Ubuntu 12.04 and Tomcat 7 SSL implementation

Apache Tomcat is an open source servlet container developed by the Apache Software Foundation. Tomcat implements the Java Servlet and JavaServer Pages (JSP) specifications and provides a Java HTTP web server environment for Java code to run in. In this post we will show you how to quickly install Tomcat 7 on an Ubuntu 12.04 VM or server and set up SSL for secure connections.

Install Tomcat 7

First, let's update the package list:

$ sudo apt-get update

Let's install Tomcat 7 and set the environment variables it needs:

$ sudo apt-get install tomcat7
$ sudo vim ~/.bashrc

Add these two lines at the end of the file:

export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/usr/share/tomcat7

Create a directory for the log files:

$ sudo mkdir /usr/share/tomcat7/logs
$ sudo chmod 777 /usr/share/tomcat7/logs   # note: 777 makes the directory world-writable; owning it by the tomcat7 user is tighter

To install the default JDK:

$ sudo apt-get install default-jdk

At this point you should be able to reach your Tomcat server on port 8080:
http://localhost:8080 (or http://<your server ip>:8080 from another host)

Configure SSL in Tomcat 7

Tomcat can use two different implementations of SSL:

  • the JSSE implementation provided as part of the Java runtime (since 1.4)
  • the APR implementation, which uses the OpenSSL engine by default

    JSSE

    By default Tomcat 7 uses the Java JSSE implementation. Here is how to
    configure it with a self-signed certificate.

    1. Create a keystore file holding the server's private key and
    self-signed certificate by running the following command (the directory
    the keystore is written to must already exist):

    $ sudo mkdir -p /usr/share/ssl
    $ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
        -keystore /usr/share/ssl/sslstore   # you will be prompted for a keystore password

    2. Edit /etc/tomcat7/server.xml and add the following Connector entry.
    There are many parameters that can be set here; this is just a basic
    configuration to get SSL working.

    <Connector protocol="HTTP/1.1"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/usr/share/ssl/sslstore" keystorePass="your password"
               clientAuth="false" sslProtocol="TLS"/>

    3. Restart tomcat7:

    $ sudo service tomcat7 restart

    You should now be able to connect via SSL at https://<your server ip>:8443

    APR

    1. For APR to work, the APR native library must be available. It is very
    simple to install:

    $ sudo apt-get install libtcnative-1

    2. Enable the APR lifecycle listener in /etc/tomcat7/server.xml. This
    uses the default OpenSSL engine:

    <Listener className="org.apache.catalina.core.AprLifecycleListener"
              SSLEngine="on" SSLRandomSeed="builtin" />

    3. Generate a self-signed certificate with the openssl tool for our SSL
    implementation. The Connector in step 4 reads the files from
    /usr/share/ssl, so run these commands in that directory (or move the
    resulting files there afterwards).

    $ sudo openssl genrsa -des3 -out server.key 1024   # note: 1024-bit RSA is weak by current standards; 2048 is the usual minimum
    $ openssl req -new -key server.key -out server.csr

    Watch the subject name: make sure it matches your site's host name.

    $ cp server.key server.key.org                       # keep the passphrase-protected original
    $ sudo openssl rsa -in server.key.org -out server.key   # remove the passphrase from the key
    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    4. Add the Connector below. Again, many configuration parameters are
    available; this is just enough to get basic functionality.

    <Connector port="8443" SSLEnabled="true" protocol="HTTP/1.1"
               maxThreads="150" scheme="https" secure="true"
               SSLCertificateFile="/usr/share/ssl/server.crt"
               SSLCertificateKeyFile="/usr/share/ssl/server.key"
               SSLProtocol="TLS"/>

    5. Restart tomcat7:

    $ sudo service tomcat7 restart

    You should now be able to connect via SSL at https://<your server ip>:8443
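As an added example (not part of the original post), here is a small Python audit script that parses a server.xml and checks every SSL-enabled Connector for the attributes the two configurations above depend on: a JSSE connector needs keystoreFile and keystorePass, an APR connector needs the certificate and key files plus an AprLifecycleListener with SSLEngine="on". The embedded server.xml is a constructed sample combining both connector forms; in practice you would feed it the contents of /etc/tomcat7/server.xml.

```python
"""Audit a Tomcat 7 server.xml for the SSL connector patterns shown above."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real server.xml): JSSE connector on 8443,
# APR connector on 8444, AprLifecycleListener enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" SSLRandomSeed="builtin" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="/usr/share/ssl/sslstore"
               keystorePass="your password" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8444" protocol="HTTP/1.1" scheme="https" secure="true"
               SSLEnabled="true" SSLCertificateFile="/usr/share/ssl/server.crt"
               SSLCertificateKeyFile="/usr/share/ssl/server.key" SSLProtocol="TLS"/>
  </Service>
</Server>"""

def apr_listener_enabled(root):
    """True if an AprLifecycleListener with SSLEngine="on" is configured."""
    for lst in root.iter("Listener"):
        if lst.get("className", "").endswith("AprLifecycleListener"):
            return lst.get("SSLEngine", "off").lower() == "on"
    return False

def audit_ssl_connectors(server_xml):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    apr_on = apr_listener_enabled(root)
    report = {}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        if c.get("keystoreFile"):            # JSSE-style connector
            if not c.get("keystorePass"):
                findings.append("JSSE: keystoreFile set but keystorePass missing")
        elif c.get("SSLCertificateFile"):    # APR-style connector
            if not c.get("SSLCertificateKeyFile"):
                findings.append("APR: SSLCertificateKeyFile missing")
            if not apr_on:
                findings.append("APR: no AprLifecycleListener with SSLEngine=on")
        else:
            findings.append("SSLEnabled but neither keystore nor certificate set")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append('scheme="https" and secure="true" not both set')
        report[c.get("port")] = findings
    return report
```

An empty findings list for a port means that connector carries everything the matching configuration above requires; anything else is a misconfiguration to fix before relying on the HTTPS listener.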

    Finally, reload ~/.bashrc so the JAVA_HOME and CATALINA_HOME exports from
    the installation step take effect, then start Tomcat:

    $ . ~/.bashrc
    $ $CATALINA_HOME/bin/startup.sh