To set up TLS (still commonly called SSL) on Tomcat, you need a server certificate and its private key. For a development environment you can create a self-signed one with the Java keytool; for production, get a certificate from a trusted CA such as Let's Encrypt.
Create SSL Certificate
To generate the key pair and a self-signed certificate, run the following command (-genkey is the deprecated spelling of -genkeypair; the file it writes is a keystore containing the key and the certificate, even though this tutorial names it mycertificate.cert):
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore mycertificate.cert
Then fill in the required information as shown in this example:
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Stefan Pejcic
What is the name of your organizational unit?
  [Unknown]:  Servis
What is the name of your organization?
  [Unknown]:  Mega
What is the name of your City or Locality?
  [Unknown]:  Belgrade
What is the name of your State or Province?
  [Unknown]:  Serbia
What is the two-letter country code for this unit?
  [Unknown]:  RS
Is CN=Stefan Pejcic, OU=Servis, O=Mega, L=Belgrade, ST=Serbia, C=RS correct?
  [no]:  Yes
Enter key password for <tomcat>
        (RETURN if same as keystore password):
Re-enter new password:
Be aware that the "first and last name" prompt fills the certificate's CN. For a server certificate it should be the hostname clients will connect to (localhost on a development box), not a person's name; otherwise browsers reject the certificate as issued for the wrong name even after you have trusted it. Remember the keystore password, because Tomcat needs it in server.xml.
After that the keystore holds the key pair and the self-signed certificate, and we can point Tomcat's server.xml file at it.
TIP: To avoid misplacing the keystore, put it in Tomcat's conf directory, and make it readable only by the user Tomcat runs as (chmod 600), since it contains the private key.
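The same keystore can be produced without the interactive prompts, which is what you want in a setup script. The following is an added example, not code from the original page: it passes the subject with -dname, adds a Subject Alternative Name for the host (modern browsers and Java clients match the SAN, not the CN), and then checks with keytool -list that the stored certificate really names the host. It assumes a JDK on PATH, the hostname localhost and the keystore file tomcat.p12; the OU/O/L/ST/C values are taken from the session above.

```shell
#!/bin/sh
# Added example, not from the original page: create the Tomcat dev keystore
# without interactive prompts and verify the certificate names the host.
# Assumed: hostname localhost, keystore file tomcat.p12, store password given
# as an argument; OU/O/L/ST/C are the values from the interactive session.
set -eu

# Certificate subject. CN is the hostname clients connect to, not a person.
dname_for() {
  printf 'CN=%s, OU=Servis, O=Mega, L=Belgrade, ST=Serbia, C=RS' "$1"
}

# Generate a 2048-bit RSA key pair plus a self-signed certificate, valid for
# one year, in a PKCS12 keystore. -dname and -storepass replace the prompts.
# The SAN extension is what browsers and Java clients actually match against;
# a CN alone is ignored by modern clients.
generate_keystore() {
  host="$1"; keystore="$2"; pass="$3"
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$keystore" -storepass "$pass" \
    -dname "$(dname_for "$host")" \
    -ext "SAN=dns:$host,ip:127.0.0.1"
}

# Succeed only if the stored certificate carries a SAN entry for the host.
# Tomcat starts fine with a certificate for the wrong name; the browser does not.
check_keystore() {
  keystore="$1"; pass="$2"; host="$3"
  keytool -list -v -keystore "$keystore" -storepass "$pass" -alias tomcat |
    grep -Eq "^[[:space:]]*DNSName: $host\$"
}

# Usage: sh make-keystore.sh <host> <keystore> <password>
# With no arguments nothing runs, so the file can also be sourced for its functions.
if [ $# -eq 3 ]; then
  host="$1"; keystore="$2"; pass="$3"
  generate_keystore "$host" "$keystore" "$pass"
  chmod 600 "$keystore"          # the file holds the private key: owner-only
  check_keystore "$keystore" "$pass" "$host"
  echo "$keystore ready for https://$host:8443/"
elif [ $# -gt 0 ]; then
  echo "usage: $0 <host> <keystore> <password>" >&2
  exit 2
fi
```

Run it as `sh make-keystore.sh localhost /path/to/tomcat/conf/tomcat.p12 yourpassword`, then use that path and password for keystoreFile and keystorePass in the connector. The check function is also a quick way to confirm that an existing keystore matches the name you are serving under.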
Enable SSL in Tomcat
To enable SSL in Tomcat, edit ~Tomcat_Installation/conf/server.xml and add the following connector inside the <Service> element. This is the classic single-connector form, which Tomcat 8.5 and later still accept although they prefer a nested <SSLHostConfig> element. Three details matter: SSLEnabled="true" is required on Tomcat 6 and later (without it the connector speaks plain HTTP while reporting requests as secure), keystorePass must be the password you typed into keytool (Tomcat assumes changeit if it is omitted), and maxSpareThreads is a Tomcat 5.5 attribute that later versions ignore, so it is dropped here. sslEnabledProtocols limits the connector to current TLS versions:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/Users/Stefan/tomcat/conf/mycertificate.cert"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3" />
After saving the changes to server.xml, restart Tomcat and open https://localhost:8443/ to confirm the connector is up. In development the browser warns about the self-signed certificate; a connection refused or a plain-HTTP answer on that port means the connector did not start, and catalina.out will say why (usually a wrong keystore path or password).
Redirect HTTP to HTTPS
This step is optional and you should do it only if you want to redirect all HTTP requests to HTTPS. Note that the redirect does not protect anything the client has already sent over plain HTTP; it is a convenience for users who type http:// URLs. To make browsers skip HTTP on later visits, also enable HSTS, which Tomcat's bundled HttpHeaderSecurityFilter can add (it ships commented out in conf/web.xml).
Open ~Tomcat_Installation/conf/server.xml and add (or adjust) the plain-HTTP connector so that its redirectPort points at the HTTPS connector. Port 8090 is the HTTP port in this example (Tomcat's stock server.xml uses 8080); redirectPort is what Tomcat uses to build the https URL when a security constraint forces a redirect:
<Connector port="8090" protocol="HTTP/1.1"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />
Then add the following security constraint to ~Tomcat_Installation/conf/web.xml, after the servlet-mapping elements and before the closing </web-app> tag. Putting it in conf/web.xml applies it to every web application on the server; to redirect a single application only, place the same element in that application's WEB-INF/web.xml instead. CONFIDENTIAL tells the container that every matching URL must be served over a protected transport, so a request arriving on the HTTP connector is redirected to the same path on redirectPort:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
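Once Tomcat has been restarted with both connectors and the constraint in place, it is worth checking the result from the outside rather than trusting the configuration. The script below is an added example and not part of the original page: it verifies that a plain-HTTP request is answered with a redirect to an https URL (Tomcat sends a 302 by default for a CONFIDENTIAL constraint) and prints the certificate the HTTPS connector actually serves so you can compare its subject and SAN with the hostname you use. It assumes HTTP on 8090 and HTTPS on 8443 as configured above, and needs curl and openssl for the live probes; the sample response is constructed for trying the redirect check offline.

```shell
#!/bin/sh
# Added example, not from the original page: check a Tomcat instance after the
# connectors and the CONFIDENTIAL constraint above are in place.
# Assumed: HTTP on 8090, HTTPS on 8443, host given as the only argument;
# curl and openssl are needed for the live probes.
set -eu

# Pass if an HTTP response (raw headers on stdin) is a redirect to an https
# URL, which is what Tomcat answers once the CONFIDENTIAL constraint applies.
is_https_redirect() {
  headers=$(tr -d '\r')
  printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/1\.[01] (301|302|307|308)' &&
    printf '%s\n' "$headers" | grep -Eiq '^Location: https://'
}

# Constructed sample of the response Tomcat sends for http://localhost:8090/
# (the default redirect status is 302, with an absolute Location), so the
# check can be exercised without a running server.
sample_redirect_response() {
  printf 'HTTP/1.1 302 \r\nLocation: https://localhost:8443/\r\nContent-Length: 0\r\n\r\n'
}

# Live check: GET the plain-HTTP root and require the https redirect.
probe_redirect() {
  curl -sS -o /dev/null -D - "http://$1:$2/" | is_https_redirect
}

# Live check: print the certificate Tomcat actually serves on the HTTPS port,
# so that subject, validity and SAN can be compared with the hostname in use.
probe_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -dates -ext subjectAltName
}

# Usage: sh check-tomcat-tls.sh <host>
if [ $# -eq 1 ]; then
  host="$1"
  if probe_redirect "$host" 8090; then
    echo "HTTP -> HTTPS redirect on $host:8090: ok"
  else
    echo "HTTP -> HTTPS redirect on $host:8090: MISSING" >&2
  fi
  probe_tls "$host" 8443
fi
```

If the redirect check fails while https://host:8443/ works, the usual causes are a redirectPort that does not match the HTTPS connector's port or the security-constraint sitting in the wrong web.xml; if the printed subject or SAN does not contain the hostname, regenerate the keystore with the correct name before going further.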