Thursday, 3 January 2013

Using self-signed certificate in Tomcat for secure connection

For one of our in-house applications (running on Tomcat), I had to implement SSL. All the communications to that application must be secure, as the application will store some sensitive information. As we are going to use this application inside our organization, so I had decided to deploy self-signed certificate instead of paying money and buying certificate from some CA.

Step 1: Generate self-signed certificate

Creating self-signed certificate is very easy, and I am going to use the keytool program which comes with JDK. Using keytool I will create a keystore file to store the server's private key and self-signed certificate.
root@pranabs:~# keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/conf/.keystore -validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  MY CA
What is the name of your organizational unit?
  [Unknown]:  Development
What is the name of your organization?
  [Unknown]:  M Ltd.
What is the name of your City or Locality?
  [Unknown]:  Pune
What is the name of your State or Province?
  [Unknown]:  Maharashtra
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=MY CA, OU=Development, O=M Ltd., L=Pune, ST=Maharashtra, C=IN correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):

-genkey: Generates a key pair (a public key and associated private key). Wraps the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.
-alias: All keystore entries (key and trusted certificate entries) are accessed via unique aliases.
-keyalg: specifies the algorithm to be used to generate the key pair.
-keystore: keytool command creates a new keystore file, in the home directory of the user under which the command was run, and named it as .keystore. To specify a different location or filename, the –keystore parameter is used.
-validity: It specifies the number of days for which the certificate should be considered valid.
When we run the command, we will first be prompted for the keystore password. Enter the password for the keystore. This password we have to specify in tomcat’s server.xml file.
Next we have to enter general information about the Certificate, such as company, contact name, and so on. Later if somebody access some secure page, he/she can view these information of the certificate. Here we have to make sure that the information that we entered are acceptable by our users.
Finally, we have to enter the key password, this password is for the certificate that we are generating. Here we must enter the same password as we entered for the keystore password (this is a tomcat restriction).

Step 2: Edit tomcat configuration file

Here we are going to configure tomcat’s https connector. Open tomcat’s server.xml configuration file. In my config file tomcat is configured to use port 80 (tomcat default 8080) for http connection and port 443 (tomcat default 8443) for https connection. In https connector, specify the keystoreFile and keystorePass attributes.
# pico /usr/local/tomcat/conf/server.xml
<Connector port="80" protocol="HTTP/1.1"
               redirectPort="443" />

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat/conf/.keystore"  keystorePass="xxxxxxxx"    />

Save the file.

Step 3: Configure Tomcat to redirect HTTP requests to HTTPS.

Edit the web.xml file of the application
#pico /usr/local/tomcat/webapps/myapp/WEB-INF/web.xml
and add the following lines:

<web-app ……….>


Save the file and restart tomcat. That’s it and we are done, our application is now secured Smile.