
This article describes how to set up server-side and client-side HTTPS authentication in Tomcat.


Prerequisites
  • An SSL server certificate, together with its private key, needs to be available in PKCS#12 format (.p12 or .pfx). Make sure that the intended hostname of the PRIME Server is included as CN or SAN DNS entry in the certificate, and include every name or alias that will appear in the HTTPS URL: a name missing from the certificate makes the browser reject the connection. Current browsers only check the SAN entries, so every name should be present there and not only in the CN. Typically the customer provides this certificate, issued in the customer's PKI environment.
  • The certificate revocation list (CRL) referenced by the server certificate (its CRL distribution point) needs to be reachable from the PRIME clients, otherwise revocation checking on the client side may fail or block the connection.

For client-side authentication only:

  • Client certificates for the end users need to be issued.
  • The public part (X.509 certificates) of all issuing CAs that will issue client certificates. These are needed to build a truststore file for Tomcat. Only client certificates that chain to one of the issuing CAs in that truststore will be accepted for login later; any CA that is not meant to issue PRIME login certificates must therefore be kept out of the truststore.

Step-by-step instruction

 Set up server-side authentication

The most basic HTTPS configuration is server-side authentication with an encrypted connection. This means that the Tomcat server gets an SSL server certificate with which it authenticates itself to the clients and establishes the TLS-encrypted connection; the clients themselves are not authenticated at this stage.

To set up server-side authentication:

  1. Copy the server certificate (.p12 or .pfx file) to the Tomcat Application server.
  2. Check which port to use for the HTTPS connection. The default HTTPS port is 443. Tomcat's default is 8443, but any other port is allowed as long as it does not collide with another service on the application server.

    The port must be allowed in the firewall settings of the customer.
  3. Edit the file server.xml in <TomcatHome>\conf and add a corresponding HTTPS connector. Adapt the .p12 filename, password and HTTPS port to your environment. The password in the example is a placeholder; since server.xml holds it in clear text, restrict read access to server.xml and the .p12 file to the account that runs Tomcat. If the Tomcat Native (APR) library is installed, protocol="HTTP/1.1" can select the APR connector rather than the Java (JSSE) one; to be sure the keystore attributes in the example are used, set protocol="org.apache.coyote.http11.Http11NioProtocol".

    Example: server.xml connector
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
               maxPostSize="-1"
               scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"
               keystoreFile="C:\myCerts\primeCert.p12" keystorePass="123456" keystoreType="PKCS12"
    />
  4. Restart Tomcat.
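Once Tomcat is back up, the connector should be checked from a client machine against the prerequisites above: the certificate it presents must cover every hostname and alias used in the HTTPS URL, and the CRL distribution point it names must be reachable from the PRIME clients. The following script is an added example, not part of the original page or of Nexus PRIME; it uses only the Python standard library. The host name, port and CA file are assumptions for illustration, and the sample certificate dictionary is constructed in the shape that ssl.SSLSocket.getpeercert() returns.

```python
"""Verify the certificate a Tomcat HTTPS connector presents.

Added example, not from the original page or Nexus PRIME; standard library
only. The host name, port and CA file are assumptions for illustration.
"""
import socket
import ssl


def dns_names(cert):
    """DNS names a certificate is valid for, from a getpeercert()-style dict.

    SAN DNS entries are authoritative; the subject CN is consulted only when
    the certificate has no SAN DNS entry at all (RFC 6125, section 6.4.4).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leftmost '*' label matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return pattern == hostname


def covers_hostname(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))


def missing_names(cert, expected_names):
    """Every URL host name or alias that the certificate does not cover."""
    return [name for name in expected_names if not covers_hostname(cert, name)]


def crl_urls(cert):
    """CRL distribution points; each must be reachable from the PRIME clients."""
    return list(cert.get("crlDistributionPoints", ()))


def probe(hostname, port, cafile=None):
    """Do a verified TLS 1.2+ handshake and return (protocol, peer certificate).

    The default context already rejects untrusted chains and name mismatches;
    a mismatch surfaces as ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), tls.getpeercert()


# Constructed sample in the getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "prime.example.com"),),),
    "subjectAltName": (("DNS", "prime.example.com"), ("DNS", "prime")),
    "crlDistributionPoints": ("http://pki.example.com/crl/issuing01.crl",),
}

if __name__ == "__main__":
    import sys

    # Usage: tls_check.py HOST PORT [CAFILE]; values such as prime.example.com
    # and 18443 are assumptions, not settings from the page.
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    version, cert = probe(host, port, cafile)
    print("negotiated", version)
    print("names not covered:", missing_names(cert, [host]))
    print("CRL URLs to test from a PRIME client:", crl_urls(cert))
```

The default SSL context fails the handshake on its own when the host name does not match, so the pure functions exist to check the whole list of expected aliases in one go before users hit them, and to list the CRL URLs that should then be fetched from a client network to confirm the second prerequisite.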

 Set up client-side authentication

If the end users are to authenticate with a client certificate to Nexus PRIME, an HTTPS connection with client authentication (a two-way, or mutual, TLS handshake) is required: the server presents its certificate as before, and the client must in turn present a certificate issued by one of the trusted issuing CAs. This is typically used for login with smart card or soft token to Nexus PRIME.

To set up client-side authentication:

  1. Create a truststore file. The easiest way to do this is using the Java keytool, which is part of the JRE and can be found in <java_home>\bin. For each issuing CA, execute the following command:

    Example: create truststore file
    "<java_home>\bin\keytool.exe" -importcert -alias <issuingCA01> -trustcacerts -file issuingCA01.cer -keystore prime.truststore -storepass 123456

    where <java_home> is replaced with the path to Java, and <issuingCA01> is replaced with a unique alias for each corresponding CA certificate. Run the command once per issuing CA, always against the same prime.truststore file, so that all issuing CAs end up in one truststore; keytool asks you to confirm that the certificate is trusted. Import only the CAs that are meant to issue PRIME login certificates, since every certificate in this file is accepted as an issuer later. Note that keytool in Java 9 and later creates PKCS12 keystores by default; either add -storetype JKS to the command or set truststoreType="PKCS12" in the connector so that the two match.

  2. Copy the server certificate (.p12 or .pfx file) and the truststore file created in the previous step to the Tomcat application server.

  3. Check which port to use for the HTTPS connection. The default HTTPS port is 443. Tomcat's default is 8443, but any other port is allowed as long as it does not collide with another service on the application server.

    The port must be allowed in the firewall settings of the customer.
  4. Edit the file server.xml in <TomcatHome>\conf and add a corresponding HTTPS connector. Adapt the .p12 filename, truststore filename, passwords and HTTPS port to your environment. Make sure truststoreFile is set whenever clientAuth="true": without it Tomcat falls back to the JVM's default truststore (cacerts), which would let any of the public CAs in it issue login certificates. The passwords in the example are placeholders; restrict read access to server.xml, the .p12 file and the truststore to the account that runs Tomcat.

    Example: server.xml connector
    <Connector port="18444" protocol="HTTP/1.1" SSLEnabled="true"
               maxPostSize="-1"
               scheme="https" secure="true" sslProtocol="TLS" clientAuth="true"
               keystoreFile="C:\cert\primeCert.p12" keystorePass="123456" keystoreType="PKCS12"
               truststoreFile="C:\cert\prime.truststore" truststorePass="123456" truststoreType="JKS"
    />
  5. Restart Tomcat.
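Before restarting, it is worth running the edited server.xml through a few mechanical checks that cover both procedures on this page: every SSL connector needs a keystore, every connector with clientAuth="true" needs its own truststore (otherwise the JVM cacerts decide who may log in), ports must not collide, and placeholder passwords should not survive into production. The following lint is an added example, not part of the original page or of Nexus PRIME; it uses only the Python standard library. The sample server.xml is constructed from the two connectors above, with the truststore deliberately left out of the client-auth connector so that the check fires; the hardened variant beside it, with its ${...} property references and pinned TLS versions, is likewise an assumption for illustration and not a configuration taken from the page.

```python
"""Lint the HTTPS connectors in a Tomcat server.xml before restarting.

Added example, not from the original page or Nexus PRIME; standard library
only. The rules encode what the two procedures on this page require plus
common hardening; the sample XML is constructed from the page's connectors.
"""
import xml.etree.ElementTree as ET

# Values that are clearly copied from documentation rather than chosen.
PLACEHOLDER_PASSWORDS = {"123456", "changeit", "password"}


def lint_connector(conn):
    """Findings for one <Connector>; an empty list means it passed."""
    findings = []
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector, out of scope here
    if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
        findings.append(f'{port}: set scheme="https" and secure="true" so the application sees HTTPS')
    if not conn.get("keystoreFile"):
        findings.append(f"{port}: SSLEnabled connector without keystoreFile")
    client_auth = conn.get("clientAuth", "false").lower()
    if client_auth in ("true", "want") and not conn.get("truststoreFile"):
        findings.append(
            f'{port}: clientAuth="{client_auth}" without truststoreFile; Tomcat falls back '
            "to the JVM cacerts, so any public CA could issue login certificates"
        )
    if client_auth == "want":
        findings.append(f'{port}: clientAuth="want" admits clients that present no certificate')
    for attr in ("keystorePass", "truststorePass"):
        if conn.get(attr) in PLACEHOLDER_PASSWORDS:
            findings.append(f"{port}: {attr} is a placeholder value")
    if not conn.get("sslEnabledProtocols"):
        findings.append(f"{port}: no sslEnabledProtocols; pin TLSv1.2,TLSv1.3 rather than the JVM default")
    return findings


def lint_server_xml(xml_text):
    """All findings across the connectors in a server.xml document."""
    findings = []
    seen_ports = set()
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port")
        if port in seen_ports:
            findings.append(f"{port}: port is used by more than one connector")
        seen_ports.add(port)
        findings.extend(lint_connector(conn))
    return findings


# Constructed from the page's two connectors; the client-auth one deliberately
# has its truststoreFile left out to show the check that catches it.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
               maxPostSize="-1"
               scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"
               keystoreFile="C:\myCerts\primeCert.p12" keystorePass="123456" keystoreType="PKCS12" />
    <Connector port="18444" protocol="HTTP/1.1" SSLEnabled="true"
               maxPostSize="-1"
               scheme="https" secure="true" sslProtocol="TLS" clientAuth="true"
               keystoreFile="C:\cert\primeCert.p12" keystorePass="123456" keystoreType="PKCS12" />
  </Service>
</Server>"""

# Assumed hardened form of the client-auth connector that passes the lint: NIO
# protocol named explicitly, TLS versions pinned, truststore present, secrets
# pulled from ${...} properties (catalina.properties or -D flags), not clear text.
HARDENED_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="18444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxPostSize="-1"
               scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.3" clientAuth="true"
               keystoreFile="${catalina.base}/cert/primeCert.p12" keystorePass="${prime.keystore.password}"
               keystoreType="PKCS12"
               truststoreFile="${catalina.base}/cert/prime.truststore" truststorePass="${prime.truststore.password}"
               truststoreType="JKS" />
  </Service>
</Server>"""

if __name__ == "__main__":
    import sys

    # Usage: lint_server_xml.py [<TomcatHome>/conf/server.xml]; without an
    # argument the constructed sample is checked.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    for finding in lint_server_xml(text) or ["no findings"]:
        print(finding)
```

Run it against the real <TomcatHome>\conf\server.xml on the application server; a clean result on the client-auth connector means the truststore is actually the one deciding which CAs may issue login certificates, which is the property the procedure above depends on.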