Ssl On Tomcat 8.5

 

In this tutorial we will learn how to configure SSL/TLS in Apache Tomcat 8.5.24.

  • (1) Creating a Keystore

    To create a keystore file to store the server's private key and self-signed certificate, use the following command:

    For example, I created the keystore as:

    Note that keytool comes with the JDK (JDK 1.8 is used in this example). With this tool, we can manage a keystore (database) of cryptographic keys and trusted certificates.

    The example command above creates the file 'localhost-rsa.jks' under C:\my-cert-dir.


  • (2) Configuring SSL HTTP/1.1 Connector

    Add the following to <tomcat-dir>\conf\server.xml:


  • (3) Testing

    Start Tomcat via <tomcat-dir>\bin\startup.bat

    Access the Tomcat home page at https://localhost:8443

    Chrome shows a privacy error because the certificate is self-signed. Click 'ADVANCED' and then 'Proceed to localhost (unsafe)'.


  • (4) Deploy a Servlet application

    Let's deploy the web application we used in the last tutorial.
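An added example, not code from the original tutorial: a Python check that parses the TLS `<Connector>` from step (2) and reports weak settings. The embedded server.xml fragment is constructed; it assumes the Tomcat 8.5 `<SSLHostConfig>` syntax, reuses the tutorial's keystore path, and its protocol list and password are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment using Tomcat 8.5 <SSLHostConfig> syntax. The
# keystore path follows the tutorial; protocols and password are sample values.
SAMPLE_SERVER_XML = r"""
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2">
        <Certificate certificateKeystoreFile="C:\my-cert-dir\localhost-rsa.jks"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(server_xml):
    """Return (port, finding) tuples for each TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        port = conn.get("port")
        for host in conn.findall("SSLHostConfig"):
            # 'protocols' is a comma-separated list; a '-' prefix removes an entry.
            tokens = [t.strip() for t in host.get("protocols", "").split(",")]
            enabled = {t.lstrip("+") for t in tokens if t and not t.startswith("-")}
            for proto in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append((port, "legacy protocol enabled: " + proto))
            for cert in host.findall("Certificate"):
                # Tomcat falls back to "changeit" when no password is given.
                if (cert.get("certificateKeystoreFile") and
                        cert.get("certificateKeystorePassword", "changeit") == "changeit"):
                    findings.append((port, "default keystore password 'changeit'"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```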

Example Project

Dependencies and Technologies Used:

  • javax.servlet-api 3.1.0 Java Servlet API
  • JDK 1.8
  • Maven 3.3.9

Monitoring and Managing Tomcat

Introduction

Monitoring is a key aspect of system administration. Looking inside a running server, obtaining some statistics or reconfiguring some aspects of an application are all daily administration tasks.

Enabling JMX Remote

Note: This configuration is needed only if you are going to monitor Tomcat remotely. It is not needed if you are going to monitor it locally, using the same user that Tomcat runs with.

The Oracle website includes the list of options and how to configure JMX Remote on Java 8: http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html.

The following is a quick configuration guide for Java 8:

Add the following parameters to the setenv.bat script of your Tomcat (see RUNNING.txt for details).
Note: This syntax is for Microsoft Windows. The command has to be on the same line. It is wrapped to be more readable. If Tomcat is running as a Windows service, use its configuration dialog to set java options for the service. For Linux, MacOS, etc, remove 'set ' from beginning of the line.

If you don't set com.sun.management.jmxremote.rmi.port then the JSR 160 JMX-Adaptor will select a port at random, which may make it difficult to configure a firewall to allow access.

If you require TLS:

  1. change and add this:
  2. to configure the protocols and/or cipher suites use:
  3. to enable client certificate authentication use:

If you require authorization (it is strongly recommended that TLS is always used with authentication):

  1. change and add this:
  2. edit the access authorization file $CATALINA_BASE/conf/jmxremote.access:
  3. edit the password file $CATALINA_BASE/conf/jmxremote.password:
     Tip: The password file should be read-only and only accessible by the operating system user Tomcat is running as.
  4. Alternatively, you can configure a JAAS login module with:

If you need to specify a host name to be used in the RMI stubs sent to the client (e.g. because the public host name that must be used to connect is not the same as the local host name) then you can set:

If you need to specify a specific interface for the JMX service to bind to then you can set:
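An added example, not part of the original documentation: a Python check that reads the `com.sun.management.jmxremote.*` options from a JVM option string such as `CATALINA_OPTS` and reports the weak settings this section discusses (authentication off, TLS off, unprotected RMI registry, random RMI port). The option strings, port numbers and finding labels are constructed for the example.

```python
import shlex

PREFIX = "com.sun.management.jmxremote."

# Constructed option strings (ports and file paths are made up for the example).
WEAK_OPTS = ("-Dcom.sun.management.jmxremote.port=9012 "
             "-Dcom.sun.management.jmxremote.ssl=false "
             "-Dcom.sun.management.jmxremote.authenticate=false")
HARDENED_OPTS = ("-Dcom.sun.management.jmxremote.port=9012 "
                 "-Dcom.sun.management.jmxremote.rmi.port=9013 "
                 "-Dcom.sun.management.jmxremote.ssl=true "
                 "-Dcom.sun.management.jmxremote.registry.ssl=true "
                 "-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.password.file=../conf/jmxremote.password "
                 "-Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access")


def jmx_properties(opts):
    """Collect -Dcom.sun.management.jmxremote.* settings from a JVM option string."""
    props = {}
    for token in shlex.split(opts):
        if token.startswith("-D" + PREFIX):
            key, _, value = token[2 + len(PREFIX):].partition("=")
            props[key] = value
    return props


def audit_jmx(opts):
    """Return finding labels for a remote JMX setup; [] if clean or not remote."""
    p = jmx_properties(opts)
    if "port" not in p:
        return []  # no remote connector configured, local monitoring only
    findings = []
    if p.get("authenticate", "true").lower() != "true":   # JVM default: true
        findings.append("no-auth")            # anyone who can connect can manage
    if p.get("ssl", "true").lower() != "true":            # JVM default: true
        findings.append("no-tls")             # traffic and credentials in clear
    elif p.get("registry.ssl", "false").lower() != "true":  # JVM default: false
        findings.append("registry-no-tls")    # RMI registry lookup not protected
    if "rmi.port" not in p:
        findings.append("random-rmi-port")    # hard to write a firewall rule for
    return findings


if __name__ == "__main__":
    for name, opts in (("weak", WEAK_OPTS), ("hardened", HARDENED_OPTS)):
        print(name, audit_jmx(opts))
```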

Manage Tomcat with JMX remote Ant Tasks

To simplify JMX usage with Ant, a set of tasks is provided that may be used with antlib.

antlib: Copy your catalina-ant.jar from $CATALINA_HOME/lib to $ANT_HOME/lib.

The following example shows the JMX Accessor usage:
Note: The name attribute value was wrapped here to be more readable. It has to be all on the same line, without spaces.

import: Import the JMX Accessor Project with <import file='${CATALINA.HOME}/bin/catalina-tasks.xml' /> and reference the tasks with jmxOpen, jmxSet, jmxGet, jmxQuery, jmxInvoke, jmxEquals and jmxCondition.

JMXAccessorOpenTask - JMX open connection task

List of Attributes

Attribute | Description | Default value
url | Set JMX connection URL - service:jmx:rmi:///jndi/rmi://localhost:8050/jmxrmi |
host | Set the host, shortcut the very long URL syntax. | localhost
port | Set the remote connection port | 8050
username | remote JMX connection user name. |
password | remote JMX connection password. |
ref | Name of the internal connection reference. With this attribute you can configure more than one connection inside the same Ant project. | jmx.server
echo | Echo the command usage (for access analysis or debugging) | false
if | Only execute if a property of the given name exists in the current project. |
unless | Only execute if a property of the given name does not exist in the current project. |

Example to open a new JMX connection

Example to open a JMX connection from URL, with authorization and store at other reference

Example to open a JMX connection from URL, with authorization and store at other reference, but only when property jmx.if exists and jmx.unless does not exist

Note: All properties from the jmxOpen task also exist in all other tasks and conditions.

JMXAccessorGetTask: get attribute value Ant task

List of Attributes

Attribute | Description | Default value
name | Fully qualified JMX ObjectName -- Catalina:type=Server |
attribute | Existing MBean attribute (see Tomcat MBean description above) |
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false
resultproperty | Save result at this project property |
delimiter | Split result with delimiter (java.util.StringTokenizer) and use resultproperty as prefix to store tokens. |
separatearrayresults | When return value is an array, save result as property list ($resultproperty.[0..N] and $resultproperty.length) | true

Example to get remote MBean attribute from default JMX connection

Example to get a result array and split it into separate properties

Access the senderObjectNames properties with:

Example to get IDataSender attribute connected only when cluster is configured.
Note: The name attribute value was wrapped here to be more readable. It has to be all on the same line, without spaces.

JMXAccessorSetTask: set attribute value Ant task

List of Attributes

Attribute | Description | Default value
name | Fully qualified JMX ObjectName -- Catalina:type=Server |
attribute | Existing MBean attribute (see Tomcat MBean description above) |
value | value to set the attribute to |
type | type of the attribute. | java.lang.String
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false

Example to set remote MBean attribute value

JMXAccessorInvokeTask: invoke MBean operation Ant task

List of Attributes

Attribute | Description | Default value
name | Fully qualified JMX ObjectName -- Catalina:type=Server |
operation | Existing MBean operation |
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false
resultproperty | Save result at this project property |
delimiter | Split result with delimiter (java.util.StringTokenizer) and use resultproperty as prefix to store tokens. |
separatearrayresults | When return value is an array, save result as property list ($resultproperty.[0..N] and $resultproperty.length) | true

stop an application

Now you can find the sessionid at ${sessions.[0..N]} properties and access the count with ${sessions.length} property.

Example to get all sessionids

Now you can find the sessionid at ${sessions.[0..N]} properties and access the count with ${sessions.length} property.

Example to get remote MBean session attribute from session ${sessionid.0}

Example to create a new access logger valve at vhost localhost

Now you can find the new MBean with its name stored at the ${accessLoggerObjectName} property.

JMXAccessorQueryTask: query MBean Ant task

List of Attributes

Attribute | Description | Default value
name | JMX ObjectName query string -- Catalina:type=Manager,* |
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false
resultproperty | Prefix project property name to all found MBeans (mbeans.[0..N].objectname) |
attributebinding | bind ALL MBean attributes in addition to name | false
delimiter | Split result with delimiter (java.util.StringTokenizer) and use resultproperty as prefix to store tokens. |
separatearrayresults | When return value is an array, save result as property list ($resultproperty.[0..N] and $resultproperty.length) | true

Get all Manager ObjectNames from all services and Hosts

Now you can find the Session Manager at ${manager.[0..N].name} properties and access the result object counter with ${manager.length} property.

Example to get the Manager from the servlet-examples application and bind all MBean properties

Now you can find the manager at the ${manager.servletExamples.0.name} property and can access all properties from this manager with ${manager.servletExamples.0.[manager attribute names]}. The result object counter from MBeans is stored at the ${manager.length} property.

Example to get all MBeans from a server and store inside an external XML property file

Now you can find all MBeans inside the file mbeans.properties.

JMXAccessorCreateTask: remote create MBean Ant task

List of Attributes

Attribute | Description | Default value
name | Fully qualified JMX ObjectName -- Catalina:type=MBeanFactory |
className | Existing MBean fully qualified class name (see Tomcat MBean description above) |
classLoader | ObjectName of server or web application classloader ( Catalina:type=ServerClassLoader,name=[server,common,shared] or Catalina:type=WebappClassLoader,context=/myapps,host=localhost) |
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false

Example to create remote MBean

Warning: Many Tomcat MBeans can't be linked to their parent once
created. The Valve, Cluster and Realm MBeans are not automatically
connected with their parent. Use the MBeanFactory create
operation instead.

JMXAccessorUnregisterTask: remote unregister MBean Ant task

List of Attributes

Attribute | Description | Default value
name | Fully qualified JMX ObjectName -- Catalina:type=MBeanFactory |
ref | JMX Connection reference | jmx.server
echo | Echo command usage (access and result) | false

Example to unregister remote MBean

Warning: A lot of Tomcat MBeans can't be unregistered.
The MBeans are not unlinked from their parent. Use the MBeanFactory
remove operation instead.

JMXAccessorCondition: express condition

List of Attributes

Attribute | Description | Default value
url | Set JMX connection URL - service:jmx:rmi:///jndi/rmi://localhost:8050/jmxrmi |
host | Set the host, shortcut the very long URL syntax. | localhost
port | Set the remote connection port | 8050
username | remote JMX connection user name. |
password | remote JMX connection password. |
ref | Name of the internal connection reference. With this attribute you can configure more than one connection inside the same Ant project. | jmx.server
name | Fully qualified JMX ObjectName -- Catalina:type=Server |
echo | Echo condition usage (access and result) | false
if | Only execute if a property of the given name exists in the current project. |
unless | Only execute if a property of the given name does not exist in the current project. |
value (required) | Second arg for operation |
type | Value type to express operation (support long and double) | long
operation | express one: |
  • equals
  • != not equals
  • > greater than (&gt;)
  • >= greater than or equals (&gt;=)
  • < lesser than (&lt;)
  • <= lesser than or equals (&lt;=)

Wait for server connection and that cluster backup node is accessible

JMXAccessorEqualsCondition: equals MBean Ant condition

List of Attributes

Attribute | Description | Default value
url | Set JMX connection URL - service:jmx:rmi:///jndi/rmi://localhost:8050/jmxrmi |
host | Set the host, shortcut the very long URL syntax. | localhost
port | Set the remote connection port | 8050
username | remote JMX connection user name. |
password | remote JMX connection password. |
ref | Name of the internal connection reference. With this attribute you can configure more than one connection inside the same Ant project. | jmx.server
name | Fully qualified JMX ObjectName -- Catalina:type=Server |
echo | Echo condition usage (access and result) | false

Wait for server connection and that cluster backup node is accessible

Using the JMXProxyServlet

Tomcat offers an alternative to using remote (or even local) JMX connections while still giving you access to everything JMX has to offer: Tomcat's JMXProxyServlet.

The JMXProxyServlet allows a client to issue JMX queries via an HTTP interface. This technique offers the following advantages over using JMX directly from a client program:

  • You don't have to launch a full JVM and make a remote JMX connection just to ask for one small piece of data from a running server
  • You don't have to know how to work with JMX connections
  • You don't need any of the complex configuration covered in the rest of this page
  • Your client program does not have to be written in Java

A perfect example of JMX overkill can be seen in the case of popular server-monitoring software such as Nagios or Icinga: if you want to monitor 10 items via JMX, you will have to launch 10 JVMs, make 10 JMX connections, and then shut them all down every few minutes. With the JMXProxyServlet, you can make 10 HTTP connections and be done with it.

You can find out more information about the JMXProxyServlet in the documentation for the Tomcat manager.