Overview

This section describes how to configure Tomcat for secure (HTTPS) connections, the security issues involved, the steps required to create the certificate keystores, and the compatibility options.

Enabling security

In order to enable security in Tomcat, the following Connector entry must be added to $TOMCAT_HOME/conf/server.xml:

  <Connector port="8443"
          maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
          enableLookups="false" disableUploadTimeout="true"
          acceptCount="100" debug="0" scheme="https" secure="true"
          clientAuth="want"
          keystoreFile="/certificatesLocation/hostKeystore.pcks12"
          keystorePass="changeit"
          keystoreType="PKCS12"
          truststoreFile="/certificatesLocation/caKeystore.jks"
          truststorePass="changeit"
          truststoreType="JKS"/>

The following parameters can be changed according to the user's needs:

  1. port: port on which Tomcat will listen for secured connections
  2. clientAuth: specifies whether client authentication is required. The possible values are true, false or want. true means a valid client certificate is always required. false means no client certificate is required. want means that a valid client certificate is used if the client presents one, but the connection is still accepted without it
  3. keystoreFile: path to the keystore containing the server certificate and private key
  4. keystorePass: password of the keystore file
  5. keystoreType: keystore type (JKS or PKCS12)
  6. truststoreFile: path to the truststore file containing the trusted CAs
  7. truststorePass: password of the truststore file
  8. truststoreType: truststore type (JKS or PKCS12)
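A small audit of the Connector parameters listed above, as an added example that is not part of the original page: it parses a server.xml and flags the placeholder values a practitioner should never leave in production. The sample XML is constructed from the page's own Connector, and the audit rules (default passwords, invalid clientAuth, client authentication with no truststore, store type contradicting the file suffix) are this example's assumptions.

```python
"""Audit the https <Connector> of a Tomcat server.xml for the settings described above.

Added example, not part of the original page. Its audit rules are assumptions: flag the
default 'changeit' passwords, an invalid clientAuth, client authentication without a
truststore, and a declared store type that contradicts the file suffix."""
import xml.etree.ElementTree as ET

# Constructed sample: the page's Connector, keeping its placeholder paths and passwords.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="want"
             keystoreFile="/certificatesLocation/hostKeystore.pcks12"
             keystorePass="changeit" keystoreType="PKCS12"
             truststoreFile="/certificatesLocation/caKeystore.jks"
             truststorePass="changeit" truststoreType="JKS"/>
</Service></Server>"""

DEFAULT_PASSWORDS = {"changeit", ""}  # Tomcat's documented default, and "not set"
VALID_CLIENT_AUTH = {"true", "false", "want"}
TYPE_BY_SUFFIX = {"jks": "JKS", "p12": "PKCS12", "pkcs12": "PKCS12", "pfx": "PKCS12"}


def audit_connector(attrs):
    """Return the findings for one https Connector, given its attribute dict."""
    findings = []
    client_auth = attrs.get("clientAuth", "false")
    if client_auth not in VALID_CLIENT_AUTH:
        findings.append(f"clientAuth={client_auth!r} is not true/false/want")
    elif client_auth != "false" and "truststoreFile" not in attrs:
        findings.append("clientAuth requests client certificates but no truststoreFile is set")
    for store in ("keystore", "truststore"):
        if store + "File" not in attrs:
            continue
        # A missing *Pass attribute means Tomcat uses its default, so treat it the same way.
        if attrs.get(store + "Pass", "changeit") in DEFAULT_PASSWORDS:
            findings.append(f"{store}Pass is the default 'changeit'")
        suffix = attrs[store + "File"].rsplit(".", 1)[-1].lower()
        declared, expected = attrs.get(store + "Type", "JKS"), TYPE_BY_SUFFIX.get(suffix)
        if expected and expected != declared:
            findings.append(f"{store}Type={declared} but file suffix .{suffix} suggests {expected}")
    return findings


def audit_server_xml(xml_text):
    """Map the port of every https Connector in server.xml to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c.attrib) for c in root.iter("Connector")
            if c.get("scheme") == "https" or c.get("secure") == "true"}
```

Run `audit_server_xml(open("conf/server.xml").read())` against a real configuration; on the page's sample it reports only the two default 'changeit' passwords.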

keystore.pkcs12 and caKeystore.jks creation

Tomcat needs two different kinds of keystore: the keystoreFile (keystore.pkcs12), where the host certificate and the private host key are stored in PKCS12 format, and the truststoreFile (caKeystore.jks), where all the CAs that Tomcat relies on are stored.

To create keystore.pkcs12, carry out the following steps:

  • Generate a key pair and send a certificate signing request for the public key to your CA:
    # Certificate signing request; the CA returns the signed host certificate (hostcert.pem)
    openssl req -subj '/C=<Country-Code>/ST=<State>/L=<Region>/CN=<FQDN-hostname>' -newkey rsa:1024 -nodes -batch -keyout hostkey.pem -out hostcsr.pem

    # Temporary self-signed certificate, for testing until the CA-signed one is available
    openssl req -new -subj '/C=<Country-Code>/ST=<State>/L=<Region>/CN=<FQDN-hostname>' -newkey rsa:1024 -nodes -x509 -batch -keyout hostkey.pem -out hostcert.pem

  • Create the keystore containing the private host key and the host certificate by running the following command (-in takes the certificate, -inkey the private key):
    openssl pkcs12 -export -in /etc/grid-security/hostcert.pem -inkey /etc/grid-security/hostkey.pem -out keystore.pkcs12 \
                   -name tomcat -CAfile <CA certificate> -caname root -chain -passout pass:<keystore-password>

This example assumes that the host certificate and private key (hostcert.pem and hostkey.pem) are located under /etc/grid-security and are in PEM format. The output path of keystore.pkcs12 must match the keystoreFile configuration parameter in the Tomcat configuration file (${TOMCAT_HOME}/conf/server.xml).

For each CA to be added to the caKeystore, the following command needs to be run:

${JAVA_HOME}/bin/keytool -keystore /etc/grid-security/caKeystore.jks -import -alias <CA identifier> -trustcacerts -file <CA certificate>

This step must be executed for every CA that you want to include in your caKeystore (for example the CERN CA /etc/grid-security/certificates/fa3af1d7.0). To automate this process you can run the following program, which loads all CA certificates into /etc/grid-security/caKeystore.jks:

python insertCA.py

You can get this program here.
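The CA-loading automation described above, written as an added example rather than the page's own insertCA.py: it selects the hash-named CA files in /etc/grid-security/certificates, derives the keytool alias from each filename, and runs the page's keytool import with the flags keytool needs to run unattended. The filename layout (8 hex digits plus a numeric suffix, as in fa3af1d7.0) and the -noprompt/-storepass additions are this example's assumptions.

```python
"""Import every CA certificate from a directory into caKeystore.jks, as the insertCA.py step above does.

Added example, not the page's insertCA.py. Assumes the OpenSSL hash-style layout of
/etc/grid-security/certificates (e.g. fa3af1d7.0; the stem becomes the keytool alias) and
adds -noprompt/-storepass so keytool runs unattended. keytool is only invoked by load_cas()."""
import os
import subprocess
import sys

CERT_DIR = "/etc/grid-security/certificates"      # CA directory named on the page
TRUSTSTORE = "/etc/grid-security/caKeystore.jks"  # the page's truststoreFile
KEYTOOL = (os.path.join(os.environ["JAVA_HOME"], "bin", "keytool")
           if "JAVA_HOME" in os.environ else "keytool")


def ca_alias(cert_path):
    """'/etc/grid-security/certificates/fa3af1d7.0' -> 'fa3af1d7'."""
    return os.path.basename(cert_path).rsplit(".", 1)[0]


def select_ca_files(names):
    """Keep only <8 hex digits>.<N> certificate files; skip .r0 CRLs, .info, .pem and friends."""
    keep = []
    for n in sorted(names):
        stem, _, ext = n.rpartition(".")
        if len(stem) == 8 and ext.isdigit() and all(ch in "0123456789abcdef" for ch in stem):
            keep.append(n)
    return keep


def keytool_import_cmd(cert_path, truststore=TRUSTSTORE, storepass="changeit", keytool=KEYTOOL):
    """argv for one import: the page's keytool command plus the flags for unattended use."""
    return [keytool, "-keystore", truststore, "-storepass", storepass, "-noprompt",
            "-import", "-trustcacerts", "-alias", ca_alias(cert_path), "-file", cert_path]


def load_cas(cert_dir=CERT_DIR, truststore=TRUSTSTORE, storepass="changeit"):
    """Run one import per CA file; return (imported, failed) alias lists."""
    imported, failed = [], []
    for name in select_ca_files(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        res = subprocess.run(keytool_import_cmd(path, truststore, storepass),
                             capture_output=True, text=True)
        (imported if res.returncode == 0 else failed).append(ca_alias(path))
        if res.returncode != 0:  # typically "alias already exists" on a re-run
            print(f"{name}: {res.stderr.strip()}", file=sys.stderr)
    return imported, failed
```

Call `load_cas()` on the Tomcat host with the truststore password you set in server.xml; re-running it is safe, since an alias that already exists is reported on stderr and counted as failed rather than overwritten.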

Enabling JSP 1.5

To enable JSP 1.5 in Tomcat, edit web.xml (located at $TOMCAT_HOME/conf/web.xml) and add the following entries to the relevant servlet sections:

  <init-param> <param-name>compilerSourceVM</param-name> <param-value>1.5</param-value> </init-param>
  <init-param> <param-name>compilerTargetVM</param-name> <param-value>1.5</param-value> </init-param>

Disabling default xml libraries

To get a properly configured Tomcat server that is fully compatible with the web service, you need to disable the default loading of the following library:

mv ${TOMCAT_HOME}/common/endorsed/xml-commons-apis.jar ${TOMCAT_HOME}/common/endorsed/xml-commons-apis.jar.sample

-- Main.caguado - 15 Dec 2006

Topic revision: r3 - 2006-12-15 - CarlosAguado