Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)

Last updated: 2023-10-07 16:12:43

Scenario

This document describes how to install an SSL certificate (JKS format) on a Tomcat server.
Note
The certificate name cloud.tencent.com is used as an example.
The tomcat-9.0.56 version is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly by OS.
Before installing an SSL certificate, please enable port 443 on the Tomcat server to ensure that HTTPS can be enabled after the certificate is installed. For more information, refer to How Do I Enable Port 443 for a VM?.
For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

Preparations

A remote file copy tool such as WinSCP has been prepared. It is recommended to download the latest version from the official website. If you need to deploy to Tencent Cloud CVM, it is suggested to use the file upload feature of the CVM. For more information, see Uploading Files to CVM.
A remote login tool such as PuTTY or Xshell has been installed.
The Tomcat service has been installed and configured on the current server.
The data required to install the SSL certificate includes:
Name | Note
Server IP address | The IP address of the server, used to connect the PC to the server.
Username | The username used to log in to the server.
Password | The password used to log in to the server.
Note
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.
If you have chosen the "Paste CSR" method when applying for an SSL certificate, or if the brand of the certificate you purchased is Wotrus, then the download of the JKS certificate file is not provided. You will need to manually convert the format to generate a keystore. The operation method is as follows:
Access the conversion tool.
Upload the certificate and private key files from the Nginx folder to the conversion tool, fill in the keystore password, click submit, and convert it into a JKS format certificate.
The current Tomcat service is installed by default in the /usr directory. For instance, if the Tomcat folder is named Tomcat-9.0.56, then its configuration file directory would be: /usr/Tomcat-9.0.56/conf.

Instructions

Certificate Installation

1. Please navigate to the SSL Certificate Service Console and select the certificate you wish to install, then click Download.
2. In the "Certificate Download" window that appears, select JKS for the server type, click Download, and decompress the cloud.tencent.com certificate file package to a local directory. After decompression, you can obtain the relevant type of certificate files. This includes the cloud.tencent.com_jks folder:
Folder Name: cloud.tencent.com_jks
Folder content:
cloud.tencent.com.jks: Key Store
keystorePass.txt password file (If a private key password has been set, there will be no keystorePass.txt password file)
3. Utilize WinSCP (a tool for transferring files between a local and a remote computer) to log into the Tomcat server. Then, copy the obtained keystore file cloud.tencent.com.jks from the local directory to the Tomcat configuration file directory /usr/Tomcat-9.0.56/conf.
Note
We recommend using the file upload feature of the Cloud Virtual Machine (CVM) for deployment to CVM. For more details, please refer to Uploading Files to CVM.
4. In the /usr/Tomcat-9.0.56/conf directory, add the following content to the server.xml file:
<!-- keystoreFile: path of the certificate keystore; keystorePass: keystore password -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
           keystorePass="******"
           clientAuth="false"/>
The main parameters of the configuration file are described as below:
keystoreFile: The location of the keystore file. You can specify an absolute path or a path relative to the <CATALINA_HOME> (Tomcat installation directory) environment variable. If this item is not set, Tomcat will read a file named ".keystore" from the current operating system user's home directory by default.
keystorePass: The keystore password. If you set a private key password when applying for the certificate, enter that private key password. If you did not set a private key password, enter the password found in the keystorePass.txt file in the cloud.tencent.com_jks folder.
clientAuth: If set to true, it indicates that Tomcat requires all SSL clients to present a security certificate for identity verification.
For detailed content, refer to the server.xml file:
Note
To avoid format issues, you are not advised to copy the content of server.xml directly.
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false"
               keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
               keystorePass="**" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="cloud.tencent.com">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="cloud.tencent.com" appBase="webapps"
            unpackWARs="true" autoDeploy="true" >
        <Context path="" docBase="Knews" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
5. Verify if the Tomcat server is running.
If already started, you need to execute the following commands in sequence in the bin directory of the Tomcat installation directory (for example, /usr/Tomcat-9.0.56/bin) to shut down and restart the Tomcat service.
./shutdown.sh (Shut down the Tomcat service)
./startup.sh (Start the Tomcat service)
If not already running, you need to execute the following command in the bin directory of the Tomcat installation directory (for example, /usr/Tomcat-9.0.56/bin) to start the Tomcat service.
./startup.sh
6. Upon successful startup, you can access it through https://cloud.tencent.com.
If the security lock icon is displayed in the browser, the certificate has been installed successfully. The details are as shown below:
In case of a website access exception, troubleshoot the issue by referring to the following FAQs:

(Optional) Security configuration for automatic redirect from HTTP to HTTPS

If you need to automatically redirect HTTP requests to HTTPS, you can set it up using the following steps:
1. Edit the web.xml file in the conf directory of the Tomcat installation directory (for example, /usr/Tomcat-9.0.56/conf), and locate the </welcome-file-list> tag.
2. Please add a new line after the closing tag </welcome-file-list> and insert the following content:
<login-config>
  <!-- Authorization setting for SSL -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
  <!-- Authorization setting for SSL -->
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
3. In the Tomcat installation directory, modify the server.xml file in the conf directory (for example, /usr/Tomcat-9.0.56/conf). Change the redirectPort parameter to the port of the SSL connector, which is port 443. See the following example:
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
Note
This modification operation allows non-SSL connectors to be redirected to SSL connectors.
4. In the Tomcat installation directory /bin (for example, /usr/Tomcat-9.0.56/bin), execute the following command to shut down the Tomcat service.
./shutdown.sh
5. Execute the following command to ascertain whether there are any issues with the configuration.
./configtest.sh
If issues are reported, reconfigure or modify the files according to the suggestions given.
If no issues are reported, proceed to the next step.
6. Execute the following command to start the Tomcat service, then you can access it through http://cloud.tencent.com.
./startup.sh
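To check both the certificate connector and the redirect settings offline before restarting Tomcat, here is an added Python script (not Tencent Cloud's or Tomcat's own code) that parses a server.xml and a web.xml and flags the mistakes that most often leave a site on plain HTTP after following this procedure: a placeholder keystore path or password left in, a missing scheme="https"/secure="true" pair, an HTTP or AJP connector whose redirectPort does not point at the SSL connector, and a web.xml without the CONFIDENTIAL constraint on /*. The sample XML embedded in the script is constructed to mirror the page's snippets; the script also recognizes the newer <SSLHostConfig><Certificate> attribute names (certificateKeystoreFile, certificateKeystorePassword), which goes beyond the connector-attribute style shown on the page.

```python
"""Offline lint for the Tomcat HTTPS setup described on this page (added example)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix: '{ns}security-constraint' -> 'security-constraint'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    """All descendants (including root) whose local tag name matches."""
    return [el for el in root.iter() if _local(el.tag) == name]


def check_server_xml(text):
    """Return a list of findings; an empty list means the HTTPS connector looks sane."""
    findings = []
    root = ET.fromstring(text)
    connectors = _find_all(root, "Connector")
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no <Connector> has SSLEnabled="true"; HTTPS is not configured']
    ssl_ports = set()
    for c in ssl:
        port = c.get("port", "?")
        ssl_ports.add(port)
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'connector {port}: set scheme="https" and secure="true"')
        # Page style: keystoreFile/keystorePass on the Connector.
        # Newer style: certificateKeystoreFile/-Password on <SSLHostConfig><Certificate>.
        ks_file = c.get("keystoreFile")
        ks_pass = c.get("keystorePass")
        for cert in _find_all(c, "Certificate"):
            ks_file = ks_file or cert.get("certificateKeystoreFile")
            ks_pass = ks_pass or cert.get("certificateKeystorePassword")
        if not ks_file:
            findings.append(f"connector {port}: no keystore file configured")
        elif "Tomcat installation directory" in ks_file:
            findings.append(f"connector {port}: keystoreFile still contains the page placeholder")
        # A password made only of '*' is the masked placeholder, not a real password.
        if not ks_pass or set(ks_pass) <= {"*"}:
            findings.append(f"connector {port}: keystore password missing or still a placeholder")
    # Every non-SSL connector (HTTP and AJP alike) must redirect to an SSL connector port,
    # otherwise the CONFIDENTIAL constraint sends clients to a port nothing listens on.
    for c in connectors:
        if c in ssl:
            continue
        rp = c.get("redirectPort")
        if rp not in ssl_ports:
            findings.append(f'connector {c.get("port", "?")}: redirectPort="{rp}" '
                            f"does not match an SSL connector port {sorted(ssl_ports)}")
    return findings


def check_web_xml(text):
    """Return findings about the HTTP-to-HTTPS constraint; empty list means it is present."""
    root = ET.fromstring(text)
    for sc in _find_all(root, "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern") if p.text]
        guarantees = [g.text.strip() for g in _find_all(sc, "transport-guarantee") if g.text]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["web.xml: no <security-constraint> with url-pattern /* and "
            "transport-guarantee CONFIDENTIAL; HTTP will not redirect to HTTPS"]


# Constructed samples (not real server files). GOOD_* reflect the finished procedure;
# BROKEN_SERVER_XML keeps the page's unedited placeholders and the default redirectPort.
GOOD_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="conf/cloud.tencent.com.jks" keystorePass="changeit" />
  </Service>
</Server>
"""

BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
               keystorePass="******" />
  </Service>
</Server>
"""

GOOD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    # On a real host: check_server_xml(open("/usr/Tomcat-9.0.56/conf/server.xml").read())
    for label, result in (("good server.xml", check_server_xml(GOOD_SERVER_XML)),
                          ("broken server.xml", check_server_xml(BROKEN_SERVER_XML)),
                          ("good web.xml", check_web_xml(GOOD_WEB_XML))):
        print(label, "->", result or "OK")
```

Run it against the real files after editing them and before ./startup.sh; an empty result for both files is the state the page's step 5 (./configtest.sh) expects, while configtest.sh itself only validates XML syntax and would accept the placeholder password unchanged.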