{"id":530,"date":"2018-10-09T03:00:15","date_gmt":"2018-10-09T03:00:15","guid":{"rendered":"http:\/\/www.asianux.org.vn\/?p=530"},"modified":"2018-10-09T03:00:15","modified_gmt":"2018-10-09T03:00:15","slug":"step-by-step-instructions-on-self-signed-certificate-and-tomcat-over-ssl","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2018\/10\/09\/step-by-step-instructions-on-self-signed-certificate-and-tomcat-over-ssl\/","title":{"rendered":"Step by step instructions on self-signed certificate and Tomcat over SSL"},"content":{"rendered":"

Creating a self-signed certificate to test Tomcat https is easy, and this article gives you the step-by-step instructions on the following parts:<\/p>\n

1. Create a self-signed host certificate using openSSL<\/p>\n

2. Create a PKCS12 keystore and convert it to java keystore<\/p>\n

3. Configure Tomcat 6 to use https, and redirect http to https<\/p>\n

4. Create a Java client to talk to the Tomcat over SSL with the self-signed certificates<\/p>\n

Part 1. \u00a0Create a self-signed host certificate using openSSL<\/strong><\/h2>\n

There are different ways of creating a self-signed certificate, such as using Java keytool. \u00a0But I prefer openSSL because the keys and certificates generated this way are more standardized and can be used for other purposes. \u00a0The\u00a0openSSL HOWTO page<\/a>\u00a0gives you a lot of details and other information.<\/p>\n

1.1 Create a pair of PKI keys<\/h3>\n

PKI stands for Public Key Infrastructure, which is also known as Asymmetric key pair, where you have a private key and a public key. \u00a0The private key is a secret you guard with your honor and life, and the public key is something you give out freely. \u00a0Messages encrypted with one can be decrypted with the other. \u00a0While generally speaking, given one key, it should be infeasible to derive the other. \u00a0However, openSSL makes it so that given a private key, you can easily derive the public key (but not vice versa, otherwise the security is broken). \u00a0For this reason, when you generate a key using openSSL, it only gives you a private key.<\/p>\n

As a side note, the word\u00a0asymmetric\u00a0is really a poor choice. \u00a0Once, a security expert was giving a presentation to a roomful of students on PKI, and one of his slides was supposed to have the title \u201cAsymmetric key scheme\u201d, but perhaps it was the fonts he used, or perhaps he made a last-minute typo,\u00a0\u00a0it looked like there was a space between the letter \u201cA\u201d and the rest of the letter. \u00a0After that presentation, quite a few naive students began to think that \u00a0PKI is a\u00a0symmetric\u00a0<\/em><\/del>(WRONG!)<\/em>\u00a0key scheme where it should be exactly the opposite \u2014 this is probably a less forgivable mistake than blowing up the chemistry lab because someone thinks inflammable means not flammable.<\/p>\n

1.1.1 Create a host private key using openSSL<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
openssl genrsa -out HOSTNAME-private.pem 2048<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

This private key is 2048 bits long, generated using RSA algorithm, and we choose not to protect it with an additional passphrase because the key will be used with a server certificate. \u00a0The name of the private key is HOSTNAME-private.pem where HOSTNAME should be replaced by the name of the machine you intend to host Tomcat.<\/p>\n

1.1.2 Derive the public key using openSSL. \u00a0This step is not necessary, unless \u00a0you want to distribute the public key to others.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
openssl rsa -<\/code>in<\/code> HOSTNAME-private.pem -pubout \u00a0> HOSTNAME-public.pem<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

1.2 Create a self-signed X509 certificate<\/h3>\n
\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
openssl req -new -x509 -key HOSTNAME-private.pem -out HOSTNAME-certificate.pem -days 365<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Then you will be prompted to enter a few pieces of information, use \u201c.\u201d if you wish to leave the field blank<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n<\/td>\n
\n
\n
-----<\/code><\/div>\n
Country Name (2 letter code) [AU]:US<\/code><\/div>\n
State or Province Name (full name) [Some-State]:Indiana<\/code><\/div>\n
Locality Name (eg, city) []:Bloomington<\/code><\/div>\n
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cool Org<\/code><\/div>\n
Organizational Unit Name (eg, section) []:Cool IT<\/code><\/div>\n
Common Name (eg, YOUR name) []:Cool Node<\/code><\/div>\n
Email Address []:.<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

