At some point, you may wish to add SSL (https) security to your production Tomcat. If so, you will need to follow these high-level steps.
- Create Java Keystore
- From keystore, create “Certificate Signing Request (CSR)”
- Send CSR to a Certificate Authority (CA). This step requires a fee to the CA of your choosing.
- CA will send you various certificates.
- Combine certificates into keystore from Step 1.
- Install keystore into Tomcat
- Finalize Tomcat configurations
Keep in mind that the instructions below may vary slightly depending on the CA and your version of Tomcat. Tomcat itself provides extensive documentation on how to install SSL, and your CA may also provide helpful step-by-step instructions.
- Create Keystore — Run the following command from a CMD prompt on your m-Power server:
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Follow the on-screen prompts. (Note: When prompted for your first and last name, enter your FQDN [hostname], since this value becomes the certificate's Common Name.)
- Create CSR — Run the following command to generate your CSR:
keytool -certreq -alias tomcat -file csr.txt -keystore tomcat.keystore
- Send CSR to your CA — This step depends on who your CA is but typically you will have to log in to their website and purchase an SSL certificate. Choose your deployment as Apache Tomcat and follow the prompts to send your CSR to them.
- CA will send you the certificates — This can sometimes take up to an hour. Your CA will (most likely) send you a root certificate, an intermediate certificate, and a server certificate for Tomcat. All of these are important. (Note: Please check your CA’s instructions to verify accuracy.)
- Combine certificates with keystore — First, copy all new certificates into the same folder as your keystore. Also, make a backup of your keystore for safekeeping. Run the following three commands, in this order, to load the certificates into the keystore:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]
- Install keystore — Copy tomcat.keystore to c:\program files\mrc\production\tomcat\conf
- Finalize configuration — Edit the c:\program files\mrc\production\tomcat\conf\server.xml file
Find the section that references port 443 and make it look like this:
<Connector port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:/Program Files/mrc/production/m-power/tomcat/conf/tomcat.keystore" keystorePass="[changeit]" clientAuth="false" sslProtocol="TLS"/>
Next, find the line referencing the lifecycleListener and comment it out.
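As an added check that is not part of the original instructions or of m-Power, the following Python script parses a server.xml and flags the mistakes the steps above warn about: the keystorePass placeholder left in place, a missing or mis-set SSL attribute on the port 443 Connector, and the lifecycle listener still active. The sample XML is constructed, and the listener name is an assumption about which listener the text means (Tomcat's APR/native AprLifecycleListener).

```python
import xml.etree.ElementTree as ET

# keystorePass values that mean the placeholder from the instructions was never replaced.
PLACEHOLDER_PASSWORDS = {"", "changeit", "[changeit]"}
# Assumption: the "lifecycleListener" the instructions say to comment out is Tomcat's
# APR/native listener; left active it can bypass the JSSE keystoreFile/keystorePass settings.
APR_LISTENER = "AprLifecycleListener"

# Constructed sample server.xml fragments (not from the page): one with the mistakes, one fixed.
WEAK_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="C:/Program Files/mrc/production/tomcat/conf/tomcat.keystore"
      keystorePass="[changeit]" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""
GOOD_SERVER_XML = """<Server>
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/> -->
  <Service name="Catalina">
    <Connector port="443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="C:/Program Files/mrc/production/tomcat/conf/tomcat.keystore"
      keystorePass="constructed-example-pw" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""


def audit_tls_connector(server_xml, port="443"):
    """Return a list of findings for the HTTPS Connector; an empty list means it passes."""
    findings = []
    root = ET.fromstring(server_xml)
    # Commented-out listeners are skipped by the parser, so only live ones are seen here.
    for listener in root.iter("Listener"):
        if APR_LISTENER in listener.get("className", ""):
            findings.append("APR lifecycle listener still active; comment it out")
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return findings + [f"no Connector on port {port}"]
    for conn in connectors:
        for attr, want in (("SSLEnabled", "true"), ("scheme", "https"),
                           ("secure", "true"), ("sslProtocol", "TLS")):
            if conn.get(attr) != want:
                findings.append(f'port {port}: expected {attr}="{want}", got {conn.get(attr)!r}')
        if not conn.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is still the default/placeholder")
    return findings
```

To check a real installation, pass the contents of conf\server.xml to audit_tls_connector and fix anything it reports before restarting Tomcat.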