Friday, May 2, 2014

Steps to Configure SSL on Tomcat and Setup Auto Redirect from HTTP to HTTPS

Secure Sockets Layer (SSL) is a cryptographic protocol that provides message security over the internet. It is built on private and public keys, and messages are encrypted before they are sent over the network. To configure SSL on Tomcat, we need a digital certificate, which can be created with the Java keytool for a development environment. For a production environment, you should get the digital certificate from an SSL certificate provider, for example Verisign or Entrust.
Follow the steps below to create your own digital certificate:
INDIA$ keytool -genkey -alias tomcat -keyalg RSA -keystore mycertificate.cert
Enter keystore password:
Re-enter new password:
What is your first and last name? [Unknown]:  INDIA INDIA
What is the name of your organizational unit? [Unknown]: Dev
What is the name of your organization? [Unknown]:  TGG
What is the name of your City or Locality? [Unknown]: Ahm
What is the name of your State or Province? [Unknown]: Gujarat
What is the two-letter country code for this unit? [Unknown]: IN
Is CN=INDIA INDIA, OU=Dev, O=TGG, L=Ahm, ST=Gujarat, C=IN correct? [no]: Yes
Enter key password for <tomcat> (RETURN if same as keystore password):
Re-enter new password:

Jay$ ls mycertificate.cert

I have used the password “changeit” for both the keystore and the key, but you can use whatever you want.
Now that the digital certificate is ready, the next step is to enable the HTTPS port in Tomcat and set it to use our digital certificate for SSL support.
To enable SSL, open the ~Tomcat_Installation/conf/server.xml file and uncomment the following line:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           keystoreFile="/Users/INDIA/tomcat/conf/mycertificate.cert"
           clientAuth="false" sslProtocol="TLS" />
To avoid misplacing the certificate, I have put it in the Tomcat conf directory. Now restart Tomcat and try to access any web application over HTTPS on port 8443.
At this point we can access any web application on both the HTTP and HTTPS ports. With some additional configuration, we can set up Tomcat to redirect all HTTP requests to the HTTPS port.
1. In ~TomcatInstallation/conf/server.xml
For the HTTP connector, set the redirect port to the HTTPS connector port. It will look somewhat like this:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />
2. In ~TomcatInstallation/conf/web.xml
Add the configuration below, but make sure to add it after all the servlet-mapping tags.
<!-- added by Jay for automatic redirect from HTTP to HTTPS -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Restart Tomcat now and all HTTP requests will automatically be redirected to HTTPS, i.e. http://localhost:8080/axis2 will be automatically redirected to https://localhost:8443/axis2.
Note: If you don’t want to provide ports in the URLs, use 80 for HTTP and 443 for HTTPS. In this case you can skip the first step of setting up the automatic redirect from HTTP to HTTPS, because it will automatically pick the default port 443.
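
A configuration check for the two steps above, added here as an example and not part of the original post: it parses server.xml and web.xml and reports when the HTTP connector's redirectPort points at no HTTPS connector or when the CONFIDENTIAL constraint on /* is missing. The function names, sample XML and finding messages are constructed for illustration; the keystorePass finding reflects Tomcat's documented default keystore password of changeit.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace prefix: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Stripped text of every descendant element called `name`."""
    return {e.text.strip() for e in parent.iter() if local(e.tag) == name and e.text}

def audit(server_xml, web_xml):
    """Return findings; an empty list means HTTP is forced onto a live HTTPS port."""
    findings = []
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if not c.get("protocol", "").startswith("AJP")]
    https = [c for c in connectors if c.get("secure") == "true"]
    https_ports = {c.get("port") for c in https}
    for c in https:
        if not c.get("keystoreFile"):
            findings.append(f"HTTPS connector {c.get('port')}: no keystoreFile")
        if not c.get("keystorePass"):
            findings.append(f"HTTPS connector {c.get('port')}: no keystorePass, "
                            "Tomcat falls back to the default 'changeit'")
    for c in connectors:
        target = c.get("redirectPort", "443")  # 443 is used when omitted
        if c.get("secure") != "true" and target not in https_ports:
            findings.append(f"HTTP connector {c.get('port')}: redirectPort "
                            f"{target} has no HTTPS connector")
    constraints = [e for e in ET.fromstring(web_xml).iter()
                   if local(e.tag) == "security-constraint"]
    if not any("/*" in texts(sc, "url-pattern") and
               "CONFIDENTIAL" in texts(sc, "transport-guarantee")
               for sc in constraints):
        findings.append("web.xml: no CONFIDENTIAL transport-guarantee on /*")
    return findings

# Constructed sample input modelled on the two connectors shown above.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="{redirect}" />
  <Connector port="8443" scheme="https" secure="true"
             keystoreFile="/Users/INDIA/tomcat/conf/mycertificate.cert" />
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""
if __name__ == "__main__":
    print(audit(SERVER_XML.format(redirect="8443"), WEB_XML))  # default password only
    print(audit(SERVER_XML.format(redirect="8444"), WEB_XML))  # plus dangling redirect
```

With the connectors as configured in this post, the only finding is the reliance on the default keystore password; a redirectPort that matches no HTTPS connector adds a second finding.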

9 comments:

  1. great tutor,
    i have more ideas now :)
    thank you

