Enabling SSL on Tomcat 9

 
Greenhorn
Posts: 4
There are a few questions I have regarding setting up SSL on Tomcat 9 as some of the things I've read have some inconsistencies and I'm also new to PKI. Ultimately, there are two things I'm trying to accomplish: enable SSL on Tomcat 9 for a secure websocket on a webserver and also locally for testing.

Tomcat Configuration

In server.xml, it already has a Connector commented out for SSL which looks like this



On the Tomcat's "how-to", and every other article, the Connector looks like this



I'm not sure which configuration to use, or even if there is a different protocol I should use. Also it seems that the connector is the only Tomcat configuration necessary, but let me know if I'm wrong.

Keystore

The webserver already uses SSL for HTTPS on Apache. Since it would be the same domain, would it be an issue to use the same certificate for Tomcat/WSS too? If not, Apache uses a domain.crt, domain.key, My_CA_Bundle.ca-bundle, and ca-bundle.crt.

For the local installation, I used mkcert to create a certificate for localhost which produced localhost.pem and localhost-key.pem.

Again, I'm new to PKI. I'm not sure if I need to use a Java Keystore file, if it can use a different file type, etc. Any help would be greatly appreciated.
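The keystore question above, worked through as an added example (not code from the thread, from Tomcat, or from mkcert): the Apache-style PEM files are bundled into a PKCS12 keystore with openssl, the result is checked before Tomcat is pointed at it, and the matching Tomcat 9 Connector is printed. Tomcat 9 can also reference PEM files directly through the Certificate element's certificateFile/certificateKeyFile attributes, but a PKCS12 keystore is the format every Java tool handles the same way. The sample certificate is a constructed self-signed one standing in for domain.crt/domain.key; the password "changeit", the alias "tomcat" and port 8443 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Bundles an
# Apache-style PEM certificate, key and CA bundle (domain.crt, domain.key,
# My_CA_Bundle.ca-bundle in the question) into a PKCS12 keystore, verifies it,
# and prints the Tomcat 9 Connector that loads it. The keystore password
# "changeit" and alias "tomcat" are assumptions; change them for real use.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the CA-issued files: a throwaway self-signed
# certificate for localhost (the same shape mkcert produces). With a
# self-signed cert the "CA bundle" is the certificate itself.
make_sample_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/domain.key" -out "$WORK/domain.crt" >/dev/null 2>&1
    cp "$WORK/domain.crt" "$WORK/My_CA_Bundle.ca-bundle"
}

# pem_to_pkcs12 KEY CERT CHAIN OUT: one PKCS12 file holding the private key,
# the leaf certificate and the intermediate chain under alias "tomcat".
# Pass an empty CHAIN for mkcert's localhost-key.pem / localhost.pem pair.
pem_to_pkcs12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -passout pass:changeit -out "$out"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -passout pass:changeit -out "$out"
    fi
}

# Sanity check before pointing Tomcat at the file: the keystore must open
# with the password and contain exactly one private key. The key is only
# streamed through the pipe for counting, never written to disk.
count_private_keys() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
        | grep -c "BEGIN PRIVATE KEY"
}

# server.xml fragment for Tomcat 9: JSSE connector on 8443, TLS 1.2/1.3 only,
# reading the keystore built above. Attribute names follow the Tomcat 9
# SSLHostConfig documentation; the keystore path is the first argument.
print_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="$1"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}

# Run end to end on the constructed files.
main() {
    make_sample_pem
    pem_to_pkcs12 "$WORK/domain.key" "$WORK/domain.crt" \
        "$WORK/My_CA_Bundle.ca-bundle" "$WORK/tomcat.p12"
    echo "private keys in keystore: $(count_private_keys "$WORK/tomcat.p12")"
    print_connector "$WORK/tomcat.p12"
}

main "$@"
```

For the real server, replace make_sample_pem with the existing domain.key, domain.crt and My_CA_Bundle.ca-bundle; for the mkcert pair call pem_to_pkcs12 with an empty chain argument. Keep the .p12 readable only by the account Tomcat runs as, and do not reuse "changeit" outside a test box.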
 
Saloon Keeper
Posts: 23409
If you are already running Apache, I'd suggest avoiding SSL on Tomcat. Use Apache as a reverse proxy to Tomcat, instead, using mod_proxy or mod_jk with the Coyote Apache-to-Tomcat connector (port 8009).

There are several reasons why this is better:

1. You don't have to run Tomcat as an admin user to allow it to use ports 80 and 443 - Apache does the listening for you. Much more secure that way.

2. It's easier to set up SSL for Apache than for Tomcat. Plus, Tomcat doesn't take Apache-format certs, so if your certfiles and keyfiles were issued for Apache, you'd have to convert them for Tomcat.

3. You can run all your webapps through the Apache server, both JEE and non-JEE (for example, PHP apps).

Basically, the world-to-Apache link is SSL, then the Apache proxy feeds to Tomcat via a private internal channel. The Tomcat server can be on the same machine as Apache or on a different machine, or you can run multiple Tomcats with Apache doing load-balancing.

So I recommend this approach instead. I use Nginx myself these days, fronting Tomcat, backend Apache servers in containers, NodeJS and whatever else needs a web interface.
 
Tim Holloway
Saloon Keeper
Posts: 23409
And welcome to the Ranch!
 
Ryan Medina
Greenhorn
Posts: 4

Tim Holloway wrote: If you are already running Apache, I'd suggest avoiding SSL on Tomcat. Use Apache as a reverse proxy to Tomcat, instead, using mod_proxy or mod_jk with the Coyote Apache-to-Tomcat connector (port 8009).

There are several reasons why this is better:

1. You don't have to run Tomcat as an admin user to allow it to use ports 80 and 443 - Apache does the listening for you. Much more secure that way.

2. It's easier to set up SSL for Apache than for Tomcat. Plus, Tomcat doesn't take Apache-format certs, so if your certfiles and keyfiles were issued for Apache, you'd have to convert them for Tomcat.

3. You can run all your webapps through the Apache server, both JEE and non-JEE (for example, PHP apps).

Basically, the world-to-Apache link is SSL, then the Apache proxy feeds to Tomcat via a private internal channel. The Tomcat server can be on the same machine as Apache or on a different machine, or you can run multiple Tomcats with Apache doing load-balancing.

So I recommend this approach instead. I use Nginx myself these days, fronting Tomcat, backend Apache servers in containers, NodeJS and whatever else needs a web interface.


You're right, that does sound like a better approach. I didn't think about doing it that way. When doing it that way, how does Tomcat need to be configured? Everything I found pretty much only showed the configuration for Apache. For example, does Tomcat still need to be configured to listen to a specific port or does Apache have a way to directly service the requests to Tomcat?
 
Tim Holloway
Saloon Keeper
Posts: 23409
The Coyote connector proxies from Apache to Tomcat's port 8009. That's already set up and running in the standard Tomcat distribution, so the only work you need to do is on the Apache side. Your proxy configuration might take a URL such as https://payroll.foo.com and proxy it to localhost:8009/payroll_app.
 
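The Apache-to-Tomcat proxy described in the replies above, as an added example that is not code from the thread, from Tomcat or from httpd. In Tomcat 9.0.31 and later the AJP connector ships commented out in server.xml, binds to localhost and has secretRequired defaulting to true, so it has to be enabled deliberately and the same secret configured on the Apache side. The script checks a connector line against those three properties (a weak and a hardened sample line are constructed here) and prints the matching mod_proxy_ajp vhost; the hostname payroll.foo.com and context /payroll_app follow Tim's example, the certificate paths follow the question, and the secret value is a labelled placeholder.

```shell
#!/bin/sh
# Added example (not part of the thread). Checks whether a Tomcat 9 AJP
# connector line is safe to put behind an Apache proxy and emits the matching
# mod_proxy_ajp directives. Since Tomcat 9.0.31 the AJP connector ships
# commented out, binds to localhost and refuses connections without a shared
# secret (secretRequired="true" by default); a proxy setup should keep those
# defaults rather than disable them.
set -eu

# Constructed sample connector lines. The first is the older style that
# listens on every interface with no secret; the second is what a
# reverse-proxy deployment should look like. REPLACE_WITH_RANDOM_SECRET is a
# placeholder, not a real value.
WEAK_AJP='<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
HARDENED_AJP='<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" redirectPort="8443" />'

# check_ajp_connector LINE: returns 0 when the connector is bound to loopback,
# carries a secret and does not switch secretRequired off; otherwise prints
# each failed check and returns 1.
check_ajp_connector() {
    line="$1"
    ok=0
    case "$line" in
        *'address="127.0.0.1"'*|*'address="::1"'*) ;;
        *) echo "AJP connector is not bound to loopback"; ok=1 ;;
    esac
    case "$line" in
        *'secret="'*) ;;
        *) echo "AJP connector has no secret"; ok=1 ;;
    esac
    case "$line" in
        *'secretRequired="false"'*) echo "secretRequired is disabled"; ok=1 ;;
    esac
    return $ok
}

# ajp_secret LINE: extract the secret attribute so the Apache side is generated
# from the same value and the two sides never drift apart.
ajp_secret() {
    printf '%s\n' "$1" | sed -n 's/.*secret="\([^"]*\)".*/\1/p'
}

# print_apache_vhost LINE: httpd vhost fragment (mod_ssl + mod_proxy_ajp; the
# secret= parameter on ProxyPass needs httpd 2.4.42 or later). TLS terminates
# here with the existing Apache certificate files; Tomcat only ever sees
# loopback AJP traffic.
print_apache_vhost() {
    secret="$(ajp_secret "$1")"
    cat <<EOF
<VirtualHost *:443>
    ServerName payroll.foo.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/domain.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain.key
    SSLCertificateChainFile /etc/ssl/certs/My_CA_Bundle.ca-bundle
    ProxyPreserveHost On
    ProxyPass        "/payroll_app" "ajp://127.0.0.1:8009/payroll_app" secret=$secret
    ProxyPassReverse "/payroll_app" "ajp://127.0.0.1:8009/payroll_app"
</VirtualHost>
EOF
}

# Demonstration on the constructed lines: the weak connector is rejected, the
# hardened one passes and drives the Apache configuration.
main() {
    echo "== weak connector =="
    check_ajp_connector "$WEAK_AJP" || echo "rejected"
    echo "== hardened connector =="
    check_ajp_connector "$HARDENED_AJP" && print_apache_vhost "$HARDENED_AJP"
}

main "$@"
```

Generate the real secret once (for example with openssl rand -hex 32), put it in the Tomcat Connector's secret attribute and the ProxyPass secret= parameter, and keep both files readable only by their service accounts. Tomcat itself then needs no SSL Connector at all: only the AJP connector is uncommented, and the HTTP connector on 8080 can be bound to 127.0.0.1 or removed.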