How to Implement SSL in Apache Tomcat (An In-Depth Guide)

Securing web applications with SSL/TLS certificates is one of the most crucial steps any developer or admin can take to protect sensitive user data. Apache Tomcat powers some of the most widely used Java web apps from companies like Netflix, AT&T, and Spotify, making it a prime target for hackers. That's why learning how to properly configure SSL in Tomcat is so important.

In this comprehensive 3000+ word guide, I'll cover everything you need to know as a budding geek or seasoned Tomcat veteran to enable bulletproof SSL support. Follow along as we:

  • Dive into the nitty-gritty on how SSL/TLS works to encrypt your data
  • Generate a Certificate Signing Request using Java's handy keytool
  • Submit the CSR and obtain a signed certificate from a Certificate Authority
  • Import and configure the SSL certificates in Tomcat's keystore
  • Modify Tomcat's connector to enable encryption and specify the keystore
  • Switch to using the standard HTTPS port 443
  • Test the implementation for vulnerabilities using SSL Labs
  • Bonus pro-tips for performance, troubleshooting, and additional hardening steps!

So brew a fresh cup of coffee, cozy up to your laptop, and let's get securing!

Why Bother with SSL Encryption?

Before we dig into how to configure SSL in Tomcat, it's important to understand what exactly SSL/TLS is and why it matters when securing web applications.

SSL stands for Secure Sockets Layer, which was the predecessor to TLS – Transport Layer Security. Both SSL and TLS provide encryption between a client (like your web browser) and a server (like Apache Tomcat).

This encryption prevents hackers from intercepting or modifying data during transmission over the internet. Without it, all data is sent in plain unencrypted text. All someone needs is access to the network traffic to easily read sensitive information like passwords, credit cards, chat messages, and more. No bueno!

According to Cloudflare, over 80% of web traffic is now encrypted with SSL/TLS. Enabling it in your web apps is crucial for any company handling user accounts, transactions, or personal data. Honestly, there's no good reason not to use encryption nowadays.

Some key benefits of SSL include:

  • Data confidentiality – Encryption prevents prying eyes from reading traffic
  • Data integrity – Any changes made over the wire are detected
  • User trust – The little padlock inspires confidence in your website
  • SEO benefits – Google boosts HTTPS sites in search rankings
  • Compliance – PCI and regulations often require encryption

Now that you see the immense value and importance of SSL, let's get it configured properly in Apache Tomcat!

Generating a Certificate Signing Request (CSR)

The first step to enabling SSL is obtaining an SSL certificate for your domain, such as example.com. This certificate proves your site's identity and allows encrypting traffic with the public/private keys it contains.

Paid certificates must be signed by a trusted Certificate Authority (CA) like DigiCert or Let's Encrypt. The CA will only sign your certificate after validating you actually own the domain.

To kick off the validation process, you first need to generate a Certificate Signing Request (CSR). Think of this like an SSL certificate application. It contains your public key and domain information to be signed.

On the server running Tomcat, use Java's keytool command to generate the CSR:

$ mkdir /opt/tomcat/ssl
$ cd /opt/tomcat/ssl
# create the keystore with a fresh 2048-bit RSA key pair under the alias example.com
# (keytool prompts for the distinguished name and the keystore/key passwords)
$ keytool -genkeypair -alias example.com -keyalg RSA -keysize 2048 -keystore example.jks
# write a CSR for that key pair to example.csr
$ keytool -certreq -alias example.com -file example.csr -keystore example.jks

Let's break down what's happening:

  • A new keystore file example.jks is created to hold certificates
  • A public/private key pair is generated for the domain
  • The -keysize 2048 makes a secure 2048-bit key
  • An example.csr file containing the public key is derived from the key pair

The CSR file can then be submitted to the Certificate Authority to sign and validate ownership of the example.com domain.

Once approved, you'll receive three files from the CA:

  • Certificate – The SSL cert for your domain
  • Root CA certificate – The root CA's self-signed certificate
  • Intermediate CA cert – Any intermediate CA certificates in the chain

This full certificate chain needs to be imported into the keystore, which we'll cover next.

Importing Signed Certificate into Keystore

After obtaining the signed certificate from the CA, we need to install it along with the chain of trust.

The root and intermediate CA certificates establish trust in the domain certificate. Without them, browsers won't trust the certificate.

Use keytool to import the certificates into the keystore:

# import the chain first, root then intermediate, so the leaf certificate can be validated
$ keytool -importcert -alias root -file rootCA.crt -keystore example.jks
$ keytool -importcert -alias intermed -file interCA.crt -keystore example.jks
# the signed certificate must use the same alias as the key pair it belongs to
$ keytool -importcert -alias example.com -file example.crt -keystore example.jks

With the full chain of trust imported, the keystore is ready for use in Tomcat. It is worth verifying this by listing the keystore with keytool in verbose mode: the example.com entry should be a PrivateKeyEntry with a certificate chain length of 3, not a TrustedCertEntry, otherwise the signed certificate was not attached to the private key.

As a side note, you could also generate a self-signed certificate for testing purposes. However, web browsers will show scary warnings for self-signed certs since they are not trusted by any CA. I recommend using a free certificate from a trusted CA like Let's Encrypt instead.

Configuring Tomcat server.xml for SSL

Armed with an SSL certificate, we now need to configure Tomcat to use it. This is done by editing Tomcat's server.xml config file.

Open up /opt/tomcat/conf/server.xml in your favorite text editor. Locate the main <Connector> element and add the following:

<!-- keep the connector's existing port and protocol attributes and add these -->
<Connector
   SSLEnabled="true"
   scheme="https"
   secure="true"
   keystoreFile="/opt/tomcat/ssl/example.jks"
   keystorePass="mypassword" />

This enables SSL and points Tomcat at the keystore file generated earlier. The keystorePass value must be the keystore password you chose when running keytool -genkeypair; if you gave the private key its own password, add a keyPass attribute with that value as well. Because the password sits in clear text in server.xml, make sure the file is readable only by the account Tomcat runs as.

Some additional recommendations and notes:

  • Set sslEnabledProtocols="TLSv1.2,TLSv1.3" to only allow modern TLS 1.2+ (the protocol attribute names the connector implementation, not the TLS version)
  • Tweak the ciphers attribute to enable only strong ones
  • Set clientAuth="want" to request (but not require) a client certificate for mutual authentication
  • You can also set SSL session properties like sessionTimeout
  • Refer to the Tomcat docs for more

Save the updated server.xml file and restart Tomcat for settings to take effect.
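As an added example (not code from the original guide), the following Python script encodes the recommendations above as an offline audit of server.xml, so the settings can be checked before the restart. The sample server.xml, the weak-password list and the finding texts are constructed for the example.

```python
"""Audit the SSL attributes of Tomcat <Connector> elements in server.xml.

Added example: it turns the guide's recommendations into checks. SAMPLE is a
constructed server.xml with one plaintext, one weak and one hardened connector.
"""
import xml.etree.ElementTree as ET

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_PASSWORDS = {"changeit", "mypassword", "password", ""}  # constructed list

def audit_connector(c):
    """Return a list of findings for one <Connector> element."""
    a = c.attrib
    findings = []
    if a.get("SSLEnabled", "false").lower() != "true":
        return ["SSLEnabled is not true: plaintext connector"]
    if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
        findings.append("scheme/secure not set: apps may build http:// URLs")
    # 'protocol' names the connector implementation, never the TLS version
    if a.get("protocol", "").upper().startswith(("TLS", "SSL")):
        findings.append("protocol=%r is not a TLS version; use sslEnabledProtocols" % a["protocol"])
    enabled = {p.strip() for p in a.get("sslEnabledProtocols", "").split(",") if p.strip()}
    if not enabled:
        findings.append("sslEnabledProtocols unset: JVM defaults decide the TLS versions")
    elif enabled & LEGACY:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(enabled & LEGACY)))
    if not a.get("keystoreFile"):
        findings.append("keystoreFile missing")
    if a.get("keystorePass", "") in DEFAULT_PASSWORDS:
        findings.append("keystorePass is empty or a well-known default")
    if not a.get("ciphers"):
        findings.append("ciphers unset: Tomcat/JVM defaults decide the cipher list")
    return findings

def audit_server_xml(xml_text):
    """Map each connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): audit_connector(c) for c in root.iter("Connector")}

SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
     protocol="TLSv1.2"
     keystoreFile="/opt/tomcat/ssl/example.jks" keystorePass="mypassword" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
     SSLEnabled="true" scheme="https" secure="true"
     sslEnabledProtocols="TLSv1.2,TLSv1.3"
     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
     keystoreFile="/opt/tomcat/ssl/example.jks" keystorePass="s3cret-keystore-pw" />
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE).items():
        print(port, findings or ["OK"])
```

Point audit_server_xml() at the contents of /opt/tomcat/conf/server.xml to run it against a real installation.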

Switch Tomcat to Standard HTTPS Port 443

By default, Tomcat accepts connections on port 8080. To access our newly configured SSL encryption, we need to switch to the standard HTTPS port 443.

Again edit server.xml and modify the connector's port attribute:

<Connector port="443" ... />

This makes Tomcat listen for SSL requests on port 443 rather than 8080.

Restart Tomcat again for the new port to be active. Note that on Linux, binding a port below 1024 requires root privileges or the CAP_NET_BIND_SERVICE capability for the Tomcat user, so a Tomcat running as an unprivileged account will fail to start until that is granted (or a front-end proxy forwards 443 to it). Now you should be able to access the website at https://example.com directly!

Validate SSL Configuration using SSL Labs

As a final step, validate that the SSL implementation meets modern standards using the excellent SSL Labs Server Test.

This free tool performs a deep analysis of the SSL certificate, protocol support, cipher suites, and vulnerabilities. It then assigns an overall letter grade from A+ to F.

For optimal security, you want to achieve an A+ on the SSL Labs test. Anything less means there are vulnerabilities or weak configurations present.

Common things to tweak based on the report:

  • Enable HTTP Strict Transport Security (HSTS)
  • Only allow strong cipher suites like AES-256 and ECDHE
  • Disable TLS versions less than 1.2
  • Configure OCSP stapling for fast revocation checking

I recommend continuously testing and optimizing your SSL configuration as threats evolve. Refer to the SSL Labs grading guide for improving your score.
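As an added example (not part of the original guide or of SSL Labs), this Python script runs a quick version of the same check from the command line: it connects to the host, records the negotiated protocol, cipher, certificate expiry and HSTS header, and grades them against the list above. The host name example.com is a placeholder; probe() needs network access, while assess() works offline on the recorded observations.

```python
"""Quick post-deployment TLS check in the spirit of the SSL Labs list above.

Added example, not part of the original guide or of SSL Labs. probe() needs
network access to the host; assess() works offline on its observations.
"""
import http.client
import ssl
import time

STRONG_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT")

def probe(host, port=443, timeout=5):
    """Connect like a browser would (chain and hostname verified) and record
    what was negotiated. Returns a dict consumed by assess()."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.connect()                      # the TLS handshake happens here
    sock = conn.sock
    cert = sock.getpeercert()           # parsed leaf certificate
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)
    obs = {"protocol": sock.version(), "cipher": sock.cipher()[0], "days_left": days_left}
    conn.request("HEAD", "/")
    obs["hsts"] = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return obs

def assess(obs):
    """Return findings for one observation dict; an empty list passes the checklist."""
    findings = []
    proto, cipher = obs["protocol"], obs["cipher"]
    if proto not in STRONG_VERSIONS:
        findings.append("negotiated %s; only TLS 1.2+ should be offered" % proto)
    # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 require ECDHE
    if proto != "TLSv1.3" and not cipher.startswith("ECDHE"):
        findings.append("cipher %s lacks forward secrecy (no ECDHE key exchange)" % cipher)
    if any(m in cipher for m in WEAK_MARKERS):
        findings.append("weak cipher suite %s" % cipher)
    if obs["days_left"] < 30:
        findings.append("certificate expires in %d days; renew now" % obs["days_left"])
    if not obs["hsts"]:
        findings.append("no Strict-Transport-Security header; HSTS is not enabled")
    return findings

if __name__ == "__main__":
    # example.com is a placeholder for your own Tomcat host
    observations = probe("example.com")
    print(observations)
    print(assess(observations) or ["all checks passed"])
```

A single connection only shows what this client negotiated; SSL Labs additionally probes every protocol version and suite the server accepts, so keep using it for the full picture.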

Closing Thoughts

Congratulations friend! At this point you've enabled robust SSL encryption within Tomcat to securely serve your web applications.

We covered a ton of ground around certificates, keys, CSRs, CAs, ciphers, ports, and more! With your new SSL skills, you can launch a hardened Tomcat instance safe from data theft.

Of course, encryption is just one piece of the security puzzle. Be sure to also follow best practices like:

  • Disabling unnecessary connectors
  • Removing sample apps
  • Restricting web folder permissions
  • Logging and monitoring all activity
  • Updating Tomcat and Java regularly
  • And much more!

For additional tips on securing your Java environments, check out my article on 10 Ways to Harden Tomcat. Drop any other questions below!

Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.