Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using multiple SSL certificates in single tomcat instance

Tags:

ssl

tomcat

I know that tomcat can handle multiple SSL certificates by setting up multiple Connectors listening on different IP's, but is it possible to set it up on the same IP?

The situation is that we have multiple web applications running in a single tomcat instance. Our server has only 1 static IP. Tomcat is set up to have Virtual Servers, so depending on the domain it serves a different app. However, if we want SSL in more that one of these apps, I predict we might run into trouble.

Does anyone have more experience in this field?

like image 591
Nico Huysamen Avatar asked Apr 16 '12 11:04

Nico Huysamen

2 Answers

To be able to use multiple certificates on the same IP address and port, you need Server Name Indication support. Unfortunately, this was introduced in Java 7, only on the client side.

(There are still problems w.r.t. SNI support on the client side, most notably because of lack of support from any version of IE on Win XP, Java 6 and below, and some mobile browsers.)

A workaround for this is to use a single certificate that supports multiple host names. The preferred way to do this is to have a certificate with multiple Subject Alternative Name (SAN) entries. Otherwise, if the names have a pattern, a wildcard certificate may be suitable (e.g. *.example.com for www.example.com and secure.example.com).

Apache Httpd has support for SNI, so you may be able to solve your problem by using distinct VirtualHosts for each host name you want to serve and use a reverse proxy to a different Tomcat configuration for each host.

like image 196
Bruno Avatar answered Oct 17 '22 21:10

Bruno

I don't believe you will get away with 1 ip address, but you may use multiple ports

<Connector
       port="9001" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>
-->

then https:9001//myurl

for your connections I would personally front it off to an apache httpd reverse proxy server though as it gives you way more flexibility and not a little security when properly configured

like image 35
Paddy Carroll Avatar answered Oct 17 '22 19:10

Paddy Carroll
Sign in to Comment

Related questions

Auto Reconnect of Database Connection
Java / Tomcat memory leak in RedHat Linux?
Collecting Java heapdump under load
Sharing Hibernate on multiple Tomcat instances
Clean Working directory of Tomcat in Eclipse
Configuring HTTPS certificate usage based on url in Tomcat
How do I add a Java backend to an existing PHP site without adding a tomcat server for Java Bridge?
Test-driven development for JSPs specifically
How to create servlet that will listen on specific port and accept TCP connections (non-https)
Tomcat axis web service client read timeout. Timeout configuration
Tomcat Web Application - storing objects as user-defined objects or simple IDs to persist user sessions through server reboot?
Secure Remote mySQL Connection
Tomcat KeyStore Environment Path
Jstack gives java.lang.reflect.InvocationTargetException
Tomcat 7 Async Processing failing - only one request processed simultanously
Change to a new version of the JDK?
Running two tomcat on a single port
org.apache.tomcat.util.bcel.classfile.ClassFormatException: Invalid byte tag in constant pool: 15 - Tomcat 7, JDK incompatibilty? [duplicate]
Angular 4.3 HTTPClient Basic Authorization not working
Getting a list of active sessions in Tomcat using Java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!