Applying Certificates to the Apache Tomcat Server

This guide covers the steps required to apply certificates to the Apache Tomcat Server.

Apache Tomcat

It is the responsibility of the customer to ensure the Tomcat server is properly configured with the necessary SSL Certificates.

Ex Libris is unable to process any requests for this to be done on the customer’s behalf.

As such, the following document serves to outline the generic process, and will evolve to include F.A.Q.s.

Prerequisites:

1. Must have access to the Tomcat Server.

2. Must have permissions to navigate all folder structures, and to upload/move files.

3. Must know the password for the Java keystore if it is not the default (see the process below for details).

Process:

Access the Tomcat Server via console or SSH.

Attempt to locate the keystore location using the following command:

locate cacert

If a single location is returned, you now know the keystore you must navigate to. If multiple locations are returned, you must first determine which version of Java is in use, and then navigate to the corresponding path. The Java version may be determined by entering the following command:

java -version

Having navigated to the path determined by the previous step, determine whether the certificate is already within the keystore with the following command:

keytool -list -v -keystore cacerts

You will be required to input the password. Enter the password if you know it; otherwise the default (which is case-sensitive) is:

changeit

Note: keytool may not be on your command-line PATH. If this is the case, you may use the following command; following the symbolic links it reports will show you the Java installation in which keytool is located:

which java

Note: You may also wish to use keystore explorer – http://keystore-explorer.org/

If the certificate is not already there, you will have to import it using the following command format, having first moved the certificate file into the directory:

keytool -import -trustcacerts -alias DesiredAlias -file FileName -keystore cacerts

e.g.

keytool -import -trustcacerts -alias MySslCert -file MySSL.cer -keystore cacerts

Please note: This requires the certificate file being uploaded to be an X.509 certificate. If the certificate file is not compliant, you may have to find a workaround, such as adding it to the Windows personal certificate store and exporting it from there in an appropriate format.

Once again, run:

keytool -list -v -keystore cacerts

The certificate you added should now appear in the list. To find it quickly, you may instead run:

keytool -list -v -keystore cacerts | grep -i DesiredAlias

e.g.

keytool -list -v -keystore cacerts | grep -i MySslCert

(keytool stores aliases in lower case, so the case-insensitive -i option is used.)

If this has succeeded, you may restart the Tomcat Server.

If the Connect Layer runs on load-balanced nodes, repeat all of the above steps on each node so that every node is updated.
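The following script is an added example, not part of the original Ex Libris guide, that wraps the steps above (locate the cacerts keystore of the Java actually on the PATH, check whether the alias is already present, import it if not, and verify afterwards) in reusable shell functions. It assumes a POSIX shell, that keytool is reachable on the PATH, and that the keystore password is supplied in the KEYSTORE_PASS environment variable (defaulting to the keytool default, changeit). The function names and the KEYSTORE_PASS variable are this example's own, not part of keytool or the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): keytool steps as functions.
# Assumes: POSIX sh, keytool on PATH, password in KEYSTORE_PASS (default changeit).
set -u

KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"

# Resolve the `java` binary on PATH through its symbolic links and look for the
# cacerts keystore of that installation. This settles the "locate returned
# several cacerts" case by picking the one belonging to the Java in use.
find_cacerts() {
    java_bin=$(command -v java) || return 1
    while [ -L "$java_bin" ]; do
        link=$(readlink "$java_bin")
        case "$link" in
            /*) java_bin="$link" ;;
            *)  java_bin="$(dirname "$java_bin")/$link" ;;
        esac
    done
    java_home=$(dirname "$(dirname "$java_bin")")
    for candidate in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Return 0 if the text of a `keytool -list -v` listing contains an entry for
# the alias. keytool stores aliases in lower case, so compare case-insensitively.
# Pure text parsing, so it can be exercised without keytool installed.
listing_has_alias() {
    listing="$1"
    alias_name="$2"
    printf '%s\n' "$listing" | awk -v a="$alias_name" '
        tolower($0) == ("alias name: " tolower(a)) { found = 1 }
        END { exit !found }'
}

# Return 0 if the alias exists in the keystore: `keytool -list -alias` exits
# non-zero when the alias is absent, so no grep over the verbose output is needed.
alias_in_keystore() {
    keystore="$1"
    alias_name="$2"
    keytool -list -keystore "$keystore" -storepass "$KEYSTORE_PASS" \
        -alias "$alias_name" >/dev/null 2>&1
}

# Import the certificate file under the alias unless it is already present,
# then verify the import. The fingerprint is printed first so it can be
# compared with the value published by the certificate's issuer before the
# JVM is made to trust it (-noprompt suppresses keytool's own confirmation).
import_if_missing() {
    keystore="$1"
    alias_name="$2"
    cert_file="$3"
    if alias_in_keystore "$keystore" "$alias_name"; then
        echo "alias '$alias_name' is already present in $keystore"
        return 0
    fi
    if ! keytool -printcert -file "$cert_file"; then
        echo "$cert_file is not a readable X.509 certificate" >&2
        return 2
    fi
    keytool -import -trustcacerts -noprompt -alias "$alias_name" -file "$cert_file" \
        -keystore "$keystore" -storepass "$KEYSTORE_PASS" || return 3
    alias_in_keystore "$keystore" "$alias_name"
}

# Usage: sh apply_cert.sh <alias> <cert-file> [keystore]
# With no arguments the functions are only defined, nothing is changed.
if [ "$#" -ge 2 ]; then
    ks="${3:-$(find_cacerts)}" || { echo "could not find cacerts" >&2; exit 1; }
    import_if_missing "$ks" "$1" "$2"
fi
```

Run it once per node after uploading the certificate file, then restart Tomcat on that node; a non-zero exit from import_if_missing means the alias is still not in the keystore and the restart should wait.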