A Step-By-Step Guide to Securing a Tomcat Server With LetsEncrypt SSL Certificate
by CIRT Team
Secure Socket Layer (SSL) is a protocol that secures communication between a client and a server by encrypting the data in transit and authenticating the parties with certificates.
If you're using Apache Tomcat as the server for your web application, chances are that at least some of the data you handle is sensitive, and SSL is an easy way to give your users that protection. But the configuration process, and SSL itself, can be confusing for first-time users.
There are many CAs from which you can get a certificate, but almost all of them charge for it. With Let's Encrypt you can get a valid SSL certificate for your domain at no cost.
This guide breaks down the messy process of installing an SSL certificate on a Tomcat server into easily understandable pieces:
Step 1 — Prerequisites
Before starting work on this task, I assume you already have:
- A running CentOS system with shell access and sudo privileges.
- A domain name registered and pointed to your server's public IP address. For this tutorial we use example.com and www.example.com, both pointed to our server.
- A recent version of Java installed.
- A recent version of Tomcat installed.
- Ports 80 and 8443 open in your firewall.
- OpenSSL installed.
Step 2 — Install Certbot
The certbot package is provided by EPEL. If the EPEL repository is not installed on your system, you can install it using the following command:
sudo yum install epel-release
Once the EPEL repository is enabled, install the certbot package by typing:
sudo yum install certbot
If you have an active firewall, e.g. firewalld, open the HTTPS port on the firewall.
# firewall-cmd --add-service https --permanent
# firewall-cmd --reload
Note that the https service opens port 443, while the Tomcat connector configured in Step 5 listens on 8443, so also open that port (firewall-cmd --add-port=8443/tcp --permanent) unless you forward 443 to it. Port 80 must also be reachable from the Internet, because the standalone certbot mode in the next step answers the CA's validation request there.
Step 3 — Generate a key pair and get a certificate for the domain using Certbot
Once Let's Encrypt (the CA) has verified that you control the domain, the SSL certificate is issued. To generate a key pair and obtain a certificate for it, run the following command. Certbot names the certificate directory after the first domain given with -d, so list the bare domain first to get the /etc/letsencrypt/live/example.com path used in the rest of this guide:
sudo certbot certonly --standalone -d example.com -d www.example.com
If everything goes well, the new certificate and key are written to the location below. Change to that directory and list the files.
cd /etc/letsencrypt/live/example.com
ls
The directory contains:
cert.pem (your server certificate)
chain.pem (the intermediate certificate(s) of the CA)
fullchain.pem (cert.pem followed by chain.pem; this is what servers should present)
privkey.pem (the private key; keep it readable by root only)
Step 4 — Convert keypair + certificate to Java Keystore
First, create a PKCS12 file that contains both your full chain and your private key. OpenSSL is required for this step; it will prompt you for an export password, which you will pass to keytool as -srcstorepass below.
openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
-in /etc/letsencrypt/live/example.com/fullchain.pem \
-inkey /etc/letsencrypt/live/example.com/privkey.pem \
-name tomcat
Then convert that PKCS12 file to a JKS using Java's keytool:
keytool -importkeystore \
-deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
-srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
-alias tomcat
Replace samplePassword with your own password. The -srcstorepass value must match the export password you entered for openssl; the -deststorepass value is what Tomcat will be given as keystorePass in the next step.
Step 5 — Configure Tomcat with the Java Keystore
Now open Tomcat's server.xml file:
# vim /etc/tomcat/conf/server.xml
Ensure the default HTTP connector is commented out:
<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
Configure the connector to use a shared thread pool. The executor it refers to must exist: uncomment the <Executor name="tomcatThreadPool" .../> element that the default server.xml ships commented out, otherwise Tomcat will fail to start.
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
Next, define the SSL HTTP/1.1 connector on port 8443. Older guides use the blocking org.apache.coyote.http11.Http11Protocol connector, which was removed in Tomcat 8.5; the NIO connector below works on all current versions.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/tmp/example.com.jks"
keystorePass="samplePassword"
clientAuth="false" sslProtocol="TLS" />
Two things to fix before going to production: /tmp is world-readable and is emptied on reboot, so move the keystore to a directory that only root and the tomcat user can read (for example /etc/tomcat) and point keystoreFile there; and because server.xml now holds the keystore password in plain text, make sure it is not readable by other users.
With the above configuration, redirectPort tells Tomcat to send HTTP requests on 8080 to HTTPS on 8443. The redirect happens automatically for every URL that the application protects with a security-constraint whose transport-guarantee is CONFIDENTIAL in its web.xml; requests to unprotected URLs are still served over plain HTTP.
Now stop and start Apache Tomcat, and you are done.
Your Tomcat server, along with every application that runs on it, is now served over SSL.
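One caveat a practitioner will run into: Let's Encrypt certificates are valid for 90 days, and while certbot renews the PEM files in /etc/letsencrypt/live on its own, Tomcat keeps reading the JKS you built in Step 4, so Steps 4 and 5 have to be repeated after every renewal. The script below is an added example, not part of the original guide or of certbot or Tomcat; it automates those steps as a certbot deploy hook (certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal and exports RENEWED_LINEAGE to them). It assumes a tomcat system group, a systemd unit named tomcat, and the KEYSTORE_DIR, KEYSTORE_PASS and TOMCAT_SERVICE settings shown, all of which are site choices, and it writes the keystore under /etc/tomcat rather than /tmp for the reasons given above.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from the original guide):
# rebuilds the PKCS12 and JKS from a renewed Let's Encrypt lineage and
# restarts Tomcat so it stops serving the expired certificate.
# Assumed site settings: KEYSTORE_DIR, KEYSTORE_PASS, TOMCAT_SERVICE, group "tomcat".
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-/etc/tomcat}"       # not /tmp: world-readable, wiped on reboot
KEYSTORE_PASS="${KEYSTORE_PASS:-samplePassword}"  # placeholder, replace with your password
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"        # assumed systemd unit name
ALIAS="tomcat"

# Lineage name from its directory, e.g. /etc/letsencrypt/live/example.com -> example.com
lineage_name() {
    basename "$1"
}

# Keystore path for a lineage directory, e.g. /etc/tomcat/example.com.jks
keystore_path() {
    printf '%s/%s.jks\n' "$KEYSTORE_DIR" "$(lineage_name "$1")"
}

# Succeeds only if the lineage holds both files the conversion needs
lineage_complete() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Steps 4 and 5 of the guide, automated: PEM -> PKCS12 -> JKS, installed with tight permissions
build_keystore() {
    lineage="$1"
    p12="$(mktemp)"                      # temporary PKCS12 (mode 0600), removed below
    jks="$(keystore_path "$lineage")"
    openssl pkcs12 -export -out "$p12" \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$ALIAS" -passout "pass:$KEYSTORE_PASS"
    rm -f "$jks.new"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore "$jks.new" -deststorepass "$KEYSTORE_PASS" -destkeypass "$KEYSTORE_PASS" \
        -alias "$ALIAS"
    rm -f "$p12"
    chown root:tomcat "$jks.new" && chmod 640 "$jks.new"   # readable by root and the tomcat group only
    mv -f "$jks.new" "$jks"                                 # atomic swap of the live keystore
}

# Entry point used by certbot; does nothing when RENEWED_LINEAGE is unset (e.g. when sourced)
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_complete "$RENEWED_LINEAGE" || { echo "incomplete lineage: $RENEWED_LINEAGE" >&2; exit 1; }
    build_keystore "$RENEWED_LINEAGE"
    systemctl restart "$TOMCAT_SERVICE"
fi
```

Point keystoreFile in server.xml at the path keystore_path prints for your lineage, and test the hook once with a forced renewal before relying on it.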
———————————————————————-
Mahdi Mashrur Matin, CA Manager, BGD e-GOV CIRT