Apache Tomcat

Apache Tomcat is an open source software implementation of the Java Servlet and Java Server Pages technologies. It can run as a stand-alone web server or it can run as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS:

When it runs as a stand-alone web server, the SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. mechanism can be one of the following:
- Java Secure Socket Extension (JSSE) implementation provided as part of the Java runtime (versions 1.4+).
- APR implementation, which by default uses the OpenSSL engine.
When it runs as a Servlet/JSP container behind another web server, it is usually necessary to configure the primary web server to handle the SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. connections from users.

Instructions are provided to secure the Apache Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. certificate with UKCUnbound Key Control - The name of Unbound's key management product. when it is installed as a standalone server with JSEE using UKCUnbound Key Control - The name of Unbound's key management product. PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 interface.

See the following link for more information about Apache Tomcat.

https://projects.apache.org/project.html?tomcat

For information on configuring Apache Tomcat 7 SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network./TLSTransport Layer Security - a cryptographic protocol that provides communications security over a computer network:

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Prerequisites

You need the following prerequisites for integration with UKCUnbound Key Control - The name of Unbound's key management product.:

Tomcat must be installed as standalone web server.
The UKCUnbound Key Control - The name of Unbound's key management product. client must be installed and registered with the UKCUnbound Key Control - The name of Unbound's key management product. system.

Tomcat Integration with UKC

To integrate Tomcat with UKCUnbound Key Control - The name of Unbound's key management product., you must complete the following tasks:

Step 1: Set up the SSL Certificate
Step 2: Configure the Tomcat SSL Provider
Step 3: Configure Java to use UKC PKCS#11
Step 5: Run the Solution

Step 1: Set up the SSL Certificate

The SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. certificate is used to encrypt and decrypt communication between the end user’s browser and the Tomcat server. You can either use an existing certificate or you can generate a new certificate for the Tomcat application using UKCUnbound Key Control - The name of Unbound's key management product..

Option 1: Import Tomcat’s SSL certificate into UKC

To protect the certificates private key, we import it into the UKCUnbound Key Control - The name of Unbound's key management product. system where it is split and refreshed regularly. If you have an existing certificate, import it into UKCUnbound Key Control - The name of Unbound's key management product. with the following command:

ucl import -i tomcat.pfx -p <partition> --name <tomcat_key_name> --file-pass <PWD>

Option 2: Generate a new certificate using UKC

If you need to generate a new certificate in UKCUnbound Key Control - The name of Unbound's key management product., you must first enable default key generation in UKCUnbound Key Control - The name of Unbound's key management product. and then generate the private key and certificate in UKCUnbound Key Control - The name of Unbound's key management product.. The private key is generated directly in the UKCUnbound Key Control - The name of Unbound's key management product. system.

Note
The following process results in a self-signed certificate. For production use, you need to have the certificate request signed by a trusted certification authority.

Enable default key generation in UKC

By default, key generation in UKCUnbound Key Control - The name of Unbound's key management product. through OpenSSL is turned off, as some applications use OpenSSL to create temporary keys. To enable default key generation through OpenSSL in the UKCUnbound Key Control - The name of Unbound's key management product. system, change the global OpenSSL setting set_gen_mode to 1 as follows:

Edit the default settings in the OpenSSL configuration file, located here:
/etc/ssl/openssl.cnf
Change the set_gen_mode parameter to 1. The result should look like the following:
# Unbound Tech specific ctrl.
set_gen_mode = 1

Note
To disable the default key generation in UKCUnbound Key Control - The name of Unbound's key management product. through OpenSSL, follow the previous instructions, but replace set_gen_mode = 1 with set_gen_mode = 0.

Generate the private key and certificate in UKC

Use the following command to generate the private key in UKCUnbound Key Control - The name of Unbound's key management product.. The created tomcat.key is an obfuscated key file and not the real one.

openssl genrsa -out tomcat.key 2048

Create a certificate request and fill in the certificate details.

openssl req -new -key tomcat.key -out certreq

Sign the certificate request.

openssl x509 -req -days 3650 -in certreq -signkey tomcat.key -out tomcat.crt

Import the certificate to UKCUnbound Key Control - The name of Unbound's key management product..

ucl import -i tomcat.crt -p <partition> --name <tomcat_key_name>

View the certificates in UKCUnbound Key Control - The name of Unbound's key management product..

ucl list

Display the details of the newly created certificate.

ucl show -p <partition> –u <UID>

For example:

ucl show -p part1 –u b88638cc7e016dee

Add a label to the certificate. This must be the same name as configured on the Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. connector keyAlias parameter.
ucl change-info -p <partition> --name unbtomcat -u <UID>
For example:
ucl change-info -p part1 --name unbtomcat -u b88638cc7e016dee

Step 2: Configure the Tomcat SSL Provider

Enable and configure the Tomcat SSLSecure Sockets Layer - a cryptographic protocol that provides communications security over a computer network. provider by editing the appropriate section of the Tomcat configuration file:

/usr/local/apache-tomcat-7.0.54/conf/server.xml

The file should contain the following:

Step 3: Configure Java to use UKC PKCS#11

Configure Java to use UKCUnbound Key Control - The name of Unbound's key management product. PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.#11 and the UKCUnbound Key Control - The name of Unbound's key management product. provider by editing the file:

/usr/lib/jvm/java-7-oracle/jre/lib/security/java.security

It should contain the following:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=sun.security.pkcs11.SunPKCS11
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.dyadicsec.provider.DYCryptoProvider <partition>