Apache Tomcat

Apache Tomcat is an open-source implementation of the Java Servlet and JavaServer Pages technologies. It can run as a stand-alone web server, or as a Servlet/JSP container behind another web server such as Apache HTTP Server or Microsoft IIS.

These instructions describe how to protect the Apache Tomcat SSL certificate's private key with Unbound Key Control (UKC) when Tomcat is installed as a standalone server using JSSE, with the key accessed through the UKC PKCS#11 interface.

References: 

Prerequisites

You need the following prerequisites for integration with UKC:

Tomcat Integration with UKC

To integrate Tomcat with UKC, you must complete the following tasks:

  1. Step 1: Set up the SSL Certificate
  2. Step 2: Configure the Tomcat SSL Provider
  3. Step 3: Configure Java to use UKC PKCS#11
  4. Step 4: Copy the JAR Extension
  5. Step 5: Run the Solution

Step 1: Set up the SSL Certificate

The SSL certificate is used in the SSL handshake phase. You can either use an existing certificate or generate a new certificate for the Tomcat application using UKC.

Option 1: Import Tomcat’s SSL certificate into UKC

If you have an existing certificate, import it into UKC with the following command:

ucl import -i tomcat.pfx -p <partition> --file-pass <pfx password> --name <tomcat-cert>

Option 2: Generate self-signed certificate

You can use the openssl tool to generate a private key inside UKC together with the corresponding certificate.

Note
The following process results in a self-signed certificate. For production use, you need to have the certificate request signed by a trusted certification authority.

Bind Openssl tool with UKC

To bind the openssl tool with UKC, refer to the instructions in OpenSSL.

Generate Private Key and Certificate in UKC

  1. Use the following command to generate the private key in UKC. The created tomcat.key is a PEM file that does not contain the key material itself; it contains a reference to the UID of the key created in UKC.

    openssl genrsa -out tomcat.key 2048

    Note
    The private key is stored in the UKC partition specified when binding OpenSSL with UKC (see above).

  2. Create a certificate request and fill in the certificate details.

    openssl req -new -key tomcat.key -out certreq

  3. Sign the certificate request.

    openssl x509 -req -days 3650 -in certreq -signkey tomcat.key -out tomcat.crt

  4. Import the certificate to UKC.

    ucl import -i tomcat.crt -p <partition> --name <tomcat-cert>

  5. Add a label to the certificate. This must be the same name as configured in the keyAlias parameter of the Tomcat SSL connector.

    ucl change-info -p <partition> --newname unbtomcat -u <UID>

    For example:

    ucl change-info -p part1 --newname unbtomcat -u b88638cc7e016dee

Step 2: Configure the Tomcat SSL Provider

Enable and configure the Tomcat SSL provider by editing the appropriate section of the Tomcat configuration file:

/usr/local/apache-tomcat-7.0.54/conf/server.xml

The file should contain the following:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keystoreType="PKCS11"
           keystoreProvider="UNBOUND" keyAlias="unbtomcat" />

Step 3: Configure Java to use UKC PKCS#11

Configure Java to use UKC PKCS#11 and the UKC provider by editing the file:

/usr/lib/jvm/java-7-oracle/jre/lib/security/java.security

It should contain the following:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=sun.security.pkcs11.SunPKCS11
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.unbound.provider.UBCryptoProvider <partition>

Step 4: Copy the JAR Extension

Copy the ekm-java-provider-2.0.jar file to the Java extensions directory. The JAR file is installed at the following location:

  • Windows
    C:\Program Files\Dyadic\ekm-client\lib\ekm-java-provider-2.0.jar
  • Ubuntu
    /usr/lib/ekm-java-provider-2.0.jar
  • CentOS
    /usr/lib64/ekm-java-provider-2.0.jar

The file must be copied to the extensions directory of the JRE or JDK that runs Tomcat:

  • JRE
    \PATH\TO\Java\jre<version>\lib\ext
  • JDK
    \PATH\TO\Java\jdk<version>\jre\lib\ext

Step 5: Run the Solution

  1. Start Tomcat by running the following command:

    /usr/local/tomcat/bin/startup.sh

  2. Access Tomcat by browsing to https://[IP Address]:8443

Troubleshooting

You can troubleshoot using the Tomcat server management commands and by listing the UKC keys via Java with UKC PKCS#11.

Manage Tomcat Server

Use the following commands to troubleshoot:

  1. Start Tomcat server:

    /usr/local/tomcat/bin/startup.sh

  2. Stop Tomcat server:

    /usr/local/tomcat/bin/shutdown.sh

  3. Access Tomcat over HTTP: http://[IP Address]:8080
  4. Access Tomcat over HTTPS: https://[IP Address]:8443
  5. Tomcat log file:

    /usr/local/apache-tomcat-7.0.54/logs/catalina.out
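List the UKC keys via Java with UKC PKCS#11, as mentioned at the start of this section. The following program is an added example and is not part of Unbound's product code: it opens the PKCS#11 keystore through the same provider name and alias that the server.xml connector above uses (keystoreProvider="UNBOUND", keyAlias="unbtomcat"), lists every alias, and checks that the connector alias resolves to a private key with a valid X.509 certificate. It assumes the provider needs no PIN when loading the keystore and that the partition is taken from the java.security entry.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Lists keys visible through the UKC PKCS#11 provider and validates the Tomcat alias. */
public class UkcKeyStoreCheck {
    // Values taken from the server.xml connector on this page.
    static final String PROVIDER = "UNBOUND";   // keystoreProvider
    static final String TYPE = "PKCS11";        // keystoreType
    static final String ALIAS = "unbtomcat";    // keyAlias

    /** Colon-separated SHA-256 fingerprint of the DER-encoded certificate. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : ALIAS;
        // Assumption: no PIN is required; the partition comes from the java.security provider line.
        KeyStore ks = KeyStore.getInstance(TYPE, PROVIDER);
        ks.load(null, null);

        System.out.println("Entries visible through provider " + PROVIDER + ":");
        for (String a : Collections.list(ks.aliases())) {
            System.out.printf("  %-20s privateKey=%b certificate=%b%n",
                    a, ks.isKeyEntry(a), ks.getCertificate(a) != null);
        }

        if (!ks.isKeyEntry(alias)) {
            System.err.println("No private key under alias '" + alias + "'; check the ucl change-info label.");
            System.exit(1);
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            System.err.println("Alias '" + alias + "' has no X.509 certificate; import tomcat.crt with ucl import.");
            System.exit(1);
        }
        X509Certificate x = (X509Certificate) cert;
        x.checkValidity();  // throws if the certificate is expired or not yet valid
        System.out.println("Subject:   " + x.getSubjectX500Principal());
        System.out.println("Not after: " + x.getNotAfter());
        System.out.println("SHA-256:   " + sha256Fingerprint(x));
    }
}
```

Run it with the same JRE that Tomcat uses (so the JAR in lib/ext and the edited java.security are picked up), and compare the printed SHA-256 line with `openssl x509 -in tomcat.crt -noout -fingerprint -sha256` to confirm Tomcat will serve the certificate you imported.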