Jakarta-Tomcat Web Server

SSL Installation Support Instructions

Jakarta-Tomcat SSL Installation


Once you receive the email with your certificate, follow the instructions below to install your EBIZID SSL Certificate.

These must be imported in the correct order:

1. Root
2. Intermediate CA
3. Domain/site certificate


We provide several methods of installing your certificates; please choose the method most appropriate for your server.


If you are installing the certificate on anything other than a Sun system you will have to convert the certificate to binary format. Our instructions use OpenSSL to convert the certificate to binary format. OpenSSL can be downloaded from www.openssl.org.



1. Use the keytool command to import the certificates as follows:

keytool -import -trustcacerts -alias root -file ***********Root.crt -keystore domain.key

(If you are using a different alias, supply it with the -alias option in the command.)

Example:

keytool then prompts for the keystore password (this is the one used during CSR creation):

Enter keystore password:

The following information about the certificate is displayed and you are asked whether you want to trust it (the default is no, so type 'y' or 'yes'):

Owner: CN=UTN Root, O=UTN Corporation, C=US
Issuer: CN=UTN Root, O=UTN Corporation, C=US
Serial number: 1a3
Valid from: Fri Feb 23 23:01:00 GMT 1996 until: Thu Feb 23 23:59:00 GMT 2006
Certificate fingerprints:
MD5: C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
SHA1: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64
Trust this certificate? [no]: yes

Then an information message will display as follows:
Certificate was added to keystore

Use the same process for the Intermediate certificate using the keytool command:

keytool -import -trustcacerts -alias comodo -file ************CA.crt -keystore domain.key

The root and intermediate certificates are now loaded, so the correct certificate chain will be presented to clients once the server certificate is imported.

Now import the "Server Certificate" using the following command. The alias must be the one used when the key pair and CSR were created; under any other alias keytool stores the certificate as a trusted CA entry instead of attaching it to your private key:

keytool -import -alias domainname -file domainname.crt -keystore domain.key

If necessary, update the server.xml configuration file:

1. Open "$JAKARTA_HOME/conf/server.xml" in a text editor.

2. Find the following section:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="tomcat.kdb"
           keystorePass="password"/>
</Connector>

3. If you want Tomcat to use the default SSL port, change all instances of the port number 8443 to 443.

4. Add the keystoreFile and keystorePass directives to correspond with the keystore file and password that you are using.

5. Start or restart Tomcat using the appropriate startup script (startup.sh for Unix/Linux or startup.bat for Windows).

In the following example please replace the example keystore name 'domain.key' with your keystore name.

Use the keytool command to import the certificates as follows:
keytool -import -trustcacerts -alias root -file (insert root certificate file name) -keystore domain.key

Use the same process for the Comodo intermediate certificate using the keytool command:
keytool -import -trustcacerts -alias INTER -file (insert intermediate CA file name) -keystore domain.key

Use the same process for the site certificate using the keytool command; the alias must be the one specified during CSR creation. Example:

keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key

(where yyy is the alias specified during CSR creation)
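The two keytool sequences above (root, then intermediate, then site certificate) are easy to get wrong in one specific way: if the site certificate is imported under an alias other than the one that holds the private key from CSR creation, keytool accepts it silently as a trusted-certificate entry and Tomcat ends up with no usable key. The script below is an added example, not part of the EBIZID page or of Tomcat; it performs the three imports in the required order, refuses to import the site certificate unless its alias is already a key entry, and reports the resulting chain length. The keystore name, certificate file names and the alias 'tomcat' are assumptions, overridable through the environment; keytool prompts for the keystore password exactly as in the instructions above.

```shell
#!/bin/sh
# Added example (not from the EBIZID page or Tomcat): import root, intermediate
# and site certificates into a JKS keystore in the order the page requires, and
# guard the final import against an alias that holds no private key.
set -eu

KEYSTORE="${KEYSTORE:-domain.key}"       # assumption: keystore created when the CSR was generated
ROOT_CRT="${ROOT_CRT:-Root.crt}"         # placeholder name for the root CA certificate
INTER_CRT="${INTER_CRT:-CA.crt}"         # placeholder name for the intermediate CA certificate
SERVER_CRT="${SERVER_CRT:-domain.crt}"   # the issued site certificate
SERVER_ALIAS="${SERVER_ALIAS:-tomcat}"   # assumption: MUST be the alias used with keytool -genkey
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints the keytool commands instead of running them

# Run (or, in dry-run mode, print) one keytool import.
# $1 = alias, $2 = certificate file, $3 = "ca" for root/intermediate, "server" for the site certificate.
# keytool prompts for the keystore password, as in the page's instructions.
import_cert() {
    if [ "$3" = ca ]; then
        set -- -import -trustcacerts -alias "$1" -file "$2" -keystore "$KEYSTORE"
    else
        set -- -import -alias "$1" -file "$2" -keystore "$KEYSTORE"
    fi
    if [ "$DRY_RUN" = 1 ]; then echo "keytool $*"; else keytool "$@"; fi
}

# Succeed only if alias $1 is a key entry: keytool lists such entries as
# "PrivateKeyEntry" (JDK 6 and later) or "keyEntry" (older releases).
alias_is_key_entry() {
    keytool -list -keystore "$KEYSTORE" -alias "$1" 2>/dev/null | grep -Eq 'PrivateKeyEntry|keyEntry'
}

# Print the number of certificates stored under alias $1 (3 for a complete chain).
chain_length() {
    keytool -list -v -keystore "$KEYSTORE" -alias "$1" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

install_chain() {
    if [ "$DRY_RUN" != 1 ]; then
        for f in "$ROOT_CRT" "$INTER_CRT" "$SERVER_CRT"; do
            [ -r "$f" ] || { echo "missing certificate file: $f" >&2; return 1; }
        done
        # Importing the site certificate under any alias other than the key's
        # silently creates a trusted-certificate entry and leaves Tomcat without
        # a private key for that certificate, so stop before that happens.
        alias_is_key_entry "$SERVER_ALIAS" || {
            echo "alias '$SERVER_ALIAS' holds no private key in $KEYSTORE; use the alias from CSR creation" >&2
            return 1
        }
    fi
    import_cert root  "$ROOT_CRT"  ca                    # 1. root
    import_cert inter "$INTER_CRT" ca                    # 2. intermediate CA
    import_cert "$SERVER_ALIAS" "$SERVER_CRT" server     # 3. site certificate (certificate reply)
    if [ "$DRY_RUN" != 1 ]; then
        echo "chain length under '$SERVER_ALIAS': $(chain_length "$SERVER_ALIAS") (expected 3)"
    fi
}

# Usage: sh install_chain.sh install   (or DRY_RUN=1 sh install_chain.sh install to preview the commands)
if [ "${1:-}" = install ]; then install_chain; fi
```

Run it with DRY_RUN=1 first to see the three commands it will issue; a real run stops with a message instead of importing if the chosen alias does not already hold the private key, which is the condition the alias remarks in the instructions above are warning about.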

Step Two

Tomcat will first need an SSL Connector configured before it can accept secure connections.

Note: By default Tomcat will look for your Keystore with the file name .keystore in the home directory with the default password 'changeit'. The home directory is generally /home/user_name/ on Unix and Linux systems, and C:\Documents and Settings\user_name\ on Microsoft Windows systems. -- It is possible to change the filename, password, and even location that Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 1 or #5 of Option 2 below.

Option 1 -- Add an SSL Connector using admintool:

  1. Start Tomcat
  2. Enter 'http://localhost:8080/admin' in a local browser to start admintool
  3. Type a username and password with administrator rights
  4. On the left select 'Service' (Java Web Services Developer Pack)
  5. Select 'Create New Connector' from the drop-down list on the right
  6. Choose 'HTTPS' in the 'Type' field
  7. In the 'Port' field, enter '443'. This defines the TCP/IP port number on which Tomcat will listen for secure connections
  8. Enter the Keystore Name and Keystore Password if (a.) your keystore is named something other than .keystore, (b.) if .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or if (c.) the password is something other than the default value of 'changeit'. If you have used the default values, you can leave these fields blank.
  9. Select 'Save' to save the new Connector
  10. Select 'Commit Changes' to save the new Connector information to the server.xml file so that it is available the next time Tomcat is started

Option 2 -- Configure the SSL Connector in server.xml:

  1. Copy your keystore file (your_domain.key) to the home directory (see the Note above)
  2. Open the file Home_Directory/conf/server.xml in a text editor
  3. Uncomment the 'SSL Connector' Configuration
  4. Make sure that the 'Connector Port' is 443
  5. If your keystore filename is something other than the default file name (.keystore) and/or your keystore password is something other than default ('changeit') then you will need to specify the correct keystore filename and/or password in your connector configuration -- ex. keypass="newpassword". When you are done your connector should look something like this:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/user_name/your_domain.key"
               keypass="your_keystore_password"/>

  6. Save the changes to server.xml
  7. Restart Tomcat


If you do not restart your server, your certificate may not work.

© EBIZID™ Security Services 2001-2008