Category Archives: Tomcat

Certificates, what to know…

Certificates are a tough and complex world to be in.

Here are the main things to remember when renewing old certificates, or requesting new ones 🙂

  • CA is short for “Certificate Authority” and is usually a party that ‘signs’ certificates on behalf of the requester. Because someone other than the party hosting the site signed the certificate, it is assumed that a second, independent party vouches for it (dualism).
  • CSR is short for “Certificate Signing Request” and contains the hash needed by any CA to create a “signed” certificate.
  • Private Key is the server’s key portion of the certificate, which enables the server to “decrypt” traffic generated by a remote client using the provided certificate. This part of the certificate should always be kept safe and should never be exchanged with any 3rd party. He who has the private key can assume the identity of the server/service to which the certificate applies.
  • Public Key is the client’s key portion of the certificate, which allows a client to decrypt the traffic generated by the remote server. This key is exchanged encrypted using the certificate at connection time, and because only the server holds the server portion (the private key), it is theoretically the only one in the world that can decode the traffic containing the key.
  • The certificate’s CN (Common Name) should always match the URL used by the visiting client, i.e. for Google the CN would be
  • The certificate’s O (Organization) should match the company listed in the whois performed on the domain name, i.e. for Google it would be “Google Inc.”
  • When you want to use the certificates for mobile devices, a special certificate should be used. Check for more information.
  • SAN is short for “Subject Alternative Name”, not to be mistaken for “Storage Area Network”. It is a special certificate that allows for multiple CNs (multiple sites) and is also used in a number of Microsoft products.
  • If you have the option, don’t use certificates that use the MD5 cryptographic hash. These are considered weak and might be blocked as insecure by future browsers. The weaknesses allow hackers to create a ‘valid’ certificate and steal the identity of your site by applying it (tough read, for the wiz-kids).

This should help you on your way 🙂

This might also be useful: a CSR Checker that will also perform a few checks to make sure all the info inside the CSR adds up.
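As an added example (not part of the original post), the following shell script generates a key and a CSR that carries a SAN, then performs the checks a CSR checker does: that the request verifies, which CN, O and SAN entries it holds, and whether its signature uses the MD5 hash warned about above. It assumes openssl 1.1.1 or newer is installed; all names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: generate a key and a CSR that
# carries a SAN, then run the checks a CSR checker performs on it. Assumes
# openssl (1.1.1 or newer, for -addext) is installed; names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/example.key"
CSR="$WORK/example.csr"

# Key + CSR with CN and O in the subject and two SAN entries (SHA-256 signed).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$KEY" -out "$CSR" \
    -subj "/CN=www.example.test/O=Example Org" \
    -addext "subjectAltName=DNS:www.example.test,DNS:example.test" >/dev/null 2>&1
}

# Print one key=value line each: signature check, CN, O, SAN list, signature algorithm.
csr_info() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || { echo "verify=fail"; return 1; }
  echo "verify=ok"
  subj=$(openssl req -in "$CSR" -noout -subject -nameopt RFC2253)
  echo "cn=$(echo "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
  echo "o=$(echo "$subj" | sed -n 's/.*O=\([^,]*\).*/\1/p')"
  text=$(openssl req -in "$CSR" -noout -text)
  echo "san=$(echo "$text" | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')"
  echo "sigalg=$(echo "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -1)"
}

# 0 when the CSR is not MD5-signed (the weak case the post warns about), 1 when it is.
sig_is_not_md5() {
  csr_info | grep '^sigalg=' | grep -qi md5 && return 1
  return 0
}

gen_csr
csr_info
```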


Tomcat https and automatic redirect

Here is an example Tomcat configuration that configures SSL and an automatic redirect from TCP 80 (HTTP) to TCP 443 (HTTPS).

This may sound obvious, but for the automatic redirect to work you need to make sure that you also configure the connector for port 80 alongside the port 443 connector in the server.xml configuration file.

Next, create an ssl directory inside the Tomcat directory. If you are going to use a different path, make sure Tomcat can access these files. I usually try to keep all application server related files inside the Catalina home.

cd /opt/tomcat   #or any other path you used
mkdir ./ssl

First, create the key file and a CSR file for the certificate using openssl. My advice would be to execute the following command inside the ssl directory you created previously.

cd /opt/tomcat/ssl #or any other directory you used.
#alter the names to match your requirements (<name> is a placeholder for your own file name)
openssl req -newkey rsa:4096 -nodes -keyout <name>.key -out <name>.csr

This command will output a key file and (after answering the questions) a CSR file. In the configuration I have also added a date portion to the file names for future reference. You can use the CSR (Certificate Request File) to either get a valid public certificate or generate a self-signed certificate (google the answer on how this is done). Make sure you finally get these files available in the ${catalina.base}\ssl directory.

#alter the names to match your own requirements, best practice usually includes creating self descriptive filenames.

Once you have the private key and certificate in place, you can create the connectors inside server.xml that Catalina (Tomcat) needs to handle the network requests made by remote users on ports 80 (http) and 443 (https). By default Catalina is configured on port 8080. You can safely delete the default entry and replace it with the config below.

Make sure that the <Connector> entries are added between the <Service name="Catalina"> XML tags.

Open the server.xml file and create the following connectors. Tweak the settings to match your own requirements.

<!-- Connector definition for TCP port 80; redirectPort sends constrained requests to 443 -->
<Connector port="80" protocol="HTTP/1.1"
           redirectPort="443"
           compression="on"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>

<!-- Connector definition for SSL port 443. The SSL* attributes assume the APR/native connector,
     which reads the PEM key and certificate created above; <name> is a placeholder -->
<Connector port="443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/ssl/<name>.crt"
           SSLCertificateKeyFile="${catalina.base}/ssl/<name>.key"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"/>

On some occasions you want Tomcat to automatically redirect any incoming request on TCP port 80 (HTTP) to TCP port 443 (HTTPS). If this is required, the behavior can be forced by adding the following to the web.xml configuration located in the ${catalina.base}/conf/ directory.

Make sure you add this entry just before the ending </web-app> tag.

  <!-- Automatically redirect all requests to https -->
  <security-constraint>
    <web-resource-collection><web-resource-name>Automatic SSL Forward</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>

If you also want to redirect someone from the /* (ROOT) location to an application deployed in a Tomcat subdirectory, you can add the following to the default index.jsp inside the ${catalina.base}/webapps/ROOT directory. Make sure this is added at the top of the file, before any content is sent to the receiving browser; otherwise an error will occur. The cleanest way is to remove all content except the entry below.

<%
    String redirectURL = "/appname";   // path of the deployed application
    response.sendRedirect(redirectURL);
%>
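As an added example (not the post's own code), the script below covers the step the post leaves to Google and the check worth doing before the connectors go into server.xml: it self-signs the CSR into a test certificate, then verifies that key and certificate share the same modulus, that the certificate's CN equals the host name clients will use, and that the private key is not world readable. It assumes openssl is installed; the directory, host name and file names are constructed.

```shell
#!/bin/sh
# Added example, not the post's own code: self-sign the CSR for a test
# certificate, then check the pair before it goes into server.xml: key and
# certificate must share the same RSA modulus, the CN must match the host name
# clients will use, and the private key must not be world readable.
# Assumes openssl is installed; the directory and names are constructed here.
set -eu
SSLDIR=$(mktemp -d)            # stands in for ${catalina.base}/ssl
trap 'rm -rf "$SSLDIR"' EXIT
HOST='tomcat.example.test'     # constructed host name

# Key + CSR as in the post (2048 bits here to keep the example quick).
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST/O=Example Org" \
  -keyout "$SSLDIR/tomcat.key" -out "$SSLDIR/tomcat.csr" >/dev/null 2>&1
chmod 600 "$SSLDIR/tomcat.key"

# Sign the CSR with its own key: a short-lived self-signed test certificate.
self_sign() {
  openssl x509 -req -in "$SSLDIR/tomcat.csr" -signkey "$SSLDIR/tomcat.key" \
    -days 30 -out "$SSLDIR/tomcat.crt" >/dev/null 2>&1
}

# 0 when key ($1) and certificate ($2) carry the same modulus, 1 otherwise.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$k" = "$c" ]
}

# 0 when the CN of certificate $1 equals the expected host name $2.
cert_cn_is() {
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# 0 when the key file is not readable by "others" (find prints nothing).
key_is_private() {
  [ -z "$(find "$1" -perm -004)" ]
}

self_sign
key_matches_cert "$SSLDIR/tomcat.key" "$SSLDIR/tomcat.crt" && echo "key and certificate match"
cert_cn_is "$SSLDIR/tomcat.crt" "$HOST" && echo "CN matches $HOST"
key_is_private "$SSLDIR/tomcat.key" && echo "key permissions ok"
```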

Hope this helped; any comments or clarifications, please post them below 🙂 🙂

RHEL5 init script for tomcat catalina

I have written an init script for Tomcat Catalina running on RHEL version 5. I have tested this script using Oracle Enterprise Linux 5.5 Carthage. The script should comply with the init standards defined for Red Hat Enterprise Linux using the init functions library.

The script also allows the use of chkconfig, even though you might want to alter the priorities used (56 10).

#!/bin/bash
# "$Id: catalina ,v 1.0 2010/08/10 Chris_g Exp $"
#   Startup/shutdown script for tomcat(Catalina) Application server.
#   Linux chkconfig stuff:
#   chkconfig: 2345 56 10
#   description: Startup/shutdown script for the tomcat application server.

# Source function library.
. /etc/init.d/functions

# Define where the catalina start/stop script is located (alter to your own tomcat path).
CATALINA_BIN='/u01/tomcat/bin/catalina.sh';

# Lock file the RH init functions use to remember that the service was started.
LOCK='/var/lock/subsys/tomcat';
RETVAL=0

# Find the catalina process using ps / awk.
# The match function will return 0 when no match is found with the string "java".
# Position $9 should contain the path to the Java executable used by catalina.
PROC=`ps -efc | grep apache.catalina | awk 'BEGIN { FS=" "}; { if( match($9, "java") != 0 ) print $9;}'`

# Replace a potential empty string with a fake process so the RH daemon functions are able to parse
# it properly
if [[ "$PROC" == '' ]]; then
        PROC='catalina-not-running';
fi

# Define the application name that is listed in the daemonize step.
PROG='Tomcat JVM';


start () {
        echo -n $"Starting $PROG: "

        # start daemon (catalina's own output is discarded; the RH functions print the status)
        daemon $CATALINA_BIN start 1> /dev/null
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch $LOCK
        return $RETVAL
}

stop () {
        # stop daemon
        echo -n $"Stopping $PROG: "
        killproc $PROC
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f $LOCK
        return $RETVAL
}

restart() {
        stop
        start
}

case $1 in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        status)
                status $PROC
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $PROG {start|stop|restart|status}"
                exit 3
                ;;
esac

exit $RETVAL

1. Touch a new tomcat file in your init directory.
     touch /etc/init.d/tomcat
2. Copy and paste the code above into this file using vi:
     vi /etc/init.d/tomcat
   (putty users)
   press the insert button (this should put vi in insert mode)
   Alter the tomcat path, copy the altered code to your clipboard and paste it into putty using a right mouse click.
   press esc (this should get you out of insert mode)
   next press "shift + :", "w", "enter" (this should save the file)
3. If you were able to start tomcat before (all vars/java configured), then the tomcat script should now be able to handle the startup.
4. If catalina was already running, try:

     service tomcat status
     This should already give a result equal to:
     java (pid 14389) is running...

5. Add tomcat to chkconfig for automatic startup:
     chkconfig --level 2345 tomcat on

Hope this helps 😉

Compiling Tomcat APR-Native on OEL5.2

This is just a short tutorial on how to compile APR on Oracle Enterprise Linux 5.2. If you ever need to install the Apache Portable Runtime on an Oracle Enterprise Linux machine, then this is what you need and how to configure it.
