Configure 🔒 SSL on Apache Tomcat

To set SSL on Tomcat, we need a digital certificate that can be created using Java keytool for the development environment. For the production environment, you should get a certificate from trusted providers such as Lets’ Encrypt.

Create SSL Certificate

To generate an SSL certificate run the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore mycertificate.cert

Then fill in the required information as shown in this example:

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Stefan Pejcic
What is the name of your organizational unit?
  [Unknown]:  Servis
What is the name of your organization?
  [Unknown]:  Mega
What is the name of your City or Locality?
  [Unknown]:  Belgrade
What is the name of your State or Province?
  [Unknown]:  Serbia
What is the two-letter country code for this unit?
  [Unknown]:  RS
Is CN=Stefan Pejcic, OU=Servis, O=Mega, L=Belgrade, ST=Serbia, C=RS correct?
  [no]:  Yes

Enter key password for <tomcat>
	(RETURN if same as keystore password):
Re-enter new password:

After doing that the certificate is generated and we can now add it to Tomcat’s server.xml file.

TIP: To avoid any misplacement of the certificate, put it in the tomcat conf directory.

Enable SSL in Tomcat

To enable SSL in Tomcat you need to edit this file: ~Tomcat_Installation/conf/server.xml and add the following code:

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/Users/Stefan/tomcat/conf/mycertificate.cert"
	       clientAuth="false" sslProtocol="TLS" />

After saving changes to the server.xml file you should restart Tomcat.

Redirect HTTP to HTTPS

This step is optional and you should do it only if you want to redirect all HTTP requests to HTTPS.

Open the following file ~Tomcat_Installation/conf/server.xml and add the following code:

<Connector port="8090" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" />

And in ~Tomcat_Installation/conf/web.xml file add the following code just after all the servlet-mapping tags:

<security-constraint>
        <web-resource-collection>
               <web-resource-name>Entire Application</web-resource-name>
               <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>