
Tomcat 9 Configuration

Siem Reap, Cambodia

Security

Generating a self-signed SSL Key

Java ships with a tool to generate self-signed certificates called keytool. You can find it inside the bin directory of your Java installation. The command below creates a 2048-bit RSA key pair under the alias TomcatKey and stores it in a new keystore file (the /opt/tomcat/ssl directory has to exist, keytool will not create it). The -ext SAN option puts the host names and the IP address clients will later use into the certificate; without it a browser reports a host name mismatch on top of the usual "unknown issuer" warning for a self-signed certificate:

"$JAVA_HOME/bin/keytool" -genkeypair -keyalg RSA -keysize 2048 -validity 365 -alias TomcatKey -keystore /opt/tomcat/ssl/sslKey.jks -ext "SAN=ip:192.168.2.111,dns:virtual-host1.com,dns:virtual-host2.com,dns:virtual-host3.com"

On Windows the same command is run as "%JAVA_HOME%\bin\keytool" with a Windows path for the keystore. Current JDKs print a warning that JKS is a proprietary format; adding -storetype PKCS12 avoids it, Tomcat 9 reads both formats.

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <TomcatKey>
(RETURN if same as keystore password):

The "first and last name" prompt fills the certificate's CN; answer it with the host name you will use in the browser (for example 192.168.2.111). Just press RETURN at the key password prompt: Tomcat unlocks the key with the keystore password unless you configure a separate one in server.xml.

Adding the Key to Tomcat

We have to point Tomcat to our freshly generated SSL keystore. To do this open the server.xml file and add the following Connector inside the <Service name="Catalina"> element, next to the existing connector for port 8080, with the path to your keystore and the password you defined for it. This is the older attribute style, which Tomcat 9 still accepts:

<!-- /opt/tomcat/apache-tomcat-9.0.41/conf/server.xml -->

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/tomcat/ssl/sslKey.jks" keystorePass="instar"
           clientAuth="false" sslProtocol="TLS"/>

The keystore password is stored in clear text here, so make sure conf/server.xml is readable only by the user Tomcat runs as. If you gave the key its own password in keytool, add it as keyPass="..." on the Connector, otherwise Tomcat fails to open the key at startup.

Open the defined port - default 8443 - in your firewall and restart the server:

ufw allow 8443/tcp
service tomcat restart

And visit the dashboard on https://192.168.2.111:8443/. The browser will warn that the certificate is self-signed (no trusted issuer); that is expected for this setup, the connection is still encrypted.
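Tomcat 9 documents a newer connector syntax in which the TLS policy lives in an SSLHostConfig element and the key material in a nested Certificate element. The following fragment is an added example, not taken from the page or from Tomcat's stock server.xml; it reuses the keystore path, alias and password from above and additionally restricts the connector to TLS 1.2 and 1.3 (TLS 1.3 needs a JDK that supports it, 8u261+ or 11+). The plain-HTTP connector is included because its redirectPort must point at the TLS port for the transport-guarantee redirect used later on this page:

```xml
<!-- conf/server.xml, inside <Service name="Catalina"> (added example) -->

<!-- Plain-HTTP connector. Requests that hit a CONFIDENTIAL security
     constraint are redirected to redirectPort, so it has to match the
     TLS connector below (the attribute defaults to 443 when omitted). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- TLS connector in Tomcat 9 syntax. scheme/secure are implied by
     SSLEnabled="true"; protocol and cipher policy sit on SSLHostConfig. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="HIGH:!aNULL:!MD5:!RC4:!3DES">
        <!-- Add certificateKeystoreType="PKCS12" if the keystore was
             created with -storetype PKCS12. -->
        <Certificate certificateKeystoreFile="/opt/tomcat/ssl/sslKey.jks"
                     certificateKeystorePassword="instar"
                     certificateKeyAlias="TomcatKey"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After a restart, `openssl s_client -connect 192.168.2.111:8443 -tls1_1` must fail the handshake while `-tls1_2` succeeds; that is the quickest check that the protocol restriction took effect.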

Enforcing Encryption

Now all web apps are accessible via http on port 8080 and https on port 8443. If you want to force the manager app to be used over https only, edit the web.xml file of the application: the existing security-constraint for /html/* gets a user-data-constraint with the transport-guarantee set to CONFIDENTIAL. A plain-http request for a constrained URL is then answered with a redirect to the redirectPort of the connector that received it - 8443 in the default server.xml, 443 if the attribute is missing - so check that attribute on the 8080 connector:

<!-- nano /opt/tomcat/apache-tomcat-9.0.41/webapps/manager/WEB-INF/web.xml -->

<security-constraint>
<web-resource-collection>
<web-resource-name>HTML Manager interface (for humans)</web-resource-name>
<url-pattern>/html/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager-gui</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Virtual Hosts

Creating a Virtual Host

To serve multiple web sites from our server we first create the following folder structure inside the root of the Tomcat install dir:

virtual-hosts
├── host1
│   └── ROOT
├── host2
│   └── ROOT
└── host3
    └── ROOT

Each ROOT folder will hold the content for one of the web apps host1 - host3 (a relative appBase is resolved against the Tomcat install directory). Now we need to tell Tomcat where to find our apps. server.xml currently contains only one Host element, localhost, which points to the webapps folder. Add the virtual hosts below that entry, inside the same Engine element. The Engine's defaultHost (localhost) keeps serving every request whose Host header matches none of the configured names:

<!-- nano /opt/tomcat/apache-tomcat-9.0.41/conf/server.xml -->

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />

</Host>

<Host name="virtual-host1.com" appBase="virtual-hosts/host1"
unpackWARs="true" autoDeploy="true" />

<Host name="virtual-host2.com" appBase="virtual-hosts/host2"
unpackWARs="true" autoDeploy="true" />

<Host name="virtual-host3.com" appBase="virtual-hosts/host3"
unpackWARs="true" autoDeploy="true" />

For testing we can now save a hello-world index.jsp in each ROOT folder (index.jsp is in Tomcat's default welcome-file-list, so it is served for the / URL), changing the heading per host. The request URL is built from the client's Host header and path, so it is HTML-escaped before being echoed:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<%-- Escape helper from Tomcat's own lib/ jars (visible to all web apps);
     it is a Tomcat-internal class, not part of the Servlet API. --%>
<%@ page import="org.apache.tomcat.util.security.Escape" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Tomcat Boilerplate</title>
</head>
<body>
<h1>Hello from Virtual Host 1</h1>
<h3>Virtual Host Address: <%= Escape.htmlElementContent(request.getRequestURL().toString()) %></h3>
</body>
</html>

To test our settings we need to add the 3 domains to the hosts file of the machine we browse from (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows):

192.168.2.111  virtual-host1.com
192.168.2.111  virtual-host2.com
192.168.2.111  virtual-host3.com

Now restart your server:

service tomcat restart

And you will be able to access your virtual hosts:

https://virtual-host1.com:8443/
https://virtual-host2.com:8443/
https://virtual-host3.com:8443/

All three are served with the single certificate from sslKey.jks; the browser accepts the host name only if it is listed in the certificate's SAN (or matches the CN), otherwise you get a host name mismatch warning in addition to the self-signed one.
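Two things a practitioner usually changes on this setup: the virtual hosts above hot-deploy anything dropped into their appBase and honour a META-INF/context.xml inside a WAR, and all of them present the same certificate. The fragment below is an added example, not from the page; it hardens the virtual-host1.com entry and uses Tomcat 9's SNI support to give that host its own certificate. The second keystore /opt/tomcat/ssl/host1.jks with alias host1 is an assumption (generate it with keytool as shown at the top of the page); the other two hosts are configured the same way:

```xml
<!-- conf/server.xml (added example) -->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true"
           defaultSSLHostConfigName="_default_">
    <!-- Used when the client sends no SNI name, or one not listed below. -->
    <SSLHostConfig hostName="_default_" protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/opt/tomcat/ssl/sslKey.jks"
                     certificateKeystorePassword="instar"
                     certificateKeyAlias="TomcatKey" type="RSA" />
    </SSLHostConfig>
    <!-- Selected by SNI when the client asks for virtual-host1.com.
         Assumed keystore: /opt/tomcat/ssl/host1.jks, alias host1. -->
    <SSLHostConfig hostName="virtual-host1.com" protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/opt/tomcat/ssl/host1.jks"
                     certificateKeystorePassword="instar"
                     certificateKeyAlias="host1" type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- The existing Realm inside the Engine stays as it is; only the Host
     entries are shown. defaultHost receives requests for unknown names. -->
<Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />

    <!-- autoDeploy="false": nothing is deployed while Tomcat runs, only at
         startup (deployOnStartup stays true). deployXML="false": a
         META-INF/context.xml inside an uploaded WAR is ignored, so it cannot
         register resources or change security settings. -->
    <Host name="virtual-host1.com" appBase="virtual-hosts/host1"
          unpackWARs="true" autoDeploy="false" deployXML="false">
        <Alias>www.virtual-host1.com</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="virtual-host1_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
</Engine>
```

A separate access log per virtual host is what makes an incident on one site traceable without sifting through the others; the pattern matches the one the page already uses for localhost. To confirm SNI picks the right certificate, compare the subject printed by `openssl s_client -connect 192.168.2.111:8443 -servername virtual-host1.com` with a run that omits -servername.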