Set up HTTPS SSL on Tomcat
Secure Your Web Apps: A Step-by-Step Guide to Enabling HTTPS/SSL on Apache Tomcat
Hello tech enthusiasts, and welcome back to Darren’s Tech Tutorials!
Apache Tomcat is the powerhouse open-source Java Servlet container that helps bring Java web applications to life. But running your application over standard HTTP leaves you vulnerable. To ensure data integrity, user trust, and overall security, we need to activate SSL/TLS, which gives us that crucial HTTPS connection.
In this comprehensive guide, we’re going to walk you through the surprisingly straightforward process of setting up HTTPS on your Tomcat server using a self-signed certificate. While we are demonstrating this tutorial on Windows, the commands and configuration steps are nearly identical if your Tomcat installation is running on Linux.
Let’s dive in and secure that server!
Why HTTPS on Tomcat Matters
Tomcat implements critical Java EE specifications (like Java Servlet and JSP), acting as a pure Java HTTP web server. By default, it runs on port 8080 (HTTP). When you implement SSL (Secure Sockets Layer), you encrypt the communication channel between the user’s browser and your Tomcat server. This is essential for protecting sensitive data like passwords and session tokens.
Using a self-signed certificate is perfect for development, testing, and internal environments where a commercial certificate isn’t necessary.
Step 1: Generating the Self-Signed Certificate using Java Keytool
The first step involves generating a secure certificate and storing it in a Java Keystore file. We use Java’s built-in utility, keytool, which is essential for managing cryptographic keys and certificates.
1. Navigate to the Java Bin Directory
To use the keytool utility, you must first navigate to the directory where the Java executable files reside. This is usually located within your JAVA_HOME environment variable.
# For Windows
cd %JAVA_HOME%\bin
# For Linux/macOS
cd $JAVA_HOME/bin
2. Run the Keytool Command
We will execute the following command to generate a new key pair (public and private keys) and store it in a file named tomcat.keystore. When prompted, remember the password you set, as you will need it later in the server.xml configuration!
Note: We recommend placing the resulting keystore file in a safe location, such as Tomcat's conf directory, after generation.
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore "C:\path\to\tomcat\conf\tomcat.keystore"
When you run this command, the utility will ask you several questions, including:
- The password for the keystore (e.g., changeit).
- Your first and last name (usually the server domain name, e.g., localhost).
- Your organizational unit, organization, city, state, and country code.
Once complete, your tomcat.keystore file is ready to secure your server!
Step 2: Configuring Tomcat Server for SSL
Now that we have our certificate, we need to tell Tomcat exactly where to find it and which port to use for secure connections. This configuration happens inside the main configuration file, server.xml.
1. Locate and Open server.xml
Navigate to your Tomcat installation directory and open the conf/server.xml file in a text editor.
2. Add the SSL Connector Configuration
Scroll down until you find the commented-out section for the SSL/TLS connector (usually configured to listen on port 8443).
You need to uncomment this block or add the following new <Connector> element. This configuration tells Tomcat to listen for HTTPS traffic on port 8443 and specifies the location and password for the keystore we just created.
Important: Make sure the keystoreFile path points exactly to where you saved the tomcat.keystore, and the keystorePass matches the password you set in Step 1.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/tomcat.keystore"
keystorePass="your_keystore_password" />
Pro Tip: While HTTP/1.1 is the default protocol, specifying org.apache.coyote.http11.Http11NioProtocol is often recommended for better performance with SSL on modern Tomcat versions.
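Before restarting, it is worth checking the connector the way a reviewer would. The Python script below is an added example, not code from the tutorial: it parses server.xml, finds every SSLEnabled connector, resolves a relative keystoreFile against $CATALINA_BASE (assumed to be /opt/tomcat in the demo), and flags a missing keystore, a placeholder or well-known default keystorePass, and an sslProtocol that names SSL rather than TLS. The embedded server.xml is constructed and contains the tutorial's connector exactly as written above.

```python
import os
import xml.etree.ElementTree as ET

# Passwords that must not survive into a real deployment: the tutorial's
# placeholder, the JDK default that many guides suggest, and an empty value.
PLACEHOLDER_PASSWORDS = {"your_keystore_password", "changeit", ""}

def audit_ssl_connectors(server_xml_text, catalina_base, isfile=os.path.isfile):
    """Return (port, finding) tuples for every <Connector SSLEnabled="true">.
    Relative keystoreFile paths resolve against catalina_base ($CATALINA_BASE);
    `isfile` is injectable so the check can run without a real keystore."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append((port, "scheme/secure should be https/true"))
        keystore = conn.get("keystoreFile")
        if not keystore:
            findings.append((port, "keystoreFile attribute missing"))
        else:
            path = keystore if os.path.isabs(keystore) else os.path.join(catalina_base, keystore)
            if not isfile(path):
                findings.append((port, "keystoreFile not found: " + path))
        if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append((port, "keystorePass is a placeholder or well-known default"))
        if conn.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append((port, "sslProtocol names obsolete SSL instead of TLS"))
    return findings

# Constructed sample: the default HTTP connector plus the tutorial's HTTPS
# connector copied verbatim, i.e. with the placeholder password still in place.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/tomcat.keystore"
               keystorePass="your_keystore_password" />
  </Service>
</Server>"""

if __name__ == "__main__":
    base = os.environ.get("CATALINA_BASE", "/opt/tomcat")  # assumed install path
    for port, finding in audit_ssl_connectors(SAMPLE_SERVER_XML, base):
        print(f"port {port}: {finding}")
```

Run it against your real conf/server.xml by reading the file into audit_ssl_connectors; an empty result means the connector is consistent with what Step 1 produced.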
Step 3: Restarting and Verifying the HTTPS Connection
With the configuration saved, we are just one step away from running securely!
1. Restart Tomcat
You must restart your Tomcat service for the changes in server.xml to take effect. If you are running Tomcat via the command line, simply stop the process and restart it. If you are running it as a service, use the Windows Services manager or your Linux service management tools (systemctl restart tomcat).
2. Test the Secure Connection
Once Tomcat is back up, open your web browser and navigate to the HTTPS address using port 8443:
https://localhost:8443
Because we are using a self-signed certificate (one not issued by a globally trusted Certificate Authority), your browser will display a security warning (e.g., “Your connection is not private”). This is normal! Simply click through the warning to proceed. You will now see your Tomcat landing page, confirming that your secure connection is active. Look for the padlock icon (or lack thereof, depending on the browser’s warning about the untrusted cert) and verify you are communicating over port 8443.
Need all the commands in one place? You can find all the code snippets and detailed commands used in this tutorial on Darren’s website: https://darrenoneill.eu/?p=772
Wrapping Up and Securing the Future
And there you have it! You’ve successfully configured Apache Tomcat to use HTTPS with a self-signed certificate. This is a crucial skill for any developer or administrator managing Java web applications, ensuring your development environment is as secure as possible.
Remember, while a self-signed certificate is perfect for testing, you must transition to a CA-issued certificate (like those from Let’s Encrypt or commercial vendors) when moving to a production environment.
If this guide helped you secure your server, make sure to like this blog post and subscribe to the Darren’s Tech Tutorials YouTube channel for more clear, actionable guides on development and system administration! We love hearing from you, so leave a comment below with your questions or successes! Happy coding!