Sunday, October 25, 2015

Installing SSL Certificate in Apache Jakarta Tomcat

What is an SSL Certificate:

An SSL certificate is a small data file that digitally binds a public key to the details of the organisation that holds the matching private key. When installed on a web server it enables HTTPS (by default on port 443) and the browser padlock, so that traffic between browser and server is encrypted and the server's identity can be checked against the certificate. SSL is typically used to protect credit card transactions, data transfers and logins, and is increasingly the norm for ordinary browsing of social media sites. An SSL certificate binds together:

  • A domain name, server name or hostname.
  • An organisational identity (i.e. company name) and location.

Objective:

We will install an SSL certificate for the domain my.abc.com.bd. After installation, all requests to http://my.abc.com.bd will be redirected to https://my.abc.com.bd.

Scenario & Tested Environment:

Domain is: my.abc.com.bd
OS: Red Hat Enterprise Linux 5
Tomcat: jakarta-tomcat-4.1.24
Used Tool/Command: keytool (the key and certificate management utility shipped with the JDK)
Note: RHEL 5, JDK 1.5 and Tomcat 4.1 are all long past end of life, and the JDK 5 SSL stack negotiates at most TLS 1.0, which current browsers reject. The steps are recorded here for that legacy environment; on a supported Tomcat the keystore and web.xml steps are the same, but the connector syntax in server.xml differs.

Steps:

  1. CSR (Certificate Signing Request) Generation
  2. Submit CSR to CA (a Certification Authority (CA) is an entity that issues digital certificates)
  3. Certificate Installation after receiving certificates from CA
  4. Apache Jakarta Tomcat Configuration Modification
  5. Restart Jakarta Tomcat Service


1. CSR (Certificate Signing Request) Generation:

What is a CSR? A CSR or Certificate Signing Request is a block of base64-encoded text (it is not encrypted; anyone who holds it can decode it) that is generated on the server the certificate will be used on. It contains the information that will be included in your certificate, such as your organization name, common name (domain name), locality and country, together with the public key that will be included in the certificate, and it is signed with the matching private key to prove that you possess it. The private key is created together with the public key before the CSR is generated; it stays on the server and is never sent to the CA.

Here is a CSR sample:

-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----
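As an added example (not part of the original post), the following Python decodes the sample CSR above using nothing but the standard library and reports the subject and key size it carries. It walks the DER structure directly (tag, length, value), which shows that a CSR is merely base64-encoded ASN.1 that anyone can read; only the final signature field ties it to the private key. The function and variable names are the example's own, and it does not verify that signature.

```python
"""Minimal DER walker for a PEM certificate request (PKCS#10).

Added example, not code from the original post. Pure standard library,
so it runs offline. It decodes the CSR's subject and public key; it does
not check the self-signature at the end of the request."""
import base64
import re

# Attribute-type OIDs that commonly appear in a CSR subject (X.520 / RFC 5280).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
}
OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption

# The sample CSR shown on this page (copied verbatim, not constructed here).
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the body: no decryption involved."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----",
                  pem, re.S)
    if not m:
        raise ValueError("not a PEM certificate request")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Yield the (tag, value) pairs directly inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw: bytes) -> str:
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def parse_csr(pem: str) -> dict:
    """Return the version, subject attributes, key algorithm and RSA modulus size."""
    _, req, _ = read_tlv(pem_to_der(pem), 0)                  # CertificationRequest
    info, _sig_alg, _sig = [v for _, v in children(req)]
    version, name, spki, *_ = [v for _, v in children(info)]   # CertificationRequestInfo
    subject = {}
    for _, rdn in children(name):                             # Name ::= SEQUENCE OF RDN
        for _, atv in children(rdn):                          # RDN ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = list(children(atv))
            key = decode_oid(oid)
            subject[OID_NAMES.get(key, key)] = val.decode("utf-8")
    alg, pubkey = [v for _, v in children(spki)]              # SubjectPublicKeyInfo
    alg_oid = decode_oid(next(children(alg))[1])
    result = {"version": int.from_bytes(version, "big"), "subject": subject,
              "key_algorithm": alg_oid, "key_bits": None}
    if alg_oid == OID_RSA:
        # BIT STRING: first byte is the unused-bit count, then the RSAPublicKey SEQUENCE
        _, rsa, _ = read_tlv(pubkey, 1)
        modulus = next(children(rsa))[1]
        result["key_bits"] = int.from_bytes(modulus, "big").bit_length()
    return result


if __name__ == "__main__":
    for field, value in parse_csr(SAMPLE_CSR).items():
        print(f"{field}: {value}")
```

Run against the sample it reports the subject C=US, ST=California, L=Mountain View, O=Google Inc, OU=Information Technology, CN=www.google.com and a 1024-bit RSA key, the same fields keytool prompts for in the next step. Use it to double-check a CSR before sending it to the CA; a wrong CN or a 1024-bit key is far cheaper to fix before issuance than after.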

[root@localhost]# /opt/jdk1.5.0_21/bin/keytool -genkey -keyalg RSA -keysize 2048 -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

What is your first and last name?
[Unknown]: my.abc.com.bd
What is the name of your organizational unit?
[Unknown]: IT/Technology
What is the name of your organization?
[Unknown]: ABC Technologies
What is the name of your City or Locality?
[Unknown]: Road # 2 House # 2 Gulshan # 2
What is the name of your State or Province?
[Unknown]: Dhaka
What is the two-letter country code for this unit?
[Unknown]: BD

Is CN=my.abc.com.bd, OU=IT/Technology, O=ABC Technologies, L=Road # 2 House # 2 Gulshan # 2, ST=Dhaka, C=BD correct?

[no]: yes

Enter key password for <mykey>
(RETURN if same as keystore password): abcbd123


This generates a keystore file named my.abc.com.bd.keystore containing the new 2048-bit RSA key pair under the default alias mykey (no -alias was given, which is why the prompt above says <mykey>). Keep the key password identical to the keystore password: the Tomcat connector configured in step 4 supplies only keystorePass and uses it to unlock the private key as well. Note also that "City or Locality" is meant to hold a city name; CAs validate these fields and may reject a street address there.
Using this keystore, we now generate the CSR file:

[root@localhost]# /opt/jdk1.5.0_21/bin/keytool -certreq -keyalg RSA -file /opt/sslcert/my.abc.com.bd.csr -keystore /opt/sslcert/my.abc.com.bd.keystore
Enter keystore password: abcbd123

[root@localhost]# ls
my.abc.com.bd.csr my.abc.com.bd.keystore

2. Submit CSR to CA

Send the CSR file (my.abc.com.bd.csr) together with whatever organisation details the CA asks for. Never send the keystore: it holds the private key, which must stay on the server.


3. Certificate Installation

You will receive following files from CA:


  • AddTrustExternalCARoot.crt
  • my_abc_com_bd.crt
  • TrustedSecureCertificateAuthority5.crt
  • USERTrustRSAAddTrustCA.crt

Execute the following commands from the directory containing both the CSR and the keystore file; in our case the working directory is /opt/sslcert/. Import the root and intermediate certificates first, each under its own alias, so that keytool can build the chain; then import the issued certificate into the alias that holds the private key (mykey, the default used by -genkey above). Importing the server certificate under any other alias only creates a separate trusted-certificate entry, and Tomcat would keep serving the self-signed certificate that -genkey created.

[root@localhost]# keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore my.abc.com.bd.keystore

[root@localhost]# keytool -import -trustcacerts -alias TrustedSecureCertificateAuthority5 -file TrustedSecureCertificateAuthority5.crt -keystore my.abc.com.bd.keystore

[root@localhost]# keytool -import -trustcacerts -alias USERTrustRSAAddTrustCA -file USERTrustRSAAddTrustCA.crt -keystore my.abc.com.bd.keystore

[root@localhost]# keytool -import -trustcacerts -alias mykey -file my_abc_com_bd.crt -keystore my.abc.com.bd.keystore

The last command must answer "Certificate reply was installed in keystore". If keytool instead reports that the certificate was added to the keystore as a trusted entry, the alias did not match the private key entry. Verify the result before touching Tomcat:

[root@localhost]# keytool -list -v -keystore my.abc.com.bd.keystore

The mykey entry should show "Entry type: keyEntry" with a certificate chain length greater than 1 (the issued certificate followed by the CA certificates). Finally, restrict the keystore to the user Tomcat runs as (chmod 600), since it contains the private key.


4. Jakarta Tomcat Configuration

Open $TOMCAT_HOME/conf/server.xml and add the entries below. The redirectPort of the HTTP connector must be the port of the SSL connector: with the values shown, a redirected client lands on https://my.abc.com.bd:8443/. To redirect to plain https://my.abc.com.bd as stated in the objective, run the SSL connector on port 443 and set redirectPort="443" (Tomcat is started as root here, so it can bind the privileged port). Replace 1.2.3.4 with the server's IP address and <Document root> with the web application directory. Because keystorePass appears in clear text, restrict server.xml to the Tomcat user as well (chmod 600).

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 80 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="80" minProcessors="30" maxProcessors="600"
           enableLookups="false" redirectPort="8443"
           acceptCount="100" debug="0" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true"
           strategy="ms" tcpNoDelay="true" />
<!-- Note : To disable connection timeouts, set connectionTimeout value to -1 -->
.............
.............
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector address="1.2.3.4" className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="10" maxProcessors="200"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" keystoreFile="/opt/sslcert/my.abc.com.bd.keystore"
           keystorePass="abcbd123" keystoreType="JKS" protocol="TLS"
           randomFile="/opt/random.pem" rootFile="/opt/root.pem"/>
  ……
</Connector>


<Host name="1.2.3.4" debug="0" appBase="<Document root>"
      unpackWARs="true" autoDeploy="true">
  <Alias>my.abc.com.bd</Alias>
  <Context path="" docBase="<Document root>" debug="0"
           reloadable="true" crossContext="true" />
</Host>
.............
.............

Open <Document Root>/WEB-INF/web.xml and add the entries below. The CONFIDENTIAL transport guarantee on the /* pattern is what makes Tomcat redirect every plain-HTTP request to the redirectPort of the connector it arrived on; without it the HTTP connector on port 80 keeps serving the application in clear, and the SSL connector is merely an alternative.

<web-app>
.............
.............
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
.............
.............
</web-app>


5. Restart Jakarta Tomcat Service

[root@localhost]# sh $TOMCAT_HOME/bin/shutdown.sh
[root@localhost]# sh $TOMCAT_HOME/bin/startup.sh


Check the log file as well. A wrong keystorePass, an unreadable keystore file or a missing key entry shows up here as an exception while the SSL connector initialises, and the HTTP connector may still come up normally, so a working port 80 does not prove that port 8443 is serving:
[root@localhost]# tail -f $TOMCAT_HOME/logs/catalina.out


Cheers :-) !!!
