As per the below link
https://github.com/spring-projects/spring-boot/issues/6164, the following features are removed from tomcat 8.5
a) Class org.apache.tomcat.util.net.ServerSocketFactory no longer exists
b) Class org.apache.tomcat.util.net.jsse.JSSESocketFactory no longer exists
c) Method JSSEImplementaton.getServerSockerFactory(AbstractEndpoint) no longer exists
d) Method JSSEImplementaton.getSSLUtil(AbstractEndpoint) no longer exists
These make our upgrade from tomcat 8.0 to tomcat 8.5.x difficult.
We have two requirements
Tomcat AJP protocol receives encrypted content coming from the HTTP server and gives an encrypted response. This was possible with tomcat 8, by using custom classes implementing tomcat's ServerSocketFactory interface.
Store certificates file for tomcat https in a custom keystore (an XML file)
How these can be achieved in tomcat 8.5? Any suggestions appreciated. (We were doing it in Tomcat 8 using custom SocketFcatory implementing tomcat's interface)
After the connector refactoring the JIoEndpoint that allowed to specify arbitrary ServerSocketFactory is no longer available.
However the AJP connector is almost ready to accept SSL connections if you allow some changes to Tomcat's codebase: the AbstractAjpProtocol class just lacks an implementation of the addSslHostConfig and findSslHostConfigs or better it has implementations that don't store or return anything with a very explicit comment:
SSL is not supported in AJP
If you change them as in AbstractHttp11Protocol, you'll be able to configure an AJP connector the same way you configure a HTTP/1.1 connector:
<Connector SSLEnabled="true" port="8009" protocol="AJP/1.3">
<SSLHostConfig ...>
<Certificate ... />
</SSLHostConfig>
</Connector>
Regarding the certificate storage you can implement your own KeyStoreSpi and security provider and use:
<Certificate certificateKeystoreProvider="your_provider"
certificateKeystoreType="your_type"
... />
Related
The application is using Single sign-on and previously we were using tomcat v7 AJP connector to connect Apache server with tomcat. After upgrading to Tomcat v9, the AJP connector is disabled by default in server.xml
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
Will uncommenting this property solve the issue? Also I have read that AJP is disabled due to vulnerabilities :
https://community.microstrategy.com/s/article/Addressing-the-Apache-Tomcat-JServ-Protocol-AJP-Security-Vulnerability?language=en_US
If that is the case then is there an alternative to connect Apache server with Tomcat? Does this impact single sign-on functionality? Also, is there any configuration that can be done to mitigate the vulnerability and still use AJP?
This question already has answers here:
Enable TLS 1.2 only in apache-tomcat-9 and Java 8
(3 answers)
Closed 1 year ago.
I'm new to tomcat. I've seen many links regarding changing the tls version in tomcat. All of them do one thing in common (ie) to configure the sslProtocol field in the below connector (in server.xml):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" />
However I've changed this line to so many times to different versions. But whenever I test this using openssl, the server works only on TLSv1.2 and not any other versions. It seems that the field sslProtol in connector takes no effect on changing the TLS version. Is there anything that one needes to configure other than changing the version in the connector ? I've searched all over the web and stackoverflow and numerous answers. All seems to change the connector.
Is there anything other than configuring the connector to change the ssl/tls version like adding any external libraries or configuring the jdk or something like that .
Tomcat doesn't implemented SSL/TLS itself. Instead it relies on something external.
If you are using APR connectors, it uses on the OpenSSL engine installed on your platform.
If you are using BIO or NIO connectors, it uses the JSSE provider that your JVM is configured to use. That could either be the JSSE provider distributed as part of Java SE, or it could be a 3rd-party provider such as BounceCastle.
So ... if you can't get the "sslProtocol" parameter to actually select what you want, check that your JVM, JSSE provider or OpenSSL implementation actually supports the version you are trying to use.
Note that if you are using a "stack" that doesn't support (say) TLSv1.3, specifying that in the Connector config is not going to magically make it work. The SSL implementation code has to support it.
References:
How to find what SSL/TLS version is used in Java
Note that the above says what versions of SSL / TLS are supported by older versions of Java. It also provides some tips one figuring out what version is actually being used.
