@yanokwa
Last active February 8, 2016 18:46
### SSL Part 2: Configure Tomcat 6 with Java KeyStore (JKS)
This is part two of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. Here we'll cover setting up Tomcat 6 to use your Java KeyStore, which we created in [Part 1](/tutorials/ssl-create-java-keystore-jks-tomcat.php) of this series.
#### 1\. Adding the SSL connector to Tomcat's configuration
Tomcat 6 stores its configuration in /etc/tomcat6/server.xml.
To open the file, run the following:
<pre class="shelloutput"># sudo nano /etc/tomcat6/server.xml</pre>
Scroll down until you find Tomcat's default HTTP:8080 connector.
It should look like this:
<pre class="shelloutput"><Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" /></pre>
Just under that code, copy and paste in the following:
<pre class="shelloutput"><Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="JKS"
keystoreFile="/etc/my_ssl/mysite.jks"
keystorePass="changeit" /></pre>
If you followed part one of my guide without any changes, this should be correct. If not, make sure that the file referenced in line 4 of the connector (keystoreFile) exists and has proper permissions.
Also, make sure you replace "changeit" in line 5 (keystorePass) with the password you created for your KeyStore.
#### 2\. Restart Tomcat 6
<pre class="shelloutput"># sudo service tomcat restart</pre>
If all is well, Tomcat should restart successfully within 30 seconds or so.
#### 3\. Test the SSL Connector on TCP Port 8443
First let's make sure that Tomcat is indeed running, by testing the default port (8080). Open up a browser and go to
http://your.domain.com:8080
You should see the "It Works" Tomcat welcome page.
Now, let's try the SSL Connector we configured. Point your browser to
https://your.domain.com:8443
You should again see the "It Works" Tomcat welcome page.
If so, congratulations, you've successfully configured Tomcat 6 to use SSL!
#### Troubleshooting
I won't go into too many troubleshooting scenarios here, but I thought I'd cover a few of the most common ones...
If Tomcat does not restart successfully after adding the SSL Connector in step 1, double-check your server.xml and make sure you added the SSL connector properly:
1. The keystoreFile parameter points to the right JKS file
2. The keystorePass parameter has the correct password in it
3. You didn't accidentally uncomment one of the example connectors
4. Tomcat has read permissions to the KeyStore file
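
The checklist above can be partly automated. The following Python check is an added example, not part of the original gist: it parses server.xml and reports a missing or unreadable keystoreFile, a keystorePass left at "changeit", and a port defined by two live connectors. The function name and the sample XML are constructed for illustration; run it as the user Tomcat runs as so that the readability check is meaningful.

```python
import os
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_PASS = "changeit"  # placeholder used in the connector shown in step 1

def check_ssl_connectors(server_xml_text):
    """Return a list of problems found in the live <Connector> elements."""
    problems, seen_ports = [], set()
    # ElementTree drops XML comments, so commented-out example connectors are ignored.
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        port = conn.get("port")
        if port in seen_ports:
            problems.append(f"port {port}: defined twice (example connector uncommented?)")
        seen_ports.add(port)
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing else to check
        ks = conn.get("keystoreFile")
        if not ks or not os.path.isfile(ks):
            problems.append(f"port {port}: keystoreFile {ks!r} does not exist")
        elif not os.access(ks, os.R_OK):
            problems.append(f"port {port}: keystoreFile {ks!r} is not readable by this user")
        # An absent keystorePass is treated like the placeholder value.
        if conn.get("keystorePass", TOMCAT_DEFAULT_PASS) == TOMCAT_DEFAULT_PASS:
            problems.append(f"port {port}: keystorePass is still the placeholder 'changeit'")
    return problems

# Constructed sample mirroring the two connectors from step 1.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <!-- <Connector port="8443" SSLEnabled="true" /> -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreType="JKS" keystoreFile="/etc/my_ssl/mysite.jks"
             keystorePass="changeit" />
</Service></Server>"""

if __name__ == "__main__":
    # On a real host, pass open("/etc/tomcat6/server.xml").read() instead of SAMPLE.
    for problem in check_ssl_connectors(SAMPLE):
        print("PROBLEM:", problem)
```

This does not confirm that the password actually opens the KeyStore; it only catches the configuration mistakes listed above.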
If Tomcat restarts successfully, but you don't see the "It Works" page from
http://your.domain.com:8080
or
https://your.domain.com:8443
make sure that both TCP Ports 8080 and 8443 are open to incoming connections in your firewall.