Recipe 15.2 Setting Up SSL on Tomcat


Problem

You want to set up SSL on Tomcat so that you can transmit usernames and passwords in encrypted form.

Solution

Create a digital certificate for the Tomcat server using the $JAVA_HOME\bin\ keytool utility, then uncomment the SSL Connector element in conf/server.xml .

Discussion

When transferring usernames and passwords over HTTP, you should set up SSL on Tomcat or whichever application server you are using. This protocol ensures that the names and passwords are in encrypted form as they travel across the network, and thus protected from theft and malicious use by hackers and other intruders.

Setting up SSL on Tomcat 4 is a two-step process:

  1. Use the keytool utility to create a keystore file encapsulating a digital certificate used by the server for secure connections.

  2. Uncomment the SSL Connector element in Tomcat's conf/server.xml file, and alter its attributes if necessary.

The keytool utility is located in the bin subdirectory of the directory where you have installed the JSDK. The following command line creates a single self-signed digital certificate for the Tomcat server within a keystore file named .keystore . This file is created in the home directory of the user running the command.

 %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA 

The Unix version of this command is:

 $JAVA_HOME\bin\keytool -genkey -alias tomcat -keyalg RSA 

For this command to succeed, the JAVA_HOME environment variable must be set to the directory where the Java 2 SDK is installed, such as h:\j2sdk1.4.1_01 .


Example 15-2 shows the console output resulting from executing the keytool command. The keytool will request some information about you and your organization, but you can accept the default values by pressing Enter. This information is incorporated into the server's certificate and presented to the user (via her web browser) when she requests any components with a URL that starts with https :// .

In setting up SSL for Tomcat, you must use the same password for both the keystore and the certificate that is stored in the keystore .

The default password used in Tomcat is "changeit": http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html.


Example 15-2. The console output resulting from using the keytool utility
 Enter keystore password:  changeit What is your first and last name?   [Unknown]:  Bruce Perry What is the name of your organizational unit?   [Unknown]: What is the name of your organization?   [Unknown]: What is the name of your City or Locality?   [Unknown]: What is the name of your State or Province?   [Unknown]: What is the two-letter country code for this unit?   [Unknown]: Is CN=Bruce Perry, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?   [no]:  yes Enter key password for <tomcat>         (RETURN if same as keystore password): 

Finally, uncomment the SSL Connector element in the conf/server.xml file (shown in Figure 15-3) by removing the comment characters around it ( <!-- --> ). Then restart Tomcat.

Example 15-3. The Connector element inside server.xml
 <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> <Connector className=   "org.apache.coyote.tomcat4.CoyoteConnector" port=    "8443" minProcessors="5" maxProcessors="75" enableLookups=    "true" acceptCount="100" debug="0" scheme="https" secure="true"     useURIValidationHack="false" disableUploadTimeout="true">       <Factory className=       "org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth=        "false" protocol="TLS" /> </Connector> 

The Connector uses a different port number (8443) than that used by insecure HTTP connections (in Tomcat, it's usually 8080). After you have restarted Tomcat, you can now make a secure connection to a web component in the home application with a URL that looks like this:

 https://localhost:8443/home/sqlJsp.jsp 

Don't forget the https (as opposed to http ) part in setting up these web links!


See Also

The Tomcat documentation on setting up SSL for use with authentication: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html; Recipe 15.1 on creating usernames and passwords in Tomcat; Recipe 15.3 on using BASIC authentication; Recipe 15.4 on using form-based authentication; Recipe 15.5 on logging out a user; Recipe 15.6-Recipe 15.9 on using the JAAS.



Java Servlet & JSP Cookbook
Java Servlet & JSP Cookbook
ISBN: 0596005725
EAN: 2147483647
Year: 2004
Pages: 326

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net