Solved

Snakeoil SSL and Tomcat 7

Posted on 2014-01-17
Last Modified: 2014-01-24
Hello Experts,

I'm a newbie to SSL so be gentle with me! I'm not sure about terminology yet but here goes...

I want to add SSL security to a web application written as a servlet and running under Tomcat 7.0 (Windows 32-bit). We are developing the application ourselves and want to set up a test system that operates SSL but with minimum cost. Later we will go to a production system and the customer will pay for a certificate(?) for whatever level of 'Assurance' he/she wants.

I'm told that there is a 'product' (?) called Snakeoil SSL which is free but provides some kind of basic SSL functionality - my hope is that it will allow us to go through the process of 'installing' SSL on Tomcat, pointing a browser at the servlet URL and bringing up the https:// prefix in the address bar. That would do the job for us.

I've googled 'Snakeoil SSL Installation' and can't get any clear info about where to start - all the references I see deal with Linux and rely on having a Snakeoil package available with the O.S.

Does a version of Snakeoil for Tomcat (Windows 32-bit) exist?
Where are the instructions for installation?

Thank you very much.
Stephen
0
Question by:SteveFarndon2000
4 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 1500 total points
ID: 39790063
Tomcat requires a certificate in a Java keystore - you *can* issue those yourself, and that still isn't snakeoil.

I suspect you are referring to the default keys that come with Apache; those are literally called snakeoil in the file system and documentation, because anyone with a copy of Apache has them (so can decode the traffic).

You should (if you wish to test Tomcat without paying for keys) issue your own keys using the keytool IUI tool, the standard Java keytool, openssl, or whatever you prefer (I recommend the GUI keytool IUI, but the end result is the same no matter how you do it).

By custom, the key should be in the keystore with a name of "tomcat" - you configure the Tomcat installation to know where to find its keystore (which is a JKS type Java keystore for purposes of KT IUI) and what the password is. The CN on the certificate with the key should match the expected name of the website once it is entered into a browser.

Official documentation can be found here
0
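The steps in the accepted answer, written out as an added example (not part of the original thread and not the answerer's own commands), using the standard Java keytool from PowerShell on Windows. The install directory, keystore file name, password, validity period and port 8443 are assumptions to replace.

```powershell
# Added example: test-only self-signed key for Tomcat 7 (not for production).
# Assumptions: keytool from the JDK/JRE is on PATH; the install path, host
# name, file name and password below are placeholders to replace.
$catalinaHome = 'C:\Tomcat7'                     # assumed install directory
$hostName     = 'localhost'                      # name typed into the browser
$keystore     = Join-Path $catalinaHome 'conf\tomcat-test.jks'
$storePass    = 'REPLACE-WITH-TEST-PASSWORD'     # placeholder

# 1. Generate an RSA key pair and self-signed certificate under alias "tomcat".
#    The CN must equal the host name in the URL. -ext needs Java 7+ keytool
#    and adds the subjectAltName that current browsers match on.
& keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 90 `
    -dname "CN=$hostName" -ext "SAN=dns:$hostName" `
    -keystore $keystore -storetype JKS `
    -storepass $storePass -keypass $storePass
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed" }

# 2. Confirm the entry: expect "Alias name: tomcat", entry type
#    PrivateKeyEntry, and Owner equal to Issuer (self-signed).
& keytool -list -v -alias tomcat -keystore $keystore -storepass $storePass

# 3. Connector for conf\server.xml (inside <Service name="Catalina">).
#    The protocol is named explicitly so Tomcat uses the Java (JSSE)
#    connector, which reads a JKS keystore; the APR/native connector does not.
$connector = @"
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/tomcat-test.jks" keystoreType="JKS"
           keystorePass="$storePass" keyAlias="tomcat" />
"@
Write-Output $connector
```

A relative `keystoreFile` is resolved against the Tomcat base directory. After a restart, the browser will show https:// with a trust warning, because the certificate is self-signed rather than issued by a CA the browser knows.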
 

Author Comment

by:SteveFarndon2000
ID: 39794096
Thanks, Dave. Just waiting for any other comments.
0
 

Author Comment

by:SteveFarndon2000
ID: 39803723
That's fine, Dave. I'll try the GUI keytool IUI as you recommend. You have the points. Thank you.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39806252
Feel free to ask for further clarification here if you hit any speed bumps - always happy to help :)
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question