Configuring Tomcat to Support SSL

From MircWiki
Revision as of 22:07, 12 April 2007 by JukX7x (talk | contribs)
Jump to navigation Jump to search

This article describes how to enable Secure Sockets Layer (SSL) communication on MIRC sites. This allows browsers to access the site via both HTTP and HTTPS. It also supports encryption of data transfers between field centers and storage services that participate in clinical trials. The intended audience for this information is MIRC system administrators.

1 System Configuration

This document applies to Windows systems running Tomcat 5.5, not Tomcat 4.1, so it should only be used for sites running MIRC T27 or later. Further, these instructions apply to Tomcat sites running the Apache Portable Runtime (APR). On a Windows computer, this is a dynamically linked library (DLL) that is installed automatically during a Tomcat installation if the user selects the Native option. The APR is strongly recommended, especially on high volume sites, because it is much more efficient than the normal Tomcat web server.

You can check whether your system has the APR installed by looking for Tomcat/bin/tcnative-1.dll. If that file is present, Tomcat will automatically use the APR. If your Windows system does not have the APR, you can get it at:

2 Overview of the Process

When an application (A) establishes an SSL connection to another application (B), it receives encrypted information that identifies B. This information is called a certificate. Certificates are encoded mathematically with keys.

Enabling SSL on a Tomcat installation that is running the APR involves the following steps:

  • Create a private key for Tomcat.
  • Create a certificate for Tomcat.
  • Place the private key and the certificate where Tomcat can find them.
  • Configure Tomcat to enable SSL and use the key and certificate.
  • Do any MIRC configuration necessary for clinical trials.

The first two steps require the use of an open source SSL tool called OpenSSL.

3 Getting OpenSSL

OpenSSL is developed by the OpenSSL Project. Its web site is:

A special OpenSSL installer for Windows is available on the Shining Light site at:

After downloading the installer, run it. The result is a directory called OpenSSL. Inside that directory is a bin directory. Although the installer will create entries in the Programs menu, those entries only point to documentation and to the uninstaller. The OpenSSL program is a command-line utility. In the instructions that follow, it is assumed that the OpenSSL directory is located in the root of the D drive (D:\OpenSSL).

4 Creating a Private Key for Tomcat

To enable SSL communication, Tomcat must have a certificate. To create a certificate for Tomcat, you must first have a private key. This section will demonstrate how to create a private key using OpenSSL.

To start, create a directory in which to work. In this example, the directory is called sandbox.

  • Launch a DOS window. (Click Start