You will now see your host certificate file HOSTNAME-certificate.pem<\/p>\n

UPDATE<\/strong>: The field Common Name is quite important here. \u00a0It is the\u00a0hostname<\/strong>\u00a0of the machine you are trying to certify with the certificate, which is the name in the DNS entry corresponding to your machine IP.<\/p>\n

If your machine does not have a valid DNS entry (in other words, doing a nslookup on the IP of your machine doesn\u2019t give you anything), the host certificate probably won\u2019t work too well for you. \u00a0If you are only doing some very minimalistic https connection using only the HttpsURLConnection provided by Java, you can probably get by by disabling the certificate validation as outline towards the end of this article; however, if you use other third-party software packages, you will probably get an exception look like the following:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
java.io.IOException: HTTPS hostname wrong: \u00a0should be <xxx.yyy.zzz><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

This is because many security packages would check for things such as URL Spoofing, and when they do a reverse lookup of the machine IP, \u00a0but do not yield the same hostname as what is in the certificate, they think something is fishy and throws the exception.<\/p>\n

Part 2. Create a PKCS12 keystore and convert it to a Java keystore<\/p>\n

Java keytool does not allow the direct import of x509 certificates with an existing private key, and here is a\u00a0Java import key utility<\/a>\u00a0Agent Bob created to get around that. \u00a0However, we can still get it to work even without this utility. \u00a0The trick is to import the certificate into a PKCS12 keystore, which Java keytool also supports, and then convert it to the Java keystore format<\/p>\n

2.1 Create a PKCS12 keystore and import (or export depending on how you look at it) the host certificate we just created<\/h3>\n
\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
openssl pkcs12 -<\/code>export<\/code> -out keystore.pkcs12 -<\/code>in<\/code> HOSTNAME-certificate.pem -inkey HOSTNAME-private.pem<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

It will ask you for the export password, and it is recommended to provide a password.<\/p>\n

2.2 Convert the PKCS12 keystore to Java keystore using Java keytool.<\/h3>\n
\n
\n\n\n\n
\n
1<\/div>\n<\/td>\n
\n
\n
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Keytool will first ask you for the new password for the JKS keystore twice, and it will also ask you for the password you set for the PKCS12 keystore created earlier.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n<\/td>\n
\n
\n
Enter destination keystore password:<\/code><\/div>\n
Re-enter new password:<\/code><\/div>\n
Enter <\/code>source<\/code> keystore password:<\/code><\/div>\n
Entry <\/code>for<\/code> alias<\/code> 1 successfully imported.<\/code><\/div>\n
Import <\/code>command<\/code> completed: 1 entries successfully imported, 0 entries failed or cancelled<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

It will output the number of entries successfully imported, failed, and cancelled. \u00a0If nothing went wrong, you should have another keystore file: keystore.jks<\/p>\n

Part 3. Configure Tomcat to use HTTPS<\/h2>\n

With the keystore in place, we can now configure Tomcat to communicate via SSL using the certificate.<\/p>\n

3.1 Configure Tomcat HTTPS Connector.<\/h3>\n

Edit CATALINA_HOME\/conf\/server.xml, where CATALINA_HOME is the base directory of Tomcat. \u00a0By default, the HTTPS Connector configuration is commented out. \u00a0We can search for \u201c8443\u201d which is the default port number for HTTPS connector, and then either replace the configuration block, or add another block just below. \u00a0We are going to use the Coyote blocking connector:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n<\/td>\n
\n
\n
<!--<\/code><\/div>\n
\u00a0<\/code><Connector port=\"8443\" protocol=\"HTTP\/1.1\" SSLEnabled=\"true\"<\/code><\/div>\n
\u00a0<\/code>maxThreads=\"150\" scheme=\"https\" secure=\"true\"<\/code><\/div>\n
\u00a0<\/code>clientAuth=\"false\" sslProtocol=\"TLS\" \/><\/code><\/div>\n
\u00a0<\/code>--><\/code><\/div>\n
<\/div>\n
<<\/code>Connector<\/code> port<\/code>=<\/code>\"8443\"<\/code> protocol<\/code>=<\/code>\"org.apache.coyote.http11.Http11Protocol\"<\/code> SSLEnabled<\/code>=<\/code>\"true\"<\/code> maxThreads<\/code>=<\/code>\"150\"<\/code> secure<\/code>=<\/code>\"true\"<\/code> scheme<\/code>=<\/code>\"https\"<\/code> keystoreFile<\/code>=<\/code>\"PATH\/TO\/keystore.jks\"<\/code> keystorePass<\/code>=<\/code>\"JKS_KEYSTORE_PASSWORD\"<\/code> clientAuth<\/code>=<\/code>\"false\"<\/code> sslProtocol<\/code>=<\/code>\"TLS\"<\/code> \/><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

