By default Tomcat gets installed with HTTP only and a number of default applications. Previously I linked documents on how to secure Tomcat, but put simply: delete the folders under webapps that you don't need for your application, so you pretty much get left with manager in there. If you keep manager, remember it does nothing until you give a user the manager-gui role in conf/tomcat-users.xml, and it is worth limiting to administrator addresses; if you will not use it, delete that folder too.
My next step was to try to figure out how to get the connection changed from HTTP to HTTPS and apply a valid certificate to the connection.
In order to run Tomcat you need Java installed. This post uses a full JDK, installed with the defaults, and you must then have a %JAVA_HOME% environment variable set to point to the JDK location. (Strictly, Tomcat itself only needs a JRE, in which case the service scripts look for %JRE_HOME% instead, and keytool ships with both; a JDK is simply the more convenient choice here.)
Rather than running an installer I copied the zip file to my server and extracted the files into c:\tomcat. This way I can control access to that location more directly and alter the service as required.
Install the Tomcat service by running bin\service.bat install, which creates the default Tomcat service. After the service is installed, create a local user called tomcatsvc, change the service to log on as this new user (the account needs the "Log on as a service" right; services.msc grants it automatically, sc.exe does not) and give the user read access to c:\tomcat, with write access only where Tomcat actually has to write: logs, temp and work (plus webapps if you deploy through the manager). This way, if the Tomcat service is compromised, the attacker holds a low-privilege local user rather than an administrator, and cannot rewrite Tomcat's own binaries or configuration.
Make sure this service starts before you continue changing the config. At least at this point you should have a known good and working system.
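The service set-up above, scripted end to end. This is an added example, not a script from the original post: it assumes Tomcat 7 extracted to C:\tomcat, that service.bat registers the service under the name Tomcat7 (Tomcat 8 uses Tomcat8), and PowerShell 5.1 or later for New-LocalUser; run it from an elevated prompt.

```powershell
# Added example (not from the original post): install the Tomcat service and run it as a
# dedicated low-privilege local account, then apply least-privilege ACLs to the install.
# Assumptions: Tomcat 7 extracted to C:\tomcat, service name "Tomcat7", PowerShell 5.1+.
$tomcatHome  = 'C:\tomcat'
$serviceName = 'Tomcat7'        # service.bat install names the service after the major version
$svcUser     = 'tomcatsvc'

# 1. Register the service (service.bat reads JAVA_HOME / JRE_HOME from the environment).
& "$tomcatHome\bin\service.bat" install $serviceName
if ($LASTEXITCODE -ne 0) { throw 'service.bat install failed' }

# 2. Create the local account. The password is prompted for, never written into the script.
$password = Read-Host -Prompt "Password for $svcUser" -AsSecureString
New-LocalUser -Name $svcUser -Password $password -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'Apache Tomcat service account' | Out-Null
# Sanity check: the service account must NOT be a member of Administrators.
if (Get-LocalGroupMember -Group 'Administrators' -Member $svcUser -ErrorAction SilentlyContinue) {
    throw "$svcUser must not be an administrator"
}

# 3. Make the service log on as that account. Win32_Service.Change needs the plaintext
#    password, but passing it through CIM keeps it off the command line (unlike
#    "sc.exe config ... password=", which shows up in process listings).
$plain = (New-Object PSCredential $svcUser, $password).GetNetworkCredential().Password
$svc   = Get-CimInstance Win32_Service -Filter "Name='$serviceName'"
$res   = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartName = ".\$svcUser"; StartPassword = $plain }
if ($res.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($res.ReturnValue)" }
# CIM does not grant "Log on as a service"; grant it under Local Security Policy >
# User Rights Assignment (or set the account once through services.msc) before starting.

# 4. Least-privilege ACLs: read/execute on the whole install, modify only where Tomcat writes.
#    /inheritance:r strips inherited ACEs, so Administrators and SYSTEM are re-granted explicitly.
icacls $tomcatHome /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "$($svcUser):(OI)(CI)RX" | Out-Null
foreach ($dir in 'logs', 'temp', 'work') {           # add 'webapps' only if deploying via manager
    icacls "$tomcatHome\$dir" /grant:r "$($svcUser):(OI)(CI)M" | Out-Null
}

# 5. Start it and confirm it is running as the new account.
Start-Service $serviceName
Get-CimInstance Win32_Service -Filter "Name='$serviceName'" | Select-Object Name, State, StartName
```

The last line should report State Running and StartName .\tomcatsvc; if the service fails to start with a logon failure, the missing piece is almost always the "Log on as a service" right.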
As Tomcat uses Java for its certificate handling there is one tool you need to get your head around, and that is keytool; you'll find it under the bin folder of your %JAVA_HOME%. keytool allows you to create keystores and keys, import and export certificates, create CSRs, etc.
One important thing to realise is that Java has its own keystore format: it doesn't use the Windows certificate store and it doesn't use the Linux one*. Java comes with a public keystore that contains the well-known CA certificates. This is a single file called cacerts under the lib\security folder of the Java installation.
* Not strictly true (see the Windows keystore section at the end), but for the purposes of this post let's assume not.
You can list the contents of the cacerts file using:
c:\> %JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%\lib\security\cacerts
(With %JAVA_HOME% pointing at a JDK 8 or earlier, the JRE is nested inside it and the file is at %JAVA_HOME%\jre\lib\security\cacerts.)
You’ll need to specify the default password for the file which is
We could use this file for Tomcat and add our own keys and certificates to it, but let's create our own file and secure it using our own password. Also put it in a place we know is going to remain constant rather than under the ever changing %JAVA_HOME%, which moves with every update.
If you ever tear down Tomcat and Java, e.g. to install new versions, at least you'd still have the necessary keys and certificates if you keep them in a separate folder. It also keeps your server's private key out of the trust store that every Java process on the machine reads.
Create a New Store with a New Private Key
First thing to do is create a private key (keytool also generates a self-signed placeholder certificate for it, which the CA-signed one will replace later):
c:\> keytool -genkey -keyalg RSA -keysize 2048 -alias [myserver] -keystore [c:\certs\keystore.jks] -ext san=dns:[myserver.domain.local],dns:[myserver]
Specify your own password for the file and give all the details for the certificate as per other certificates, using the FQDN as the CN. Note the -ext san= part. This is so we can end up with a certificate that has both a valid alias AND a valid FQDN in the Subject Alternative Name, which is what browsers actually check the host name against.
Generate a CSR to Submit to the CA
In order to get a valid certificate we need to send a CSR to the CA server so we get back a signed certificate.
c:\> keytool -certreq -alias [myserver] -keystore [c:\certs\keystore.jks] -file [c:\certs\myserver.csr] -ext san=dns:[myserver.domain.local],dns:[myserver]
Note that -san is not a keytool option; the SAN goes in through -ext exactly as for -genkey, and it has to be repeated here because -certreq does not copy extensions from the existing key entry into the request.
Then submit your CSR file to the CA server. If you're using a Windows CA you can visit https://caserver/certsrv, submit the request and download your new certificate in Base64 format; download the certificate chain as a p7b. Before going further, open the issued certificate and confirm it actually carries the Subject Alternative Name: a Windows CA only keeps a SAN from the CSR when the template has the subject name supplied in the request (the Web Server template does). Don't work around a stripped SAN by switching on EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA, as that lets any requester ask for a certificate in any name.
Import your Certificate into the Keystore
c:\> keytool -import -alias [myserver] -keystore [c:\certs\keystore.jks] -file [certnew.p7b]
By importing the p7b under the same alias as the key, you replace the self-signed placeholder with the signed chain, so the keystore will also include your CA server certificate. keytool has to be able to build a complete chain back to a root it trusts; if the p7b does not contain the root, add -trustcacerts so it can take it from cacerts. Verify with keytool -list -v -keystore [c:\certs\keystore.jks]: the alias should show as a PrivateKeyEntry with a certificate chain length of 2 or more, and the SAN should list both names.
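The three keytool steps above, as one script with the checks that catch the usual mistakes (SAN missing, chain not imported, key entry replaced by a bare certificate). This is an added example rather than the post's own commands: it assumes %JAVA_HOME% is set, the keystore lives in C:\certs, the host is myserver.domain.local with short name myserver, and the CA's Base64 PKCS#7 chain has been saved as C:\certs\certnew.p7b.

```powershell
# Added example (not from the original post): create the keystore and key pair with a SAN,
# generate the CSR, import the CA's PKCS#7 chain and verify the result.
# Assumptions: JAVA_HOME set; C:\certs; alias/short name myserver; FQDN myserver.domain.local;
# the CA's reply saved as C:\certs\certnew.p7b.
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$certDir  = 'C:\certs'
$keystore = Join-Path $certDir 'keystore.jks'
$alias    = 'myserver'
$fqdn     = 'myserver.domain.local'
$san      = "SAN=dns:$fqdn,dns:$alias"      # the same extension goes on the key pair and the CSR
if (-not (Test-Path $certDir)) { New-Item -ItemType Directory -Path $certDir | Out-Null }

# The keystore password is prompted for once and passed to each keytool call. It is visible
# in that process's argument list while keytool runs (on a box you administer), never on disk.
# Tomcat uses one password for store and key, so the key password is set to the same value.
$storePass = (New-Object PSCredential 'x', (Read-Host -Prompt 'Keystore password' -AsSecureString)).GetNetworkCredential().Password

# 1. Key pair: 2048-bit RSA, SHA-256 signed placeholder cert, CN = FQDN, SAN = both names.
#    -genkeypair is the current name for the older -genkey.
& $keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname "CN=$fqdn, OU=IT, O=Example Ltd, C=GB" -ext $san -validity 365 `
    -keystore $keystore -storepass $storePass -keypass $storePass
if ($LASTEXITCODE -ne 0) { throw 'key generation failed' }

# 2. CSR. The SAN must be given again: -certreq does not copy extensions from the key entry.
$csr = Join-Path $certDir "$alias.csr"
& $keytool -certreq -alias $alias -ext $san -file $csr -keystore $keystore -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }
Write-Host "Submit $csr to the CA and save the Base64 PKCS#7 chain as $certDir\certnew.p7b"

# 3. Import the signed chain under the SAME alias so it replaces the placeholder certificate.
#    -trustcacerts lets keytool complete the chain from cacerts if the p7b lacks the root.
$p7b = Join-Path $certDir 'certnew.p7b'
if (Test-Path $p7b) {
    & $keytool -importcert -trustcacerts -noprompt -alias $alias -file $p7b -keystore $keystore -storepass $storePass
    if ($LASTEXITCODE -ne 0) { throw 'chain import failed' }

    # 4. Verify: still a PrivateKeyEntry (a wrong alias would create a trustedCertEntry instead),
    #    chain length of at least 2, and the SAN carrying the FQDN.
    $listing = (& $keytool -list -v -alias $alias -keystore $keystore -storepass $storePass) | Out-String
    if ($listing -notmatch 'PrivateKeyEntry')                          { throw "$alias is not a private key entry" }
    if ($listing -notmatch 'Certificate chain length: ([2-9]|\d{2,})') { throw 'signed chain was not imported' }
    if ($listing -notmatch [regex]::Escape("DNSName: $fqdn"))          { throw 'certificate is missing the FQDN in its SAN' }
    Write-Host "Keystore OK:`n$listing"
}

# 5. Only administrators and the Tomcat service account may read the keystore; the service gets read only.
icacls $certDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'tomcatsvc:(OI)(CI)R' | Out-Null
```

Run it once to produce the CSR, then again after certnew.p7b is in place to import and verify; the -validity on the placeholder is irrelevant once the CA-issued certificate replaces it.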
Configuring Tomcat to use HTTPS
By default your Tomcat install will be listening on TCP port 8080. Now we want HTTPS we'll be adding TCP port 8443 to the server. Most of the config is already done for you and just needs uncommenting in the config file: open conf/server.xml and search for the Connector port="8443" section. Remove the XML comment markers (<!-- and -->) from around the section and make changes so it has these settings:
protocol="org.apache.coyote.http11.Http11NioProtocol" keystoreFile="[C:/certs/keystore.jks]" keyAlias="[myserver]" keystorePass="[password]" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Note the additions for keystoreFile, keyAlias and keystorePass. For the keystoreFile on Windows you must reverse the slashes: replace backslashes with forward slashes. Two points the default comment in server.xml does not make obvious. First, keystoreFile and keystorePass are attributes of the JSSE connector; with the Windows zip, which ships tcnative-1.dll, a bare protocol="HTTP/1.1" can silently select the APR/native connector instead, which expects SSLCertificateFile and friends, so pin the protocol as above. Second, for the JSSE connector the attribute is lower-case sslProtocol="TLS" (the name of the JSSE context) and sslEnabledProtocols lists the versions actually offered; the capitalised SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" form is the APR connector's syntax and is not understood by the JSSE one. If nothing you must support is older than TLS 1.2, set sslEnabledProtocols="TLSv1.2". Finally, keystorePass sits in server.xml in clear text, so restrict read access on that file to administrators and the service account.
One other thing to add to this is the list of cipher suites you want to offer. The list below is what this post used; note that the two TLS_RSA_* suites use a static RSA key exchange with no forward secrecy, so on a JVM that supports them (Java 8 or later) prefer the ECDHE suites, add their AES-GCM variants, and drop the TLS_RSA_* entries.
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256"
Note: There are some subtle differences between Tomcat 7 and 8. The examples above are for Tomcat 7. For Tomcat 8 the JSSE connector takes the same sslProtocol="TLS" (the attribute has the same lower-case name in Tomcat 7's JSSE connector). Also the ciphers list can be given in the OpenSSL style, like
Make sure your Tomcat service user (tomcatsvc) has permission to read the certificate directory and the keystore file in it. Read is all it needs; do not grant it write access there.
Restart the Tomcat service and you should now find you can access Tomcat using HTTPS from your browser on port 8443. Check that the browser shows the certificate as trusted, with no name mismatch, and that the chain ends at your CA. Once HTTPS works, don't leave plain HTTP on 8080 as an alternative path into the same applications: comment that connector out unless something still needs it.
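The connector change, the permission fix and the check after restart, scripted, as an added example that is not from the original post. It edits conf/server.xml as XML rather than by hand, restarts the service, then opens a TLS 1.2 connection from the client side and reports what was negotiated and which names the certificate presents. It assumes C:\tomcat, C:\certs\keystore.jks with alias myserver, service name Tomcat7 and host name myserver.domain.local; the cipher list is a suggested forward-secrecy-first set, not the one in the post, and the whole thing expects the stock server.xml with its single Catalina Service.

```powershell
# Added example (not from the original post): add the 8443 JSSE connector to server.xml,
# lock down the file, restart Tomcat and verify the handshake from the outside.
# Assumptions: C:\tomcat, C:\certs\keystore.jks (alias myserver), service "Tomcat7",
# FQDN myserver.domain.local, stock server.xml with one <Service name="Catalina">.
$serverXml = 'C:\tomcat\conf\server.xml'
$fqdn      = 'myserver.domain.local'
$storePass = (New-Object PSCredential 'x', (Read-Host -Prompt 'Keystore password' -AsSecureString)).GetNetworkCredential().Password

Copy-Item $serverXml "$serverXml.bak"          # keep the known-good copy
[xml]$doc = Get-Content $serverXml -Raw
$service  = $doc.Server.Service                # the single Catalina service in the stock file

# JSSE connector attributes (Tomcat 7 / 8.0). The protocol is pinned to NIO so the APR
# connector cannot be picked up by accident; sslEnabledProtocols is what restricts versions.
$attrs = [ordered]@{
    port                = '8443'
    protocol            = 'org.apache.coyote.http11.Http11NioProtocol'
    SSLEnabled          = 'true'
    scheme              = 'https'
    secure              = 'true'
    clientAuth          = 'false'
    sslProtocol         = 'TLS'
    sslEnabledProtocols = 'TLSv1.2'
    # suggested list: ECDHE (forward secrecy) first, GCM before CBC, no static RSA suites
    ciphers             = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    keystoreFile        = 'C:/certs/keystore.jks'   # forward slashes, as the post says
    keystorePass        = $storePass
    keyAlias            = 'myserver'
}
$connector = $doc.CreateElement('Connector')
foreach ($a in $attrs.GetEnumerator()) { $connector.SetAttribute($a.Key, $a.Value) }
$service.InsertBefore($connector, $service.Engine) | Out-Null   # alongside the other connectors
$doc.Save($serverXml)

# server.xml now holds the keystore password: admins, SYSTEM and the service account only.
icacls $serverXml /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' 'tomcatsvc:(R)' | Out-Null

Restart-Service Tomcat7

# Client-side verification. AuthenticateAsClient throws if the chain does not validate, the
# name does not match the SAN, or (with revocation checking on) the CA's CRL is unreachable,
# each of which is something you want to know now rather than from a user.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 8443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
[pscustomobject]@{
    Protocol = $ssl.SslProtocol
    Cipher   = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
    KeyEx    = $ssl.KeyExchangeAlgorithm
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    SAN      = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
}
$ssl.Dispose(); $tcp.Close()
```

Expect Protocol Tls12, KeyEx ECDiffieHellman and a SAN line listing both names; if KeyEx comes back RsaKeyX the JVM fell back to a static RSA suite and the ECDHE suites are not available on that Java version.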
Using the Windows Keystore
Not tested, but it looks like you can use the Windows certificate store through Java's SunMSCAPI provider. However, the certificate and key must reside in the "Personal" store of the user account running Tomcat, which may not be much help if you're using machine certificates. keystoreFile is set to an empty string because the JSSE default is a .keystore file in the user's home directory, which does not apply to a Windows-My store.
keyAlias="[myserver]" keystoreFile="" keystoreType="Windows-My"
By default the