How to configure HTTPS in Tomcat for Liferay DXP 7.3

Introduction

Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber.

This article will describe an example way to set up HTTPS in Tomcat without using an external server like Apache. The following steps are for Liferay DXP 7.3 though minor changes could be made to apply it to other versions of Liferay DXP, the primary change is the contents of the Tomcat's server.xml <Connector> configurations.

Environment

  • DXP 7.3
  • Apache Tomcat 9.x

Resolution

Create a self-signed certificate using keytool

  1. Open a terminal to the tomcat folder of the Liferay DXP 7.3 bundle. Example: /home/user/Liferay/Bundles/liferay-dxp-7.3.10-ga1/tomcat-9.0.37
  2. Within that terminal use the following command: keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
  3. Fill out the requested information and provide new passwords as required. An example of the questions that will be asked for:

What is your first and last name?

  [Unknown]:  joe bloggs

What is the name of your organizational unit?

  [Unknown]:  liferay

What is the name of your organization?

  [Unknown]:  liferay inc

What is the name of your City or Locality?

  [Unknown]:  Chicago

What is the name of your State or Province?

  [Unknown]:  IL

What is the two-letter country code for this unit?

  [Unknown]:  us

Is CN=joe bloggs, OU=liferay, O=liferay inc, L=Chicago, ST=IL, C=us correct?

  [no]:  y

Now that the keystore has been created, export the server's certificate:

4. To do that use the following command from the same terminal as in step 3: keytool -export -alias tomcat -keypass changeit -file server.crt -keystore keystore

Next, import the server's certificate into the JDK’s default trustStore file called cacerts:

5. It is important to note that the terminal being used should be opened to the Liferay bundle’s Tomcat folder. However the target of the command will be the JDK's cacerts file. An example: keytool -import -alias tomcat -file server.crt -keypass changeit -keystore "/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts"

NOTE - If this process has been completed previously the JVM may be expecting the previously used password, which may be “changeit”

Update Tomcat's server.xml file and configure SSL:

6. Next update the Tomcat’s server.xml file (/tomcat-9.0.37/conf/server.xml) with the following. As noted above the following is for the version of Tomcat bundle with Liferay DXP 7.3 older versions of Tomcat may require different Connector settings.

 

6A. Remove the following <Connector: 

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

6B. Add the following and update the keystoreFile and keystorePass values as needed:

<Connector
          protocol="org.apache.coyote.http11.Http11NioProtocol"
          port="8443" maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="${user.home}/.keystore" keystorePass="changeit"
          clientAuth="false" sslProtocol="TLS"/>

Update the Liferay DXP 7.3 bundle to expect SSL communications:

  1. Within the Liferay DXP 7.3 bundle’s portal-ext.property file add the following property which tells the DXP to use https:
web.server.protocol=https

Accessing the initialized bundle:

  1. Access the bundle at https://localhost:8443, it may be necessary to accept browser security notifications and warnings as self-signed certificates are not trusted by most modern browsers.

 

Additional Information

To set the entire site to use HTTPS, set this in portal-ext.properties: web.server.protocol=https

To set only the login page to be HTTPS, set this in portal-ext.properties: company.security.auth.requires.https=true

Within an SSL production environment, if you receive a "Certificate Error" that defines your SSL certificate as not a "Trusted Root", you may need to obtain a digital signature from a certificate authority provider.

Related resources

Was this article helpful?
3 out of 3 found this helpful