In the snippet above, PATH\/TO\/keystore.jks is the path to the Java Keystore we created earlier, and I recommend using the absolute path to eliminate any confusion. \u00a0Also provide the keystore password \u2013 it is in plain text, so protect server.xml using the correct permission (700).<\/p>\n

The\u00a0Tomcat SSL configuration instruction<\/a>\u00a0is a bit misleading and may let us believe both blocking and non-blocking should be configured. \u00a0This is not true because the port number can only be used by one connector type.<\/p>\n

This configuration enables Tomcat to communicate HTTPS on port 8443. \u00a0At this point, it is a good idea to fire up Tomcat and make sure the configuration works using a web browser.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n<\/td>\n
\n
\n
cd CATALINA_HOME<\/code><\/div>\n
bin\/startup.sh<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And point your web browser to\u00a0https:\/\/HOSTNAME:8443<\/a>\u00a0to see if Tomcat\u2019s front page shows up. \u00a0Since we are using a self-signed certificate, your browser may complain about the certificate being not secure. \u00a0Accept the certificate so your browser can display the page.<\/p>\n

3.2 Configure Tomcat to redirect HTTP to HTTPS<\/h3>\n

However, so far, Tomcat still supports HTTP (default port is 8443, but it may have been changed in your situation). \u00a0It would be desirable to automatically redirect any requests to the HTTP over to the HTTPS. \u00a0The first thing to do is edit CATALINA_HOME\/conf\/server.xml again, and this time, locate the Connector configuration for HTTP, and modify it so that the \u201credirectPort\u201d attribute points to the HTTPS port (8443 by default).<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/td>\n
\n
\n
<<\/code>Connector<\/code> port<\/code>=<\/code>\"8080\"<\/code> protocol<\/code>=<\/code>\"HTTP\/1.1\"<\/code><\/div>\n
\u00a0<\/code>connectionTimeout<\/code>=<\/code>\"20000\"<\/code><\/div>\n
\u00a0<\/code>redirectPort<\/code>=<\/code>\"8443\"<\/code> \/><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Now save server.xml, and edit web.xml, and add the following block to the end of the file, just before the <\/web-app> tag (in other words, the security-constraint section must be added AFTER the servlet-mapping sections:<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n<\/td>\n
\n
\n
<<\/code>web-app<\/code> ...><\/code><\/div>\n
<\/div>\n
...<\/code><\/div>\n
<\/div>\n
\u00a0\u00a0<\/code><<\/code>security-constraint<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><<\/code>web-resource-collection<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><<\/code>web-resource-name<\/code>>All Apps<\/<\/code>web-resource-name<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><<\/code>url-pattern<\/code>>\/*<\/<\/code>url-pattern<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><\/<\/code>web-resource-collection<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><<\/code>user-data-constraint<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code><<\/code>transport-guarantee<\/code>>CONFIDENTIAL<\/<\/code>transport-guarantee<\/code>><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><\/<\/code>user-data-constraint<\/code>><\/code><\/div>\n
\u00a0\u00a0<\/code><\/<\/code>security-constraint<\/code>><\/code><\/div>\n
<\/<\/code>web-app<\/code>><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Save this file, restart Tomcat again. This time, open a browser and enter the URL to the normal HTTP port, and see if Tomcat redirects to the HTTPS port.<\/p>\n

Part 4. Create a test Java client to talk to Tomcat over SSL<\/h2>\n

Since we created our own self-signed certificate, if we just use a Java HttpsURLConnection client trying to connect to the Tomcat over SSL, it will not honor the certificate and throw an exception like the following:<\/p>\n","protected":false},"excerpt":{"rendered":"

Creating a self-signed certificate to test Tomcat https is easy, and this article gives you the step-by-step instructions on the following parts: 1. Create a self-signed host certificate using openSSL 2. Create a PKCS12 keystore…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-530","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=530"}],"version-history":[{"count":1,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/530\/revisions"}],"predecessor-version":[{"id":531,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/530\/revisions\/531"}],"wp:attachment":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}