SSL enabling in Tomcat Windows server - windows

I want to enable https on my website which is on a Windows Server 2008 and tomcat 7.
I have the following files from a certificate website: .ca, .crt, .pem, .csr, .pkcs
I know that I have to add the following to Tomcat's server.xml:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/Tomcat/keystore.jks"
keystorePass="password" />
How do I get that .jks from those files?

Convert your .pem to a .jks: see https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html

If you're using the newest version of Tomcat 7, you can install the certificate into the Windows certificate store (Certificate Manager) and refer to it in server.xml. This way you don't need to worry about having the SSL certificate and the passphrase on the physical disk.
To install the cert in Certificate Manager, double-click the certificate .pfx file and follow the wizard steps. You can extract the .pfx (refer to https://www.sslshopper.com/article-most-common-openssl-commands.html?jn554906de).
This feature is available in Tomcat version 7.0.52 or above.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<common name of the cert>"
keystoreFile=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />

How to configure tomcat for https when you already setup https in application level

There are thousands of articles on how to set up HTTPS either in Tomcat or at the application level in your Spring Boot application. But I didn't find a way to configure Tomcat for an application that has already configured HTTPS.
I've already set up my Spring Boot application to run on HTTPS by configuring these properties:
server.port=7070
server.ssl.enabled=true
server.ssl.key-store-password=my_password
server.ssl.key-store-type=PKCS12
server.ssl.key-store=keystore-path
server.ssl.key-alias=key_alias
And it works perfectly when I run it from my IDE (IntelliJ); it serves on https://localhost:7070 on my machine.
On the other hand, when I deploy my app into Tomcat, it runs on the port of Tomcat which is defined in the server.xml connector, for instance:
<Connector port="7071" protocol="HTTP/1.1" connectionTimeout="20000" />
By doing so, the connector port in Tomcat overrides the port number in application.properties.
So if I want to run my application over HTTPS in Tomcat, the documentation says I need to define a new connector, for example:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
or
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
But in these ways, I have to configure my keystore, password, alias, and ... again in my Tomcat.
I'm wondering, is there any other way around configuring my keystore, password and ... again in Tomcat?
No, there is no other way around it. The server.* properties are only applied when running the application in an embedded container. When deploying to an existing Tomcat instance, they are not used.

GZIP not working for Apache tomcat

Apache Tomcat (8.0.36)
1. I have added a .htaccess file in the root, but it is still not working.
2. I have added the following code in server.xml:
<Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,
text/xml,text/plain,text/javascript,text/css,application/json"/>
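Two things worth knowing before debugging the configuration above: a .htaccess file is read by Apache httpd only, Tomcat ignores it entirely, and a Tomcat connector applies several checks (Accept-Encoding from the client, compressionMinSize, compressableMimeType, noCompressionUserAgents) before it gzips anything. The following is an added example, not part of the original question or of Tomcat itself: a simplified Python model of those documented checks, fed with the connector attributes from the question, so that for a given request/response pair you can see which check fails. The DEFAULT_MIME_TYPES value and the probe() helper are assumptions of this example.

```python
"""Simplified model of the checks a Tomcat HTTP connector makes before it gzips
a response, following the connector attributes documented for compression,
compressionMinSize, compressableMimeType and noCompressionUserAgents. It is not
Tomcat's own code; it exists to show which check a "not working" case fails."""
import re
import urllib.request
from typing import Dict, Optional, Tuple

# The connector attributes from the question above.
CONNECTOR = {
    "compression": "on",
    "compressionMinSize": "2048",
    "noCompressionUserAgents": "gozilla, traviata",
    "compressableMimeType": "text/html,\ntext/xml,text/plain,text/javascript,text/css,application/json",
}
# Assumed default list when the attribute is absent (the exact default varies by Tomcat version).
DEFAULT_MIME_TYPES = "text/html,text/xml,text/plain"


def would_compress(connector: Dict[str, str], request_headers: Dict[str, str],
                   response_headers: Dict[str, str], body_length: Optional[int]) -> Tuple[bool, str]:
    """Return (True, "ok") or (False, reason). body_length=None means the size is
    unknown (chunked response), in which case the size check is skipped."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    mode = connector.get("compression", "off").strip().lower()
    if mode == "off":
        return False, "compression is off on the connector"
    # A numeric value means "on" with that number as the minimum size.
    min_size = int(mode) if mode.isdigit() else int(connector.get("compressionMinSize", "2048"))
    if "gzip" not in req.get("accept-encoding", "").lower():
        return False, "client did not send Accept-Encoding: gzip"
    if resp.get("content-encoding"):
        return False, f"response already carries Content-Encoding: {resp['content-encoding']}"
    if mode == "force":
        return True, "compression=force skips the size, MIME and user-agent checks"
    if body_length is not None and body_length < min_size:
        return False, f"body of {body_length} bytes is below compressionMinSize={min_size}"
    # noCompressionUserAgents is a java.util.regex pattern; modelled here with re.search.
    ua_pattern = connector.get("noCompressionUserAgents")
    if ua_pattern and re.search(ua_pattern, req.get("user-agent", "")):
        return False, "User-Agent matches noCompressionUserAgents"
    # Entries are matched as prefixes, so "text/html;charset=UTF-8" matches "text/html".
    mime_types = [m.strip() for m in connector.get("compressableMimeType", DEFAULT_MIME_TYPES).split(",")]
    ctype = resp.get("content-type", "")
    if not any(m and ctype.startswith(m) for m in mime_types):
        return False, f"Content-Type {ctype!r} is not in compressableMimeType"
    return True, "ok"


def probe(url: str, user_agent: str = "Mozilla/5.0") -> Tuple[bool, str]:
    """Fetch url with Accept-Encoding: gzip and report whether the live server
    compressed, next to what the model says about that response. Needs network."""
    req = urllib.request.Request(url, headers={"Accept-Encoding": "gzip", "User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        headers = dict(resp.headers.items())
        body = resp.read()
    compressed = headers.get("Content-Encoding", "").lower() == "gzip"
    # A gzipped body's length is the compressed size, so pass the raw length only when uncompressed.
    verdict = would_compress(CONNECTOR, {"Accept-Encoding": "gzip", "User-Agent": user_agent},
                             headers, None if compressed else len(body))
    return compressed, f"server sent gzip={compressed}; model says {verdict}"


if __name__ == "__main__":
    # Constructed cases against the question's connector; no network needed.
    gzip_req = {"Accept-Encoding": "gzip, deflate", "User-Agent": "Mozilla/5.0"}
    html = {"Content-Type": "text/html;charset=UTF-8"}
    print(would_compress(CONNECTOR, gzip_req, html, 5000))   # (True, 'ok')
    print(would_compress(CONNECTOR, gzip_req, html, 1200))   # below compressionMinSize
    print(would_compress(CONNECTOR, gzip_req, {"Content-Type": "image/png"}, 50000))
    print(would_compress(CONNECTOR, {"User-Agent": "Mozilla/5.0"}, html, 5000))
```

The small-page case is the one most often mistaken for "GZIP not working": a test page under 2048 bytes is never compressed with this connector, whatever the other settings say. Also note that the value "gozilla, traviata" is one regular expression, so it only excludes a User-Agent that contains that exact text.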

Clarification in configuring OCSP in tomcat

We can configure OCSP in Tomcat using:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
secure="true" scheme="https"
SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
SSLCertificateKeyFile="/path/to/ocsp-cert.key"
SSLCACertificateFile="/path/to/ca.pem"
SSLVerifyClient="require"
SSLVerifyDepth="10"
clientAuth="true"/>
As mentioned in the Tomcat documentation, https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_OCSP_Certificates
But from that documentation I didn't get where OCSP is performed: on the server side (for revocation-checking the client certificate) or the client side (for revocation-checking the server certificate)?

mod_jk utf-8 character set setup

I am running httpd + mod_jk + 2 Tomcat servers on Ubuntu. When I submit a form in a non-Latin language I get garbage in the DB.
If I submit the same form through Tomcat directly, bypassing httpd, everything looks good.
Following is my configuration:
/etc/apache2/conf.d/charset:
AddDefaultCharset UTF-8
tomcat1:
<Connector port="8080" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" />
tomcat2:
<Connector port="9080" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="9443" URIEncoding="UTF-8" />
JDBC connection:
jdbc:mysql://localhost:3306/myapp?useEncoding=true&characterEncoding=UTF-8
/etc/apache2/mods-available/jk.conf (the same file I set up my loadbalancer)
JkOptions +ForwardURICompatUnparsed
Am I missing something?
Thank You!
I found my problem: I mixed up the HTTP connector with the AJP connector, which was declared twice in Tomcat's server.xml. The second declaration did not even include the URIEncoding attribute.
<Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" connectionTimeout="10000" keepAliveTimeout="10000" redirectPort="8443"/>
works fine for me
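Both the SSL thread at the top of this page (a keystorePass sitting in server.xml versus the Windows-My keystore that keeps the passphrase off disk) and the mod_jk thread just above (an AJP connector declared twice, the second copy without URIEncoding) are mistakes that can be found by reading server.xml mechanically. The following is an added example, not from either thread and not a Tomcat tool: a stdlib-only Python audit of the <Connector> elements. The sample server.xml it ships with is constructed for the demonstration; the hostname www.example.test in it is a placeholder.

```python
"""Audit the <Connector> elements of a Tomcat server.xml (stdlib only).
Checks: plaintext keystorePass kept on disk, SSLEnabled connectors that lack
scheme="https"/secure="true", a Windows-My keystore without keyAlias, the same
port declared twice, and AJP connectors without URIEncoding="UTF-8"."""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample (not a real deployment's server.xml). It contains a JKS
# connector with a plaintext password, a Windows-My connector as in the answer
# near the top of the page, and a duplicated AJP connector whose second copy
# lacks URIEncoding.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/Tomcat/keystore.jks" keystorePass="password" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keyAlias="www.example.test" keystoreFile="" keystoreType="Windows-My" />
    <Connector port="8009" protocol="AJP/1.3" URIEncoding="UTF-8" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" connectionTimeout="10000" redirectPort="8443" />
  </Service>
</Server>
"""


def audit_connectors(xml_text: str) -> List[str]:
    """Return one finding per problem found; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    first_seen = {}  # port -> description of the connector that declared it first
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        proto = c.get("protocol", "HTTP/1.1")
        where = f'Connector port="{port}" ({proto})'

        # Two connectors on one port: only one can bind, and the other is easy to overlook.
        if port in first_seen:
            findings.append(f"{where}: port already declared by {first_seen[port]}")
        first_seen.setdefault(port, where)

        if c.get("SSLEnabled", "false").lower() == "true":
            # Without scheme/secure, request.isSecure() and redirect URLs are wrong on a TLS port.
            if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
                findings.append(f'{where}: SSLEnabled without scheme="https" and secure="true"')
            if c.get("keystorePass"):
                findings.append(f"{where}: keystorePass is stored in plaintext in server.xml")
            if c.get("keystoreType") == "Windows-My" and not c.get("keyAlias"):
                findings.append(f"{where}: keystoreType Windows-My without keyAlias")

        # Tomcat 7 and earlier default URIEncoding to ISO-8859-1; newer versions
        # default to UTF-8, so treat this finding as advisory on Tomcat 8+.
        if proto.startswith("AJP/") and c.get("URIEncoding", "").upper() != "UTF-8":
            findings.append(f'{where}: AJP connector without URIEncoding="UTF-8"')
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py [path/to/server.xml]; without a path the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for line in audit_connectors(text) or ["no findings"]:
        print(line)
```

Run it against the constructed sample and it reports four findings: the JKS connector is missing scheme/secure and carries a plaintext password, and the second AJP connector both duplicates port 8009 and lacks URIEncoding. The Windows-My connector passes, which is the point of the answer at the top of the page.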

Edit Tomcat's server.xml using ksh?

I'm wondering what's the easiest way to change some settings in Tomcat's conf/server.xml configuration file through a ksh script?
For example, I want to change the default ports on these 2 snippets:
Replace this:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
With this:
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
And,
Replace this:
<Server port="8005" shutdown="SHUTDOWN">
With this:
<Server port="8006" shutdown="SHUTDOWN">
Many thanks!
I guess you want to change this in the config? This would be a simple sed; you can make it a bit safer by adding more than just the number:
sed -i 's/8005/8006/' server.xml
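The answer's caveat about "adding more than just the number" is the important part: a bare substring replace also rewrites 8005 wherever else it appears in the file (a comment, a timeout value, a path). An added example, not from the thread, of the XML-aware alternative in Python (assumed available on the server) that only touches the port attribute of <Server> and <Connector> elements; the sample server.xml is constructed for the demonstration.

```python
"""Change the port attribute of <Server> and <Connector> elements in a Tomcat
server.xml by parsing the XML, so that only those attributes change and any
other occurrence of the digits (a comment, a timeout, a path) is left alone."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample (not a real deployment's server.xml). The comment and the
# keepAliveTimeout both contain the digits 8005 that sed 's/8005/8006/' would
# also rewrite.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Shutdown port 8005 listens on localhost only -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" keepAliveTimeout="8005" redirectPort="8443" />
  </Service>
</Server>
"""


def change_ports(xml_text: str, port_map: Dict[str, str]) -> Tuple[str, List[str]]:
    """Apply port_map (old port -> new port) to the port attribute of the <Server>
    element and every <Connector>; return the new document and a change log."""
    # insert_comments (Python 3.8+) keeps XML comments instead of dropping them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    targets = ([root] if root.tag == "Server" else []) + list(root.iter("Connector"))
    changes = []
    for el in targets:
        old = el.get("port")
        if old in port_map:
            el.set("port", port_map[old])
            changes.append(f'{el.tag}: port="{old}" -> port="{port_map[old]}"')
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changes


if __name__ == "__main__":
    # Usage: python change_ports.py conf/server.xml 8080=8081 8005=8006
    # The result is written next to the original as server.xml.new for review.
    path, pairs = sys.argv[1], dict(p.split("=", 1) for p in sys.argv[2:])
    new_xml, log = change_ports(open(path, encoding="utf-8").read(), pairs)
    with open(path + ".new", "w", encoding="utf-8") as f:
        f.write(new_xml)
    print("\n".join(log) or "no ports changed")
```

With the map 8005 to 8006 and 8080 to 8081, the sample comes back with both attributes changed, redirectPort="8443" and keepAliveTimeout="8005" untouched, and the comment intact. The script writes to a .new file rather than in place so the diff can be reviewed before the file is swapped in and Tomcat restarted.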
