Apache Tomcat

Apache Tomcat is an open source implementation of the Java Servlet and JavaServer Pages technologies. It can run as a stand-alone web server, or as a Servlet/JSP container behind another web server such as Apache HTTP Server or Microsoft IIS.

This page describes how to protect the Apache Tomcat SSL/TLS certificate's private key with UKC (Unbound Key Control) when Tomcat is installed as a standalone server using JSSE, with the key accessed through the UKC PKCS#11 interface.

See the following link for more information about Apache Tomcat.

https://projects.apache.org/project.html?tomcat

For information on configuring SSL/TLS in Apache Tomcat 7:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Prerequisites

You need the following prerequisites for integration with UKC:

Tomcat Integration with UKC

To integrate Tomcat with UKC, you must complete the following tasks:

  1. Step 1: Set up the SSL Certificate
  2. Step 2: Configure the Tomcat SSL Provider
  3. Step 3: Configure Java to use UKC PKCS#11
  4. Step 4: Copy the JAR Extension
  5. Step 5: Run the Solution

Step 1: Set up the SSL Certificate

The SSL/TLS certificate and its private key authenticate the Tomcat server and protect the communication between the end user's browser and Tomcat. You can either use an existing certificate or generate a new certificate for the Tomcat application using UKC.

Option 1: Import Tomcat’s SSL certificate into UKC

To protect the certificate's private key, import it into UKC, where it is split into shares that are refreshed regularly. If you have an existing certificate and key in a PFX file, import it into UKC with the following command:

ucl import -i tomcat.pfx -p <partition> --name <tomcat_key_name> --file-pass <PWD>

Option 2: Generate a new certificate using UKC

If you need to generate a new certificate in UKC, you must first enable default key generation in UKC and then generate the private key and certificate. The private key is generated directly inside the UKC system; only an obfuscated reference file is written to disk.

Note
The following process results in a self-signed certificate. For production use, have the certificate request (certreq) signed by a trusted certificate authority (CA) and import the CA-issued certificate instead of the self-signed one.

Enable default key generation in UKC

By default, key generation in UKC through OpenSSL is turned off, because some applications use OpenSSL to create temporary keys that should not be stored in UKC. To enable default key generation through OpenSSL in the UKC system, change the global OpenSSL setting set_gen_mode to 1 as follows:

  1. Edit the default settings in the OpenSSL configuration file, located here:

    /etc/ssl/openssl.cnf

  2. Change the set_gen_mode parameter to 1. The result should look like the following:

    # Unbound Tech specific ctrl.
    set_gen_mode = 1

Note
To disable default key generation in UKC through OpenSSL (recommended once the Tomcat key has been created), follow the previous instructions but replace set_gen_mode = 1 with set_gen_mode = 0.

Generate the private key and certificate in UKC

  1. Use the following command to generate the private key in UKC. The created tomcat.key is an obfuscated reference to the key held in UKC, not the real private key:

    openssl genrsa -out tomcat.key 2048

  2. Create a certificate request and fill in the certificate details:

    openssl req -new -key tomcat.key -out certreq

  3. Sign the certificate request (self-signed here; for production send certreq to your CA instead):

    openssl x509 -req -days 3650 -in certreq -signkey tomcat.key -out tomcat.crt

  4. Import the certificate into UKC:

    ucl import -i tomcat.crt -p <partition> --name <tomcat_key_name>

  5. View the certificates in UKC:

    ucl list

  6. Display the details of the newly created certificate:

    ucl show -p <partition> -u <UID>

    For example:

    ucl show -p part1 -u b88638cc7e016dee

  7. Add a label to the certificate. This must be the same name as configured in the keyAlias attribute of the Tomcat SSL connector (Step 2):

    ucl change-info -p <partition> --name unbtomcat -u <UID>

    For example:

    ucl change-info -p part1 --name unbtomcat -u b88638cc7e016dee

Step 2: Configure the Tomcat SSL Provider

Enable and configure the Tomcat SSL connector by editing the appropriate section of the Tomcat configuration file:

/usr/local/apache-tomcat-7.0.54/conf/server.xml

The file should contain the following connector. keystoreType="PKCS11" and keystoreProvider="DYADIC" make JSSE load the key through the UKC provider registered in Step 3 rather than from a keystore file, and keyAlias must match the label set with ucl change-info in Step 1:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS11"
keystoreProvider="DYADIC" keyAlias="unbtomcat" />

Step 3: Configure Java to use UKC PKCS#11

Configure Java to use UKC PKCS#11 and the UKC provider by editing the file:

/usr/lib/jvm/java-7-oracle/jre/lib/security/java.security

It should contain the following provider list, with the UKC provider added as the last entry and <partition> replaced by the name of the UKC partition that holds the Tomcat key:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=sun.security.pkcs11.SunPKCS11
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.dyadicsec.provider.DYCryptoProvider <partition>

Step 4: Copy the JAR Extension

Copy the jar file, ekm-java-provider-2.0.jar, into the Java extensions directory so that the provider class named in Step 3 can be loaded. The jar file can be found here:

  • Windows
    C:\Program Files\Dyadic\ekm-client\lib\ekm-java-provider-2.0.jar
  • Ubuntu
    /usr/lib/ekm-java-provider-2.0.jar
  • CentOS
    /usr/lib64/ekm-java-provider-2.0.jar

The file must be copied to the extensions directory of the JRE or JDK that runs Tomcat (use backslashes on Windows):

  • JRE
    /PATH/TO/Java/jre<version>/lib/ext
  • JDK
    /PATH/TO/Java/jdk<version>/jre/lib/ext

For the Oracle Java 7 installation whose java.security file was edited in Step 3, this is /usr/lib/jvm/java-7-oracle/jre/lib/ext.

Step 5: Run the Solution

  1. Start Tomcat by running the following command:

    /usr/local/tomcat/bin/startup.sh

  2. Access Tomcat by browsing to https://[IP Address]:8443

    With the self-signed certificate from Option 2 the browser shows a trust warning; check that the certificate it presents is the one imported into UKC before accepting it.

Troubleshooting

You can troubleshoot using the Tomcat server management commands and by listing the UKC keys via Java through the UKC PKCS#11 provider.

Manage Tomcat Server

Use the following commands to troubleshoot:

  1. Start the Tomcat server:

    /usr/local/tomcat/bin/startup.sh

  2. Stop the Tomcat server:

    /usr/local/tomcat/bin/shutdown.sh

  3. Access Tomcat over HTTP: http://[IP Address]:8080
  4. Access Tomcat over HTTPS: https://[IP Address]:8443
  5. Tomcat log file (provider and keystore errors appear here at startup):

    /usr/local/apache-tomcat-7.0.54/logs/catalina.out
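
List UKC Keys via Java

The Troubleshooting section mentions listing the UKC keys via Java through PKCS#11 but gives no program for it. The following is an added example written for this page; it is not part of the original page and not Unbound's own code. It assumes that the DYADIC provider from Step 3 is registered in java.security and exposes a KeyStore of type PKCS11 (which is what the keystoreType/keystoreProvider attributes in Step 2 rely on), that the keystore loads with a null password because partition authentication is handled by the UKC client, and that the provider supports SHA256withRSA for the UKC-held key. The class name UkcKeystoreCheck and the default alias unbtomcat are choices made for the example. It checks the same things Tomcat needs at startup: the provider is loadable, the alias exists as a private key entry, a certificate is attached, and a signature made with the UKC key verifies against that certificate's public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Lists the entries visible through the UKC PKCS#11 provider and checks that
 * the alias Tomcat's connector expects (keyAlias) is a usable private key entry.
 * Example code for this page; assumes the DYADIC provider is registered in
 * java.security and its JAR is in lib/ext, as in Steps 3 and 4.
 */
public class UkcKeystoreCheck {

    // Must match keystoreProvider and keystoreType in server.xml (Step 2).
    private static final String PROVIDER_NAME = "DYADIC";
    private static final String KEYSTORE_TYPE = "PKCS11";

    public static void main(String[] args) throws Exception {
        // Alias set with "ucl change-info --name"; override on the command line.
        String alias = args.length > 0 ? args[0] : "unbtomcat";

        Provider provider = Security.getProvider(PROVIDER_NAME);
        if (provider == null) {
            System.err.println("Provider " + PROVIDER_NAME
                + " is not registered: check java.security and the lib/ext directory.");
            System.exit(1);
        }

        // A PKCS#11 keystore has no file on disk; the partition comes from
        // the provider entry in java.security. Null password is an assumption:
        // partition authentication is expected to be handled by the UKC client.
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, provider);
        ks.load(null, null);

        System.out.println("Entries visible through " + PROVIDER_NAME + ":");
        for (String a : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(a) ? "key" : ks.isCertificateEntry(a) ? "cert" : "other";
            System.out.println("  " + a + " (" + kind + ")");
        }

        if (!ks.isKeyEntry(alias)) {
            System.err.println("Alias " + alias + " is not a private key entry."
                + " Check that ucl change-info --name used the same value as keyAlias.");
            System.exit(2);
        }

        // Only a handle to the UKC key is returned; the key material stays in UKC.
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.err.println("Alias " + alias
                + " has a key but no certificate; import tomcat.crt with ucl import.");
            System.exit(3);
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("Subject: " + leaf.getSubjectX500Principal());
        System.out.println("Expires: " + leaf.getNotAfter());
        leaf.checkValidity();  // throws if the certificate is expired or not yet valid

        // Sign with the UKC-held key and verify with the certificate's public key.
        // No provider is named: JCA picks the one that accepts the UKC key object.
        byte[] msg = "ukc tomcat keystore check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(leaf.getPublicKey());
        verifier.update(msg);
        boolean ok = verifier.verify(sig);
        System.out.println("Signature round-trip with " + alias + ": " + (ok ? "OK" : "FAILED"));
        if (!ok) {
            System.exit(4);
        }
    }
}
```

Compile with javac and run it with the same JRE that Tomcat uses (for example /usr/lib/jvm/java-7-oracle/jre/bin/java UkcKeystoreCheck unbtomcat), so that the edited java.security file and the lib/ext directory from Steps 3 and 4 apply. A failure at the provider lookup points at Steps 3 and 4, a missing or non-key alias points at the ucl change-info label in Step 1, and a failed signature round-trip means the certificate imported into UKC does not belong to the key Tomcat is using.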