This took me a day to setup on a new CentOS Amazon image. To be honest I’d never configured SSL for tomcat before, and this was the first time that I’d used tomcat8. So I just want to go over the steps I had to do so I’ll remember all of the tweeks needed.<\/p>\n
Configuring SSL was more painful than I expected. First issue was that I had to break up the Microsoft IIS formated certificate I had. Fortunatly that I’ve done before. From novell<\/a><\/p>\n First create a new folder for all of this. To export the private key without a passphrase or password. To Generate a public version of the private RSAkey To export the Certificate The directory will now have a file cert.pem and a key.pem<\/p>\n Now from apache.org<\/a> * key.pem – your certificate’s private key First, concatenate the CA certs, make sure the intermediate CA goes first: $ cat domainIntermediate.crt inter.crt root.crt > chain.crt<\/p>\n Next, export the pkcs12 file:<\/p>\n $ openssl pkcs12 -export -chain -inkey key.pem -in cert.pem\\ When prompt for export password, enter something and don’t leave it empty.<\/p>\n Now, use keytool to verify:<\/p>\n $ keytool -list -v -storetype pkcs12 -keystore server.p12<\/p>\n Enter the export password for the keystore password. Then you should see …. Tomcat8 should now be able to use that server.p12 file as it’s keystore. If using Linux 2.6.24 or later, you can set up a file capability on the java executable, to give elevated privileges to allow opening privileged ports only, and no other superuser privileges: # echo “JAVA_HOME\/lib\/amd64\/jli” > \/etc\/ld.so.conf.d\/java-libjli.conf At this point I usually switch user to tomcat. to do that edit \/etc\/passwd and change tomcat user to use \/bin\/bash We need to edit \/etc\/tomcat8\/server.xml Also in my case the application was to live on the root so to do that find the host section and add Context like so:<\/p>\n <Host appBase=”webapps” autoDeploy=”true” name=”localhost” unpackWARs=”true”> exit out of the tomcat account change it back to nologin then restart tomcat. Easy right?<\/p>\n","protected":false},"excerpt":{"rendered":" This took me a day to setup on a new CentOS Amazon image. To be honest I’d never configured SSL for tomcat before, and this was the first time that I’d used tomcat8. So I just want to go over the steps I had to do so I’ll remember all of the tweeks needed. Configuring<\/p>\n
\nType: mkdir cert Type: cd cert
\nNow get the Intermediate and root certificates from your CA place them in the folder.
\nGet the .pfx certificate and put it in the folder.<\/p>\n
\nType: openssl pkcs12 -in filename.pfx -nocerts -nodes -out key.pem<\/p>\n
\nType: openssl rsa -in key.pem -out server.key<\/p>\n
\nType: openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem<\/p>\n
\nAssuming:<\/p>\n
\n* cert.pem – your certificate
\n* domainIntermediate.crt – Organization Validation intermediate
\n* inter.crt – the intermediate CA that signed your certificate
\n* root.crt – the root CA that signed the intermediate CA<\/p>\n
\nNote on this – For the chain ON A NORMAL LOAD BALANCER, it’s intermediate first then domain Intermediate then the root, BUT if you want a unified cert like we are doing here the order is different, it would be domain Intermediate, then CA Intermediate, then the CA Root.\u00a0 Makes no sense to me but for Comodo it is so<\/a>.<\/strong><\/p>\n
\n-name “server” -CAfile chain.crt -out server.p12<\/p>\n
\na line like this from the output:<\/p>\n
\nCertificate chain length: 3
\n….<\/p>\n
\nMove the server.p12 to the tomcat home directory which is \/usr\/share\/tomcat8\/
\nMake sure tomcat is the owner, Type: chmod tomcat:tomcat server.p12
\nThis server needs to use 443 instead of 8443. To do that we need to tweek java permissions.
\nI used the guide at confluence<\/a> but used the 5th option:<\/p>\n
\n# setcap cap_net_bind_service+ep \/path\/to\/bin\/java
\nAfter setting this you may notice errors when starting Java like this, for example:
\n$ java -version
\n\/path\/to\/bin\/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
\nThis means that the library is being imported from a dynamic path, and not in the trusted ld.so path. See http:\/\/bugs.sun.com\/view_bug.do?bug_id=7157699 for details. To fix this, you need to locate the library, and add its path to the ld.so configuration. Note that the below is an example, and this may differ depending on Linux distribution. Replace JAVA_HOME with the correct location:
\n$ find JAVA_HOME -name ‘libjli.so’
\nJAVA_HOME\/lib\/amd64\/jli\/libjli.so<\/p>\n
\n# ldconfig -v
\nAfter setting this all up, you need to make sure that Confluence only starts java with the direct binary path, and not via a symbolic link, otherwise the capability will not be picked up.
\nSetting this up means that any user can open privileged ports using Java, which may or may not be acceptable for you<\/p>\n
\nthen as root su tomcat<\/p>\n
\nAdd a new connector like this:
\n<Connector
\nprotocol=”org.apache.coyote.http11.Http11NioProtocol”
\nport=”443″ maxThreads=”200″
\nscheme=”https” secure=”true” SSLEnabled=”true”
\nkeystoreFile=”${user.home}\/server.p12″ keystoreType=”PKCS12″ keystorePass=”changeit”
\nclientAuth=”false” sslProtocol=”TLS”\/><\/p>\n
\n<Context docBase=”\/var\/lib\/tomcat8\/webapps\/YourAppName” path=”” reloadable=”true” \/><\/p>\n