Trust Nexus WebAuthn+ ~ Unhackable Authentication

Configure HTTPS

"Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS or HTTP over SSL."[ref]

The cryptography is accomplished through digital certificates. In our project we will use a certificate purchased from Dynu for $19.00.
In the past, digital certificates would cost hundreds or even thousands of dollars.

In Java, digital certificates are stored in a keystore. Let's begin by creating a keystore in the same folder as our Tomcat application.
In Windows Explorer create the folder c:\opt\dynu

In Windows 11 open a command prompt as an administrator by clicking on the Windows button, typing "cmd" and selecting "Run as administrator".

You can copy and paste the following commands [with modifications] directly into your Command Prompt.

```
CD %JAVA_HOME%\bin
```

This command takes you to the directory where the Keytool executable is stored.

```
keytool -genkey -alias tomcat -keyalg RSA -keystore c:\opt\dynu\webauthnplus_2023.keystore
```

This command generates the webauthnplus_2023.keystore file. But first it asks you some questions:

```
Enter keystore password: [create a new password]
Re-enter new password: [reenter the password]
What is your first and last name?
  [Unknown]: webauthnplus.com [enter the name of your website]
What is the name of your organizational unit?
  [Unknown]: web
What is the name of your organization?
  [Unknown]: Trust Nexus
What is the name of your City or Locality?
  [Unknown]: Austin
What is the name of your State or Province?
  [Unknown]: TX
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=www.webauthnplus.com, OU=web, O=Trust Nexus, L=Austin, ST=TX, C=US correct?
  [no]: y
```

```
keytool -certreq -keyalg RSA -alias tomcat -file c:\opt\dynu\certreq.csr -keystore c:\opt\dynu\webauthnplus_2023.keystore
```

This command generates your "Certificate Signing Request": certreq.csr. The text from this file will be copied and pasted into a web form on the Dynu website.

At the end of the process your command prompt should look something like this:

Your Windows Explorer should look something like this:

Log in to your Dynu account; the "Control Panel" is displayed.

Click on "Services" and select "SSL CERTIFICATES".

The different types of SSL certificates are displayed.

Click on the "Certified Domains" tab. The two domain types are displayed.

Select "Single Domain". Purchase options are displayed.

Select "Get Started" under the "COMODO Positive SSL". The "Add SSL Certificate" screen is displayed.

Enter your "Domain Name" and accept the default "Type".
Make sure the "AutoGenerate CSR" switch is set to "OFF". Click "Add"; the "My Cart" screen is displayed.

Click "Checkout". Once payment is made you will receive an email response with a link to the "SSL Certificates" screen.

Click on the "Domain Name" for the cert that has a status of "Awaiting CSR" (there will probably be only one cert in your list).
The "Manage SSL Certificate" screen will be displayed.

Open the file "c:\opt\dynu\certreq.csr"; copy the data into the "Certificate Signing Request (CSR)" input box.
Set the "Web Server Type" to "Tomcat".

Click "Save". The screen will transform and a message regarding email will be displayed in the blue box.

If you need an email address, click on the link in the blue box: https://www.dynu.com/Email/Forwarding
The "Email Forward" screen will be displayed in a new tab.

Click on "Get Started". The "Add Email Service" screen will be displayed.

Enter your "Domain Name". Accept the default "Type" of "Email Forward". Click "Add".
The "My Cart" screen is displayed.

Click "Checkout". Almost immediately you will receive an email notifying you that your Email Forward service has been activated.
Go back to your "Manage SSL Certificate" screen.

Select an "Approver Email" and click "Save".
You will get a notification screen with the message that an email has been sent. "Please follow the instructions..."

When you receive your confirmation email click on the link. The "Domain Control Validation" screen will be displayed with the validation code filled out.

Click "Submit". The "Domain Control Validated" screen will be displayed.

It will take about an hour for you to receive your confirmation email that your SSL certificate has been approved. Click on the link in the email and you will be taken to your "Control Panel".

From the Control Panel click on "SSL Certificates" and then click on the "Domain Name" for the cert that has a status of "Completed" (there will probably be only one cert in your list).
The "Manage SSL Certificate" screen will be displayed with a notice that your SSL Certificate has been issued.

Click on the "Download SSL Certificate" link and save the zip file to the folder c:\opt\dynu. If the file name is not already in this format, rename the file [your domain]_2023. Most certs are good for a year; adding the "_2023" will help keep things organized. Unzip the file.

Go to your command prompt (opened above) and run the following commands:

```
keytool -import -alias intermed1 -keystore c:/opt/dynu/webauthnplus_2023.keystore -trustcacerts -file C:/opt/Dynu/webauthnplus.com_2023/Intermediate1.crt
keytool -import -alias intermed2 -keystore c:/opt/dynu/webauthnplus_2023.keystore -trustcacerts -file C:/opt/Dynu/webauthnplus.com_2023/Intermediate2.crt
keytool -import -alias tomcat -keystore c:/opt/dynu/webauthnplus_2023.keystore -trustcacerts -file C:/opt/Dynu/webauthnplus.com_2023/webauthnplus.com_2023.crt
```

After the final command the following message should be displayed: "Certificate was added to keystore."

In a text editor, open the file C:\opt\apache-tomcat-[x.x.xx]\conf\server.xml and make the following edits:

Change:

```
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="1000" />
```

to

```
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"
           maxParameterCount="1000" />
```

Find the Connector for protocol="org.apache.coyote.http11.Http11NioProtocol"; that section should be commented out (<!-- -->). Just above that section add the following (with your keystorePass):

```
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
           disableUploadTimeout="true" enableLookups="false" maxThreads="150"
           port="443" keystoreFile="c:\opt\dynu\webauthnplus_2023.keystore" keystorePass="tnx123"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLS" />
```
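
A check for the server.xml edits above, as an added example that is not part of the original page or of Tomcat: it parses the file and reports a redirectPort that does not point at a TLS connector, a missing keystoreFile, or a short keystorePass. The function name `lint_connectors`, the `MIN_PASS_LEN` threshold and the sample XML are assumptions constructed for illustration; the check reads only the Connector attributes this page uses.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors from this page, with redirectPort
# left at 8443 (the value the page tells you to change) to show the check.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" maxParameterCount="1000" />
  <!-- <Connector port="8443" SSLEnabled="true" /> commented out: ignored -->
  <Connector SSLEnabled="true" port="443" scheme="https" secure="true"
             keystoreFile="c:\opt\dynu\webauthnplus_2023.keystore"
             keystorePass="tnx123" sslProtocol="TLS"
             protocol="org.apache.coyote.http11.Http11NioProtocol" />
</Service></Server>"""

MIN_PASS_LEN = 12  # assumption: a local policy threshold, not a Tomcat rule


def lint_connectors(xml_text):
    """Return findings for the <Connector> elements of a server.xml document."""
    # The default XML parser drops comments, so commented-out connectors are skipped.
    connectors = list(ET.fromstring(xml_text).iter("Connector"))

    def is_tls(c):
        return c.get("SSLEnabled", "false").lower() == "true"

    tls_ports = {c.get("port") for c in connectors if is_tls(c)}
    findings = [] if tls_ports else ['no connector has SSLEnabled="true"']
    for c in connectors:
        port = c.get("port")
        if not is_tls(c):
            # Plain connector: its redirect target must be a TLS connector.
            redirect = c.get("redirectPort")
            if redirect and redirect not in tls_ports:
                findings.append(f"port {port}: redirectPort {redirect} is not a TLS connector")
            continue
        if not c.get("keystoreFile"):
            findings.append(f"port {port}: no keystoreFile set")
        if len(c.get("keystorePass", "")) < MIN_PASS_LEN:
            findings.append(f"port {port}: keystorePass shorter than {MIN_PASS_LEN} characters")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {port}: scheme="https" and secure="true" expected')
    return findings


if __name__ == "__main__":
    # Pass the path to a real server.xml, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for finding in lint_connectors(text):
        print(finding)
```

Run against the sample, it reports the stale redirectPort on port 80 and the six-character keystorePass on port 443.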

"Bounce" (shutdown/startup) your server. Open your browser and go to
https://www.[your domain].com/foundation/displayTestOverview.action

Notice that the red error icon is gone from the address bar and the URL begins with "https://".

You are now a "full stack" developer with a cryptographically secure application and website. Very cool!

Wouldn't it be even cooler if you had an Android application that interacted with your web application?

If your resume includes "full stack developer", "cryptography" and "Android", you can move to Austin, TX and get a job with a starting salary in the mid six figures (not an absolute guarantee, but your chances will certainly be very good, especially if you are positive and optimistic).