Enabling TOMCAT to Handle Https Requests
A Brief Tutorial
Download pdf version from www.siddharthindia.com
In academic web-based projects we sometimes need secured transactions, so that nobody can see what passes between the client and the server. For this we need HTTPS instead of HTTP.
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of the Hypertext Transfer Protocol (HTTP). It allows secure e-commerce transactions, such as online banking; even Gmail now uses HTTPS. In the next few steps we will see how to enable the Tomcat server to handle HTTPS requests.
HTTP requests are generally associated with port number 8080, while HTTPS requests are by default associated with port number 8443. We can change the port numbers as desired, but these are the standard ones. First start the Tomcat server, then open any browser and type http://localhost:8080; you should see the Tomcat home page. Now try opening https://localhost:8443. If nothing happens, follow the steps below:
- Install the JDK and set the class path.
- Install the Apache Tomcat server (for this tutorial I have used Tomcat 5).
- Go to C:\Program Files\Java\jdk1.6.0_10\bin and check whether “keytool” exists. If it does not, your Java version is very old; install the latest JDK. If the class path is set properly you can run all the Java commands (javac, java, keytool, etc.) without any problem.
- Open the command prompt and change the directory to C:\ using cd\
- You will get a C: prompt like this: C:\>
- Now type the command: keytool -genkey -keyalg RSA -alias anand -keystore keystore.jks -storepass siddharth -validity 360
- Press Enter. RSA is the key algorithm; anand is the alias name for the certificate (you can provide any name here); keystore.jks is the name of the file in which our certificate will be stored, and its extension .jks means Java KeyStore; siddharth is the password; 360 is the certificate's lifetime in days, after which renewal is needed.
- After pressing Enter, a series of questions will be asked, as seen in figure 1 below. Finally you will be asked whether all the information is correct; type yes. A password will then be asked for again; press Enter if you want to use the same password.
- After this you will be back at the C:\> prompt. Now it's time to check what happened after doing all this.
- Type the following at the C:\> prompt, as shown in figure 2 below: keytool -list -v -keystore keystore.jks
- Enter the same password. All the certificates present in the Java keystore will now be displayed; right now there is only one. Everything we have done is stored in the file keystore.jks. Where is it? Any guess?
- Since everything we typed in the command prompt was typed at the C:\> prompt, the file keystore.jks was created in the root of the C: drive. Have a look at the keystore.jks file; you can see it in figure 3 below.
- The task of generating the certificate is now over; the next task is to configure Tomcat so that it uses the generated file.
- Go to C:\Program Files\Apache Software Foundation\Tomcat 5.0\conf
- Locate the file server.xml and open it in an editor such as EditPlus.
- Locate the commented-out code shown in figure 4 below.
- Uncomment this piece of code and add the following new attributes:
- SSLEnabled="true"
- keystoreFile="c:\keystore.jks"
- keystorePass="siddharth"
- The final code will look as shown in figure 5 below.
- Now save the file and restart the Tomcat server.
- Then open the browser, type https://localhost:8443 and hit Enter. In Google Chrome you will see the message shown in figure 6 below,
- and in Firefox the message shown in figure 7 below.
- Select “Proceed anyway” in Chrome and “I understand the risk” in Firefox. Firefox will also show the details of the certificate that we installed in Tomcat; it will look as shown in figure 8 below.
- Finally, the home page will be displayed. See figure 9 below.
- Task finished.
- Some important points:
- These certificates are self-signed.
- If we want to install genuine certificates for the server, we can buy them here: http://www.verisign.com/ssl/buy-ssl-certificates/
- For academic projects we can use self-signed certificates.
- If you send data using the GET method rather than POST, the parameters are easily visible whether it is HTTPS or HTTP. To avoid this you need to encrypt the URL parameters on the client side before sending them to the server. A ready-made encryption/decryption program in JavaScript and Java can be downloaded from the download section of my website www.siddharthindia.com
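For reference, the finished connector element that figure 5 shows, written out here as an added example (this is not the tutorial's own figure or Tomcat's shipped file). It assumes the keystore was created as c:\keystore.jks with the password siddharth as in the steps above; the attributes other than the three added above are the ones Tomcat 5.x ships in its commented-out example SSL connector.

```xml
<!-- Added example, not figure 5 from the tutorial. Assumed: keystore at
     c:\keystore.jks with password "siddharth", exactly as created in the
     keytool step above. The remaining attributes are those of the example
     SSL connector that Tomcat 5.x ships commented out in conf/server.xml. -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           SSLEnabled="true"
           keystoreFile="c:\keystore.jks"
           keystorePass="siddharth" />
```

Because keystorePass is stored in clear text in server.xml, restrict read access on both server.xml and keystore.jks to the account Tomcat runs under.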
Very nice and clear explanation, very helpful
If one doesn't understand by reading this, he cannot understand it from anywhere else.