Tomcat has its own documentation on how to do it. I've just followed it with Tomcat 7:
Generate a personal private key with Java keytool:
keytool -genkey -alias www.mysite.com -dname "cn=www.mysite.com, o=mysite, o=.com" -keysize 2048 -keyalg RSA
Generate a request for certificate:
keytool -certreq -alias www.mysite.com -file www.mysite.com.csr
Submit the resulting request (as text) to the certificate authority. I did it with https://www.startssl.com/ for free. It produced a certificate (text) that I put into a www.mysite.com.signed.crt file.
Before using it, you need to import the Root Certificate and the Class 1 domain validation certificate from the authority into your keystore, otherwise the import of the reply would not find the right chain. In my case it was:
wget http://www.startssl.com/certs/ca.crt
keytool -import -trustcacerts -alias startcom.ca -file ca.crt
wget https://startssl.com/certs/sca.server1.crt
keytool -import -alias startcom.ca.sub -file sca.server1.crt
Finally, import the certificate into your keystore:
keytool -import -alias www.mysite.com -file www.mysite.com.signed.crt
Now, you need to configure Tomcat via server.xml:
<Connector port="8443" protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/home/ubuntu/.keystore"
keystorePass="PASSWORD"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,text/css,image$
/>
You may also want all HTTP requests redirected to HTTPS:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,text/css,image$
/>
Not to mention, your iptables has to route both HTTP and HTTPS requests to your Tomcat ports:
#IPTABLES
# forward 80 to 8080 and save tables
# ports 80 and 443 must be opened in AMAZON AWS UI Security Groups
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
sudo iptables-save
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
sudo iptables -nvL -t nat
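A small consistency check for the two connectors above, added here as an example and not part of the original post: it verifies the TLS connector's scheme/secure flags, flags the plaintext keystore password, checks that redirectPort points at an SSLEnabled connector, and checks that web.xml actually carries the CONFIDENTIAL security-constraint that makes Tomcat honour redirectPort. The server.xml and web.xml fragments are constructed samples (the truncated compressableMimeType attribute is left out).

```python
import xml.etree.ElementTree as ET

# Constructed sample of the two Connector elements from the post.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="/home/ubuntu/.keystore" keystorePass="PASSWORD"/>
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
  URIEncoding="UTF-8" redirectPort="8443"/>
</Service></Server>"""

# Constructed web.xml fragment: redirectPort alone does nothing; Tomcat only
# redirects requests that hit a security-constraint requiring CONFIDENTIAL transport.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

def _local(el):
    """Tag name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def check_connectors(server_xml):
    """Return (port, message) findings for the Connector elements; empty means OK."""
    findings = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors if c.get("SSLEnabled") == "true"}
    for c in connectors:
        port = c.get("port")
        if c.get("SSLEnabled") == "true":
            # Without scheme/secure, request.isSecure() is false and session
            # cookies are not marked Secure even though the transport is TLS.
            if c.get("scheme") != "https" or c.get("secure") != "true":
                findings.append((port, 'TLS connector needs scheme="https" secure="true"'))
            if c.get("keystorePass"):
                findings.append((port, "keystore password is stored in server.xml; restrict file permissions"))
        elif c.get("redirectPort") and c.get("redirectPort") not in tls_ports:
            findings.append((port, "redirectPort does not match any SSLEnabled connector"))
    return findings

def https_enforced_for_all(web_xml):
    """True if some security-constraint covers /* with a CONFIDENTIAL transport guarantee."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc) != "security-constraint":
            continue
        patterns = {e.text for e in sc.iter() if _local(e) == "url-pattern"}
        guarantees = {e.text for e in sc.iter() if _local(e) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False
```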