Setup SSL for Tomcat and EM



1) Setup Keystore


Option 1: Self-signed


 $ cd /usr/lib/jvm/java-1.6.0-openjdk- $ keytool -genkey -alias tomcat -keyalg RSA

(You will have to setup a password and fill out some details here.)

 $ cp /root/.keystore /opt/entermedia/


Option 2: Commercial (Example: GoDaddy)


The following is a procedure for setting up an SSL Certificate from the provider GoDaddy. Below are some variables with example data used throughout the commands listed below. Alter them as they apply to you.
 DOMAIN="" ALIAS="demo" ORG_UNIT="EnterMedia" ORG="EnterMedia" COUNTRY="US" PASS="jif8hefe"

1. Generate New Key for your Domain.

 $ keytool -genkey -dname "cn=$DOMAIN, ou=$ORG_UNIT, o=$ORG, c=$COUNTRY" -keyalg RSA -keysize 2048 -alias $ALIAS -storepass $PASS -keypass $PASS -keystore private.keystore

2. This is a one time password change. (If needed.)

 $ keytool -storepasswd -storepass changeit -new $PASS -keystore private.keystore

3. Generate key to send to GoDaddy. (If you encounter a password error then run step 2 to change the store password.)

 $ keytool -certreq -alias $ALIAS -storepass qazwsxedc -keypass qazwsxedc -keystore private.keystore

4. Login to GoDaddy and request.
5. Open the email received from GoDaddy, then Download your Certificates in ZIP file.
6. Extract Certificates.
7. Import Certificates.

 $ keytool -import -alias cross -keystore private.keystore -storepass $PASS-trustcacerts -file gd_cross_intermediate.crt $ keytool -import -alias intermed -keystore private.keystore -storepass $PASS-trustcacerts -file gd_intermediate.crt $ keytool -import -alias bundle -keystore private.keystore -storepass $PASS -trustcacerts -file gd_bundle.crt $ keytool -import -alias $ALIAS -storepass $PASS-keystore private.keystore -file $ALIAS.crt -trustcacerts


2) Configure server.xml and IP tables

 $ vi /opt/entermedia/tomcat/conf/server.xml 

You will have to edit this server.xml file to enable SSL and point to the certificate.

 < Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/opt/entermedia/.keystore" keystorePass="previouslyEnteredPassword" clientAuth="false" sslProtocol="TLS" /> $ service tomcat restart vi /etc/sysconfig/iptables

Add the following (Fill in the IP's as per your scenario).

 $ -A PREROUTING -d -p  $ tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 -A OUTPUT -d -p  $ tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 -A OUTPUT -d -p  $ tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 service iptables save

This will save the new iptables config so that it won't dissappear on restart.