Tomcat 9 Configuration
Security
Generating a self-signed SSL Key
Java offers a tool to generate self-signed certificates called keytool. You can find it inside the bin directory of your Java installation, e.g.:
"%JAVA_HOME%\bin\keytool" -genkey -keyalg RSA -alias TomcatKey -keystore /opt/tomcat/ssl/sslKey.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
Adding the Key to Tomcat
We have to point Tomcat to our freshly generated SSL keystore. To do this, open the server.xml
file and add the following lines, with the path to your keystore and the password you defined for it:
<!-- /opt/tomcat/apache-tomcat-9.0.41/conf/server.xml -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/tomcat/ssl/sslKey.jks" keystorePass="instar"
clientAuth="false" sslProtocol="TLS"/>
Open the defined port (default 8443) in your firewall and restart your server:
ufw allow 8443/tcp
service tomcat restart
And visit the dashboard on https://192.168.2.111:8443/.
Enforcing Encryption
Now all web apps are accessible via http on port 8080 and https on port 8443. If you want to force traffic for the manager app to go through https, edit the application's web.xml
file: add the user-data-constraint tag and set the transport guarantee to CONFIDENTIAL:
<!-- nano /opt/tomcat/apache-tomcat-9.0.41/webapps/manager/WEB-INF/web.xml -->
<security-constraint>
<web-resource-collection>
<web-resource-name>HTML Manager interface (for humans)</web-resource-name>
<url-pattern>/html/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>manager-gui</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
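Both settings above, the TLS Connector in server.xml and the CONFIDENTIAL security-constraint in the manager's web.xml, can be checked offline before the server is restarted. The following Python script is an added example, not part of this page or of Tomcat: it parses constructed server.xml and web.xml samples that mirror the snippets above (plus a second, deliberately weak Connector on port 8444 for contrast) and reports connectors that are not marked secure/https/TLS and constraints that lack a transport guarantee. The function names audit_connector, audit_server_xml and audit_web_xml are the example's own.

```python
"""Offline audit of Tomcat TLS Connector and web.xml transport settings.

Added example, not Tomcat's own code. The XML strings below are constructed
to match the page's snippets; port 8444 is an invented weak connector.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's TLS connector plus a deliberately weak one.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/opt/tomcat/ssl/sslKey.jks" keystorePass="instar"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8444" scheme="https" SSLEnabled="true"
               keystoreFile="/opt/tomcat/ssl/sslKey.jks" keystorePass="instar"
               sslProtocol="SSL"/>
  </Service>
</Server>
"""

# Constructed sample: the manager constraint from the page, plus the /text/*
# constraint without a user-data-constraint to show what the check reports.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-gui</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface (for scripts)</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-script</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix so a namespaced web.xml still matches."""
    return tag.rsplit("}", 1)[-1]


def audit_connector(conn):
    """Return findings (strings) for one <Connector>; an empty list is a pass."""
    attrs = conn.attrib
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-specific to check
    if attrs.get("secure", "false").lower() != "true":
        findings.append("secure is not true: the container will not treat requests as encrypted")
    if attrs.get("scheme", "http") != "https":
        findings.append("scheme is not https: generated URLs and redirects will use http")
    if attrs.get("sslProtocol", "TLS").upper().startswith("SSL"):
        findings.append("sslProtocol names SSL: use TLS (SSLv2/SSLv3 are obsolete)")
    if attrs.get("keystorePass") in (None, "", "changeit"):
        findings.append("keystorePass missing or left at the JDK default 'changeit'")
    return findings


def audit_server_xml(xml_text):
    """Map each Connector port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c) for c in root.iter() if _local(c.tag) == "Connector"}


def audit_web_xml(xml_text):
    """Map each security-constraint's resource name to its transport-guarantee (None if absent)."""
    root = ET.fromstring(xml_text)
    result = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name = guarantee = None
        for el in sc.iter():
            if _local(el.tag) == "web-resource-name":
                name = (el.text or "").strip()
            elif _local(el.tag) == "transport-guarantee":
                guarantee = (el.text or "").strip()
        result[name] = guarantee
    return result


if __name__ == "__main__":
    for port, findings in audit_server_xml(SERVER_XML).items():
        print(f"Connector {port}: {'OK' if not findings else '; '.join(findings)}")
    for name, tg in audit_web_xml(WEB_XML).items():
        print(f"{name}: transport-guarantee={tg or 'NONE (plain HTTP allowed)'}")
```

Run it against the real files by replacing the two constants with the contents of conf/server.xml and webapps/manager/WEB-INF/web.xml; a constraint that maps to None is one that still accepts plain HTTP on port 8080.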
Virtual Hosts
Creating a Virtual Host
To serve multiple web sites from our server we first create the following folder structure inside the root of the Tomcat install dir:
virtual-hosts
├── host1
│ └── ROOT
├── host2
│ └── ROOT
└── host3
└── ROOT
Each ROOT folder will hold the content for one of the web apps host1 to host3. Now we need to tell Tomcat where to find our apps. The Host entry currently only points to the webapps
folder; let's add our virtual hosts below that entry:
<!-- nano /opt/tomcat/apache-tomcat-9.0.41/conf/server.xml -->
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
<Host name="virtual-host1.com" appBase="virtual-hosts/host1"
unpackWARs="true" autoDeploy="true" />
<Host name="virtual-host2.com" appBase="virtual-hosts/host2"
unpackWARs="true" autoDeploy="true" />
<Host name="virtual-host3.com" appBase="virtual-hosts/host3"
unpackWARs="true" autoDeploy="true" />
For testing we can now add a hello-world JSP page to each ROOT folder:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Tomcat Boilerplate</title>
</head>
<body>
<h1>Hello from Virtual Host 1</h1>
<h3>Virtual Host Address: <%=request.getRequestURL().toString() %></h3>
</body>
</html>
To test our settings we need to add the 3 domains to our hosts file:
192.168.2.111 virtual-host1.com
192.168.2.111 virtual-host2.com
192.168.2.111 virtual-host3.com
Now restart your server:
service tomcat restart
And you will be able to access your virtual hosts:
https://virtual-host1.com:8443/
https://virtual-host2.com:8443/
https://virtual-host3.com:8443/
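A wrong appBase or a missing ROOT folder makes Tomcat answer 404 for a virtual host after the restart, and a host name that is not in the hosts file never reaches it at all. The following Python script is an added example, not part of this page or of Tomcat: it rebuilds the page's folder structure in a temporary directory, parses a constructed server.xml containing the Host entries from above, and checks that each appBase resolves to a directory holding a ROOT webapp and that each host name is mapped in the hosts-file lines. The host names, IP and paths are the page's own; the temporary directory stands in for /opt/tomcat/apache-tomcat-9.0.41, host3 is deliberately left without a ROOT folder and without a hosts entry, and the function names are the example's own.

```python
"""Pre-restart check of a Tomcat virtual host layout.

Added example, not Tomcat's own code. Builds the page's folder tree under a
temporary directory and validates constructed server.xml and hosts-file text.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed: the Host entries from the page (attribute values unchanged).
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
  <Host name="virtual-host1.com" appBase="virtual-hosts/host1" unpackWARs="true" autoDeploy="true"/>
  <Host name="virtual-host2.com" appBase="virtual-hosts/host2" unpackWARs="true" autoDeploy="true"/>
  <Host name="virtual-host3.com" appBase="virtual-hosts/host3" unpackWARs="true" autoDeploy="true"/>
</Engine></Service></Server>"""

# Constructed: the page's hosts-file lines, with host3 left out to show a miss.
HOSTS_LINES = """192.168.2.111 virtual-host1.com
192.168.2.111 virtual-host2.com
"""


def hosts_names(hosts_text):
    """Set of names mapped in hosts-file text (comments and blank lines ignored)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(fields[1:])
    return names


def check_hosts(catalina_base, server_xml, hosts_text):
    """Return {host name: list of problems}; an empty list means the host is ready."""
    mapped = hosts_names(hosts_text)
    report = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name, app_base = host.get("name"), host.get("appBase")
        problems = []
        # A relative appBase is resolved against CATALINA_BASE, as Tomcat does.
        base = app_base if os.path.isabs(app_base) else os.path.join(catalina_base, app_base)
        if not os.path.isdir(base):
            problems.append(f"appBase {app_base} does not exist")
        elif not (os.path.isdir(os.path.join(base, "ROOT"))
                  or os.path.isfile(os.path.join(base, "ROOT.war"))):
            problems.append(f"appBase {app_base} has no ROOT webapp (requests for / would 404)")
        if name != "localhost" and name not in mapped:
            problems.append("name not mapped in the hosts file")
        report[name] = problems
    return report


def build_layout(root):
    """Create the page's folder tree under root; host3 gets no ROOT folder on purpose."""
    os.makedirs(os.path.join(root, "webapps", "ROOT"))
    for h in ("host1", "host2"):
        os.makedirs(os.path.join(root, "virtual-hosts", h, "ROOT"))
    os.makedirs(os.path.join(root, "virtual-hosts", "host3"))


def run_check():
    """Build the sample layout in a temp dir and return the check report."""
    with tempfile.TemporaryDirectory() as root:
        build_layout(root)
        return check_hosts(root, SERVER_XML, HOSTS_LINES)


if __name__ == "__main__":
    for name, problems in run_check().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To check a real install, call check_hosts with the Tomcat root directory, the contents of conf/server.xml and the contents of /etc/hosts (or the Windows hosts file) instead of the constructed samples.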