Thursday, September 29, 2011

Configuring SSL in tomcat

What is SSL?
SSL or Secure Socket Layer is a technology which allows web browsers and web servers to communicate over a secured connection. The data being sent is encrypted by one side, transmitted, then decrypted by the other side before any further processing. Essentially, it is a two way process, Browser encrypts its requests before sending them to the server and server decrypts them then server encrypts the response and the browser decrypts it.

There is one more thing we should understand about SSL is certificates used for Authentication. When the Browser places the first request to a web server over a secure connection, that server will respond to your web browser with two things, one is your page (for example ICICI Loginpage,CitiBank login page) and other is a set of credentials, in the form of a Certificate; This certificate gives information to the browser about the authenticity of the website.

Certificates and SSL
In order to implement SSL, a web server must have an associated certificate for each external IP address that accepts secure connections. Certificate acts as a identity proof for the website like your passport for you. This certificate is signed by the issuer (you can also create your self-signed certificates as well, but do not use them in production). Issuer is normally a well recognized authority like VeriSign, Thawte, Go Daddy, etc.

Why shouldn't you use Self-signed certificates?
Hackers normally utilize the weakness of your certificate to attack and the weakness is that it is self-signed. The attack might happen, something like this, when the client attempts to connect to the server the hacker hijacks the connection(means that now your requests will go to the hacker not the server). He then sends the client his own self-signed certificate(seeing which you feel happy and say, wow, now I can fill my credit card info without any prob.) which has the same name as the one present in the server's self-signed certificate. The hacker then connects to the real server himself. When the client sends data to the server the attacker reads it(might change it as well) and then sends it along to the real server. So, your credit card information might get leaked.
Let us start with tomcat:
  1. You need to create a keystore file to store the private key of the server using the following command.
    Windows:

    Unix:

    Same is shown below:
    The file will get created under the directory from which you are running the command, for example, as shown in image, the file will get created under following path: C:\Users\dharmvir.singh

    To specify a different location to store the keystore file(keystore in the last of the path), just modify the above command as shown below:
    Windows:

    same way you can do in unix.
    Sample is shown below:
    Password used in both the example screens shots is "changeit" as it is the default password for tomcat.
    The certificate can be obtained from authorities like Verisign and others.
  2. Uncomment the following section from $CATALINA_HOME/conf/server.xml:
    
    
    $Catalina_Home here represents path of your tomcat home folder
To test it I created a sample TestServer app (I have attached tomcat with that application to download). Here is how it will look like on accessing it on localhost.
Tips on SSL:
  1. SSL has encryption/decryption which is expensive so do not configure entire application on SSL. For example, Website home, adds, banners pages, sitemap page, about us page might not be put on SSL.
  2. using name-based virtual hosts on a secured connection can be problematic. This is a limitation of SSL protocol. So you can use only one certificate for one IP address.

Apache-Troubleshooting SSL in tomcat

tomcat with SSL enabled can be downloaded from here, It contains the TestServer App as well, so just download and start the server and test it.

Relevant References

Note from Author: Please leave appreciation comment, if you like the article or else please leave your questions, suggestions or feedback.
Thanks,
java-espresso

1 comment: