Configuring SSL in Tomcat & AWS Elastic Load Balancer (ELB)

Steps to configure SSL in Tomcat & integrate it with AWS Elastic Load Balancer (ELB)

1. Create Keystore using keytool.
2. Generate Certificate Signing Request (CSR)
3. Get the Root Certificate, Intermediate Certificate & signed Public Certificate.

4. Import above certificates in keystore

5. Configure keystore in tomcat

6. Integrate SSL certificate with AWS ELB –

– Generate RSA Private Key

– Provide RSA Private Key, Public Certificate in AWS


Detailed Process:


1. Create Keystore using keytool.

“keytool” is the key and certificate management binary / executable stored under $JAVA_HOME/bin

$JAVA_HOME/bin/keytool -genkey -alias company -keyalg RSA -keysize 2048

You can use any name for the alias. The above command generates a 2048-bit RSA key pair and stores it in a password-protected keystore file in your home directory.

For example, if you run the above command as the root user, the “.keystore” file will be generated under /root/

It will prompt for the Common Name (first and last name), Organizational Unit, Organization, State, Country Code and a password.

Use the same password whenever one of the steps below asks for it.

2. Generate Certificate Signing Request (CSR)



$JAVA_HOME/bin/keytool -certreq -file abc.csr -alias company -keysize 2048 -keyalg RSA -keystore /root/.keystore

The above command generates abc.csr in the current directory.

Provide this file to your certificate issuing authority (CA) such as GoDaddy, Comodo, etc.


3. Once the CSR file is submitted, the CA will provide the Root, Intermediate & signed public certificate.

4. Import above certificates in keystore


Import the root certificate into the JVM truststore (cacerts; run this from the truststore's directory or give its full path) and into your keystore:

$JAVA_HOME/bin/keytool -importcert -alias root -file <RootCertificate> -keystore cacerts

$JAVA_HOME/bin/keytool -importcert -alias root -file <RootCertificate> -keystore /root/.keystore

$JAVA_HOME/bin/keytool -importcert -alias intermediate -file <intermediate certificate> -keystore /root/.keystore

Import the signed public certificate under the same alias used in step 1, so that it replaces the self-signed certificate of that key entry:

$JAVA_HOME/bin/keytool -trustcacerts -importcert -alias company -file <public certificate> -keystore /root/.keystore

To verify the contents of the signed certificate (subject, issuer, validity) before or after importing it:

$JAVA_HOME/bin/keytool -printcert -v -file <public certificate>

5. Configure keystore in tomcat

In $TOMCAT_HOME/conf/server.xml go to <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

Add keystoreFile="/root/.keystore" keystorePass="<password>" to that connector's settings. The connector settings will look like below:


<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/root/.keystore" keystorePass="<password>"
    clientAuth="false" sslProtocol="TLS" />


Restart Tomcat.

6. Integrate SSL certificate with AWS ELB –

– Generate RSA Private Key

To generate the RSA private key, first export the key entry from the keystore as a PKCS12 file.

$JAVA_HOME/bin/keytool -v -importkeystore -srckeystore /root/.keystore -srcalias company -destkeystore abc.p12 -deststoretype PKCS12

Extract the RSA private key from the p12 file.

openssl pkcs12 -in abc.p12 -nocerts -nodes -passin pass:<password> | openssl rsa -out privkey.pem

– Provide RSA Private Key, Public Certificate in AWS

AWS ELB requires the Public Certificate (PEM), the Private Key (PEM) & the Certificate Chain (optional)

– Copy the content of privkey.pem and paste it into the Private Key field of the ELB; do the same with the Public Certificate.

– If your SSL certificate is not self-signed, paste the content of the Intermediate 2, Intermediate & Root certificates into “Certificate Chain”, in the order shown below:

<Content of Intermediate 2>

<Content of Intermediate>

<Content of Root Certificate>

– Select appropriate Cipher.
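As an added example (not part of the original post), the following shell script checks the two things that most often go wrong at this step before anything is pasted into the ELB console: that privkey.pem really belongs to the public certificate (same RSA modulus), and that the chain file is ordered as shown above (intermediates first, root last) and actually validates the certificate. The file names privkey.pem, cert.pem, chain.pem and the script name elb_check.sh are assumptions; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: check the PEM material before
# pasting it into the ELB console. The file names privkey.pem, cert.pem and
# chain.pem are assumptions; pass your own paths as arguments.
# Requires the openssl command-line tool.

# Return 0 if the RSA private key (arg 1) and the certificate (arg 2) share the
# same modulus, i.e. the key really belongs to the certificate being uploaded.
elb_key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Print the subject or issuer DN (arg 1: "subject" or "issuer") of a PEM
# certificate (arg 2) without the "subject=" / "issuer=" prefix.
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# Return 0 if the chain file (arg 1) is ordered the way the ELB console expects:
# the leaf's issuer first, each certificate issued by the next one, root last,
# and the resulting path validates the leaf certificate (arg 2).
elb_chain_verifies_cert() {
    chain="$1"; leaf="$2"
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null)
    [ "${count:-0}" -ge 1 ] || return 1
    work=$(mktemp -d) || return 1
    # Split the bundle into c1.pem ... cN.pem in file order.
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (dir "/c" n ".pem")}' "$chain"
    status=0
    prev="$leaf"
    i=1
    while [ "$i" -le "$count" ]; do
        # Each certificate's subject must be the issuer of the one before it.
        if [ "$(cert_dn issuer "$prev")" != "$(cert_dn subject "$work/c$i.pem")" ]; then
            status=1
            break
        fi
        prev="$work/c$i.pem"
        i=$((i + 1))
    done
    if [ "$status" -eq 0 ]; then
        # Trust only the last certificate; the others are untrusted intermediates
        # that openssl must link into a path from the leaf to that root.
        root="$work/c$count.pem"
        : > "$work/untrusted.pem"
        i=1
        while [ "$i" -lt "$count" ]; do
            cat "$work/c$i.pem" >> "$work/untrusted.pem"
            i=$((i + 1))
        done
        if [ "$count" -gt 1 ]; then
            openssl verify -CAfile "$root" -untrusted "$work/untrusted.pem" "$leaf" >/dev/null 2>&1 || status=1
        else
            openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || status=1
        fi
    fi
    rm -rf "$work"
    return "$status"
}

# Usage: sh elb_check.sh privkey.pem cert.pem chain.pem
if [ "$#" -eq 3 ]; then
    if elb_key_matches_cert "$1" "$2"; then echo "key matches certificate"; else echo "KEY/CERT MISMATCH"; exit 1; fi
    if elb_chain_verifies_cert "$3" "$2"; then echo "chain order and validation OK"; else echo "CHAIN ORDER/VALIDATION FAILED"; exit 1; fi
fi
```

The order check is done by name (each certificate's issuer must equal the next certificate's subject) because openssl verify treats everything in -CAfile as a trust anchor and would not notice a mis-ordered bundle on its own; only the last certificate is passed as the anchor and the rest as untrusted intermediates, so a chain that is merely in the wrong order fails the check instead of being accepted.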

Basic Port Forwarding schema:

If you are running Tomcat SSL on port 8443 and want it exposed on port 443, you can use the below load balancer settings:

LB Protocol: TCP SSL

LB Port: 443

Instance Protocol: TCP SSL

Instance Port: 8443


And if you want both on port 443, you can use the below settings:

LB Protocol: HTTPS

LB Port: 443

Instance Protocol: HTTPS

Instance Port: 443

====

Generate a keystore from an already issued certificate and its private key:

openssl pkcs12 -export -in <Signed Certificate> -inkey <PrivateKey> -out <FileName>.p12


keytool -importkeystore -srckeystore <FileName>.p12 -srcstoretype PKCS12 -destkeystore <KeystoreName>.jks -deststoretype JKS

This will create <KeystoreName>.jks in the current directory.

Neelesh Gurjar has written 122 articles