Apache Tomcat
Apache Tomcat is an open-source software implementation of the Java Servlet and JavaServer Pages technologies. It can run as a stand-alone web server, or as a Servlet/JSP container behind another web server such as Apache or Microsoft IIS:
- When it runs as a stand-alone web server, the SSL mechanism can be one of the following:
  - The Java Secure Socket Extension (JSSE) implementation provided as part of the Java runtime (versions 1.4+).
  - The APR implementation, which by default uses the OpenSSL engine.
- When it runs as a Servlet/JSP container behind another web server, it is usually necessary to configure the primary web server to handle the SSL connections from users.
Instructions are provided to secure the Apache Tomcat SSL certificate with UKC (Unbound Key Control, Unbound's key management product) when Tomcat is installed as a standalone server with JSSE, using the UKC PKCS#11 (Public-Key Cryptography Standards) interface.
References:
- See the following link for more information about Apache Tomcat: https://projects.apache.org/project.html?tomcat
- For information on configuring Apache Tomcat 7 SSL/TLS: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Prerequisites
You need the following prerequisites for integration with UKC:
- Tomcat must be installed as a standalone web server.
- The UKC client must be installed and registered with the UKC system.
Tomcat Integration with UKC
To integrate Tomcat with UKC, you must complete the following tasks:
- Step 1: Set up the SSL Certificate
- Step 2: Configure the Tomcat SSL Provider
- Step 3: Configure Java to use UKC PKCS#11
- Step 4: Copy the JAR Extension
- Step 5: Run the Solution
Step 1: Set up the SSL Certificate
The SSL certificate is used in the SSL handshake phase. You can either use an existing certificate, or you can generate a new certificate for the Tomcat application using UKC.
Option 1: Import Tomcat’s SSL certificate into UKC
If you have an existing certificate, import it into UKC with the following command:
ucl import -i tomcat.pfx -p <partition> --file-pass <pfx password> --name <tomcat-cert>
Option 2: Generate self-signed certificate
You can use the openssl tool to generate a private key in UKC together with the corresponding certificate.
Note
The following process results in a self-signed certificate. For production use, you need to have the certificate request signed by a trusted certification authority.
Bind the OpenSSL tool with UKC
To bind the openssl tool with UKC, refer to the instructions in OpenSSL.
Generate Private Key and Certificate in UKC
- Use the following command to generate the private key in UKC. The created tomcat.key is a PEM file that contains a reference to the UID of the created key (the key material itself stays in UKC):
openssl genrsa -out tomcat.key 2048
Note
The private key is stored in the UKC partition specified during the OpenSSL binding.
- Create a certificate request and fill in the certificate details:
openssl req -new -key tomcat.key -out certreq
- Sign the certificate request:
openssl x509 -req -days 3650 -in certreq -signkey tomcat.key -out tomcat.crt
- Import the certificate to UKC:
ucl import -i tomcat.crt -p <partition> --name <tomcat-cert>
- Add a label to the certificate. This must be the same name as configured in the keyAlias parameter of the Tomcat SSL connector:
ucl change-info -p <partition> --newname unbtomcat -u <UID>
For example:
ucl change-info -p part1 --newname unbtomcat -u b88638cc7e016dee
Step 2: Configure the Tomcat SSL Provider
Enable and configure the Tomcat SSL provider by editing the appropriate section of the Tomcat configuration file:
/usr/local/apache-tomcat-7.0.54/conf/server.xml
The file should contain the following:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS11"
keystoreProvider="UNBOUND" keyAlias="unbtomcat" />
Step 3: Configure Java to use UKC PKCS#11
Configure Java to use UKC PKCS#11 and the UKC provider by editing the file:
/usr/lib/jvm/java-7-oracle/jre/lib/security/java.security
It should contain the following:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=sun.security.pkcs11.SunPKCS11
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.10=sun.security.smartcardio.SunPCSC
security.provider.11=com.unbound.provider.UBCryptoProvider <partition>
Step 4: Copy the JAR Extension
Copy the ekm-java-provider-2.0.jar file to the Java extensions directory. The jar file can be found here:
- Windows
C:\Program Files\Dyadic\ekm-client\lib\ekm-java-provider-2.0.jar
- Ubuntu
/usr/lib/ekm-java-provider-2.0.jar
- CentOS
/usr/lib64/ekm-java-provider-2.0.jar
The file must be copied to the JRE or JDK directory:
- JRE
\PATH\TO\Java\jre<version>\lib\ext
- JDK
\PATH\TO\Java\jdk<version>\jre\lib\ext
Step 5: Run the Solution
- Start Tomcat by running the following command:
/usr/local/tomcat/bin/startup.sh
- Access Tomcat by browsing to https://[IP Address]:8443
Troubleshooting
You can troubleshoot using Tomcat server management commands and by listing the UKC keys via Java with UKC PKCS#11.
Manage Tomcat Server
Use the following commands to troubleshoot:
- Start Tomcat server:
/usr/local/tomcat/bin/startup.sh
- Stop Tomcat server:
/usr/local/tomcat/bin/shutdown.sh
- Access Tomcat over HTTP: http://[IP Address]:8080
- Access Tomcat over HTTPS: https://[IP Address]:8443
- Tomcat log file:
/usr/local/apache-tomcat-7.0.54/logs/catalina.out
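The following is an added example, not code from Unbound or the Apache Tomcat project, of what "listing the UKC keys via Java with UKC PKCS#11" can look like as a pre-start check. It opens a PKCS11 KeyStore through the registered provider (the keystoreProvider="UNBOUND" and keyAlias="unbtomcat" values from the server.xml connector in Step 2 are assumed as defaults and can be overridden on the command line), lists every alias in the partition, and reports which configuration step is at fault when the Tomcat alias is missing, has no private key, or carries an expired certificate. Run it with the same JRE that Tomcat uses, so that the java.security edit from Step 3 and the JAR from Step 4 are the ones being tested.

```java
// Added example (not part of the Unbound/Tomcat documentation): sanity-check the
// UKC PKCS#11 keystore Tomcat will use before starting the server.
// Assumed defaults: provider name "UNBOUND" and alias "unbtomcat" from server.xml.
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class UkcKeystoreCheck {

    /** Outcome of the check; each flag corresponds to one integration step. */
    public static final class Result {
        public boolean providerFound;   // Step 3/4: provider registered, JAR on the ext path
        public boolean keystoreLoaded;  // PKCS#11 session to the UKC partition opened
        public boolean aliasFound;      // Step 1: ucl change-info label matches keyAlias
        public boolean hasPrivateKey;   // alias is a key entry, not a certificate-only entry
        public boolean certValid;       // certificate is inside its validity period
        public String detail = "";
    }

    public static Result check(String providerName, String alias) {
        Result r = new Result();
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            r.detail = "provider " + providerName
                + " not registered: check java.security and the lib/ext directory";
            return r;
        }
        r.providerFound = true;
        try {
            // The UKC client authenticates the registered host, so no PIN is passed here.
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, null);
            r.keystoreLoaded = true;

            // List everything the partition exposes, marking key entries vs. certificate-only entries.
            StringBuilder sb = new StringBuilder("aliases:");
            for (String a : Collections.list(ks.aliases())) {
                sb.append(' ').append(a).append(ks.isKeyEntry(a) ? "(key)" : "(cert)");
            }
            r.detail = sb.toString();

            if (!ks.containsAlias(alias)) {
                r.detail += "; alias " + alias + " missing: label the certificate with ucl change-info --newname " + alias;
                return r;
            }
            r.aliasFound = true;
            r.hasPrivateKey = ks.isKeyEntry(alias);

            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c != null) {
                c.checkValidity(new Date()); // throws if expired or not yet valid
                r.certValid = true;
                r.detail += "; subject=" + c.getSubjectX500Principal()
                    + " notAfter=" + c.getNotAfter();
            }
        } catch (Exception e) {
            r.detail += "; " + e;
        }
        return r;
    }

    public static void main(String[] args) {
        String provider = args.length > 0 ? args[0] : "UNBOUND";
        String alias = args.length > 1 ? args[1] : "unbtomcat";
        Result r = check(provider, alias);
        System.out.println("provider=" + r.providerFound + " keystore=" + r.keystoreLoaded
            + " alias=" + r.aliasFound + " privateKey=" + r.hasPrivateKey
            + " certValid=" + r.certValid);
        System.out.println(r.detail);
        boolean ok = r.providerFound && r.keystoreLoaded && r.aliasFound
            && r.hasPrivateKey && r.certValid;
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run with Tomcat's JRE, for example: javac UkcKeystoreCheck.java && java UkcKeystoreCheck UNBOUND unbtomcat. A non-zero exit code with "provider ... not registered" points at Step 3 or Step 4; a missing alias points at the ucl change-info label in Step 1; an exception from checkValidity means the certificate needs to be reissued and re-imported before Tomcat will serve it.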