Apache Tomcat

Apache Tomcat is an open-source software implementation of the Java Servlet and Java Server Pages technologies. It can run as a stand-alone web server or it can run as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS:

Instructions are provided to secure the Apache Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. certificate with the UKCUnbound Key Control - The name of Unbound's key management product. when it is installed as a standalone server with JSEE using the UKCUnbound Key Control - The name of Unbound's key management product. PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 interface.

See the following link for more information about Apache Tomcat.

https://projects.apache.org/project.html?tomcat

For information on configuring Apache Tomcat 7 SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network./TLSTransport Layer Security - a cryptographic protocol that provides communications security over a computer network:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Prerequisites

You need the following prerequisites for integration with UKCUnbound Key Control - The name of Unbound's key management product.:

Tomcat Integration with UKC

To integrate Tomcat with UKCUnbound Key Control - The name of Unbound's key management product., you must complete the following tasks:

  1. Step 1: Set up the SSL Certificate
  2. Step 2: Configure the Tomcat SSL Provider
  3. Step 3: Configure Java to use UKC PKCS#11
  4. Step 4: Copy the JAR Extension
  5. Step 5: Run the Solution

Step 1: Set up the SSL Certificate

The SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. certificate is used to encrypt and decrypt communication between the end user’s browser and the Tomcat server. You can either use an existing certificate or you can generate a new certificate for the Tomcat application using UKCUnbound Key Control - The name of Unbound's key management product..

Option 1: Import Tomcat’s SSL certificate into UKC

To protect the certificate's private key, we import it into the UKCUnbound Key Control - The name of Unbound's key management product. system where it is split and refreshed regularly. If you have an existing certificate, import it into UKCUnbound Key Control - The name of Unbound's key management product. with the following command:

ucl import -i tomcat.pfx -p <partition> --name <tomcat_key_name> --file-pass <PWD>

Option 2: Integrate and Use the Openssl Tool

You can use openssl tool to generate a private key in UKCUnbound Key Control - The name of Unbound's key management product. with the corresponding certificate.

Note
The following process results in a self-signed certificate. For production use, you need to have the certificate request signed by a trusted certification authority.

Bind Openssl tool with UKC

To bind the openssl tool with UKCUnbound Key Control - The name of Unbound's key management product., refer to the instructions in OpenSSL

Generate Private Key and Certificate in UKC

  1. Use the following command to generate the private key in UKCUnbound Key Control - The name of Unbound's key management product.. The created tomcat.key is a PEMPrivacy-enhanced Electronic Mail - Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" file that contains a reference to the UID of the created key.

    2. Note
    The private key is stored in the UKCUnbound Key Control - The name of Unbound's key management product. partition specified during OpenSSL

    openssl genrsa -out tomcat.key 2048

  1. Create a certificate request and fill in the certificate details.

    2. openssl req -new -key tomcat.key -out certreq

  2. Sign the certificate request.

    3. openssl x509 -req -days 3650 -in certreq -signkey tomcat.key -out tomcat.crt

  3. Import the certificate to UKCUnbound Key Control - The name of Unbound's key management product..

    4. ucl import -i tomcat.crt -p <partition> --name <tomcat_key_name>

  4. Add a label to the certificate. This must be the same name as configured on the Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. connector keyAlias parameter.

    ucl change-info -p <partition> --newname unbtomcat -u <UID>

    For example:

    ucl change-info -p part1 --newname unbtomcat -u b88638cc7e016dee

Step 2: Configure the Tomcat SSL Provider

Enable and configure the Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. provider by editing the appropriate section of the Tomcat configuration file:

/usr/local/apache-tomcat-7.0.54/conf/server.xml

The file should contain the following:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS11"
keystoreProvider="DYADIC" keyAlias="unbtomcat" />

Step 3: Configure Java to use UKC PKCS#11

Configure Java to use UKCUnbound Key Control - The name of Unbound's key management product. PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 and the UKCUnbound Key Control - The name of Unbound's key management product. provider by editing the file:

/usr/lib/jvm/java-7-oracle/jre/lib/security/java.security

It should contain the following:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=sun.security.pkcs11.SunPKCS11
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.dyadicsec.provider.DYCryptoProvider <partition>

Note
Replace com.dyadicsec.provider.DYCryptoProvider with com.unbound.provider.UBCryptoProvider when running on machine that had not installed the UKCUnbound Key Control - The name of Unbound's key management product. client software.

Step 4: Copy the JAR Extension

Copy the ekm-java-provider-2.0.jar file to the Java extensions directory. The jar file can be found here:

  • Windows
    C:\Program Files\Dyadic\ekm-client\lib\ekm-java-provider-2.0.jar
  • Ubuntu
    \usr\lib\ekm-java-provider-2.0.jar
  • Centos
    \usr\lib64\ekm-java-provider-2.0.jar

The file must be copied to the JRE or JDK directory:

  • JRE
    \PATH\TO\Java\jre<version>\lib\ext
  • JDK
    \PATH\TO\Java\jdk<version>\jre\lib\ext

Step 5: Run the Solution

  1. Start Tomcat by running the following command:

    2. /usr/local/tomcat/bin/startup.sh

  2. Access Tomcat by browsing to http://[IP Address]:8443

Troubleshooting

You can troubleshoot using Tomcat server management commands and by listing the UKCUnbound Key Control - The name of Unbound's key management product. keys via Java with UKCUnbound Key Control - The name of Unbound's key management product. PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11.

Manage Tomcat Server

Use the following commands to troubleshoot:

  1. Start Tomcat server:

    2. /usr/local/tomcat/bin/startup.sh

  2. Stop Tomcat server:

    3. /usr/local/tomcat/bin/shutdown.sh

  3. Access Tomcat in HTTP - http://[IP Address]:8080
  4. Access Tomcat in HTTPS - http://[IP Address]:8443
  5. Tomcat log file:

    6. /usr/local/apache-tomcat-7.0.54/logs/catalina.out