Java SSL

Direct configuration

If you want your Java application server to handle HTTPS you have to use a Java keystore file.

Create new self-signed SSL keystore

You can create a new (self-signed) keystore with the following command (use mypassphrase as the passphrase so that it matches the application server configurations described below):

keytool -genkey -alias tomcat -keyalg RSA -validity 3650 -keystore mykeystore.jks

You can check the keystore content with:

keytool -list -v -keystore mykeystore.jks

Update with a CA-signed SSL certificate (optional)

Generate a certificate request from your keystore:

keytool -keystore mykeystore.jks -certreq -alias tomcat -keyalg RSA -file mycert.csr

Once you get the signed certificate mycert.crt, import it back into the keystore under the same alias with:

keytool -import -alias tomcat -keystore mykeystore.jks -file mycert.crt

Note: Make sure that the Java global cacerts keystore contains the CA certificate that signed your certificate; if it does not, add it with: sudo keytool -keystore /etc/pki/java/cacerts -import -trustcacerts -alias <CA alias> -file <CA certificate file>.crt
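As an added example (not part of this page's original procedure), the following Java program loads mykeystore.jks the way the connector will and checks what the steps above should have produced: that the tomcat alias holds a private key, that every certificate in its chain is within its validity period, and, for a CA-signed certificate, that the chain validates against the JVM's cacerts. The class name, the default cacerts path and the changeit password are assumptions, not values from this page.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Loads the keystore exactly as the HTTPS connector will, then checks the "tomcat" alias.
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        String ksPath = args.length > 0 ? args[0] : "mykeystore.jks";
        char[] pass = "mypassphrase".toCharArray();     // passphrase used on this page
        String alias = "tomcat";                         // alias used on this page
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pass);                           // fails fast on a wrong passphrase
        }
        // A trusted-certificate-only entry cannot terminate TLS: the connector needs the private key.
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("alias '" + alias + "' has no private key");
        List<X509Certificate> chain = new ArrayList<>();
        Date now = new Date();
        for (Certificate c : ks.getCertificateChain(alias)) {
            X509Certificate x = (X509Certificate) c;
            x.checkValidity(now);                        // throws if expired or not yet valid
            System.out.println("subject=" + x.getSubjectX500Principal()
                + " issuer=" + x.getIssuerX500Principal() + " notAfter=" + x.getNotAfter());
            chain.add(x);
        }
        X509Certificate last = chain.get(chain.size() - 1);
        boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        if (chain.size() == 1 && selfSigned) {
            System.out.println("self-signed: clients will warn unless they explicitly trust this cert");
            return;
        }
        if (selfSigned) chain.remove(chain.size() - 1); // the root is the trust anchor, not part of the path
        // Assumed default cacerts location and password; override for your JVM or distribution.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) {
            trust.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(trust); // anchors = trusted entries in cacerts
        params.setRevocationEnabled(false);              // offline check: no CRL/OCSP fetch here
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if the signing CA is missing
        System.out.println("chain validates against " + cacerts);
    }
}
```

If validation throws a CertPathValidatorException, the signing CA is not in cacerts and the import in the note above is still needed.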

Tomcat/TomEE HTTPS connector configuration

Applicable to Tomcat 6, 7 and 8 and to TomEE

<Connector
    port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${catalina.home}/conf/mykeystore.jks" keystorePass="mypassphrase"
    (...)
    />

JBoss HTTPS connector configuration

Applicable to JBoss 4.0 and 4.2

<Connector port="8443" protocol="HTTP/1.1"
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${jboss.server.home.dir}/conf/mykeystore.jks" keystorePass="mypassphrase"
    (...)
/>

Reverse proxy configuration

Applicable to JBoss 4.0 and 4.2 (that uses an embedded Tomcat 5.5) and to Tomcat 6, 7 and 8 and to TomEE.

If HTTPS (say on port 443) is terminated by a reverse proxy that calls your application server over HTTP (say on port 8080) or over AJP (say on port 8009), you need to add the following attributes to the corresponding HTTP or AJP connector of the application server, so that it builds redirect URLs with the public scheme, host and port and treats the requests as secure:

<Connector
    (...)
    proxyName="<public host name>" proxyPort="<public port, usually 443>" scheme="https" secure="true" />