How to set up secure access via SSL
Follow the steps below to generate, install and configure your server for SSL access.
You will need to generate a Certificate Signing Request (CSR) for your instance of Tomcat.
Keystore and CSR generation
Generate a private key with the following command from the command prompt in Windows:
C:/RanFab/JDK/bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename> -keysize 2048
You will be prompted for a password. Tomcat uses a default password of “changeit”. If you use a different password, you will need to specify a custom password in the server.xml configuration file.
The next field that you will be prompted for is “What is your first and last name?” At this prompt, you must specify the common name (FQDN) of your web site (this is the host name used in the URL).
You will then be prompted for your organizational unit, organization, etc.
Generate the Certificate Signing Request (CSR):
C:/RanFab/JDK/bin/keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
You will now be prompted for the common name, organization, etc. The keytool will use the values that you specified when generating the private key.
Create a copy of the keystore file. Having a backup file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.
Generate a certificate with your chosen SSL provider using the request above
Paste the CSR into the Certificate Signing Request field provided by your SSL provider.
Note: Be sure to include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
Each provider follows its own method of identification. Follow the provider's instructions, which could be a combination of email and phone confirmations. At the end of the process, you should receive the requested certificate. Download the certificate in the PKCS7 format or convert it to this format.
Install the certificate on your server
Note: Save the certificate extension as .p7b (e.g., certificate.p7b)
Step 1: Install the SSL certificate
Import the SSL certificate into the Java keystore using the following keytool command:
keytool -import -alias <your_alias_name> -trustcacerts -file certificate.p7b -keystore <your_keystore_filename>
Note: The alias name in this command must be the same as the alias name used during the generation of the keystore and CSR.
Modify your Tomcat server.xml file to use your certificate
Shut down RanFab, if it is running. Changes to the file C:/RanFab/Tomcat/conf/server.xml are read by Tomcat only when it is started.
Open the file C:/RanFab/Tomcat/conf/server.xml in a text editor.
Find the following section in the file (try searching for "SSL Connector"). The Connector entry is wrapped in XML comment tags: remove the <!-- that precedes <Connector and the --> that follows </Connector>, so that the Connector element becomes active. Leave the one-line comment "SSL Connector on Port 8443" in place. Note that the className values below are for Tomcat 4 (the "tomcat4" part of the class name changes with the Tomcat version). Then replace the keystoreFile and keystorePass placeholders with the path to your keystore and its password.
<!-- SSL Connector on Port 8443 -->
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false" acceptCount="10" connectionTimeout="60000"
           debug="0" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="insert path to the keystore here"
           keystorePass="insert keystore password here"/>
</Connector>
-->
Save and close the file.
Note: Tomcat runs SSL over port 8443. Make sure that this port is enabled on the Tomcat server and any firewalls/proxies this server may lie behind.
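Once Tomcat is restarted, it is worth confirming that the connector on port 8443 actually serves the certificate issued for your CSR rather than a leftover self-signed or expired one. The script below is an added example, not part of the original guide or the RanFab product; it uses only the Python standard library and assumes the server is reachable at the FQDN you entered as the common name. The check_server() function verifies the chain against the system trust store, and certificate_problems() adds the checks a practitioner usually wants on top (host name coverage, validity window, expiry within 30 days).

```python
import socket
import ssl
import time

TOMCAT_SSL_PORT = 8443  # port used by the SSL Connector in server.xml


def covers_hostname(cert, hostname):
    """True if hostname matches a DNS SAN entry or, failing that, the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates without SANs: fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):  # a wildcard matches exactly one label
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def certificate_problems(cert, hostname, now=None):
    """Check a cert dict as returned by SSLSocket.getpeercert(); returns a
    list of problems, empty when the certificate is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if not covers_hostname(cert, hostname):
        problems.append("certificate does not cover " + hostname)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now >= not_after:
        problems.append("certificate has expired")
    elif not_after - now < 30 * 86400:
        problems.append("certificate expires within 30 days")
    return problems


def check_server(hostname, port=TOMCAT_SSL_PORT):
    """Connect to the connector, verify the chain against the system trust
    store (create_default_context), then run the checks on the leaf."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with context.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.version(), certificate_problems(tls.getpeercert(), hostname)
    except ssl.SSLError as exc:  # untrusted chain, expired cert, name mismatch
        return None, ["TLS handshake failed: %s" % exc]
```

Run check_server("your.fqdn.example", 8443) from a machine that trusts your provider's CA; a (None, [...]) result means the handshake itself was rejected, while a non-empty problem list with a TLS version means the chain was accepted but the leaf certificate needs attention.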