Enabling TLS/SSL on Tomcat

By default the Apache Tomcat application server supplied with OnTime Group Calendar for Microsoft is delivered without TLS/SSL configured or enabled. Enabling it is easy, but it requires a valid, signed certificate and the corresponding private key. How to obtain a private key and a signed certificate is outside the scope of this FAQ; there are many resources on the web describing the process. Please note that you need both the private key and the certificate in PEM format (https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail), and that the private key must either be unencrypted or have its passphrase supplied to Tomcat (see the SSLPassword note below).

To get the best performance the Apache Tomcat application server delivered with OnTime Group Calendar uses the Apache Portable Runtime (APR) through the Tomcat Native library. This is important because securing a Tomcat server that uses APR is slightly different from securing one that does not: an APR connector is configured with OpenSSL-style attributes pointing at PEM files, not with the Java keystore used by the non-APR connectors. An APR connector also needs the AprLifecycleListener near the top of server.xml with SSLEngine="on"; check that this line is still present before you continue, since the SSL engine is not initialised without it.

For the following we assume that the Apache Tomcat server is installed in C:\Program Files\IntraVision\OnTimeMS-\otd-apache-8.0.14. Following this we'll refer to this location as "<Tomcat>".

To configure your Apache Tomcat server for TLS/SSL do the following:

  • Copy the private key in PEM-format to <Tomcat>\conf. Restrict the NTFS permissions on this file so that only the account running the Tomcat service (and administrators) can read it; anyone who can read the key can impersonate the server. If the key is passphrase-protected, either remove the passphrase or supply it with the SSLPassword attribute on the connector below.
  • Copy the signed certificate in PEM-format to <Tomcat>\conf. If your CA issued intermediate certificates, put them in a single PEM file in the same folder as well and reference it with the SSLCertificateChainFile attribute; without the chain, many clients will reject the certificate as untrusted.
  • Edit the server.xml from <Tomcat>\conf and scroll down to about line 70. Here you'll see a <Connector>-tag describing the HTTP transport for the server. Beneath this <Connector>-tag paste the below snippet:
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="<path to certificate>" SSLCertificateKeyFile="<path to private key>" SSLVerifyClient="no" SSLProtocol="TLSv1.2" />

    Replace <path to certificate> with the actual path to your certificate in PEM-format. If the file is called server.crt that path would be "C:\Program Files\IntraVision\OnTimeMS-\otd-apache-8.0.14\conf\server.crt".
    Replace <path to private key> with the actual path to your private key in PEM-format. If the file is called server.key that path would be "C:\Program Files\IntraVision\OnTimeMS-\otd-apache-8.0.14\conf\server.key" (the same conf folder you copied it to above).
    SSLProtocol="TLSv1.2" limits the connector to TLS 1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996); only widen this to "TLSv1+TLSv1.1+TLSv1.2" if you must support clients that cannot negotiate TLS 1.2. SSLVerifyClient="no" means clients are not asked for a certificate of their own, which is what you want for ordinary browser access.
  • Save and close the file.

Restart the Apache Tomcat server. Now you should be able to access OnTime Group Calendar for Microsoft using TLS/SSL on port 8443, i.e. at https://<your server>:8443/. Verify with a browser, or with openssl s_client -connect <your server>:8443, that the certificate chain is presented in full and that TLS 1.2 is negotiated; if the connector fails to start, the reason (typically an unreadable key file, a passphrase-protected key, or a key that does not match the certificate) is logged in <Tomcat>\logs. Note that the original plain-HTTP connector stays active on its port; disable it, or block it at the firewall, if you want HTTPS-only access.
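The steps above can be scripted, and it is worth having a check that nothing in server.xml still accepts the deprecated protocol versions. The following Python script is an added example and is not part of OnTime Group Calendar or of Tomcat; it inserts the APR HTTPS connector directly after the plain HTTP connector of each <Service> while preserving the comments in the file (requires Python 3.8 or newer), and it lists every SSL-enabled connector whose SSLProtocol still allows SSLv2, SSLv3, TLS 1.0 or TLS 1.1. The sample server.xml, the C:\Tomcat\conf paths and the cipher string are my own choices for illustration, not values taken from the OnTime installation.

```python
"""Insert an APR/native HTTPS <Connector> into a Tomcat 8.0 server.xml and
audit the result for legacy TLS versions.  Added example, not OnTime code."""
import xml.etree.ElementTree as ET

# Protocol names Tomcat's APR connector accepts in SSLProtocol that we do not
# want to see enabled.  "all" is the attribute's default when it is absent.
LEGACY_PROTOCOLS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed, trimmed stand-in for a default Tomcat 8.0 server.xml (the real
# file is much longer and has many more comments).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <!-- Plain HTTP connector, as shipped -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# The connector as written in the FAQ's original snippet, with assumed paths
# (C:\Tomcat\conf\...) filled in so that it parses as XML.
PAGE_SNIPPET_XML = r"""<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="C:\Tomcat\conf\server.crt" SSLCertificateKeyFile="C:\Tomcat\conf\server.key" SSLVerifyClient="no" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
</Service></Server>"""


def parse_server_xml(text):
    """Parse server.xml keeping comments, so a rewrite does not strip them."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def serialize(root):
    """Serialize back to text; ET drops the XML declaration, so re-add it."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def add_apr_https_connector(text, cert_file, key_file, port="8443",
                            protocols="TLSv1.2",
                            ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"):
    """Return server.xml text with an APR HTTPS connector inserted directly
    after the first plain HTTP/1.1 connector of each <Service>."""
    root = parse_server_xml(text)
    inserted = 0
    for service in list(root.iter("Service")):
        for idx, child in enumerate(list(service)):
            proto = child.get("protocol", "HTTP/1.1")  # Tomcat's default when absent
            is_http = "HTTP/1.1" in proto or "Http11" in proto
            if child.tag != "Connector" or not is_http or child.get("SSLEnabled") == "true":
                continue
            https = ET.Element("Connector", {
                "protocol": "org.apache.coyote.http11.Http11AprProtocol",
                "port": port,
                "maxThreads": "200",
                "scheme": "https",
                "secure": "true",
                "SSLEnabled": "true",
                "SSLCertificateFile": cert_file,
                "SSLCertificateKeyFile": key_file,
                "SSLVerifyClient": "no",
                "SSLProtocol": protocols,           # TLS 1.2 only by default
                "SSLCipherSuite": ciphers,          # OpenSSL cipher string (my choice)
                "SSLHonorCipherOrder": "true",      # server picks, not the client
            })
            https.tail = child.tail                 # keep the file's indentation
            service.insert(idx + 1, https)
            inserted += 1
            break
    if not inserted:
        raise ValueError("no plain HTTP connector found to anchor the HTTPS connector")
    return serialize(root)


def legacy_tls_connectors(text):
    """Return [(port, [legacy names])] for SSL-enabled connectors whose
    SSLProtocol still admits SSLv2/SSLv3/TLS 1.0/TLS 1.1 or is left at 'all'."""
    findings = []
    for conn in parse_server_xml(text).iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue
        value = conn.get("SSLProtocol", "all")
        enabled = {p.strip() for p in value.replace(",", "+").split("+") if p.strip()}
        bad = sorted(enabled & LEGACY_PROTOCOLS)
        if bad:
            findings.append((conn.get("port"), bad))
    return findings


if __name__ == "__main__":
    print("FAQ snippet as written allows:", legacy_tls_connectors(PAGE_SNIPPET_XML))
    updated = add_apr_https_connector(SAMPLE_SERVER_XML,
                                      r"C:\Tomcat\conf\server.crt",
                                      r"C:\Tomcat\conf\server.key")
    print(updated)
    print("Legacy protocols after rewrite:", legacy_tls_connectors(updated))
```

To use it against a real installation, read <Tomcat>\conf\server.xml, pass its text through add_apr_https_connector with the paths of your PEM files, write the result back (keep a copy of the original first) and run legacy_tls_connectors over the final file before restarting Tomcat. The audit also catches connectors that omit SSLProtocol entirely, since that leaves the connector at its "all" default.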

More information about the <Connector>-tag may be found at the Apache Tomcat website at https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Sunday, 15 May 2016 Posted in Security