
Global Open Versity, Vancouver Canada Install JDK6 & Setup Secure Connection on Tomcat AS on Linux

HowTo Generate & Setup Secure Connection on Tomcat AS on Linux

By Kefa Rabah, krabah@globalopenversity.org, April 10, 2009, SerengetiSys Labs

Secure Socket Layer (SSL) Certificate: How It Works


Secure Sockets Layer (SSL), now TLS, enables secure e-commerce, communications and
interactions for Web sites, intranets and extranets. SSL technology protects your Web site
and makes it easy for your Web site visitors to trust you in three essential ways:

1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique, authenticated information about the certificate
owner.
3. A Certificate Authority verifies the identity of the certificate owner when the certificate
is issued, and that the owner is “who he says he is”.

Installing Java SE JDK 6 and Tomcat 6


The aim of this paper is to download and install Java SE JDK 6 and the Tomcat binaries on a
Linux system, and to make it a secure web application server using an SSL Certificate.

Part 1: Install JDK6


1. To download Java SE JDK 6, go to http://java.sun.com/javase/downloads/index.jsp,
and follow the instructions to download a file called jdk-6-linux-i586-rpm.bin; save it
in the /usr/java directory. You may have to create the java directory if it is not there.
2. To install the JDK, type the following commands in the /usr/java directory.

# chmod 755 jdk-6-linux-i586-rpm.bin
# ./jdk-6-linux-i586-rpm.bin

3. To verify that JDK6 is installed in the /usr/java/jdk1.6.0_12 directory, type the following
command to test:

# /usr/java/jdk1.6.0_12/bin/java -version

Part 2: Install Apache Tomcat Web Server


1. To download Tomcat 6, go to http://tomcat.apache.org/, and follow the instructions to
download a file called apache-tomcat-6.0.2.tar.gz; save it in the /usr/ directory.

2. Next, we are going to install Tomcat in the /usr directory. Go to the /usr directory and type
the following commands.

# cp /usr/apache-tomcat-6.0.2.tar.gz /usr
# tar -zxvf apache-tomcat-6.0.2.tar.gz

3. The following command creates a symbolic link to the Tomcat directory.

# ln -s apache-tomcat-6.0.2 tomcat

4. Insert the following lines inside /etc/profile or /root/.bashrc.

export JAVA_HOME=/usr/java/jdk1.6.0_12
export CATALINA_HOME=/usr/tomcat
export PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$PATH

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org A GOV Open Knowledge License Technical Publication

5. Before we begin, we will need to ensure that CATALINA_HOME and JAVA_HOME are correctly
set. To do this, we open a terminal and type the following:

# echo $CATALINA_HOME

# echo $JAVA_HOME

6. If everything is fine, you can start Tomcat with the following command.

# $CATALINA_HOME/bin/startup.sh

7. To test that Tomcat is running, from another computer open a Web browser and type in the
URL http://xxx.xxx.xxx.xxx:8080, where xxx.xxx.xxx.xxx is your server’s IP address or domain
name; on the server itself you can also use http://localhost:8080. If everything is fine, you
should see the default Tomcat welcome page.

8. To stop Tomcat, type:

# $CATALINA_HOME/bin/shutdown.sh

Part 3: Test the Installed JDK6 and Tomcat Web Server


1. To create a JSP web application, first you need to create a web application folder structure
under the /usr/tomcat/webapps directory. In this case we create a web application called
testapache; its structure is as follows.

/usr/tomcat
  /webapps
    /testapache
      /WEB-INF
        /classes
        /lib

2. Create an index.jsp file in the /usr/tomcat/webapps/testapache folder, and put the
following lines into the file.

<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<html>
<head><title>JSP Test Page</title></head>
<body>
<h1>Hello World!</h1>
<%-- <jsp:useBean id="beanInstanceName" scope="session"
class="beanPackage.BeanClassName" /> --%>
<%-- <jsp:getProperty name="beanInstanceName" property="propertyName" /> --%>
</body>
</html>

To test your index page, open a web browser and type in the URL
http://localhost:8080/testapache/. If everything is fine, you should see a hello world
web page.

Part 4: Creating Self-Signed Certificate & SSL Configuration for Secure Webserver

1. Create a new keystore containing a self-signed certificate by executing the following (the
keytool command is the same on Windows and Linux):

]# cd $JAVA_HOME/bin
]# keytool -genkey -alias tomcat -keyalg RSA

Linux always stores the key in the logged-in user’s home directory if no location is
specified.

Alternatively, you can choose to store your keys in a specific location, e.g.:

]# keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore

for example:

]# keytool -genkey -alias tomcat -keyalg RSA -keystore /secure/mykey.keystore

All in one line.

Specify a keystore password value of "changeit". When asked "What is your first and last
name?", enter your server’s DNS name (e.g. server01.my-domain.com or www.my-domain.com),
localhost, or the IP address that you will use in a browser or an application to connect to the
server.

Fill in the rest of the prompts as you see fit. At the end, when you’re asked to verify, make sure
that the CN value is set to your server’s DNS name.


At the end when prompted for the password for alias <tomcat>, hit enter to keep the password
the same as that of the keystore password.

For a self-signed certificate, perform the following procedure:

1. Export the tomcat cert (to be imported into the JDK’s default keystore):

]# keytool -export -alias tomcat -keystore /secure/mykey.keystore -file /secure/tomcat.cer

2. Import the exported cert into the JDK keystore (modify the keystore path to your cacerts
location). You must be root to perform this operation:

]# keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file /secure/tomcat.cer

Type all in one line.
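The Part 4 procedure above (generate the tomcat key pair, export the certificate, import it) as a non-interactive Python script that drives keytool and then reads the CN back to confirm it matches the server name. This is an added example, not from the original paper: it assumes keytool is on the PATH, uses a constructed DN and the hypothetical names setup_self_signed and demo, and imports into a private truststore file rather than the JDK's cacerts, since a certificate added to cacerts is trusted by every Java program on the host.

```python
"""Non-interactive version of the page's self-signed keytool procedure (added example)."""
import os
import shutil
import subprocess
import tempfile


def keytool(*args):
    """Run keytool with the given arguments; raise CalledProcessError on failure."""
    return subprocess.run(["keytool", *args], check=True,
                          capture_output=True, text=True).stdout


def setup_self_signed(workdir, cn, password):
    """Generate, export and import the 'tomcat' certificate, then return the CN
    read back from the truststore. Returns None if keytool is not installed."""
    if shutil.which("keytool") is None:
        return None
    keystore = os.path.join(workdir, "mykey.keystore")
    cert = os.path.join(workdir, "tomcat.cer")
    truststore = os.path.join(workdir, "truststore.jks")  # stand-in for cacerts
    # Step 1 of the page: -genkey -alias tomcat -keyalg RSA, but with -dname so the
    # CN (the server's DNS name) is set without the interactive prompts.
    keytool("-genkeypair", "-alias", "tomcat", "-keyalg", "RSA", "-keysize", "2048",
            "-validity", "365", "-dname", f"CN={cn}, O=Example Org",
            "-keystore", keystore, "-storepass", password, "-keypass", password)
    # Step 2 of the page: export the certificate.
    keytool("-export", "-alias", "tomcat", "-keystore", keystore,
            "-storepass", password, "-file", cert)
    # Step 3 of the page: import it; -noprompt answers "Trust this certificate?" for us.
    keytool("-import", "-noprompt", "-alias", "tomcat", "-keystore", truststore,
            "-storepass", password, "-file", cert)
    # The check the page leaves implicit: list the entry and confirm the Owner CN.
    listing = keytool("-list", "-v", "-alias", "tomcat",
                      "-keystore", truststore, "-storepass", password)
    owner = next(line for line in listing.splitlines() if line.startswith("Owner:"))
    rdns = [part.strip() for part in owner.split(":", 1)[1].split(",")]
    return next(r[3:] for r in rdns if r.startswith("CN="))


def demo(cn="server01.my-domain.com", password="use-a-real-passphrase"):
    """Run the whole procedure in a throwaway directory and return the CN."""
    with tempfile.TemporaryDirectory() as workdir:
        return setup_self_signed(workdir, cn, password)


if __name__ == "__main__":
    print(demo())
```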

Alternatively, if you’re interested in acquiring a third-party SSL Certificate, you need to send
this information to your chosen Certificate Authority (CA), e.g. VeriSign, Thawte or RSA, and then
proceed as below.

Part 5: CERTIFICATE ISSUED BY A KNOWN CERTIFICATE AUTHORITY


Use the keytool program to create a keystore for the certificate, as shown above.

1. Generate the certificate request as follows:

]# keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <path to the key>

Type all in one line.

Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at
the documentation on the Certificate Authority’s website on how to do this). In return you get a
Certificate or a number of Certificates.

2. Now you have to import those certificates into the keystore file that you have previously
created.

]# keytool -import -alias root -keystore <path to the key> -trustcacerts -file <filename_of_the_chain_certificate>

Type all in one line.

And finally import your new Certificate:

]# keytool -import -alias tomcat -keystore <path to the key> -trustcacerts -file <your_certificate_filename>


Part 6: Configure the SSL Connector in server.xml

1. Uncomment the "SSL HTTP/1.1 Connector" entry in the $CATALINA_HOME/conf/server.xml file
and edit it to reflect the keystore location, as shown below:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="<path to the key>"
           keystorePass="<your password>" />

2. Restart Tomcat and test your web server at https://localhost:8443, or, in our case, at our
FQDN on port 8443.

If all goes well you will be asked whether you want to proceed with the security certificate. Click
Yes and you should be in business: you should see the usual Tomcat splash page. Henceforth you
should be able to access any web application supported by Tomcat via SSL.

If this does not work, then do some troubleshooting, e.g.:

NOTE: If you’re behind a router, don’t forget to open its port 8443 (or 443)!

You’re done – enjoy playing around with Tomcat SSL functionality!
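To check the Connector from step 1 before restarting Tomcat, here is an added Python audit (not from the original paper) that parses server.xml and reports what Part 6 depends on: a keystoreFile that is not still a placeholder, the password under its real Tomcat 6 attribute name keystorePass (an unknown attribute is ignored, and Tomcat then falls back to the default password "changeit"), and an sslProtocol that selects TLS rather than SSL. The function audit_ssl_connectors and the sample server.xml are constructed for this example.

```python
"""Audit the SSL connectors in a Tomcat 6 server.xml (added example)."""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"  # JDK cacerts / Tomcat default; the page uses it as its example


def audit_ssl_connectors(server_xml):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        if a.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not in scope
        findings = []
        if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
            findings.append("scheme/secure should be https/true")
        keystore = a.get("keystoreFile", "")
        if not keystore or keystore.startswith("<"):
            findings.append("keystoreFile missing or left as a placeholder")
        # Tomcat 6 reads the password from keystorePass; any other spelling is ignored
        # and the connector silently opens the keystore with the default "changeit".
        if "keystorePassword" in a and "keystorePass" not in a:
            findings.append("keystorePassword is not a Tomcat attribute (use keystorePass)")
        password = a.get("keystorePass", DEFAULT_PASSWORD)
        if password.startswith("<"):
            findings.append("keystorePass left as a placeholder")
        elif password == DEFAULT_PASSWORD:
            findings.append("keystore password is the well-known default 'changeit'")
        if a.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append("sslProtocol selects SSL rather than TLS")
        report[a.get("port", "?")] = findings
    return report


# Constructed sample: the page's connector with the misspelled attribute, next to a corrected one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
             keystoreFile="/secure/mykey.keystore" keystorePassword="changeit" />
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/secure/mykey.keystore" keystorePass="a-long-random-passphrase" />
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```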

Part 7: What’s Certificate Authority (CA)?


In cryptography, a certificate authority or certification authority (CA) is an entity that issues
digital certificates for use by other parties. It is an example of a trusted third party. CAs are
characteristic of many public key infrastructure (PKI) schemes.

A CA issues digital certificates that contain a public key and the identity of the owner. The
matching private key is not made available publicly, for security reasons: it should be known
only to the owner and nobody else, and is kept secret by the end user who generated the key
pair. The certificate is also an attestation by the CA that the public key contained in the
certificate belongs to the person, organization, server or other entity named in the certificate.
A CA's obligation in such schemes is to verify an applicant's credentials, so that users and
relying parties can trust the information in the CA's certificates. CAs use a variety of
standards and tests to do so. A Registration Authority (RA) is required to validate the CA.

If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain
public key does indeed belong to whoever is identified in the certificate, thereby providing
confidentiality and non-repudiation for the respective transaction.

-----------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in
several fields of Science & Technology, IT Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a Center of Excellence
in online eLearning.
