If you have a web server certificate signed by one of the recognized Certificate Authorities, you can install that certificate into your Tomcat server. These instructions may be followed whether or not you have set up a test certificate as described here.
We are going to call your install directory $BIOCORE_HOME. EVERYWHERE YOU SEE $BIOCORE_HOME REPLACE IT WITH YOUR CHOSEN DIRECTORY.
We got our secure web server working by importing our Apache-mod_ssl certificate into Tomcat. It should be possible to generate a certificate for Tomcat directly, but we have not tried that procedure.
To obtain a secure certificate you must generate a private/public key pair, and use that to generate a certificate signing request (CSR). You email the CSR to a certificate authority such as Thawte or Verisign and arrange for payment. You will receive a certificate in return. We used OpenSSL to generate our Apache-mod_ssl certificate request, following instructions provided by Thawte.
To generate a version of your certificate for Tomcat, you will need the following items.
- Copies of your server key and server certificate files. If you call them something other than server.key and server.crt, use your file names below.
- OpenSSL (you needed this to generate the Apache certificate originally).
- Java (which you will also need to run your server).
- ImportKey, a small Java program to copy an Apache key and certificate into a Sun-format keystore file. ImportKey was originally written by the folks at Computer Mutter GmbH; we have modified it very slightly, compiled it, and put it in a signed JAR file.
Build OpenSSL
If you don't have OpenSSL installed, you'll need to install that now. We installed version 0.9.6, but any recent version should do. First, extract the OpenSSL files into $BIOCORE_HOME.

cd $BIOCORE_HOME
gunzip -dc openssl.tar.gz | tar xvf -
cd openssl-0.9.6

Next, run config.

./config --openssldir=$BIOCORE_HOME/openssl

Hit <Enter> at the prompt about manually configuring, if you get one.

make
make test
make install

This will install the openssl program into $BIOCORE_HOME/openssl/bin.
Import the Certificate
Now, put copies of server.key, server.crt, and importkey.jar into $BIOCORE_HOME/tomcat/current/conf.
Next, you must convert the key and certificate files into formats that the Sun Java tools understand. You can do this by executing the following OpenSSL commands.

$BIOCORE_HOME/openssl/bin/openssl pkcs8 \
    -topk8 -nocrypt -in server.key \
    -out server.key.der -outform der
$BIOCORE_HOME/openssl/bin/openssl x509 \
    -in server.crt -out server.crt.der \
    -outform der

If your key or certificate files are encoded with pass phrases, you will be prompted to enter them.
Now we need to run the ImportKey program to place the certificate and key into a keystore file. Our version of the file is signed with our web server certificate using the Java jarsigner tool. First, make sure the JAR file has not been tampered with by running:

$BIOCORE_HOME/java/current/bin/jarsigner \
    -verify -verbose -certs importkey.jar

That should return "jar verified". You should also see some lines that look like

X.509, CN=biocore-s.ks.uiuc.edu, OU=Theoretical and Computational Biophysics, O=University of Illinois, L=Urbana, ST=Illinois, C=US

If the file cannot be verified, it is possible that it has been modified. In that case, please contact us.
Next, run ImportKey.

$BIOCORE_HOME/java/current/bin/java \
    -cp importkey.jar comu.ImportKey server.key.der server.crt.der

After this step, you can delete the .der files. Tomcat will also no longer require the original key and certificate files, so you may wish to move them elsewhere. However, don't delete your only copy of those files. It would be best to store them, along with the original Certificate Signing Request (CSR) file, on some safe off-line storage.

Running ImportKey will create a keystore.tomcat file containing your real certificate under the alias tomcat. Both the keystore and the key itself will have the password changeit. You should change this immediately to something more secret using keytool.
$BIOCORE_HOME/java/current/bin/keytool \
    -storepasswd -keystore keystore.tomcat
$BIOCORE_HOME/java/current/bin/keytool \
    -keypasswd -alias tomcat -keystore keystore.tomcat

Tomcat requires that both the key and the keystore use the same password. I'll assume below that you set it to "PASSWORD".
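The conversion, JAR verification, import and password steps above, collected into one shell script as an added example; this is not code from the BioCoRE page or from the ImportKey distribution. It assumes the page's $BIOCORE_HOME layout, a server.key and server.crt in the current directory with importkey.jar beside them, and the function names pem_file_type, convert_to_der, import_into_keystore and main are hypothetical. It adds two checks the page does not spell out: that the input files really are PEM before openssl converts them (ImportKey needs DER, and feeding it the PEM originals is the usual way the import fails), and that the default password changeit no longer opens the keystore once keytool has run.

```shell
#!/bin/sh
# Added example, not code from the BioCoRE page or from ImportKey.
# Assumes the page's $BIOCORE_HOME layout; all function names are hypothetical.
set -e

BIOCORE_HOME="${BIOCORE_HOME:-/opt/biocore}"            # assumed install root
OPENSSL="${OPENSSL:-$BIOCORE_HOME/openssl/bin/openssl}"
JAVA_BIN="${JAVA_BIN:-$BIOCORE_HOME/java/current/bin}"

# Classify an input file as pem-cert, pem-key, der or unknown.
# ImportKey only understands DER, so the PEM originals must be converted first.
pem_file_type() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem-cert
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo pem-key
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' ')" = "30" ]; then
        echo der            # every DER key or certificate opens with a SEQUENCE tag, 0x30
    else
        echo unknown
    fi
}

# The page's two openssl commands, run only after the inputs are confirmed to be PEM.
convert_to_der() {
    key="$1"; cert="$2"
    [ "$(pem_file_type "$key")" = pem-key ] || { echo "$key is not a PEM private key" >&2; return 1; }
    [ "$(pem_file_type "$cert")" = pem-cert ] || { echo "$cert is not a PEM certificate" >&2; return 1; }
    "$OPENSSL" pkcs8 -topk8 -nocrypt -in "$key" -out server.key.der -outform der
    "$OPENSSL" x509 -in "$cert" -out server.crt.der -outform der
}

# Verify the JAR signature before running anything from it, then import.
import_into_keystore() {
    "$JAVA_BIN/jarsigner" -verify importkey.jar | grep -q 'jar verified' \
        || { echo "importkey.jar failed signature verification" >&2; return 1; }
    "$JAVA_BIN/java" -cp importkey.jar comu.ImportKey server.key.der server.crt.der
    # server.key.der holds the private key with no pass phrase (-nocrypt above);
    # the page says the .der files may be deleted now, so do it straight away.
    rm -f server.key.der server.crt.der
}

main() {
    convert_to_der server.key server.crt
    import_into_keystore
    # keytool prompts for the old password (changeit) and the new one; give the
    # keystore and the key the same new password, as Tomcat requires.
    "$JAVA_BIN/keytool" -storepasswd -keystore keystore.tomcat
    "$JAVA_BIN/keytool" -keypasswd -alias tomcat -keystore keystore.tomcat
    # Confirm the default no longer opens the keystore.
    if "$JAVA_BIN/keytool" -list -keystore keystore.tomcat -storepass changeit >/dev/null 2>&1; then
        echo "keystore password is still changeit" >&2; return 1
    fi
}

# Only run the whole pipeline when asked; otherwise the file just defines the functions.
if [ "${RUN_IMPORT:-0}" = "1" ]; then main; fi
```

Run it from $BIOCORE_HOME/tomcat/current/conf as RUN_IMPORT=1 sh import.sh; without that variable the file can be sourced so that pem_file_type can be used on its own to check a key or certificate before the import.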
Other platforms
Contributions are welcome.
Return to the Tomcat installation.
Feedback
The BioCoRE team welcomes any comments, questions, or suggestions that you might have concerning our software! Please email us or fill out our feedback form.