Global Open Versity, Vancouver Canada
Install JDK6 & Setup Secure Connection on Tomcat AS on Linux
HowTo Generate & Setup Secure Connection on Tomcat AS on Linux By Kefa Rabah,
[email protected]
April 10, 2009
SerengetiSys Labs
Secure Socket Layer (SSL) Certificate: How It Works

Secure Sockets Layer (SSL), now TLS, enables secure e-commerce, communications, and interactions for Web sites, intranets, and extranets. SSL technology protects your Web site and makes it easy for your Web site visitors to trust you in three essential ways:

1. An SSL Certificate enables encryption of sensitive information during online transactions.
2. Each SSL Certificate contains unique, authenticated information about the certificate owner.
3. A Certificate Authority verifies the identity of the certificate owner when the certificate is issued, and that the owner is "who he says he is".

Installing Java SE JDK 6 and Tomcat 6

The aim of this paper is to download and install Java SE JDK 6 and the Tomcat binaries on a Linux system, to make it a secure web application server using an SSL Certificate.
Part 1: Install JDK6

1. To download Java SE JDK 6, go to http://java.sun.com/javase/downloads/index.jsp and follow the instructions to download a file called jdk-6-linux-i586-rpm.bin; save it in the /usr/java directory. You may have to create the java directory if it is not there.

2. To install Java SE JDK, type the following commands in the /usr/java directory:

# chmod 755 jdk-6-linux-i586-rpm.bin
# ./jdk-6-linux-i586-rpm.bin

3. To verify that JDK6 is installed in the /usr/java/jdk1.6.0_12 directory, type the following command:

# /usr/java/jdk1.6.0_12/bin/java -version
Part 2: Install Apache Tomcat Web Server

1. To download Tomcat 6, go to http://tomcat.apache.org/ and follow the instructions to download a file called apache-tomcat-6.0.2.tar.gz; save it in the /usr directory.

2. Next, we are going to install Tomcat in the /usr directory. Go to /usr and unpack the archive:

# cd /usr
# tar -zxvf apache-tomcat-6.0.2.tar.gz

3. The following command creates a symbolic link to the Tomcat directory:

# ln -s apache-tomcat-6.0.2 tomcat

4. Insert the following lines in /etc/profile or /root/.bashrc:

export JAVA_HOME=/usr/java/jdk1.6.0_12
export CATALINA_HOME=/usr/tomcat
export PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$PATH

5. Before we begin, we need to ensure that CATALINA_HOME and JAVA_HOME are correctly set. Open a terminal and type:

# echo $CATALINA_HOME
# echo $JAVA_HOME

6. If everything is fine, you can start Tomcat with the following command:

# $CATALINA_HOME/bin/startup.sh

7. To test that Tomcat is running, go to the graphical desktop of another computer, open a Web browser, and enter the URL http://xxx.xxx.xxx.xxx:8080, where xxx.xxx.xxx.xxx is your server's IP address or domain name. On the server itself you can also use http://localhost:8080. If everything is fine, you should see Tomcat's default welcome page.

8. To stop Tomcat, type:

# $CATALINA_HOME/bin/shutdown.sh

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org
A GOV Open Knowledge License Technical Publication
Part 3: Test the Installed JDK6 and Tomcat Web Server

1. To create a JSP web application, first create a web application folder structure under the /usr/tomcat/webapps directory. In this case we create a web application called testapache, with the following structure:

/usr/tomcat
    /webapps
        /testapache
            /WEB-INF
                /classes
                /lib

2. Create an index.jsp file in the /usr/tomcat/webapps/testapache folder, and put the following lines into it:

<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Test Page</title>
    </head>
    <body>
        <h1>Hello World!</h1>
        <%-- <jsp:useBean id="beanInstanceName" scope="session" class="beanPackage.BeanClassName" /> --%>
        <%-- <jsp:getProperty name="beanInstanceName" property="propertyName" /> --%>
    </body>
</html>

To test your index page, open a web browser and enter the URL http://localhost:8080/testapache/. If everything is fine, you should see a hello world web page.
Part 4: Creating a Self-Signed Certificate & SSL Configuration for a Secure Webserver

1. Create a new keystore containing a self-signed certificate by executing the following (the same keytool commands are used on Windows):

]# cd $JAVA_HOME/bin
]# keytool -genkey -alias tomcat -keyalg RSA

If no location is specified, keytool stores the key in the logged-in user's home directory. Alternatively, you can store your keys in a specific location with the -keystore option:

]# keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore

for example:

]# keytool -genkey -alias tomcat -keyalg RSA -keystore /secure/mykey.keystore

Type it all on one line, and specify a password value of "changeit". When asked "What is your first and last name?", enter the DNS name of your server (e.g., server01.my-domain.com or www.my-domain.com), localhost, or the IP address that clients will use in a browser or an application to connect to the server. Fill in the rest of the prompts as you see fit. At the end, when you are asked to verify, make sure that the CN value is set to your server's DNS name.
At the end, when prompted for the password for the alias (tomcat), press Enter to keep it the same as the keystore password.

For a self-signed certificate, perform the following procedure:

1. Export the tomcat cert (to be imported into the JDK's default keystore):

]# keytool -export -alias tomcat -keystore /secure/mykey.keystore -file /secure/tomcat.cer

2. Import the exported cert into the JDK keystore (modify the keystore path to your cacerts location). You must be root to perform this operation:

]# keytool -import -alias tomcat -keystore $JAVA_HOME/jre/lib/security/cacerts -file /secure/tomcat.cer

Type it all on one line.

Alternatively, if you are interested in acquiring a third-party SSL Certificate, you need to send this information to your chosen Certificate Authority (CA), e.g., VeriSign, Thawte or RSA, and then proceed as below.

Part 5: Certificate Issued by a Known Certificate Authority

Using the keytool program, create a keystore for the certificate (see above).

1. Generate a certificate request as follows:

]# keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <path to the key>

Type it all on one line. Now you have a file called certreq.csr that you can submit to the Certificate Authority (look at the documentation on the Certificate Authority's website on how to do this). In return you get a Certificate or a number of Certificates.

2. Now you have to import those certificates into the keystore file that you previously created. First import the CA's root certificate:

]# keytool -import -alias root -keystore <path to the key> -trustcacerts -file <root certificate file>

Type it all on one line. And finally import your new Certificate:

]# keytool -import -alias tomcat -keystore <path to the key> -trustcacerts -file <your certificate file>
Part 6: Configure the SSL Connector in server.xml

1. Uncomment the "SSL HTTP/1.1 Connector" entry in the $CATALINA_HOME/conf/server.xml file and edit it to reflect the keystore location and password, as shown below:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/secure/mykey.keystore"
           keystorePass="changeit" />

2. Restart Tomcat and test your web server at https://localhost:8443, or, as we do here, at https://<FQDN of your server>:8443.
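As an added example (not part of the original paper), the following Python script reads a server.xml and flags the weak or broken settings a reviewer would want fixed in the HTTPS connector before the server goes live: the well-known default password "changeit" that the procedure above uses, a mis-spelled keystorePass attribute, a relative keystore path, a missing secure="true", and an sslProtocol that still permits SSLv3. The SAMPLE_SERVER_XML is constructed to mirror the connector from step 1.

```python
"""Audit the HTTPS connector(s) in a Tomcat 6 server.xml.

Added example, not from the original paper. Pure standard library, so it
runs offline; SAMPLE_SERVER_XML below is a constructed file mirroring the
connector configured in Part 6."""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/secure/mykey.keystore"
               keystorePass="changeit" />
  </Service>
</Server>"""


def audit_ssl_connectors(server_xml: str) -> list:
    """Return one finding per problem in the HTTPS connectors (empty = clean)."""
    root = ET.fromstring(server_xml)
    https = [c for c in root.iter("Connector")
             if c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https"]
    if not https:
        return ["no HTTPS connector defined (is the 8443 entry still commented out?)"]
    findings = []
    for c in https:
        port = c.get("port", "?")
        if c.get("SSLEnabled", "").lower() != "true":
            findings.append(f"port {port}: SSLEnabled is not true, so Tomcat 6 serves plain HTTP here")
        if c.get("secure") != "true":
            findings.append(f"port {port}: secure=\"true\" missing; request.isSecure() will be false")
        # Tomcat 6 reads keystorePass and falls back to the JDK default "changeit".
        if "keystorePassword" in c.attrib:
            findings.append(f"port {port}: attribute is keystorePass, not keystorePassword (ignored)")
        if c.get("keystorePass", "changeit") == "changeit":
            findings.append(f"port {port}: keystore protected by the well-known default password 'changeit'")
        keystore = c.get("keystoreFile", "")
        if keystore and not keystore.startswith("/"):
            findings.append(f"port {port}: keystoreFile '{keystore}' is relative; use an absolute path")
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol '{c.get('sslProtocol')}' permits SSLv3; use TLS")
    return findings


if __name__ == "__main__":
    for line in audit_ssl_connectors(SAMPLE_SERVER_XML) or ["no findings"]:
        print(line)
```

Run against the real file with audit_ssl_connectors(open("/usr/tomcat/conf/server.xml").read()); the sample above yields exactly one finding, the "changeit" password.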
If all goes well you will be asked whether you want to proceed using the Security Certificate. Click Yes, and you should be in business: you should see the usual Tomcat splash page. Henceforth, you should be able to access any web application supported by Tomcat via SSL. If this does not work, do some troubleshooting.

NOTE: If you are behind a router, don't forget to open port 8443 (or 443) on it!

You're done. Enjoy playing around with Tomcat's SSL functionality!

Part 7: What is a Certificate Authority (CA)?

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes.

A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, for security reasons; it should be known only to the owner and is kept secret by the end user who generated the key pair. The certificate is also an attestation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate.

A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. A Registration Authority (RA) is required to validate the CA.

If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate, thereby providing the confidentiality and non-repudiation of the respective transaction.
----------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in several fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a Center of Excellence in online eLearning.