In this article we will look at the reasons why we would want to run the Tomcat web server on the Linux platform. We will also look into securing the Tomcat web server with SSL. This will include creating a CSR for the certificate, installing the new certificate and making configuration changes to the server.xml file.
Without SSL on Tomcat, you’re exposing user data, your application, and your reputation to serious risks. Securing it with SSL is not just a best practice — it’s a necessity.
Without further ado, let’s begin looking into securing our Tomcat server with SSL.

Tomcat and Linux
If you’re running a production-grade Java application on Tomcat, Linux is typically the recommended platform unless there’s a specific reason to use Windows (e.g., integration with Active Directory or Windows-specific services).
Running Apache Tomcat on Linux comes with several advantages, especially in production or performance-critical environments. Here’s a breakdown of the key benefits:
Lower overhead: Linux generally uses fewer system resources than Windows, allowing Tomcat to run more efficiently.
Faster I/O: Linux file systems and memory management often outperform Windows under load.
Granular permissions: Linux provides fine-grained control over file and user permissions.
SELinux/AppArmor: Advanced security modules help enforce security policies on applications like Tomcat.
Minimal installs: You can strip down the OS to just what’s needed, reducing the attack surface.
Powerful CLI tools: Easier to manage Tomcat and system services via terminal scripts.
Systemd integration: Easily manage Tomcat as a service using systemctl with auto-restart and logging support.
Cron jobs: Easily automate backups, log rotations, or health checks.
Free to use: Most Linux distros are open-source and free.
Community and enterprise support: Options like Ubuntu, CentOS, or RHEL depending on your needs and budget.
Linux is well-suited for headless servers where no GUI is needed — ideal for server deployments of Tomcat.
Native support for tools like Docker, Ansible, Jenkins, Kubernetes, etc.
Easier to deploy CI/CD pipelines, containers, and orchestration solutions.
Use apt, yum, or dnf to easily install and update dependencies or Tomcat itself.
Easier to script repeatable deployments or spin up identical environments.
Why secure Tomcat with SSL
Securing Apache Tomcat with SSL (Secure Sockets Layer) – or more accurately TLS (Transport Layer Security), the modern version of SSL – is important for several key reasons:
Encrypt Data in Transit
SSL/TLS encrypts the data exchanged between the client (like a browser) and your Tomcat server. This protects:
Usernames, passwords
Session cookies
Sensitive application data
from being intercepted by attackers via man-in-the-middle (MITM) attacks.
Authentication
When you use an SSL certificate, clients can verify that they are talking to the authentic server (thanks to the certificate authority). This prevents:
Spoofing
Impersonation attacks
Data Integrity
TLS ensures that data isn’t altered in transit. If it is, the connection fails. This:
Prevents tampering
Preserves trust and application logic
Compliance Requirements
Many regulations (like GDPR, HIPAA, PCI-DSS) require encryption of data in transit. SSL/TLS helps meet those requirements.
Set up SSL (HTTPS) for Apache Tomcat on a Linux system
To set up SSL (HTTPS) for Apache Tomcat, we will need to configure it with a certificate (self-signed or from a CA in our case) and update the server.xml file to enable SSL. Here’s a step-by-step guide:
Generating a CSR for Tomcat on a Linux system using keytool
First, we will need to create the keystore and generate the private key for the certificate. This is done in the Linux console using the commands below. In the example below we create a keystore named mykeystore.jks with the alias tomcat.
Note: when keytool prompts you for your first and last name, enter the Common Name for your site, e.g. domain.com.
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore mykeystore.jks
Once the keystore and private key are generated we need to generate the CSR itself. To generate the CSR file named mycsr.csr, we run the command below against the keystore holding the private key we created in the step above:
keytool -certreq -alias tomcat -file mycsr.csr -keystore mykeystore.jks
Submit CSR to your CA
During this step you simply submit the mycsr.csr file to your Certificate Authority and go through the verification process to get your certificate. We will look at Namecheap as an example in this case, but the process is similar for other Certificate Authorities.
Once verified you will get 2 files: one in .crt format, which is your certificate, and a bundle file, which contains your chain certificates.
Convert Certificate to p7b format
The next step is combining our .crt certificate file and the bundle .crt file into one .p7b certificate file.
In the example below we assume that the Namecheap Certificate Authority issued a file called newcert.crt as our certificate and bundle_file as our chain certificate. As a result we will create a file called newcert.p7b.
openssl crl2pkcs7 -nocrl -certfile newcert.crt -out newcert.p7b -certfile bundle_file
Importing the Certificate
Now that we have our newcert.p7b Certificate file we can import it into our local keystore.
keytool -import -trustcacerts -alias tomcat -file newcert.p7b -keystore mykeystore.jks
Edit server.xml
And finally we edit our Tomcat configuration file. This file is typically located at TOMCAT_HOME/conf/server.xml, but the location could be different based on your setup.
Find the section with the default connector (<Connector port="8080" … />) and add, or uncomment and modify, the SSL Connector (usually on port 8443):
Replace "your_keystore_password" with the password you chose when creating the keystore in the step above.
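The HTTPS connector as it could look in server.xml for Tomcat 8.5 and later, using the SSLHostConfig syntax. This is an added example, not a snippet from the original article; it assumes mykeystore.jks was copied to TOMCAT_HOME/conf and uses the alias tomcat from the keytool step above.

```xml
<!-- Added example (not from the original article): an HTTPS connector for
     Tomcat 8.5/9/10. Assumes mykeystore.jks was copied to TOMCAT_HOME/conf
     and that the private key entry has the alias "tomcat". -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true">
    <!-- Offer only current TLS versions; SSLv3, TLS 1.0 and TLS 1.1 stay off. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <!-- Relative paths are resolved against $CATALINA_BASE. -->
        <Certificate certificateKeystoreFile="conf/mykeystore.jks"
                     certificateKeystorePassword="your_keystore_password"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- The plain HTTP connector should point at the HTTPS port so that requests
     to resources with a transport-guarantee of CONFIDENTIAL are redirected:
     <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

     On Tomcat 7 / 8.0 the same settings go directly on the Connector element:
     keystoreFile="conf/mykeystore.jks" keystorePass="your_keystore_password"
     keyAlias="tomcat" sslProtocol="TLS" clientAuth="false" -->
```

Because the keystore password is stored in clear text, restrict server.xml and mykeystore.jks to the Tomcat service user (for example chmod 600 owned by that user).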
Restart Tomcat
sudo systemctl restart tomcat
Or, if you're using the startup scripts:
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
Final test
Visit: https://your-domain.com:8443
If you want SSL to run on port 443, either:
Change port="8443" to port="443" (requires root privileges or port forwarding).
Or use a reverse proxy (e.g., Apache/Nginx) to forward 443 to 8443.