In all my years as a senior software engineer, my team had always used (or rather, been forced to use) a proprietary application server.
Eventually we decided to move towards open source application servers, and Apache TomEE (Apache Tomcat + Java EE) ticked all the boxes. Needless to say, that was the easy bit.
We had to move away from all the inbuilt tools provided by the old application server and learn TomEE, which wasn't that hard at all, since Apache Tomcat is a widely used application server and support was readily available.
The tricky bit was enabling HTTPS on Apache TomEE; I remember having a hard time finding all the necessary steps and installation instructions on the web.
http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
So here I have collated all the necessary steps to make any Apache TomEE (Tomcat 7, 8.5 or 9) SSL enabled. Oops, did I mention this is for installation on a Linux server? I do NOT think Windows will be much different though :-)
NOTE:
1. Bear in mind that if your server has tighter restrictions (set by your company's network administrator), you might need to use sudo, ask for internet access so that yum can download packages, etc.
2. This also assumes you have set up the $JAVA_HOME environment variable.
STEPS:
First and foremost you need to get hold of your company's SSL certificates. Usually there will be 3 files: certificate.crt (the server certificate), certificate_key.pem (its private key) and certificate_ca.crt (the CA certificate).
For a self-signed certificate, please see http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
Combine all 3 certificates into one file (use Notepad++ or any similar text editor for this); let's name it sslcert.
Log in to the Linux server and navigate to the directory where Apache TomEE is installed.
For me that TomEE home is /opt/apache-tomee-plume.
Shut the Apache TomEE server down if it is running.
sudo sh /opt/apache-tomee-plume/bin/shutdown.sh
cd /opt/apache-tomee-plume
Create a folder called keystore here.
sudo mkdir keystore
Copy sslcert and the 3 individual cert files to /opt/apache-tomee-plume/keystore/
cd $JAVA_HOME/bin
Run the command below:
sudo keytool -import -keystore keystore.jks -alias sslcert -file /opt/apache-tomee-plume/keystore/sslcert
When prompted for a keystore password, use apachetomcat or something you can remember easily.
To list it again, type: keytool -list -v -keystore keystore.jks
Now install the apr-devel, openssl-devel and gcc packages.
Apache Portable Runtime (APR), also known as Tomcat’s “native library,” is by far the best practice to follow.
http://tomcat.apache.org/tomcat-8.5-doc/apr.html
sudo yum install apr-devel
sudo yum install openssl-devel
sudo yum install apr-util
sudo yum install *apr*
(I am doing this because I am not sure what else I have missed; this sort of gets me all the needed apr libs.)
sudo yum install gcc
(gcc is the C compiler that is needed to run the configure command.)
Now we need to extract the Tomcat Native source bundle, tomcat-native.tar.gz:
cd /opt/apache-tomee-plume/bin
RUN:
sudo tar -xvf tomcat-native.tar.gz
This will extract the source folder; change into its native build directory:
cd /opt/apache-tomee-plume/bin/tomcat-native-1.1.33-src/jni/native
Give exec permissions to all files, directories and subdirectories. Again, this step depends on the Linux login you are using; if you are logged in as root, you won't need this step.
sudo chmod 777 -R *
Now run the configure command:
./configure --with-apr=/usr/bin/apr-1-config --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=/opt/apache-tomee-plume
After the configure script has succeeded, run
sudo make
sudo make install
cd /opt/apache-tomee-plume/bin
Now add the native libraries to the library path by creating a new file setenv.sh here (if you do not have this file; otherwise amend it accordingly) with the content below:
sudo vi setenv.sh
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/apache-tomee-plume/lib
export LD_LIBRARY_PATH
Save the file (:wq).
cd /opt/apache-tomee-plume/conf
Change server.xml as below, paying particular attention to the keystore paths:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="7070" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/opt/apache-tomee-plume/keystore/yourcertificate.crt"
           SSLCertificateKeyFile="/opt/apache-tomee-plume/keystore/yourcertificate_key.pem"
           SSLCACertificateFile="/opt/apache-tomee-plume/keystore/yourcertificate_ca.crt"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
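As an added check (my own script, not part of this guide or of TomEE), the Python below audits the HTTPS Connector in server.xml: it confirms the APR protocol and the scheme/secure/SSLEnabled flags, that the three PEM paths are set and exist, and flags an SSLProtocol that still enables TLSv1/TLSv1.1. The embedded server.xml is constructed from the snippet above with placeholder paths.

```python
"""Audit the HTTPS <Connector> entries in a Tomcat/TomEE server.xml (added checker, not TomEE's own)."""
import os
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CERT_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")

def audit_connector(conn, check_files=True):
    """Return a list of findings (strings) for one <Connector> element."""
    a = conn.attrib
    port = a.get("port", "?")
    if a.get("SSLEnabled", "false").lower() != "true":
        return [f"port {port}: SSLEnabled is not true, this connector serves plain HTTP"]
    findings = []
    if a.get("protocol") != APR_PROTOCOL:
        # The SSL*File attributes used in this guide are read only by the APR/native connector.
        findings.append(f"port {port}: protocol is not {APR_PROTOCOL}")
    for attr, want in (("scheme", "https"), ("secure", "true")):
        if a.get(attr, "").lower() != want:
            findings.append(f"port {port}: {attr} must be {want} so requests are treated as HTTPS")
    for attr in CERT_ATTRS:
        path = a.get(attr)
        if not path:
            findings.append(f"port {port}: {attr} is missing")
        elif check_files and not os.path.isfile(path):
            findings.append(f"port {port}: {attr} does not exist on disk: {path}")
    # SSLProtocol is a '+'-separated list; the value 'all' also enables the legacy versions.
    enabled = set(a.get("SSLProtocol", "all").replace("+", " ").split())
    legacy = sorted(enabled & LEGACY_TLS) or (["all"] if "all" in enabled else [])
    if legacy:
        findings.append(f"port {port}: SSLProtocol enables legacy versions {legacy}, prefer TLSv1.2 only")
    return findings

def audit_server_xml(xml_text, check_files=True):
    """Map each Connector's port to its findings; an empty list means it passed."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c, check_files) for c in root.iter("Connector")}

# Constructed sample mirroring the connector from this guide (placeholder paths, not a real server).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="7070" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  SSLCertificateFile="/opt/apache-tomee-plume/keystore/yourcertificate.crt" SSLCertificateKeyFile="/opt/apache-tomee-plume/keystore/yourcertificate_key.pem"
  SSLCACertificateFile="/opt/apache-tomee-plume/keystore/yourcertificate_ca.crt" SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, found in audit_server_xml(SAMPLE_SERVER_XML, check_files=False).items():
        print(port, found or "OK")
```

Run it against the real file with audit_server_xml(open("/opt/apache-tomee-plume/conf/server.xml").read()) on the server, where the path check is meaningful.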
If, like me, you are using another port such as 7070 or say 8888, you need to open that port first.
sudo iptables -I INPUT -p tcp --dport 7070 -j ACCEPT
sudo iptables-save
sudo ip6tables -I INPUT -p tcp --dport 7070 -j ACCEPT
sudo ip6tables-save
Now start the server up:
sudo sh /opt/apache-tomee-plume/bin/startup.sh
SSL should now work at:
https://serverhostname:7070/
Enjoy !
References: