Tomcat Installation Manual

This document explains how to install Jakarta Tomcat with SSL support on *nix servers.

  1. Download and unpack the Jakarta Tomcat installation package (this manual was written for version 3.2.3);
  2. Export the TOMCAT_HOME and JAVA_HOME environment variables and add ${JAVA_HOME}/bin to PATH (export PATH=$PATH:${JAVA_HOME}/bin) in the server startup script (or in the user's profile if you run tomcat manually).

If you plan to run tomcat as a standalone server (i.e. without apache in front of it), you may wish to create an SSL certificate. This takes the following steps:

  1. Unpack the Java Secure Socket Extension package (jsse.tgz) into the ${TOMCAT_HOME}/lib and ${JAVA_HOME}/jre/lib/ext directories
    (for details visit http://java.sun.com/products/jsse/index-14.html).
  2. In the ${TOMCAT_HOME}/conf directory, make the following changes to the server.xml configuration file:
    1) uncomment the SSL "Connector" element:
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
    <Parameter name="keystore" value="/var/tomcat/conf/keystore" />
    <Parameter name="keypass" value="changeit"/>
    <Parameter name="clientAuth" value="false"/>
    </Connector>
    In this example the keystore file (which holds the server's private key and certificate) is /var/tomcat/conf/keystore, the keystore password is "changeit" and client certificate authentication is not required. Note that "changeit" is the well-known default password of the JDK's keystores: replace it with a password of your own before the server goes live, and make the keystore file readable only by the user tomcat runs as (chmod 600), since anyone who can read it can impersonate your server;
    2) if you do not want the insecure port (8080 by default) to be open at the same time as the secure port, comment out the corresponding plain HTTP "Connector" element.
  3. Generate an RSA SSL certificate for tomcat or convert an existing PEM certificate. You can use our SSL key maker.
    1) GENERATION:
    a) export CLASSPATH=${JAVA_HOME}/jre/lib/ext in the tomcat startup script
    (or in the user's profile if tomcat is started manually);
    b) add the following line to the ${JAVA_HOME}/jre/lib/security/java.security file (provider numbers must run consecutively, so if security.provider.2 is already taken use the next free number):
    security.provider.2=com.sun.net.ssl.internal.ssl.Provider
    c) run "keytool -genkey -alias tomcat -keyalg RSA" to generate an RSA key pair with a self-signed certificate under the alias "tomcat". keytool asks for a keystore password; enter the same value as the "keypass" parameter in server.xml, otherwise tomcat cannot open the keystore at startup.
    This creates the ${HOME}/.keystore file, which must then be copied to the path given in the "keystore" parameter of server.xml (and protected with chmod 600). Alternatively, the keystore can be generated with the SSL key maker by entering "3" in the main menu;
    d) start the server.
    2) CONVERTING from a serv.crt file (PEM format) signed by a trusted Certificate Authority:
    run keytool -import -v -trustcacerts -alias tomcat -file "/path_to_serv.crt"
    Because the "tomcat" alias already holds a private key, keytool treats the file as a certificate reply: it must have been issued for a certificate signing request generated from that key (keytool -certreq -alias tomcat), and the issuing CA must be trusted (-trustcacerts makes keytool also accept the CAs in the JDK's cacerts file). A certificate whose private key was created outside the keystore cannot be imported this way.
    (Alternatively, the PEM certificate file can be converted with the SSL key maker by entering "4" in the main menu).

Note:

Options 1 and 2 of the SSL key maker main menu are not applicable to standalone tomcat servers.
Option 1 generates a private key file (ca.key) and a certificate file (ca.crt) for your own Certificate Authority.
Option 2 generates a private key file (serv.key) and a certificate file (serv.crt) for a web server, e.g. apache. However, if you do not want to base your web server certificate on the ca.crt file, send the Certificate Signing Request file (serv.csr) to a trusted Certificate Authority for signing instead.
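The following script is an added example (not part of the Altaire manual or of Tomcat itself) that checks the standalone SSL connector configured above before the server is started: it reads the "keystore" and "keypass" parameters from server.xml, rejects the default password, verifies that the keystore has actually been copied to the configured path and is readable by its owner only, and, where the JDK's keytool is on PATH, confirms that the "tomcat" alias opens with the configured password. The server.xml it builds is a constructed fixture, and the password in the demonstration is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Altaire manual or of Tomcat itself: pre-flight
# checks for the standalone SSL connector configured above. Assumptions: server.xml
# uses the <Parameter name="..." value="..."/> form shown in the manual, the keystore
# is a local file, and the JDK's keytool may or may not be on PATH.

# Print the value of the first <Parameter name="$2" value="..."/> in server.xml $1.
tomcat_param() {
    sed -n 's/.*<Parameter name="'"$2"'" value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Static checks on the SSL connector in server.xml $1.
# Returns 0 when everything passes, 1 otherwise; findings are printed.
check_tomcat_ssl() {
    conf=$1
    rc=0
    keystore=$(tomcat_param "$conf" keystore)
    keypass=$(tomcat_param "$conf" keypass)

    # 1. "changeit" is the JDK's well-known default keystore password and is what
    #    the sample server.xml ships with; a deployment must use its own.
    if [ -z "$keypass" ] || [ "$keypass" = "changeit" ]; then
        echo "FAIL: keypass is missing or still the default 'changeit'"
        rc=1
    fi

    # 2. The keystore must exist at the configured path (keytool writes it to
    #    ~/.keystore, so it has to be copied there) ...
    if [ -z "$keystore" ] || [ ! -f "$keystore" ]; then
        echo "FAIL: keystore '$keystore' not found"
        rc=1
    else
        # ... and, since it holds the private key, must be readable by its owner only.
        # Columns 1-10 of 'ls -l' are the mode string; columns 5-10 are group/other.
        mode=$(ls -l "$keystore" | cut -c1-10)
        case $mode in
            -???------) ;;
            *) echo "FAIL: keystore mode is $mode, expected owner-only (chmod 600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Live check, only possible where the JDK is installed: confirm that the 'tomcat'
# alias in keystore $1 opens with password $2, which is what the connector does
# at startup. Returns 0 on success, 1 on failure, 2 when keytool is not on PATH.
check_keystore_alias() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storepass "$2" -alias tomcat >/dev/null 2>&1
}

# Constructed fixture: write the manual's SSL connector to $1/server.xml with the
# keystore path $1/keystore and keypass $2.
make_sample_conf() {
    cat > "$1/server.xml" <<EOF
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
  <Parameter name="port" value="8443"/>
  <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
  <Parameter name="keystore" value="$1/keystore"/>
  <Parameter name="keypass" value="$2"/>
  <Parameter name="clientAuth" value="false"/>
</Connector>
EOF
}

# Demonstration on the constructed fixture: the manual's sample as shipped
# (keypass "changeit", keystore not yet copied) is rejected; after copying the
# keystore, restricting it and setting a real password it is accepted.
demo=$(mktemp -d)
make_sample_conf "$demo" changeit
check_tomcat_ssl "$demo/server.xml" || echo "sample server.xml rejected (expected)"
touch "$demo/keystore" && chmod 600 "$demo/keystore"
make_sample_conf "$demo" 'Str0ng-keystore-pass'   # hypothetical password
check_tomcat_ssl "$demo/server.xml" && echo "hardened server.xml accepted"
if check_keystore_alias "$demo/keystore" 'Str0ng-keystore-pass'; then
    echo "alias 'tomcat' opens with the configured keypass"
else
    echo "alias 'tomcat' not usable yet or keytool absent (expected: no key generated)"
fi
rm -rf "$demo"
```

Run it as the user that starts tomcat, after copying ${HOME}/.keystore to the configured path; point check_tomcat_ssl at the real ${TOMCAT_HOME}/conf/server.xml instead of the fixture. The permission test uses the mode string from ls -l rather than stat, because stat's options differ between GNU and BSD systems.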

© Altaire Limited.
All rights reserved.