- Liferay Tomcat HTTPs Configuration. Keystore and SSLCertificateFile Approaches. This article explains how to configure HTTPs/SSL for Liferay bundled with Tomcat, using two different approaches.
- ### SSL Part 1: Creating Java SSL KeyStore (JKS) This is part one of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. I'll take you through creating a new Java KeyStore (JKS), submitting a Certificate Signing Request (CSR), and finally, importing the singed certificate into your KeyStore.
Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR. Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.
Installing SSL Certificate Chain (Root, Intermediate(s) and the End Entity)
1. Import Root Certificate
-> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore
2. Import Intermediate(s)
-> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore
Tomcat Keystore List
Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numberical order until you get to the domain/end entity certificate.
In order to determine which chain of trust you have, please follow the article title Which is Root? Which is Intermediate?
Example:UTNAddTrustSGCCA.crt would become to UTNAddTrustSGCCA.
For more information on
3. Import Entity/Domain certificate
-> keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore
You should receive a message: Certificate reply was installed in keystore if successful. It should NOT match the output of Step 1 or 2 above.
Note: If an alias was specified upon creation of the CSR then please use that alias instead of mykey.
4. Restart the Web Server Service.
Note: Tomcat will first need an SSL Connector configured before it can accept secure connections. Please ensure this is set BEFORE the server is restarted.
Tomcat SSL Connector
* CSR Generation: Java-based Webservers (using keytool)
* Which is Root? Which is Intermediate?
Tomcat Keystore File
* Tomcat SSL Connector
In this tutorial, you will learn how to deploy your Java Webapps on Tomcat with Docker.
Apache provides a large list of Docker images for running Tomcat as a container. In fact, there likely more Tomcat images than most any project hosted on Docker Hub. The caveat is they all run OpenJDK. While OpenJDK has come along ways since its inception, there are still some differences between it and Java JDK.
Your first step in running your web application with Tomcat in Docker is to build an Docker image for your app. We will cover two methods for building your image:
- Adding artifacts from a previous Java build to the Tomcat base image.
- Using Multistage builds to compile your Java Webapp and building a final, slim image based off of the Tomcat base image.
tomcat-users.xmlshould be added.
A single stage Docker build is a basic build, and is the most commonly used method. With this approach it is expected that you already have all of the artifacts required, and that you are adding these artifacts to your image.
A multistage build is a very handy way of compiling your application in a temporary container image, and then copying the artifacts into a final image. The benefit is all of our source files, build tools, and other dependencies do not become part of our final image, thus, minizing the final image size and security footprint.
In the example below, we are using the community supported OpenJDK image as our build base. Within this first stage of our dockerfile we are compiling our Java Webapp.
In the second stage we are using an official Tomcat image as our base. Artifacts generated during our build stage are then copied over to the final stage, and placed in Tomcat’s base directory. Also as part of our Docker build, we are adding a
tomcat-users.xml to configure users permissions.
To build the image, run the
docker build command and tag your image.
Test the newly created Docker image by running it using the
docker run command.
If the container started correctly and Tomcat also started successfully, you should be able to access it by going to the following URL in your web browser.
Running Your Tomcat Container
When running a Docker container it should be started as a daemon, which essential runs it as a background service. You will also need to map a local port to the container’s exposed port. By default, the Tomcat image listens on port 8080. However, in our example we will map port 80 from our local machine to the container’s port 8080.
To run the container as a daemon use the
-d flag, and to map local port 80 to the container’s port 8080 use the
The above command will start a container named
webap-1.0.0 using our
webapp:1.0.0 image. To verify the container started successfully and is running, use the
docker ps command.
For troubleshooting issues or monitoring application logs, use the
docker logs command.
Configuring SSLTLS for Tomcat
Enabling SSLTLS on Tomcat is a two-part process that is not simply by any means, unfortunately. You can thank Java for this.
The first step is to create a keystore that will hold your certificate files securely. Your files will be encrypted and protected by a password to prevent unauthorized access.
The second step is configure Tomcat to use your keystore and to enable SSLTLS. This second step is fairly messy and how you enable depends on a lot of factors.
Creating a Keystore
Step 1: Create the Keystore
You will need Java installed on your local machine, whether it’s the official JDK or OpenJDK. The following example creates a new keystore at the
./webapp.keystore with an alias of
webapp. You will be prompted to set a password for the keystore, and it is highly recommended that you do.
Step 2: Create a Certificate Signing Request (CSR)
If you do not already have a certificate and key file, you will need to generate a CSR. This CSR should then be submitted to a certificate authority of your choice, who will then supply you with a certificate file and key file to be used by your web application.
Step 3: Import the Certificate files
Once you have obtained the files from your certificate authority, it is time to import them into your keystore. The first file you will import is the root certificate, which should have been provided to you.
Second, you will import your certificate to ythe keystore.
You now have a keystore with the certificate that will be used to create secure TLSSSL connections to your web app. Next you will have to enable SSLTLS in Tomcat.
Enable TLSSSL in Tomcat is pretty messy, as result of how Java implemented it. We’re not going to cover this part in detail, since there are multiple ways of doing it depending on how you want to configure Tomcat.
The first step is to create a custom
server.xml file, which will be used to point to your keystore and enable SSLTLS. A good starting point is to copy the
server.xml file from the official Tomcat image.
To copy the
server.xml from the image to your local filesystem, use the
docker run command to start a new tomcat container, and then use
docker exec to copy the
server.xml file onto your local filesystem.
server.xml file will look like the following.
Next, follow instructions on how to configure the
server.xml file to use your keystore, its password, and enable SSLTLS. A great guide has bene published by Mulesoft.
Adding Keystore to Docker Image
It doesn’t matter where you place your keystore file, so long as Tomcat is able to access it. In our example below, we are placing the keystore in the root directory of our container. We are also copying our own custom
server.xml file into the Docker image, since Tomcat needs to know where your keystore is located and its password.
Tomcat Java Keystore Location
Build Tomcat Image with SSL
Tomcat Java Keystore Location Windows
The final step is to build your updated Docker image with the keystore and custom
server.xml file. We’re going to tag the example build with
webap:1.0.0-tls as a way to communicate that this version is TLS enabled. However, this is an arbritrary tag that’s only useful if you need to differentiate between multiple images.