By default, HTTPS / SSL is not configured and enabled in Tomcat Web server. SSL setup is required to make your web application accessible over HTTPS protocol. This post will guide you to configure SSL in Tomcat 7 Web server.

Tools and Technologies used in this article :

  1. Tomcat 7.0.47
  2. JDK 7

Note : Here, I have used apache-tomcat-7.0.47.tar.gz binary distribution. Settings will be different for Tomcat native library (APR).

1. Create Keystore and Self-signed Certificate

Open command prompt and go to %JAVA_HOME%\bin. Use keytool to create JKS (Java KeyStore) format keystore and a self-signed certificate.

C:\jdk\bin>keytool -genkey -alias srccodes -keyalg RSA -keystore c:\tomcat7\conf\srccodes.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  SrcCodes Dot Com
What is the name of your organizational unit?
  [Unknown]:  SrcCodes.com
What is the name of your organization?
  [Unknown]:  SrcCodes Pvt. Ltd.
What is the name of your City or Locality?
  [Unknown]:  Kolkata
What is the name of your State or Province?
  [Unknown]:  WB
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=SrcCodes Dot Com, OU=SrcCodes.com, O=SrcCodes Pvt. Ltd., L=Kolkata, ST=WB, C=IN correct?
  [no]:  yes
 
Enter key password for <srccodes>
        (RETURN if same as keystore password):
Re-enter new password:
-keystore Filepath (say "c:\tomcat7\conf\srccodes.jks") where keystore file will be generated.
keystore password Password of the keystore to be used by Tomcat. If not provided, then default is "changeit".
key password Password of the self-signed certificate generated in the keystore. If not provided, then it'll be same as keystore password.

2. Configure Tomcat

a. Open /conf/server.xml in a text editor.
b. Search for "Define a SSL HTTP/1.1 Connector on port 8443". Connector configuration will be commented there. Uncomment it.

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

c. Provide keystoreFile, keystorePass and keyPass values as given in Step#1.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/srccodes.jks"
           keystoreType="JKS"
           keystorePass="pass4keystore"
           keyPass="pass4key" />

3. Check SSL / HTTPS setup

a. Start the Tomcat server. Otherwise restart if already started.
b. Open https://localhost:8443 in browser.
c. In Firefox browser, you will get "This Connection is Untrusted" message.
This Connection is Untrusted

To proceed click "Add Exception..." button.
Add Exception...

You can view the generated certificate details in "Certificate Viewer" on clicking the "View" button available in the "Add Security Exception" window.
Certificate Viewer

On clicking "Confirm Security Exception" button, Tomcat's home page will be displayed.
Confirm Security Exception

Note: For production application, obtain certificate from certificate authority (like GeoTrust, Verisign, Thawte etc.) and import the same in local keystore.

Download SrcCodes

GitHub: <tomcat-installation-directory>/conf/server.xml

References

, Apache Tomcat , SSL , HTTPS , Keystore , certificate , classic , Self-signed Certificate , ADT , Tomcat native library , server.xml , SSL HTTP/1.1 Connector , SSLEnabled , keystoreFile , keystorePass , secure