Skip to content

Tomcat9 SSL self-sign Cert and configuration

This is in setting up tomcat 9 on linux with self-sign cert enable. It is with some discretion that the version of tomcat must align with the version of either OpenJDK or from Oracle's JDK. The version from Apache Tomcat website had mentioned that Tomcat v9 can be used with newer Oracle JDK or whereas Tomcat v8 can be used with Oracle JDK or newer.

Install Oracle's JDK can be super simple on linux. Download either their x86 or x86_64 bit version and plop it onto your local home download directory /home/username/Download .

Download Java:
Download Tomcat:

The following are commands where i had issued in order to move a binary JDK file to another directory location before extracting this tarball package.

sudo mv /home/username/Download/ jdk-8u211-linux-x64.tar.gz /opt
sudo mv /home/username/Download/apache-tomcat-9.0.21.tar.gz /opt
cd /opt
sudo tar xzvf jdk-8u211-linux-x64.tar.gz
sudo chown -R username:username jdk1.8.0_211
sudo mkdir tomcat9
sudo tar xzvf apache-tomcat-9.0.21.tar.gz
cd apache-tomcat-9.0.21/
sudo cp -pr . ../tomcat9
cd ..
sudo chown -R username:username tomcat9/

# Your /opt directory should look something like this.
drwxr-xr-x 7 username username 4096 Jun 20 12:51 jdk1.8.0_211
drwxr-xr-x 9 username username 4096 Jun 20 13:05 tomcat9

Now, oracle's JDK v1.8.211 and tomcat 9 have both been installed. There is a minor issue with executing both java and catalina server from the command line. We must configure a few files for this user named username on this linux VM with the following commands:

vim .bashrc

somehow paste the following lines onto this file if you are using ubuntu linux otherwise Fedora/CentOS/Redhat would be .bash_profile.

# for use of Java JDK
export PATH=$PATH:$JAVA_HOME/bin
export CATALINA_HOME=/opt/tomcat9

Save either your .bashrc or .bash_profile file by issuing when using vim :wq
Finally, we must use the command source one of those two files to activate the commands.
source .bashrc
source .bash_profile

Now, we must configure tomcat 9 since java is functional. Tomcat 6/7/8/9 must have a user before one could use its built-in management tools and system monitoring software. Therefore we must conduct the following items.

cd /opt/tomcat9/conf
vim tomcat-users.xml
paste the following items before the last tag of this tomcat-users.xml file.

We must now generate a keystore file and a new directory inside /opt/tomcat9/conf directory to hold the key and keystore file.

cd /opt/tomcat9/conf
mkdir pki; cd pki

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS -keystore keystore.jks -storepass maythehobbitbewithyou -validity 1024

once you had decided to use JKS type using keytool, there should be a new file called keystore.jks. There is a warning since this JKS format is proprietary algorithm from former SUN Microsystem and now Oracle. There is an alternative approach to this madness.

# keytool -genkey -alias tomcat -keystore keystore.pfx -storetype PKCS12 -keyalg RSA -storepass maythehobbitbewithyou -validity 1024 -keysize 2048

we can then check the key to see the fingerprint and see if our tomcat key has been placed inside this keystore.* by issuing this command.

keytool -list -keystore keystore.jks

one last item we must now do would be to configure this /opt/tomcat9/conf/server.xml file to enable port 8443 for this self-signed cert we've created on the previous step. 🙂

Finally, after saving the above text in your server.xml config file. You can now start tomcat Catalina service with the following command:
$CATALINA_HOME/bin/ start

This command is to stop the service. You can also find some additional instructions to figure out a way to make this tomcat instance run when your OS boots up.

$CATALINA_HOME/bin/ stop

I also had to comment out the inner two lines of this file called context.xml inside each of these two directories in order host management on the web interface would appeared :

i believed this was all that i had done before tomcat 9 and oracle JDK were working rediculously well. This was an example only to demonstrate a simple semi-secure middleware web engine. One would need to make a production instance of any J2EE engine or other html engine such as Glassfish/WildFly/JBOSS/Weblogic/apache/IIS to be more secure in order to prevent data being leaked out over connection and prevent some random Hobbit in the Middle Attacks. Some recommendation would be to acquire an actual pem file which is publicly verified Cert from or other cert authorities and reconfigure your production Tomcat instance. Second, for development/testing environment, one could also place this entire deployment of JDK, Tomcat and configuration onto a container environment using Docker or Kubetnetty running one container as a service in your Linux environment. Running either dockers, or Kubernetty was ridicously slow inside windows ->VM(linux)->Dockers. Use some form of a linux distro(CentOS,Redhat,Ubuntu,Slackware) to deploy your container once this container environment has been installed and configured properly. Bare in mind that RAM is important ! and no, we are not talking about sheep or goat or a four legged animal with lots of white bushy hair on its body !

Leave a Reply

Your email address will not be published. Required fields are marked *