What is wrong with the way I configured SSL in tomcat?

Time:05-04

Firstly, I'm trying to configure my Java web project for school as HTTPS, so I'm trying to make a self-signed certificate and import it into Tomcat. My Tomcat version is 9.0.591 and I'm using Java 17.

I basically followed the documents on the official Tomcat website.

I first created a keystore by running this exact command: "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

This is what I entered:

And then I simply added it to the Tomcat server.xml file as such:

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>

And I added this to the web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>DigitalLibrary</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Now I'm not gonna lie, I don't really know what the code in the web.xml file means, so if you could explain that as well I'd appreciate it. All I know is that it makes the server automatically forward to HTTPS instead of HTTP.

Lastly, I ran the server. Windows, of course, did not recognize the certificate, so I downloaded the CER file straight from Chrome and added it to the Trusted Root Certification Authorities through mmc.

When I tried running the server again, the certificate still was not recognized. What did I do wrong that made Windows not recognize it? It does obviously show up when I run the server, but Windows won't recognize it. I have tried just putting the keystore file in the Trusted Root Certification Authorities and it still didn't work.

Thanks in advance.

CodePudding user response:

Meta: this is not programming or development, and will probably get closed or moved. This doesn't fit as a comment but I consent to it being deleted or moved.

HTTPS certificates must contain the domain name you use to connect to the server, or the IP address if you use that instead (which is rare on the internet but not uncommon in test environments), or optionally a wildcard matching the domain name.

For Chrome or Edge, you must add the SubjectAlternativeName extension to the cert with the domain name(s) or IP address(es) of the server. See the keytool documentation. For other browsers you may do that or (at least for now) put one name or address of the server as 'Common Name' in Subject, which is what keytool describes inaccurately as "First and Last Name" (but note the confirmation shows it as CN, which is the correct abbreviation for Common Name).
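A way to produce a self-signed server certificate that carries the SubjectAlternativeName this answer calls for, and to check which names it covers before importing it anywhere; this is an added example, not code from the answer or from the Tomcat docs. It uses the openssl CLI rather than keytool (the keytool equivalent is adding -ext SAN=dns:localhost,ip:127.0.0.1 to the -genkeypair command) and assumes OpenSSL 1.1.1 or later, with "localhost" and 127.0.0.1 as placeholder names.

```shell
#!/bin/sh
# Constructed example: self-signed cert with a SAN (the field Chrome/Edge
# check), plus the same hostname/IP check a browser performs.
# Assumes OpenSSL >= 1.1.1 on PATH; file names below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/tomcat.key"
CERT="$WORKDIR/tomcat.crt"

# Generate an RSA key and a self-signed cert whose SAN lists the DNS name
# and IP address clients will use. A bare CN (keytool's "First and Last
# Name") is ignored by Chromium-based browsers, so the SAN is what matters.
make_server_cert() {
    host="$1"; ip="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" >/dev/null 2>&1
}

# Print only the SAN extension, i.e. what the browser will compare against.
show_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Exit 0 when the cert covers the given hostname (wildcards included),
# non-zero otherwise. Mirrors the browser's name check.
cert_covers_host() {
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q "does match"
}

# Same check for a literal IP address (matched against SAN IP entries).
cert_covers_ip() {
    openssl x509 -in "$CERT" -noout -checkip "$1" | grep -q "does match"
}

# Tomcat 9 can load the resulting PEM files directly instead of a keystore:
#   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
#       protocol="org.apache.coyote.http11.Http11NioProtocol">
#     <SSLHostConfig>
#       <Certificate certificateFile="conf/tomcat.crt"
#                    certificateKeyFile="conf/tomcat.key"/>
#     </SSLHostConfig>
#   </Connector>

# Usage with the placeholder names: generate, then inspect the SAN.
make_server_cert localhost 127.0.0.1
show_san
```

Import only tomcat.crt (never the private key) into the Trusted Root store; if cert_covers_host fails for the name in your address bar, the browser will reject the site no matter what is trusted.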

CodePudding user response:

To fully understand web.xml have a look at the servlet specification: https://download.oracle.com/otndocs/jcp/servlet-4-final-eval-spec/index.html

Basically with a declaration of a security constraint the application instructs the container to ensure confidential communication, which in practice is done via encryption. Therefore the container will not forward HTTP requests but tell the client via HTTP response 3xx (redirect) to connect via HTTPS. As soon as the client follows that redirect the container can have the request processed by the application.

For HTTPS traffic, the server (=Tomcat) needs to present a TLS certificate, which you likely created by following https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Somehow I believe the certificate Tomcat presented on the first run (and which you added to the browser's truststore) is not the same that it presented on the next run. This would be enough of a reason for the browser to reject that site again.
