Both...
Either....
If you pickup a book on J2EE security, you will find sections on
"declarative security" and "programmatic security".
Setting up an SSL certificate is done completely at the container level.
You can specify which components must go through SSL in your deployment descriptor.
As James said, it's a very broad topic.
If you're serious about it, get a book.
"Mastering Tomcat" by Wiley Press has a good introduction to security.
A lot of what it covers applies to J2EE in general, not just
Tomcat.