Let's Configure HTTP'Secure' in Apache-Tomcat

What is HTTPS? If you don't have any idea what HTTPS is, refer to my previous blog post about HTTPS. If you already know about HTTPS and the SSL/TLS handshake, you are good to go 😊



Creating a digital certificate

We can create a digital certificate and store it in a "Java KeyStore (JKS)", which is a repository of security certificates.
We can generate a keystore file using the keytool command. In order to work with keytool, you must have Java installed on your computer.
keytool is a key and certificate management utility that allows users to administer their own public/private key pairs, and the keystore file we are going to generate below will also hold our local Tomcat server's certificate.

Options 

When creating a "keystore", we need to provide some options and values to it.
  1. -genkey/-genkeypair
  2. -alias 
  3. -keyalg 
  4. -keystore 
  5. -keysize
  6. -validity
  7. -sigalg
  8. -storepass
  9. -keypass
  10. -dname 

-genkey/-genkeypair

-genkey is the older name of this option; it is still supported in newer versions and will continue to be supported in future versions as well.
-genkeypair is the new name of the -genkey option.

-alias

This option names the entry in the keystore. Since we are creating a server certificate, we use the alias "server".

-keyalg

This is the algorithm used to generate the key pair (RSA in this post).

-keystore 

This is the name of your keystore file.

-keysize

Specifies the key size of the generated key pair. The key size should be:
  • 2048 when using -genkey/-genkeypair and -keyalg is "RSA".
  • 1024 when using -genkey/-genkeypair and -keyalg is "DSA".
  • 256 when using -genkey/-genkeypair and -keyalg is "EC".

-validity

Specifies the certificate validity period in days.

-sigalg

Specifies the signature algorithm.
  • If the underlying private key is of type "DSA", the -sigalg option defaults to "SHA1withDSA".
  • If the underlying private key is of type "RSA", the -sigalg option defaults to "SHA256withRSA".
  • If the underlying private key is of type "EC", the -sigalg option defaults to "SHA256withECDSA".

-storepass

Specifies the password that protects the integrity of the keystore.

-keypass

Specifies the password used to protect the private key of the generated key pair.

-dname

Specifies the X.500 Distinguished Name to be associated with the alias.

Example argument:

    "CN=server, OU=ID, O=IBM, L=Cupertino, S=California, C=US"

In the above example,

  • CN  =  Common Name
  • OU  =  Organizational Unit
  • O   =  Organization Name
  • L   =  Locality Name
  • S   =  State Name
  • C   =  Country Name

So, those are the options that we need to provide.

In your terminal or command prompt, type

    keytool -genkeypair -alias server -keyalg RSA -keypass password -storepass password -keystore keystore.jks -keysize 2048 -validity 365 -sigalg SHA256withRSA

and press enter. It will ask for your
  1. first and last name
  2. name of your organizational unit
  3. name of your organization
  4. name of your city or locality
  5. name of your state or province
  6. two-letter country code for this unit
When you provide this information and press enter again, it will ask whether the provided information is correct. Those are the values of the "dname" option. Type YES or Y and hit enter again to create the file.
 
(following image is an example)
 


However, you can also pass the dname values on the command line when generating the keystore:

    keytool -genkey -alias server -keyalg RSA -keystore keystore.jks -keysize 2048 -validity 365 -sigalg SHA256withRSA -storepass password -keypass password -dname "CN=Kalindu Wijekoon, OU=ID, O=MSI, L=Colombo, S=Western, C=SL"

(Following image is an example)

So now we have successfully generated a server certificate to enable HTTPS in Tomcat.

Modifying tomcat's "server.xml"

Go to the Tomcat install directory, then into the "conf" directory, and open the "server.xml" file in your text editor.
In server.xml you will find the following configuration commented out. (Notice: this changes according to your Tomcat version. Currently I'm using Apache Tomcat 9.0.12.)
    
  <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

(following image highlights the above mentioned commented configs)

Below that commented block, add the following configuration.

    <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/root/Works/keystore/keystore.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
    />


Remember to change the "keystoreFile" and "keystorePass" values accordingly.

(Following image's highlighted area is an example)


This assigns port 8443 to HTTPS.

This will support the following ciphers:
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • SSL_RSA_WITH_RC4_128_SHA

Save the edited server.xml file.
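Before starting Tomcat it is worth sanity-checking the connector you just added, because a misspelled suite name in "ciphers" does not stop the server from starting; Tomcat drops it with only a warning in the log. The script below is an added example, not part of the original post: it parses a constructed server.xml modelled on the connector above (cipher list shortened), checks the attributes that matter for HTTPS, and flags suite names that JSSE would not recognise as well as RC4 and non-forward-secret suites.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector in this post (cipher list shortened).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
      scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
      keystoreFile="/root/Works/keystore/keystore.jks" keystorePass="password"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHsE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

# Key-exchange names JSSE uses; any other spelling is a typo Tomcat drops with only a warning.
KNOWN_KX = {"RSA", "DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDH_ECDSA"}
TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
SUITE_RE = re.compile(r"^(TLS|SSL)_([A-Z_]+?)_WITH_(.+)$")


def audit_ciphers(cipher_attr):
    """Return (suite, problem) pairs for the comma-separated Tomcat 'ciphers' value."""
    findings = []
    for suite in (s.strip() for s in cipher_attr.split(",") if s.strip()):
        if suite in TLS13:
            continue  # TLS 1.3 suites have no key-exchange part in their name
        m = SUITE_RE.match(suite)
        if not m or m.group(2) not in KNOWN_KX:
            findings.append((suite, "unrecognised suite name, Tomcat will ignore it"))
            continue
        prefix, kx, cipher = m.groups()
        if "RC4" in cipher:
            findings.append((suite, "RC4 is prohibited in TLS (RFC 7465)"))
        if prefix == "SSL":
            findings.append((suite, "legacy SSL_ alias, prefer the TLS_ name"))
        if kx == "RSA":
            findings.append((suite, "static RSA key exchange, no forward secrecy"))
    return findings


def audit_connector(xml_text):
    """Check the single SSLEnabled <Connector>; returns a dict of problems (empty = clean)."""
    tls = [c for c in ET.fromstring(xml_text).iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if len(tls) != 1:
        return {"connector": f"expected one SSLEnabled connector, found {len(tls)}"}
    c, problems = tls[0], {}
    if c.get("scheme") != "https" or c.get("secure") != "true":
        problems["scheme"] = 'set scheme="https" secure="true" so request.isSecure() is true'
    if c.get("keystorePass") is not None:
        problems["keystorePass"] = "clear-text password in server.xml; restrict file permissions"
    if bad := audit_ciphers(c.get("ciphers", "")):
        problems["ciphers"] = bad
    return problems
```

Run `audit_connector(open("conf/server.xml").read())` against your own file; an empty dict means the connector passed every check.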
Go into Apache Tomcat's bin folder and execute the following command in a terminal / command prompt.

In Linux:

    sh catalina.sh run

In Windows:

    catalina.bat run

After the server has started successfully, open the browser and go to https://localhost:8443. It should give an SSL warning because we are using a self-signed certificate.
Add an SSL exception and view the Tomcat page.
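Rather than accepting the browser warning blindly, you can confirm that the certificate Tomcat is serving is the one you just generated. The following script is an added example, not part of the original post; the host, the port and the placeholder fingerprint are assumptions. It connects to the server, prints the negotiated protocol and cipher suite, and compares the certificate's SHA-256 fingerprint with the value printed by `keytool -list -v -keystore keystore.jks`.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate, formatted like keytool -list -v prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_equal(seen, expected):
    """Compare two fingerprints regardless of colons or letter case."""
    def norm(s):
        return s.replace(":", "").upper()
    return norm(seen) == norm(expected)


def fetch_server_cert(host="localhost", port=8443):
    """Return (DER certificate, TLS version, cipher suite) from a TLS server.

    Verification is disabled only so the self-signed certificate can be retrieved;
    the caller must check its fingerprint before trusting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version(), tls.cipher()[0]


def verify_local_tomcat(expected_fingerprint, host="localhost", port=8443):
    """True only if the certificate served on host:port is the one we generated."""
    der, version, cipher = fetch_server_cert(host, port)
    seen = fingerprint(der)
    print(f"{host}:{port} negotiated {version} with {cipher}")
    print(f"SHA256: {seen}")
    return fingerprints_equal(seen, expected_fingerprint)


if __name__ == "__main__":
    # Placeholder: paste the SHA256 line from `keytool -list -v -keystore keystore.jks`.
    EXPECTED = "PASTE:FINGERPRINT:FROM:KEYTOOL"
    print("match" if verify_local_tomcat(EXPECTED) else "MISMATCH: do not add an exception")
```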

Linux Example

(startup the server)

(Server startup successfully)

(Adding SSL exception. The following image is a Windows example, since I already added the SSL exception in my Linux PC 😅)


(https in tomcat 😎)


Windows Example

(Server startup)

(Server startup successfully)

(Adding SSL exception in the web browser)


(https in tomcat 😎)


So this is how you can configure HTTPS in Apache Tomcat 😊😊

All commands are compatible with Linux, Windows and macOS, except the server startup command:
in Windows it is catalina.bat run, and in Linux and macOS it is sh catalina.sh run.
