In this blog post I am going to set up secure access to a web application running on Tomcat (on Windows 2012 R2) by using a certificate from an internal PKI.
I am going to use KeyStore Explorer 1.1 for creating and modifying the KeyStore. This GUI tool makes the job easier than the command line.
Use the Pastebin URL to copy and paste the code in the correct format.
If you encounter any issues, please check the following:
1. You need to sign the private key in your KeyStore with the certificate from your PKI.
Only adding the certificate to your KeyStore is not enough!
2. You need to point to the correct KeyStore file in Server.xml.
3. The keyAlias should point to the private key and not to the root, intermediate or PKI certificate (if added).
4. If you change the port number, make sure it is not in use by any other process on the system or by another connector port in the Tomcat configuration (Server.xml).
5. Check the catalina log in the Logs directory of Tomcat for more information if there are any errors.
6. If you receive the error "Connector attribute SSLCertificateFile must be defined when using SSL with APR" in Catalina.log, comment out line 27 in Server.xml. That line states:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
Redirect traffic from port 80 to 443
Now that the server is running on port 443, traffic coming in from port 80 should be redirected to port 443 to use HTTPS.
Open Server.xml from the Tomcat Conf directory and verify that the port 80 connector contains redirectPort="443":
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
Open Web.xml from the Conf folder and add:
Save the file and restart Tomcat.
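As an added example (not code from the original post), the following Python script reads a server.xml and reports the mistakes from the troubleshooting list above and from the redirect step: a keystoreFile that does not exist, a missing keyAlias, a port used by two connectors, an AprLifecycleListener with SSLEngine="on" next to a keystore-based connector, and a port 80 connector without redirectPort="443". The sample server.xml, its paths, alias and password are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml (paths, alias and password are assumptions); it
# deliberately repeats port 443 so that the duplicate-port check has something to find.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" keystoreFile="C:/Tomcat/conf/tomcat.keystore"
               keystorePass="changeit" keyAlias="tomcat" />
    <Connector port="443" protocol="AJP/1.3" />
  </Service>
</Server>"""

def check_server_xml(xml_text, keystore_exists=os.path.isfile):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    connectors = root.findall(".//Connector")
    # A port may be used by only one connector (and by nothing else on the host).
    ports = [c.get("port") for c in connectors]
    for port in sorted({p for p in ports if ports.count(p) > 1}):
        findings.append(f"port {port} is used by {ports.count(port)} connectors")
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    for c in ssl:
        # keystoreFile must point at the keystore holding the signed key; keyAlias names that entry.
        ks = c.get("keystoreFile")
        if not ks:
            findings.append(f"port {c.get('port')}: keystoreFile is not set")
        elif not keystore_exists(ks):
            findings.append(f"port {c.get('port')}: keystoreFile {ks} does not exist")
        if not c.get("keyAlias"):
            findings.append(f"port {c.get('port')}: keyAlias is not set")
    # The port 80 connector must hand HTTP clients over to 443.
    if not any(c.get("port") == "80" and c.get("redirectPort") == "443" for c in connectors):
        findings.append('no port 80 connector with redirectPort="443"')
    # APR with SSLEngine="on" next to a keystore-based connector is the combination
    # behind the "SSLCertificateFile must be defined" error from the list above.
    apr_on = any(lst.get("className", "").endswith("AprLifecycleListener")
                 and lst.get("SSLEngine", "").lower() == "on" for lst in root.findall("Listener"))
    if apr_on and any(c.get("keystoreFile") for c in ssl):
        findings.append('AprLifecycleListener has SSLEngine="on"; comment that Listener out')
    return findings

if __name__ == "__main__":  # treat the constructed keystore path as missing on this machine
    for finding in check_server_xml(SAMPLE_SERVER_XML, lambda path: False):
        print(finding)
```

Run it against your own file with `check_server_xml(open(r"C:\Tomcat\conf\server.xml").read())` (path assumed) and work through the findings before restarting Tomcat.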
Redirect the default homepage to the web application
Now that the web application is secured and port 80 is redirected to port 443, it is time to replace the default website.
Create a new HTML file with the content:
<meta http-equiv="refresh" content="0;URL=https://site/application">
Save the file in the Tomcat folder \webapps\ROOT\
Restart Tomcat; when opening http://server the user is now redirected to https://server/application.