Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 475
  • Last Modified:

Snakeoil SSL and Tomcat 7

Hello Experts,

I'm a newbie to SSL so be gentle with me! I'm not sure about terminology yet but here goes...

I want to add SSL security to a web application written as a servlet and running under Tomcat 7.0 (Windows 32-bit). We are developing the application ourselves and want to set up a test system that operates SSL but with minimum cost. Later we will go to a production system and the customer will pay for a certificate(?) for whatever level of 'Assurance' he/she wants.

I'm told that there is a 'product' (?) called Snakeoil SSL which is free and but provides some kind of basic SSL functionality - my hope is that it will allow us to go through the process of 'installing' SSL on Tomcat, pointing a browser at the servlet URL and bringing up the https://  prefix in the address bar. That would do the job for us.

I've googled 'Snakeoil SSL Installation' and can't get any clear info about where to start - all the references I see deal with Linux and rely on having a Snakeoil package available with the O.S.

Does a version of Snakeoil for Tomcat (Windows 32-bit) exist?
Where are the instructions for installation?

Thank you very much.
Stephen
0
SteveFarndon2000
Asked:
SteveFarndon2000
  • 2
  • 2
1 Solution
 
Dave HoweCommented:
Tomcat requires a certificate in a java keystore - you *can* issue those yourself, and that still isn't snakeoil.

I suspect you are referring to the default keys that come with apache; those are literally called snakeoil in the file system and documentation, because anyone with a copy of apache has them (so can decode the traffic)

You should (if you wish to test Tomcat without paying for keys) issue your own keys using the keytool IUI tool, the standard Java keytool, openssl, or whatever you prefer (I recommend the gui keytool IUI, but the end result is the same no matter how you do it)

By custom, the key should be in the keystore with a name of "tomcat" - you configure the tomcat installation to know where to find its keystore (which is a JKS type java keystore for purposes of KT IUI) and what the password is.  The CN on the certificate with the key should match the expected name of the website once it is entered into a browser.

Official documentation can be found here
0
 
SteveFarndon2000Author Commented:
Thanks, Dave. Just waiting for any other comments.
0
 
SteveFarndon2000Author Commented:
That's fine. Dave. I 'll try the gui keytool IUI as you recommend. You have the points. Thank you.
0
 
Dave HoweCommented:
Feel free to ask for further clarification here if you hit any speed bumps - always happy to help :)
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now