≡ Menu

2 Easy Steps to Enable SSL / HTTPS on Tomcat Server

If you are running tomcat server that runs only on HTTP, follow the 2 easy steps mentioned below, to configure tomcat for SSL.

1. Create Keystore using Java keytool

First use the keytool to create a java keystore as shown below. Make sure to note down the password that you enter while creating the keystore.

# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
 [Unknown]:  Ramesh Natarajan
What is the name of your organizational unit?
 [Unknown]:  Development
What is the name of your organization?
 [Unknown]:
What is the name of your City or Locality?
 [Unknown]:  Los Angeles
What is the name of your State or Province?
 [Unknown]:  CA
What is the two-letter country code for this unit?
 [Unknown]:  US
Is CN=Ramesh, OU=Development, O=Unknown, L=Los Angeles, ST=CA, C=US correct?
 [no]:  yes

Enter key password for 
   (RETURN if same as keystore password):

This will create the .keystore file under the /root home directory as shown below.

# ls -l /root/.keystore
-rw-r--r-- 1 root root 1391 Apr  6 11:19 .keystore

2. Modify the server.xml file

Locate the conf/server.xml file located under the tomcat directory. If the Connector port=”8443″ is commented out, you should uncomment it first. Please note that the comments in the server.xml file are enclosed in <!– and –> as shown below. You should remove the 1st and last line from the following code snippet.

# vi server.xml
   <!--
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />
   -->

Now, add the keystore information to the server.xml as shown below. Replace the your-key-password with the password you provided in the step 1 while creating the keystore.

# vi server.xml
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              keystoreFile="/root/.keystore" keystorePass="your-key-password"
              clientAuth="false" sslProtocol="TLS" />

Finally, restart the tomcat server and access the application using https://{your-ip-address}:8443/

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 10 comments… add one }

  • saiju s george September 16, 2011, 3:10 am

    Thanks a lot for this new method ..

    But there is a easy way …., we can edit /etc/httpd/conf.d/ssl.conf

    we can add this line in default vhost configuration …

    ProxyRequests off

    ProxyPass / http://localhost:9090/
    ProxyPassReverse / http://localhost:9090/

    if you cannot find ssl.conf , you can install mod_ssl with yum ..

    Thanks & regds
    saiju

  • saiju s george September 16, 2011, 3:12 am

    on watever port tomcat is running …

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

  • jalal hajigholamali September 16, 2011, 5:48 am

    Hi,

    Very useful article…

  • John February 16, 2012, 11:09 am

    How about a stupid question.
    How do you enable SSL with a SIGNED certificate? This is what I have:
    change server.xml:

    and that’s it. Right?

  • Sudhakara Atluri March 1, 2013, 2:44 pm

    Hi Ramesh,

    I tried to do this on my Windows machine. Where does it create the “.keystore” file?

    keytool -genkey -alias tomcat -keyalg RSA

    Thanks,
    Sudhakara Atluri.

  • Arpan January 2, 2014, 2:08 pm

    How do we remove 8443 from the URL for production site?

  • Gihan Sooriyasena August 31, 2014, 12:54 am

    Hi Ramesh,

    I have a question.

    I have crt file and key. So how should I configure tomcat for SSL with those two files.
    Please help me.

    Thanks,
    Gihan

  • faisal May 28, 2015, 12:15 am

    I tried it on ubuntu 12.04 after genrating key did the following changes in server.xml :
    described in the APR documentation –>

    but it did not work.

  • Borgy Manotoy March 20, 2017, 12:37 am

    I know that this thread or page is really old, but I am having an issue after following the steps.

    I have checked the following:

    1) .keystore is generated [OK].
    2) Updated server.xml properly with exact path in keyfile section, all case are proper [OK].
    3) No errors in catalina.out [OK].

    After restarting tomcat, I can still access the normal port 8080, but when I access 8443… the page loading is taking forever.

    Any idea?

    Thanks.

  • sandeep May 15, 2017, 12:50 pm

    Hello,

    Can I use different ports(not 8443 or 443) for ssl configuration in tomcat? I have 3 different applications running on same server. All 3 needs ssl configuration in tomcat. Any help is appreciated.

Leave a Comment