Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.
0 votes
How to setup a certificate on Tomcat so mobile devices access the server via SSL?
by (2.9k points)

1 Answer

0 votes

Tomcat uses a proprietary key format "JKS" (Java Key Store).

The certificate (public key), the certificate chain (if available) and the private key are converted to JKS as follows:

1. Convert the key and the certificates into the PKCS12 format

openssl pkcs12 -export -out server.p12 -inkey domain.com.key -in ServerCertificate.cer [-certfile CAchain.crt]

The certificate chain of the certificate authorities must be supplied if it is available. This chain is created by concatenating all available CA certificates into one file:

cat CACertificate-ROOT-2.cer CACertificate-INTERMEDIATE-1.cer > CAchain.crt

2. Convert PKCS12 into JKS

keytool -importkeystore -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12

Here the passwords for the source and destination keystores must be entered.

3. Add the path to the JKS file and the password to the Tomcat settings (/etc/tomcat8/server.xml):

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="your-domain.com">
        <SSLHostConfig hostName="your-domain.com">
            <Certificate certificateKeystoreFile="/var/lib/tomcat8/ssl/server.jks"
                         type="RSA" certificateKeystorePassword="******" />
        </SSLHostConfig>
    </Connector>

4. Change the URL in the Headwind MDM configuration file (ROOT.xml or hmdm.xml) from HTTP to HTTPS:

<Parameter name="base.url" value="https://your-domain.com"/>

5. Restart Tomcat:

service tomcat8 restart

6. Forward port 443 to 8443, also for the local network interface (here's why):

/sbin/iptables -A PREROUTING -t nat -i eno1 -p tcp -m tcp -d your-domain.com --dport 443 -j REDIRECT --to-ports 8443

/sbin/iptables -A OUTPUT -t nat -o lo -p tcp -m tcp -d your-domain.com --dport 443 -j REDIRECT --to-ports 8443

7. Check that the iptables setup is restored after reboot. Make iptables settings permanent if required.

by (2.9k points)
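The steps in the answer above work, but two things bite in practice: a key that does not belong to the certificate only fails when Tomcat starts, and a chain file that is missing the intermediate only fails on the devices, because Android does not fetch missing intermediates. The script below is an added example (not code from the answer or from the Headwind MDM project) that checks both before building the keystore, performs steps 1 and 2 in one go, and after step 6 checks what the server actually presents on port 443. File names, the keystore alias "tomcat", and the presence of openssl and keytool on PATH are assumptions; the test PKI it can generate is constructed for trying the functions offline only.

```shell
#!/bin/sh
# Added example, not code from the Headwind MDM answer or project.
# Assumptions: the file names below, the keystore alias "tomcat", and that
# openssl and keytool (from a JDK) are on PATH.
set -eu

# Check that a private key belongs to a certificate by comparing the
# SHA-256 of their DER-encoded public keys (works for RSA and EC keys).
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Check that the concatenated CA chain (root + intermediates) validates the server certificate.
chain_verifies() {
    chain="$1"; cert="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Steps 1 and 2 of the answer: build the PKCS12 and the JKS, then confirm the JKS
# holds a PrivateKeyEntry under the alias Tomcat will use.
build_keystore() {
    key="$1"; cert="$2"; chain="$3"; p12="$4"; jks="$5"; pass="$6"
    key_matches_cert "$key" "$cert" || { echo "private key does not match certificate" >&2; return 1; }
    chain_verifies "$chain" "$cert"  || { echo "CA chain does not validate certificate" >&2; return 1; }
    # If keytool on an old JDK 8 rejects a .p12 written by OpenSSL 3, add -legacy to this command.
    openssl pkcs12 -export -name tomcat -inkey "$key" -in "$cert" -certfile "$chain" \
        -out "$p12" -passout "pass:$pass"
    # -deststoretype JKS: since JDK 9 keytool would otherwise write a PKCS12 file.
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass"
    keytool -list -keystore "$jks" -storepass "$pass" -alias tomcat | grep -q PrivateKeyEntry
}

# After step 6: confirm the server on port 443 presents the leaf plus at least one CA
# certificate. Android does not download a missing intermediate, so a server that sends
# only the leaf is rejected by the devices even though a desktop browser may accept it.
server_sends_chain() {
    host="$1"; port="${2:-443}"
    n=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    [ "$n" -ge 2 ]
}

# Constructed test PKI (throwaway root CA + server certificate) for trying the
# functions above offline; never use it for a real deployment.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=your-domain.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    cat "$dir/ca.crt" > "$dir/CAchain.crt"
}

# Usage: sh build-jks.sh build domain.com.key ServerCertificate.cer CAchain.crt server.jks 'password'
if [ "${1:-}" = "build" ]; then
    build_keystore "$2" "$3" "$4" server.p12 "$5" "$6"
fi
```

Run it with the `build` argument to produce server.p12 and server.jks from the files named in the answer; once Tomcat is restarted and the iptables redirect is in place, `server_sends_chain your-domain.com` is the check to run from outside the server, because the redirect rule for the local interface only matters for the server talking to itself.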