Solved

Snakeoil SSL and Tomcat 7

Posted on 2014-01-17
4
436 Views
Last Modified: 2014-01-24
Hello Experts,

I'm a newbie to SSL so be gentle with me! I'm not sure about terminology yet but here goes...

I want to add SSL security to a web application written as a servlet and running under Tomcat 7.0 (Windows 32-bit). We are developing the application ourselves and want to set up a test system that operates SSL but with minimum cost. Later we will go to a production system and the customer will pay for a certificate(?) for whatever level of 'Assurance' he/she wants.

I'm told that there is a 'product' (?) called Snakeoil SSL which is free and but provides some kind of basic SSL functionality - my hope is that it will allow us to go through the process of 'installing' SSL on Tomcat, pointing a browser at the servlet URL and bringing up the https://  prefix in the address bar. That would do the job for us.

I've googled 'Snakeoil SSL Installation' and can't get any clear info about where to start - all the references I see deal with Linux and rely on having a Snakeoil package available with the O.S.

Does a version of Snakeoil for Tomcat (Windows 32-bit) exist?
Where are the instructions for installation?

Thank you very much.
Stephen
0
Comment
Question by:SteveFarndon2000
  • 2
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 39790063
Tomcat requires a certificate in a java keystore - you *can* issue those yourself, and that still isn't snakeoil.

I suspect you are referring to the default keys that come with apache; those are literally called snakeoil in the file system and documentation, because anyone with a copy of apache has them (so can decode the traffic)

You should (if you wish to test Tomcat without paying for keys) issue your own keys using the keytool IUI tool, the standard Java keytool, openssl, or whatever you prefer (I recommend the gui keytool IUI, but the end result is the same no matter how you do it)

By custom, the key should be in the keystore with a name of "tomcat" - you configure the tomcat installation to know where to find its keystore (which is a JKS type java keystore for purposes of KT IUI) and what the password is.  The CN on the certificate with the key should match the expected name of the website once it is entered into a browser.

Official documentation can be found here
0
 

Author Comment

by:SteveFarndon2000
ID: 39794096
Thanks, Dave. Just waiting for any other comments.
0
 

Author Comment

by:SteveFarndon2000
ID: 39803723
That's fine. Dave. I 'll try the gui keytool IUI as you recommend. You have the points. Thank you.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39806252
Feel free to ask for further clarification here if you hit any speed bumps - always happy to help :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CA single sign on 2 73
WCAG (Web Content Accessibility Guidelines) levels 3 66
Creating csr file for SSL 4 48
Compliance check 1 12
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now