SSL For Tomcat
Certificates
For IIS we use .pfx files, which must be supplied by the customer.
For Tomcat we require a .p7b certificate; if one is not received from the customer, you can create your own.
1. Launch IIS and select the server name, then Server Certificates.
2. Right-click on the certificate and select Export.
3. Export the .pfx file to the root of the drive where ProjectDox resides, choose a password and confirm the password. You will need this password during the Tomcat SSL process.
4. Launch the mmc.exe on the web server.
5. Choose File, Add/Remove Snap-in and choose Certificates.
6. Click the Add button in the middle of the screen.
7. Choose the third radio button, Computer account then click Next.
8. Continue with the default radio, Local computer (the computer this console is running on), then click Finish.
9. Expand Personal, select Certificates, then right-click the certificate.
10. Choose All Tasks, Export.
11. Click Next on the Welcome to the Certificate Export Wizard.
12. Click the radio button for Cryptographic Message Syntax Standard for PKCS #7 Certificates (.P7B).
13. Place a checkmark for Include all certificates in the certification path if possible, click Next.
14. Use the Browse button and navigate to the root drive where ProjectDox is installed and save the file as a .p7b file.
15. You will be returned to the File name screen, click Next.
16. Once the process is complete, you will see the settings you specified, click Finish.
You now have a .pfx with a known password and a .p7b certificate to continue on to the next step.
Installation DOS Commands
Create the Keystore for Tomcat
Convert .pfx certificate file to JKS:
1. Launch a command prompt on the web server.
2. From the Java bin folder (e.g. C:\Program Files\Java\jre7\bin) run the following command:
Sample: keytool -importkeystore -srckeystore e:\certificate.pfx -srcstoretype pkcs12 -destkeystore destcert.jks -deststoretype JKS -storepass
Actual: keytool -importkeystore -srckeystore e:\incoming\lorassl\avolvecloudsslcom.pfx -srcstoretype pkcs12 -destkeystore pdtomcert.jks -deststoretype JKS -storepass MyPassword
3. The output gives you the keyAlias value:
Entry for alias le-c5a08b67-625c-4184-8769-59eca73b6b55 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
NOTE: In the above command we did not provide a path for the -destkeystore parameter; therefore, the JKS file is created in the Java bin folder.
4. Copy the C:\Program Files\IGC\Tomcat 8 For Brava\conf\your_p7b_file.p7b into C:\Program Files\Java\jre7\bin.
5. Import certificate into JKS file (which is the keystore) using this command:
Sample: keytool -import -trustcacerts -alias alias_from_jks_file -file your_p7b_file.p7b -keystore destcert.jks -storepass
Actual: keytool -import -trustcacerts -alias le-c5a08b67-625c-4184-8769-59eca73b6b55 -file ssl_certificate.p7b -keystore pdtomcert.jks -storepass
Edit Apache Tomcat server.xml
1. Copy destination JKS file to C:\Program Files\IGC\Tomcat 8 For Brava\conf folder.
2. Before changes are made to the server.xml file, save the original file as server.xmlOrig.
NOTE: If for any reason you need to revert to non-SSL, restoring the original file makes this very easy.
3. Edit C:\Program Files\IGC\Tomcat 8 For Brava\conf\server.xml. You can skip a-d if you copy the server.xml file from the \ProjectDox\Integration\BravaPlugin\JP folder (this example is already configured for SSL) and edit the following 2 values:
keystorePass="<>"
keyAlias="<>"
4. Uncomment the following section:
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
5. Update Tomcat to use newer TLS protocols by replacing sslProtocol="TLS" with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2".
6. Add new keys to that section:
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
keystoreFile="${catalina.base}/conf/pdtomcert.jks"
keystorePass="XXXXXXXXXX"
keyAlias="XXXXXXXXXXXXXXXXXXXX"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA"
/>
7. Save the server.xml file.
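As an added check (not part of the ProjectDox documentation or product), the following Python script parses a server.xml and flags the settings in the connector above that a practitioner would want to revisit: the TLSv1/TLSv1.1 protocols and RC4 cipher suites, which current guidance disables, and keystorePass/keyAlias values still left as placeholders. The embedded server.xml is a constructed sample; its port 8443 and the plain HTTP connector are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; port 8443 is an assumption, the other Connector
# attributes mirror the values from the steps above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" maxThreads="150" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
               keystoreFile="${catalina.base}/conf/pdtomcert.jks"
               keystorePass="XXXXXXXXXX" keyAlias="XXXXXXXXXXXXXXXXXXXX"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _split_list(value):
    """Split a comma-separated Tomcat attribute (XML turns newlines into spaces)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _is_placeholder(value):
    """True for the "<>" and "XXXX..." stand-ins used in the instructions above."""
    return value is None or value.strip() in ("", "<>") or set(value) == {"X"}


def audit_ssl_connectors(server_xml):
    """Return one finding per SSLEnabled Connector: its port and a list of issues."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing TLS-related to check
        issues = []
        for proto in _split_list(conn.get("sslEnabledProtocols", "")):
            if proto in LEGACY_PROTOCOLS:
                issues.append(f"legacy protocol enabled: {proto}")
        for cipher in _split_list(conn.get("ciphers", "")):
            if "RC4" in cipher:
                issues.append(f"RC4 cipher suite enabled: {cipher}")
        if not conn.get("keystoreFile"):
            issues.append("keystoreFile not set")
        for attr in ("keystorePass", "keyAlias"):
            if _is_placeholder(conn.get(attr)):
                issues.append(f"{attr} still contains a placeholder value")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings
```

Run it against the real conf\server.xml after step 7; an empty issues list for the HTTPS connector means the placeholders were replaced and no legacy protocol or RC4 suite remains.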
Apache Tomcat Logging
To turn off the Tomcat logs that create excessively large files named localhost_access_log, comment out the following line:
Restart Apache Tomcat
1. Stop the Apache Tomcat Service on the web server.
2. Start the Apache Tomcat Service on the web server.
3. Test viewing a file from within the ProjectDox application.