There are situations where you do not want to, or cannot, put an Nginx reverse proxy in front of the Tomcat server and instead want to serve SSL directly from Tomcat.
You might also want to change the port number on which Tomcat serves the application over SSL, so we will cover that as well.
This can be useful for on-premises Tomcat servers or when load balancers or reverse proxies are not available.
We assume you are using our dockerized Tomcat server; the steps are similar for a standalone Tomcat server, minus the Docker-specific commands.
- Ability to run docker commands on the IriusRisk host.
- Certificate in X509 (PEM) format, both the public certificate and the private key. In this guide the public certificate is called "cert.pem" and the private key "key.pem".
Since we need tools shipped with the JDK, we will use the binaries already included in the IriusRisk Tomcat container.
Copy your X509 public certificate (cert.pem) and private key (key.pem) into the /tmp/ folder of the running iriusrisk container:
$ docker cp cert.pem iriusrisk-tomcat8:/tmp/
$ docker cp key.pem iriusrisk-tomcat8:/tmp/
Open a shell inside the docker container:
$ docker exec -it iriusrisk-tomcat8 sh
Change to the /tmp/ folder:
$ cd /tmp
Now create a new PKCS12 keystore containing the certificate and key using the openssl binary:
$ openssl pkcs12 -export -out keystore.pkcs12 -in cert.pem -inkey key.pem
Then convert it from PKCS12 to JKS format (Java keystore):
$ keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore tomcatssl.jks -deststoretype JKS
Exit the container shell to return to the docker host.
Now copy the generated JKS file from the container to the docker host:
$ docker cp iriusrisk-tomcat8:/tmp/tomcatssl.jks .
Also copy Tomcat's server.xml configuration file to the docker host:
$ docker cp iriusrisk-tomcat8:/usr/local/tomcat/conf/server.xml .
Now edit the server.xml file and add a new Connector section pointing at the JKS keystore Tomcat will use; you can also change the port to any unused port here (20000 in this example):
<Connector port="20000" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
    <!-- conf/tomcatssl.jks is resolved relative to CATALINA_BASE; if the keystore password is not Tomcat's default "changeit", add certificateKeystorePassword to the Certificate element -->
    <SSLHostConfig><Certificate certificateKeystoreFile="conf/tomcatssl.jks" type="RSA" /></SSLHostConfig>
</Connector>
Now bring the application down:
$ docker-compose down
With all files ready (server.xml and tomcatssl.jks), modify the docker-compose.yml:
- Comment out or remove the Nginx section, since it will not be used.
- Change the ports section to expose the configured port (20000) outside the container.
- Add the volume section as described here, mounting server.xml and tomcatssl.jks into the container.
This is the final aspect of the docker-compose.yml, with the Nginx service commented out:
#  nginx:
#    image: continuumsecurity/iriusrisk-prod:nginx-prod-ssl
#    container_name: iriusrisk-nginx
#    ports:
#      - "80:80"
#      - "443:443"
#    environment:
#      - NG_SERVER_NAME=iriusrisk.yourdomain.com
#    depends_on:
#      - tomcat8
#    volumes:
#      - "./cert.pem:/etc/nginx/ssl/star_iriusrisk_com.crt"
#      - "./key.pem:/etc/nginx/ssl/star_iriusrisk_com.key"
The application is ready and can be started again:
$ docker-compose up -d
Check that Tomcat starts correctly by looking at the logs:
$ docker logs -f iriusrisk-tomcat8
After 5-10 minutes the application should be up and running on the new port, with your certificates served directly by Tomcat.
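Added example, not part of the original guide: a pre-flight check to run on the docker host before `docker-compose up -d`. It parses the edited server.xml, verifies that the SSL connector uses the Tomcat 8.5+ SSLHostConfig/Certificate form and a port no other connector uses, and checks that the keystore path Tomcat will resolve (CATALINA_BASE assumed to be /usr/local/tomcat) is actually mounted by one of the compose volumes and exists on the host. The sample server.xml and the volume mapping are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the stock HTTP connector plus the guide's TLS connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="20000" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/tomcatssl.jks" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

def check_tls_connectors(server_xml, volumes, catalina_base="/usr/local/tomcat"):
    """Return a list of problems (empty = consistent).

    volumes: compose-style "host_path:container_path[:ro]" entries of the tomcat service.
    catalina_base: where Tomcat resolves relative keystore paths (assumed /usr/local/tomcat).
    """
    problems = []
    mounts = {}  # container path -> host path, taken from the compose volumes
    for entry in volumes:
        host_path, container_path = entry.split(":")[:2]
        mounts[container_path] = host_path
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    ports = [c.get("port") for c in connectors]
    for port in sorted({p for p in ports if ports.count(p) > 1}):
        problems.append(f"port {port} is used by more than one Connector")
    tls = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    if not tls:
        problems.append('no Connector has SSLEnabled="true"')
    for conn in tls:
        port = conn.get("port")
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:  # Tomcat 8.5+ syntax: Certificate must sit inside SSLHostConfig
            problems.append(f"Connector {port}: no <SSLHostConfig><Certificate/> block")
        for cert in certs:
            keystore = cert.get("certificateKeystoreFile", "")
            # Tomcat resolves a relative keystore path against CATALINA_BASE.
            in_container = keystore if os.path.isabs(keystore) else os.path.join(catalina_base, keystore)
            host_path = mounts.get(in_container)
            if host_path is None:
                problems.append(f"Connector {port}: {in_container} is not provided by any volume")
            elif not os.path.isfile(host_path):
                problems.append(f"Connector {port}: host file {host_path} does not exist")
    return problems
```

Call it with the volumes list of your tomcat8 service, for example ["./tomcatssl.jks:/usr/local/tomcat/conf/tomcatssl.jks"]; an empty result means the connector, the mount and the file line up.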