After managing to get Tomcat5.5 working with Apache2 using mod_jk, my next venture was to enable SSL using a self-signed certificate in Tomcat. This proved to be quite a task.
The system I’m setting up is running RedHat Enterprise Linux 4.4. I installed all the official RedHat RPM’s to get Tomcat and Apache talking together with mod_jk (see Part I of this tutorial).
After 4 days of banging my head on my keyboard, I noticed that when I would run:
#java -version
It spit out this:
Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20061002a (SR3) )
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32 j9vmxi3223-20061001 (JIT enabled)
J9VM - 20060915_08260_lHdSMR
JIT - 20060908_1811_r8
GC - 20060906_AA)
JCL - 20061002
This let me know that I am supposed to be using IBM’s version of java, which apparently is the default on my RedHat system, not Sun’s version. I think somewhere along the way I downloaded Sun’s jvm, and I assumed that I was supposed to be using it’s keytool to generate an SLL certificate for Tomcat, but such is not the case. This caused me much confusion, but here’s how I ended up fixing it:
1. Generate Keystore file
(NOTE: all of this assumes you already have Apache configured with SSL. I used OpenSSL, which I don’t go into here, but there are loads of resources online for you, and it’s relatively easy to do).
Assuming you have the default RedHat java rpm already installed, run this:
# /usr/lib/jvm/java-1.5.0-ibm-1.5.0.3/jre/bin/keytool -genkey -alias tomcat -keyalg RSA
NOTE: I used Tomcat’s default password of ‘changeit’ when prompted.
The keystore file gets dropped in the home directory of whatever user you are logged in as. I was root, so I then moved the keystore file to the tomcat home directory:
# mv /root/.keystore /etc/tomcat5/
# chown tomcat.tomcat /etc/tomcat5/.keystore
2. Next you have to edit Tomcat’s server.xml file
# nano /etc/tomcat5/server.xml
Uncomment the SSL connector and set it up like so:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" algorithm="IbmX509" sslProtocol="SSL"
keystoreFile="/etc/tomcat5/.keystore"
keystorePass="changeit" />
Note that I added algorithm=”IbmX509″ and I changed sslProtocol=”TLS” to sslProtocol=”SSL”. This is necessary to get things working with IBM’s jvm.
3. Restart everything
# service tomcat5 stop
# service tomcat5 start
# apachectl restart
If you were following along from my last article, then browse to:
https://yoursite.com:8443/hello.jsp
If all went well, you should see the hello.jsp page showing you the system time!
Be First to Comment