Setting Up SSL with Apache Tomcat 64-bit

This week I share with you some notes compiled by my good friend and colleague, Brian Yasaki.  Brian has painstakingly put together notes for using a self-signed SSL certificate with Taskspace/Webtop on Apache Tomcat 6.0.24 64-bit using Java 1.5.0_22 64-bit on Windows Server 2008 SP2 64-bit.  Interestingly, there were some quirks and bugs in this process that make it not as straightforward as it is on a 32-bit system.

  1. Download and install Java 1.5.0_22 64-bit version (Note that for Intel x86 architecture and AMD CPUs you want the “Windows x64” download).
  2. Once installed, set the JAVA_HOME environment variable to the installation folder (C:\Program Files\Java\jre6).
  3. Download apache-tomcat-6.0.24-windows-x64.zip (This is the first Tomcat 6 version to support 64-bit Java) and extract it to C:\apache-tomcat-6.0.24x64.
  4. Since there is no apache-tomcat-6.0.24-windows-x64 installer, you have to install the Windows Tomcat service and create the Start Menu items manually.
  5. From a “Run as Administrator” Command Prompt, install a new Tomcat service instance:  run C:\apache-tomcat-6.0.24x64\bin\service.bat install Tomcat6x64 (the new service will be named Tomcat6x64).
  6. Create new Start Menu shortcuts. Using Windows Explorer, browse to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs folder. Create a new folder named “Apache Tomcat 6.0”.
  7. Create a new shortcut named “Configure Tomcat x64” that has a Target: C:\apache-tomcat-6.0.24x64\bin\tomcat6w.exe //ES//Tomcat6x64 and Start in: C:\apache-tomcat-6.0.24x64\bin, and under the Compatibility tab check the “Run this program as an administrator”.
  8. Create a new shortcut named “Monitor Tomcat x64” that has a Target: C:\apache-tomcat-6.0.24x64\bin\tomcat6w.exe //MS//Tomcat6x64 and Start in: C:\apache-tomcat-6.0.24x64\bin and under the Compatibility tab check the “Run this program as an administrator”.
  9. Double-click the “Configure Tomcat x64” shortcut.  On the Java tab, add these Java Options:
    • -Dserver
    • -XX:PermSize=256m
    • -XX:MaxPermSize=512m
    • -XX:+UseParallelOldGC
    • -XX:+CMSClassUnloadingEnabled
  10. Set the Initial and Maximum memory pool to 2048.
  11. Start the new Apache Tomcat Tomcat6x64 service.
  12. Create a keystore file using the keytool application in the %JAVA_HOME%\bin folder.
  13. keytool -genkey -validity 365 -keysize 2048 -alias <fully qualified hostname> -keyalg RSA -keystore <hostname>.jks
  14. The password must be changeit. For the First and Last Name prompt, enter the fully qualified host name of the server running Tomcat.
  15. Copy the .jks file to C:\ and rename it to .keystore (so that it is C:\.keystore), because the 64-bit version of some of the Java libraries has bugs and won’t find it otherwise.
  16. Edit the C:\apache-tomcat-6.0.24x64\conf\server.xml file.  Change Tomcat to use the standard port numbers for the HTTP and HTTPS protocols: change all “8080” to “80” and all “8443” to “443” in the file.  You also need to un-comment the definition for the SSL HTTP/1.1 Connector and change its parameters.  Here are the two definitions:

     <!-- Define a non-SSL HTTP/1.1 Connector -->
     <Connector port="80"
                protocol="HTTP/1.1"
                maxThreads="200"
                connectionTimeout="20000"
                redirectPort="443" />

     <!-- Define a SSL HTTP/1.1 Connector -->
     <Connector port="443"
                protocol="org.apache.coyote.http11.Http11Protocol"
                SSLEnabled="true"
                maxThreads="200"
                scheme="https"
                secure="true"
                keystoreFile="C:/.keystore"
                keystorePass="changeit"
                keyAlias="<fully qualified hostname>"
                clientAuth="false"
                sslProtocol="TLS" />

  17. Tomcat 64-bit has an issue with the keystoreFile parameter such that the only value that works is C:/.keystore. This is why you renamed and moved the .jks file to C:\.keystore in step #15. The keystorePass value must match the password used when creating the keystore file. The default Tomcat password is changeit.
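As an added example (not part of Brian's notes), here is a small Python audit of the two Connector definitions above. Tomcat matches Connector attribute names case-sensitively and silently ignores ones it does not recognise (with no keystoreFile it falls back to ${user.home}/.keystore), so the script flags case mismatches such as keystorefile, checks the SSL connector's scheme/secure flags, and verifies that the HTTP connector's redirectPort points at an SSL-enabled connector. The sample server.xml and the host name tomcat.example.com are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Documented (case-sensitive) SSL attribute names of the Tomcat 6 HTTP connector.
KNOWN_SSL_ATTRS = {"SSLEnabled", "scheme", "secure", "keystoreFile",
                   "keystorePass", "keyAlias", "clientAuth", "sslProtocol"}


def audit_connectors(server_xml: str) -> list:
    """Return findings about the Connector elements; an empty list means consistent."""
    findings = []
    root = ET.fromstring(server_xml)
    ssl_ports, redirects = set(), []
    for conn in root.iter("Connector"):
        attrs, port = conn.attrib, conn.get("port")
        # Tomcat ignores attributes it does not recognise, so a name that differs
        # from the documented spelling only by case (keystorefile) has no effect.
        for name in attrs:
            for known in KNOWN_SSL_ATTRS:
                if name != known and name.lower() == known.lower():
                    findings.append(f"port {port}: '{name}' is ignored; spell it '{known}'")
        if attrs.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(port)
            if attrs.get("scheme") != "https" or attrs.get("secure", "").lower() != "true":
                findings.append(f'port {port}: SSL connector needs scheme="https" secure="true"')
            if "keystoreFile" not in attrs:
                findings.append(f"port {port}: no keystoreFile, Tomcat falls back to "
                                "${user.home}/.keystore")
        elif "redirectPort" in attrs:
            redirects.append((port, attrs["redirectPort"]))
    # The plain HTTP connector's redirectPort must point at an SSL-enabled connector,
    # otherwise the CONFIDENTIAL transport guarantee in web.xml cannot be honoured.
    for port, target in redirects:
        if target not in ssl_ports:
            findings.append(f"port {port}: redirectPort {target} is not an SSL connector")
    return findings


# Constructed sample in the shape of the notes' server.xml (placeholder host name),
# deliberately using the lower-case keystorefile spelling to show the finding.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" maxThreads="200"
             connectionTimeout="20000" redirectPort="443" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
             keystorefile="C:/.keystore" keystorePass="changeit"
             keyAlias="tomcat.example.com" clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_SERVER_XML) or ["no findings"]:
        print(line)
```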

WDK-based Applications

  1. All of the deployed web apps need to have their C:\apache-tomcat-6.0.24x64\webapps\<app_name>\WEB-INF\web.xml file changed to force the web app to always use the SSL connection.  Here is the XML text that needs to be inserted before the closing </web-app> tag (substitute the correct web app name for app_name):

     <security-constraint>
       <web-resource-collection>
         <web-resource-name>app_name</web-resource-name>
         <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
     </security-constraint>

  2. If a self-signed certificate is being used, UCF transfers will fail unless this change is made to the web apps that use UCF (DA, Webtop, TaskSpace). The following XML must be added to the C:\apache-tomcat-6.0.24x64\webapps\<app_name>\wdk\contentXfer\ucf.installer.config.xml file inside the <configuration> tag:

     <configuration>
       <option name="https.host.validation" persistent="false">
         <value>false</value>
       </option>
     </configuration>

  3. To make the Taskspace login page the default web page, the C:\apache-tomcat-6.0.24x64\webapps\ROOT\index.html file must be deleted and the C:\apache-tomcat-6.0.24x64\webapps\ROOT\index.jsp file must be changed. Here is the code for the index.jsp file:

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <%@ page session="false" %>
     <%
       String redirectURL = "https://<fully qualified host name>/taskspace/component/main/?appname=<app_name>";
       response.sendRedirect(redirectURL);
     %>

  4. Or, to make the Webtop login page the default web page, the C:\apache-tomcat-6.0.24x64\webapps\ROOT\index.html file must be deleted and the C:\apache-tomcat-6.0.24x64\webapps\ROOT\index.jsp file must be changed. Here is the code for the index.jsp file:

     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     <%@ page session="false" %>
     <%
       String redirectURL = "https://<fully qualified host name>/webtop";
       response.sendRedirect(redirectURL);
     %>

  5. Once these changes have been made, stop Tomcat.  Clear the Tomcat cache by deleting the C:\apache-tomcat-6.0.24x64\work\Catalina folder.  Restart Tomcat.
  6. To test the changes, make an HTTP connection to <fully qualified host name>.  You should automatically be redirected to the HTTPS connection defined above.
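As an added example (again not part of the notes), a Python check of the two per-webapp edits above: that web.xml carries a CONFIDENTIAL transport guarantee on /* so Tomcat redirects plain HTTP to the SSL connector, and that ucf.installer.config.xml has https.host.validation set to false, which makes UCF skip host-name checking of the server certificate and is worth reporting so it can be reverted once a CA-signed certificate replaces the self-signed one. The sample files are constructed; a deployed web.xml usually declares the Java EE namespace, which the check handles.

```python
import xml.etree.ElementTree as ET


def _descendants(elem, name):
    # Compare local names so the Java EE namespace declared in web.xml does not matter.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def forces_https(web_xml: str) -> bool:
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in _descendants(root, "security-constraint"):
        patterns = [p.text.strip() for p in _descendants(sc, "url-pattern") if p.text]
        guarantees = [g.text.strip() for g in _descendants(sc, "transport-guarantee") if g.text]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def ucf_host_validation_disabled(ucf_xml: str) -> bool:
    """True if https.host.validation is false: UCF will not check the certificate's host name."""
    root = ET.fromstring(ucf_xml)
    for opt in _descendants(root, "option"):
        if opt.get("name") == "https.host.validation":
            values = [(v.text or "").strip().lower() for v in _descendants(opt, "value")]
            if "false" in values:
                return True
    return False


# Constructed samples matching the fragments above (web.xml carries the Java EE namespace).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>webtop</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

SAMPLE_UCF_XML = """<configuration>
  <option name="https.host.validation" persistent="false">
    <value>false</value>
  </option>
</configuration>"""

if __name__ == "__main__":
    print("web.xml forces HTTPS:", forces_https(SAMPLE_WEB_XML))
    print("UCF host-name validation disabled:", ucf_host_validation_disabled(SAMPLE_UCF_XML))
```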

About Scott
I have been implementing Documentum solutions since 1997. In 2005, I published a book about developing Documentum solutions for the Documentum Desktop Client (ISBN 0595339689). In 2010, I began this blog as a record of interesting and (hopefully) helpful bits of information related to Documentum, and as a creative outlet.

6 Responses to Setting Up SSL with Apache Tomcat 64-bit

  1. doquent says:

    I think even the info for setting up Tomcat with self-signed SSL is valuable. So this is super! Thanks for sharing.


  2. Pingback: One Year Ago « dm_misc: Miscellaneous Documentum Tidbits and Information

  3. Pingback: DRX v2.2 Released | dm_misc: Miscellaneous Documentum Information

  4. Pingback: DRX 2.3 Released | dm_misc: Miscellaneous Documentum Information

  5. Pingback: Brian Yasaki, Rest in Peace | dm_misc: Miscellaneous Documentum Information

  6. Pingback: Links to All of My Source Code | dm_misc: Miscellaneous Documentum Information
