Skip to main content

tomcat ssl existant

Tomcat: activer HTTPS avec des certificats SSL existants

Dans le cas ou un certificat SSL existe déjà, voici comment faire en sorte que Tomcat serve en HTTPS avec les certificats existants.

Pour que cela fonctionne, il faut avoir en sa possession:
  • La clé privée qui a servie à générer le CSR, généralement un "*.key"
  • Le certificat délivré par le registrar (ce qui a été délivré en réponse à la CSR), généralement un "*.cert"
  • Le certificat de l'autorité, généralement un "*.pem". Par exemple pour Gandi, c'est https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem, docmenté dans https://wiki.gandi.net/en/ssl/intermediate
Noter que la documentation officielle de Tomcat couvre un certain cas d'utilisation mais pas celui-ci. En effet, https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html traite des cas ou on souhaite autosigner le certificat, ou alors il traite du cas ou l'on doit encore générer le CSR à partir d'une clé privée, toutes les 2 encore à créer.

Configuration des clés & certificats

Activer la possibilité de se logger à l'utilisateur sous lequel tourne Tomcat:
nano -w /etc/passwd
Et donner un SHELL à l'utilisateur Tomcat. Passer sous l'utilisateur sous lequel tourne Tomcat:
su - tomcat8
On crée un certificat de type "pkcs12", car c'est ce format qui est reconnu par les outils Java. La création de ce certificat met en jeu la clé privée et le certificat (que Gandi a délivré). Il demande une passphrase: je mets "rktmb" partout. C'est une mauvaise pratique, mais pour le tutoriel cela simplifie la tâche.
openssl pkcs12 -export -name tomcat \
  -in /usr/share/tomcat8/ssl.key/rktmb.crt \
  -inkey /usr/share/tomcat8/ssl.key/rktmb.key \
  -out  /usr/share/tomcat8/ssl.key/rktmb.p12
On converti ce certificat de type "pkcs12" en "keystore", dont le chemin est ''/usr/share/tomcat8/.keystore'' (certaines documentations préfère utiliser un fichier avec extension ".jks"):
keytool -importkeystore -destkeystore /usr/share/tomcat8/.keystore \
                          -srckeystore /usr/share/tomcat8/ssl.key/rktmb.p12 \
                          -srcstoretype pkcs12 -alias tomcat
A cette étape, on a créé le keystore et on l'a appelé "tomcat". Il ne faut plus en créer, on vient de le faire. Le certificat du CA n'a pas encore été importé, on le fait avec:
keytool -import -alias root   -keystore /usr/share/tomcat8/.keystore -trustcacerts -file /usr/share/tomcat8/ssl.key/GandiStandardSSLCA.pem

Configuration de Tomcat pour utiliser tout cela

Dans ''/etc/tomcat8/server.xml'', décommenter:

<Connector  port="8443" 
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              keystoreFile="/usr/share/tomcat8/.keystore"
              keystorePass="rktmb"
              maxThreads="150" 
              SSLEnabled="true" 
              scheme="https" secure="true"
              clientAuth="false" 
              sslProtocol="TLS" />

Restart du service et tests

systemctl status tomcat8
  systemctl stop tomcat8
  systemctl status tomcat8

systemctl start tomcat8
  systemctl status tomcat8


Aller sur https://tomcat-ssl-test.rktmb.org:8443/

Comments

Popular posts from this blog

npm run build base-href

Using NPM to specify base-href When building an Angular application, people usually use "ng" and pass arguments to that invocation. Typically, when wanting to hard code "base-href" in "index.html", one will issue: ng build --base-href='https://ngx.rktmb.org/foo' I used to build my angular apps through Bamboo or Jenkins and they have a "npm" plugin. I got the habit to build the application with "npm run build" before deploying it. But the development team once asked me to set the "--base-href='https://ngx.rktmb.org/foo'" parameter. npm run build --base-href='https://ngx.rktmb.org/foo did not set the base href in indext.html After looking for a while, I found https://github.com/angular/angular-cli/issues/13560 where it says: You need to use −− to pass arguments to npm scripts. This did the job! The command to issue is then: npm run build -- --base-href='https://ngx.rktmb.org/foo&

dockerfile multiline to file

Outputing a multiline string from Dockerfile I motsly use a Dockerfile by sourcing from a base ditribution: CentOS or Debian. But I also have a local mirror and would like to use it for packages installation. Espacially on CentOS it is about many lines to write to the /etc/yum.repos.d/CentOS-Base.repo file. Easiest way: one RUN per line The first method that comes in mind is to issue one RUN per line to write. Here you are: RUN echo "[base] " > /etc/yum.repos.d/CentOS-Base.repo RUN echo "name=CentOS-$releasever - Base " >> /etc/yum.repos.d/CentOS-Base.repo RUN echo "baseurl=ftp://packages-infra.mg.rktmb.org/pub/centos/7/base-reposync-7 " >> /etc/yum.repos.d/CentOS-Base.repo RUN echo "gpgcheck=0 &quo

Gnome VNC Grey Checkboxes

When setting up VNC server in Gnome, I get a grey screen (or a black one) and the checkboxes to "Accept clipboard from viewers", "Send clipboard to viewers", "Send primary selection to viewers". I'm setting up a VNC server on a Debian 10 machine that has Gnome environment. A zillion articles can be found on Internet, they have the same global path: Install Gnome and GDM Install TigerVNC Setup the VNC Server: password + startup Run the server Connect from the client One of them is this TeknoTut how-to I took inspiration from. The tutorial is good, but I needed to complete it with extra steps in order to make it work: If the current user has already a running Gnome session, I just get the "grey screen with the checkboxes". It is good to know that: The "grey screen" is due to the "xsetroot" command that can be seen in some howtos The checkboxes are due to the "vncconfig -iconic &" command