If you had told us clearly ...
what versions of SSL / TLS you were trying to use,
what Tomcat Connector class you were using, and
what versions of the respective software you were using ...
then I might have been able to give you more specific advice.
I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java
Openjdk version 1.8.x
Oracle Java 1.8.x
I need to allow TLS 1.2 only.
Please help guide me to achieve this.
I have tried to follow the following links(Not sure if they are outdated).
But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8
How do I disable SSLv3 in tomcat?
Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)
How do I disable SSLv3 support in Apache Tomcat?
Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8
I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1,TLSv1.2">
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
Please refer this configuration guide and try that out.
If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.
if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
throw new IllegalStateException("Invalid TLS version");
}
This example is from Tomcat 8, but I suspect an option may be available for other containers.
I am creating spring rest service. I wanna secure it with https.
I know that using following solution:
http
.authorizeRequests()
.antMatchers("/secure/**").hasRole("ADMIN")
.anyRequest.hasRole("USER")
.and()
.requiresChannel()
.anyRequest().requiresSecure();
I can force using https. But I do not know what else I have to do. Should I configure something else in spring security or it is enough? I am using tomcat. Should I install certificate? If yes, is existing possibility to install "test certificate"? How it works?
I don't have enough rep to add a comment, so you'll probably need to provide more information to get the answer you really want.
First off, to enable HTTPS, you will need an SSL certificate. If you're just testing/developing, you can generate your own self-signed certificate and ignore certificate warnings from your browser. If however this is a public-facing server, you'll need a valid SSL certificate from a certificate authority like GoDaddy or similar. Generating an SSL cert is probably outside the scope of this question, and there are a lot of guides out there for this (I would post links, but don't have enough rep).
The config you have shown is a valid way to force your application server to only communicate over HTTPS, however, it is not sufficient to actually enable HTTPS for your Tomcat server.
Depending on your setup, you have a few different options for enabling HTTPS.
If you're using Spring Boot with an embedded Tomcat server, then you can enable SSL by setting the server.ssl.* properties of your application.properties file, for example:
server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.ssl.key-password=another-secret
Where keystore.jks is the path to your Java keystore that holds your SSL certificate. See Spring Boot Docs for more info.
If you're using a standalone Tomcat server, you'll need to modify Tomcat's server.xml in $CATALINA_BASE/conf/server.xml and add an SSL connector. For example:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
This example is for Tomcat 7, but the process is similar for other Tomcat versions. See Tomcat SSL for more information.
If you are using a proxy/load balancer (like NGINX) you can add an SSL termination there. The proxy/load balancer then intercepts all HTTPS traffic and communicates over non-HTTPS connections to your application servers. This has the added bonus of not having to interfere with your application server to perform SSL-related maintenance like changing your certificate or config.
I have hosted my spring application in tomcat 7 server .tomcat 7 server that is installed in our own server.our server ip address already map with domain.for now how to map a domain for my spring application. for now i am accessing url like
http:ipaddress:100/appname
If you run your application on port 80 then automatically using your domain you can access your application.
Eg. Your IP: 172.26.87.133
Domain: www.xyz.com
Port:80
Now you can access your application by www.xyz.com/index
Spring is domain agnostic in this case and all configuration are at the tomcat level. This should work out of the box by default, but as I see that you are using port 100, so I assume that someone already played with the configurations.
Note that if you are using Linux OS using port under 1023 maybe an issue look here.
By default tomcat assign the http connector to all IP addresses associated with the server. As your server ip address already map with domain I would expect it to just work. See How do you configure tomcat to bind to a single ip address (localhost) instead of all addresses?
If you are having an issue you should look at your tomcat server.xml file under $CATALINA_BASE/conf
Look for the connector element associated with your port (100) should look similar,if you are using catalina.properties look for bio.http.port.
<Connector acceptCount="100"
connectionTimeout="20000"
executor="tomcatThreadPool"
maxKeepAliveRequests="15"
port="${bio.http.port}"
**address="something-here"**
protocol="org.apache.coyote.http11.Http11Protocol"
redirectPort="${bio.https.port}"/>
If you find the optional address attribute you can comment it out and it should work (assuming you solved linux configurations issue, if exits).
If you what to be more specific (for example from security reason when you have more then one interface) you can specify the IP or domain name here.
See the tomcat documentation for the address attributre here.