By: Reema sen
If you’re using Java 1.4, or Java 5 Standard Edition, Java Secure Socket Extension (JSSE) has been integrated into its core, so no additional download is needed.
Note: More information about JSSE can be found at http://java.sun.com/products/jsse/.
Create a certificate keystore by executing the following command:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Specify a password value of changeit. This process should resemble the session shown in the figure below.
Figure: The output of the keytool program when creating a certificate keystore for Tomcat
The keytool application will prompt you for information such as first and last name, city, state, and so on. We’ve used localhost as the first and last name values, because this is the value matched by your browser when verifying authenticity of the certificate. It actually shows up as the certification path in the resulting certificate. For testing purposes, you can accept the default values for most of the other prompts. When the tool prompts you to verify the data, type yes and press Enter. Finally, press Enter to accept the keystore password as the user password.
This is still not a valid certificate because you’re generating it yourself. To get a valid certificate, you must purchase one from a certificate authority (CA) such as VeriSign. In this example, using localhost will result in one less warning in the user’s browser.
Now, edit %TOMCAT_HOME%/conf/server.xml and remove the comments around the SSL HTTP/1.1 Connector entry. After you’ve set this up, you should be able to access Tomcat by using https://localhost:8443. Don’t forget the s after http. The port has to be specified because it isn’t the default port for HTTPS (port 443).
Tomcat expects the .keystore file that was created by keytool to be in a particular location (the user’s home directory). If you are having trouble accessing Tomcat over SSL (particularly if the error log has messages about not being able to access the .keystore file), you can tell Tomcat where the .keystore file is by adding this attribute to the SSL <Connector> element of server.xml:
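The keytool steps above done non-interactively, as an added example that is not code from the original article: -dname replaces the interactive prompts and pins the common name to the host name, and the helper functions confirm the alias and CN before you edit server.xml. It assumes keytool is on the PATH, uses the changeit password from the text, and the final curl check assumes the connector on port 8443 is already enabled.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes keytool is on PATH;
# the keystore path and the "changeit" password are the article's defaults.

KEYSTORE="${KEYSTORE:-$HOME/.keystore}"   # where Tomcat looks unless told otherwise
STOREPASS="${STOREPASS:-changeit}"

# make_keystore <alias> <cn>: create a self-signed RSA key pair.
# -dname replaces the prompts; CN must equal the host name typed into the
# browser, otherwise the "name does not match" alert appears.
make_keystore() {
  ks_alias="$1"; cn="$2"
  keytool -genkey -alias "$ks_alias" -keyalg RSA -keysize 2048 \
    -dname "CN=$cn, OU=Test, O=Test, L=Test, ST=Test, C=US" \
    -validity 365 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# keystore_has_alias <alias>: exit status 0 if the alias exists in the keystore.
keystore_has_alias() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# cert_cn <alias>: print the CN from the certificate's Owner line, so a script
# can check it against the host name before the connector is enabled.
cert_cn() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" \
    | sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' | head -n 1
}

# export_cert <alias> <file>: export the self-signed certificate in PEM form so a
# test client can trust exactly this certificate instead of clicking through the alert.
export_cert() {
  keytool -export -alias "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -rfc -file "$2"
}

if [ "${1:-}" = "--run" ]; then
  make_keystore tomcat localhost
  echo "CN in keystore: $(cert_cn tomcat)"
  export_cert tomcat tomcat.pem
  # With the SSL connector enabled on 8443, verify the chain against the exported cert:
  curl --cacert tomcat.pem https://localhost:8443/ -o /dev/null -w '%{http_code}\n'
fi
```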
If you don’t want to specify your port numbers on your URLs when using Tomcat, you can easily change them in the server.xml file. When accessing Tomcat for the first time on its SSL port, you should be prompted with a security alert (see Figure below).
Figure: When accessing a secure site over SSL by using a certificate that was created by someone other than a CA, the browser will display a security alert informing you of that fact.
If you use your real name rather than localhost when generating this certificate, the security alert will warn you that the certificate’s name doesn’t match the name of the page you’re trying to view (see Figure below).
Figure: If the name on the certificate has a problem, the security alert will also display
One thing you’ll probably notice after setting this up is that your browser warns you about the certificate. This is because the issuer of the certificate is unknown (you) and the browser doesn’t recognize you as a CA. CAs, such as VeriSign (http://www.verisign.com), Thawte (http://thawte.com), and TC TrustCenter (http://www.trustcenter.de/set_en.htm), are trusted organizations that verify and certify that a server is who it says it is. Also, you can obtain client certificates if you want to set up both client and server certificates. This may be necessary in highly secure, top-secret, X Files–flavored applications, but it’s not necessary for most web applications.
One drawback to using SSL in a web application is that it tends to significantly decrease the throughput of the server. This is mainly due to the encryption and decryption process on each end of the connection. Therefore, we recommend that you use SSL only for the parts of your application that really need it—for instance, when a user logs in or when a user submits a credit card number.