Securing Apache Tomcat (Raspberry Pi)

Apache Tomcat running an insecure connection

With the Raspberry Pi running Apache Tomcat it is time to secure it. HTTP (non-secure) traffic may be okay for a closed home/test environment but for a work/production environment HTTPS (secure) should be used.


To show how to turn HTTPS on for Tomcat I will be using a self-signed certificate. If you are using a public facing Tomcat then you will need a certificate from a certificate authority.

For information on SSL and Tomcat 8 please see: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

Generating the self-signed certificate

  • Open terminal
  • Enter: sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat8/keystore
Generating a self-signed cert
  • Fill in the relevant fields. These include creating a password, your name, organisational unit, organisation, city, state/province and country code.
  • Re-enter the password.

Adding the certificate to Tomcat

  • sudo nano /etc/tomcat8/server.xml
  • navigate down the file until SSL/TLS is mentioned
The Tomcat server.xml file

Two methods are now available:

  • Uncomment the connector details for the SSL connector by deleting the <!-- and --> from around the paragraph.
Uncomment the paragraph about the SSL connector
  • Edit the settings to match:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/tomcat8/keystore" keystorePass="CERT_PASSWORD"
    clientAuth="false" sslProtocol="TLS"/>

OR

  • Leave the original commented out and add the settings below it (so you still have the original in case something goes wrong):

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/etc/tomcat8/keystore" keystorePass="CERT_PASSWORD"
    clientAuth="false" sslProtocol="TLS"/>


  • Then Tomcat needs a restart, which can be done with sudo systemctl restart tomcat8

If an error occurs during the restart, double-check server.xml, as a misconfigured server.xml is the usual cause of Tomcat failing to restart.

Testing the connection

Now time to see if the certificate is present. Instead of port 8080, we now need to connect to port 8443.
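Before reaching for the browser, the same checks can be scripted. The script below is an added example (not from the original post): it confirms that an uncommented SSL connector on 8443 exists in server.xml, that the CERT_PASSWORD placeholder was replaced, that neither server.xml (which holds the keystore password in plain text) nor the keystore is world-readable, and that the certificate served on port 8443 is the one in the keystore. It assumes the post's paths and the "tomcat" alias, GNU stat, and that openssl and keytool are installed.

```bash
#!/usr/bin/env bash
# Added check script, not from the original post. Assumes the post's paths
# (/etc/tomcat8/server.xml, /etc/tomcat8/keystore, alias "tomcat"); override
# with SERVER_XML, KEYSTORE, KEYSTORE_PASS and TOMCAT_HOST. Needs GNU stat,
# openssl and keytool, as on Raspberry Pi OS with Tomcat 8 installed.
set -u
SERVER_XML="${SERVER_XML:-/etc/tomcat8/server.xml}"
KEYSTORE="${KEYSTORE:-/etc/tomcat8/keystore}"
# server.xml with every <!-- --> comment removed and joined onto one line, so the
# original connector left commented out (method two above) cannot match.
active_xml() { sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" | tr '\n' ' '; }
# Succeeds if an uncommented <Connector> has both SSLEnabled="true" and port="8443".
ssl_connector_enabled() {
  active_xml "$1" | grep -o '<Connector[^>]*>' \
    | grep 'SSLEnabled="true"' | grep -q 'port="8443"'
}
# Prints the keystorePass attribute of the active SSL connector.
keystore_pass() {
  active_xml "$1" | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' \
    | sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' | head -n 1
}
# Succeeds unless "other" users can read the file. keystorePass sits in
# server.xml in plain text, so neither it nor the keystore should be world-readable.
not_world_readable() { [ $(( 0$(stat -c %a "$1") & 4 )) -eq 0 ]; }
# SHA-256 fingerprint of the certificate actually served on host:port ...
served_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
# ... and of the "tomcat" entry in the keystore, for comparison.
keystore_fingerprint() {   # $1 = keystore, $2 = store password
  keytool -list -v -keystore "$1" -alias tomcat -storepass "$2" \
    | sed -n 's/.*SHA256: *//p' | head -n 1
}
main() {
  ssl_connector_enabled "$SERVER_XML" || { echo "FAIL: no active SSL connector on 8443"; return 1; }
  pass=$(keystore_pass "$SERVER_XML")
  [ "$pass" != "CERT_PASSWORD" ] || { echo "FAIL: placeholder keystorePass still in server.xml"; return 1; }
  for f in "$SERVER_XML" "$KEYSTORE"; do
    not_world_readable "$f" || echo "WARN: $f is world-readable"
  done
  served=$(served_fingerprint "${TOMCAT_HOST:-localhost}:8443")
  expected=$(keystore_fingerprint "$KEYSTORE" "${KEYSTORE_PASS:-$pass}")
  [ -n "$served" ] && [ "$served" = "$expected" ] \
    && echo "OK: port 8443 serves the keystore's tomcat certificate: $served"
}
# Run the checks only when asked, so the functions can also be sourced.
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it on the Pi after the restart with `RUN_CHECKS=1 bash tomcat-https-check.sh`; a fingerprint mismatch means port 8443 is serving a different certificate than the keystore you configured.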

Trying https

At this stage the Pi’s web browser warns of ERR_CERT_AUTHORITY_INVALID, i.e. an invalid certificate. Don’t panic: this is because it is a self-signed certificate, and it is fine to see in a test environment where we know we are using self-signed certificates. If you see this error on the web then I would recommend heading “back to safety”. Clicking “Advanced” will give the option to proceed.

Clicking "advanced" for the proceed option

Once you have clicked Advanced and chosen to proceed, the HTTPS site will load and information about the certificate becomes available.

The self-signed cert

The Safari browser (running on my Mac) shows a little bit more detail about the issue with the self-signed certificate, the issue being that the certificate has not been verified by a third party.

Certificate not verified by a third party

If this were to be a public-facing website, or if you wanted the site to work over HTTPS without certificate warnings, then a certificate from a certificate authority (third party) is required. For details on this process check out: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
