 

How to enforce https with tomcat?

Tags: https, tomcat

I have a webapp running on tomcat. Now I want to enforce https. I received 3 files which I saved in tomcat/conf/: localhost-rsa-cert.pem, localhost-rsa-chain.pem and localhost-rsa-key.pem

I changed server.xml so the uncommented connectors look like this and restarted tomcat. I can only access my page with ...com:8080 and not ...com:8443. What is the problem?

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I read that you need to change something in web.xml too.

egjada asked Mar 08 '23 04:03


1 Answer

To enforce https by default you need to add the following to your web.xml (this is the root web.xml found in the same directory as server.xml). This will redirect all requests to https://www.yoursite.com even when the user enters http://www.yoursite.com

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But first you need to install/configure your certificates properly, and you need to make sure that you can access your application over https when you manually enter https.

I followed these steps to install and configure SSL on Tomcat 8.

  1. Generated the keystore by running:

     keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

  2. Generated the CSR file by running:

     keytool -certreq -keyalg RSA -alias tomcat -file yourCSR.csr -keystore tomcat.keystore

  3. Submitted the CSR on www.godaddy.com

Once my request was approved and GoDaddy issued the certificates, I followed these steps (GoDaddy sent these instructions along with the cert files). Install the root certificate by running the following command:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]

Install the intermediate certificate by running the following command (my intermediate cert ends with .pem):

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]

Install the issued certificate into the keystore by running the following command:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

Finally I added/modified the following in server.xml and restarted the Tomcat server.

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile=".mykeystore" keystorePass="xxxxxx"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

Ahmedin Hassen answered Apr 26 '23 10:04
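As an added example (not code from the question or the answer), a small Python lint for the two settings the answer relies on: the plain-HTTP connector's redirectPort must name a port on which an SSLEnabled connector listens, and the root web.xml must carry a security-constraint with CONFIDENTIAL on /*. The server.xml and web.xml strings embedded below are constructed samples modelled on the thread.

```python
# Added example (not the thread's own code); the configs below are constructed.
import xml.etree.ElementTree as ET

# Constructed server.xml modelled on the thread: plain HTTP on 8080 redirecting
# to a TLS connector on 8443 (NIO used here; APR needs the native library).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

# Constructed root web.xml carrying the answer's security-constraint.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<security-constraint><web-resource-collection>
 <web-resource-name>Protected Context</web-resource-name>
 <url-pattern>/*</url-pattern>
</web-resource-collection><user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>"""

def _local(tag):
    """Strip the XML namespace so web.xml elements match by local name."""
    return tag.rsplit("}", 1)[-1]

def check_connectors(server_xml):
    """List problems; empty means every plain-HTTP connector's redirectPort
    is a port on which an SSLEnabled connector actually listens."""
    conns = list(ET.fromstring(server_xml).iter("Connector"))
    tls_ports = {c.get("port") for c in conns
                 if c.get("SSLEnabled", "false").lower() == "true"}
    problems = [] if tls_ports else ["no SSLEnabled connector defined"]
    for c in conns:
        if c.get("port") in tls_ports:
            continue
        target = c.get("redirectPort", "443")  # Tomcat's documented default
        if target not in tls_ports:
            problems.append(f"port {c.get('port')} redirects to {target}, "
                            "which has no SSLEnabled connector")
    return problems

def enforces_https(web_xml):
    """True if some security-constraint covers /* with CONFIDENTIAL."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        seen = {(_local(e.tag), (e.text or "").strip()) for e in sc.iter()}
        if {("url-pattern", "/*"),
            ("transport-guarantee", "CONFIDENTIAL")} <= seen:
            return True
    return False
```

Run it against your real conf/server.xml and conf/web.xml contents; a non-empty problem list explains a redirect that lands on a port nothing is listening on.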