Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber.
This article describes how to set up HTTPS on Tomcat without using an external server such as Apache. A page on the public wiki already covers this, but what follows is a more user-friendly guide to HTTPS setup.
Environment
- Liferay DXP 7.0
- Liferay Portal 6.2 EE
Resolution
Create a self-signed certificate using keytool.
- Open a command prompt in your Tomcat folder (e.g. C:\liferay\bundles\liferay-portal-6.0-ee\tomcat-6.0.29) and type in the following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
- It will now prompt you for some information. It doesn't matter what you use for the different fields, but make sure to use changeit as the password, because the Tomcat connector configured below is given keystorePass="changeit".
- Enter keystore password: changeit
- Re-enter new password: changeit
- What is your first and last name?
- [Unknown]: joe bloggs
- What is the name of your organizational unit?
- [Unknown]: liferay
- What is the name of your organization?
- [Unknown]: liferay inc
- What is the name of your City or Locality?
- [Unknown]: diamond bar
- What is the name of your State or Province?
- [Unknown]: ca
- What is the two-letter country code for this unit?
- [Unknown]: us
CN=joe bloggs, OU=liferay, O=liferay inc, L=diamond bar, ST=ca, C=us correct? [no]: yes
Now configure Tomcat to use the certificate we just generated. Edit TOMCAT_HOME\conf\server.xml.
Uncomment the SSL section and add in the keystoreFile parameter so that it looks like this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:/liferay/bundles/liferay-portal-6.0-ee/tomcat-6.0.29/keystore" keystorePass="changeit" />
Now we'll be importing the certificate into the JVM's keystore. This tells the JVM that this is a "trusted" certificate so that when Liferay makes https requests to Tomcat it will proceed without errors:
Export the key from the keystore you generated in step 1. This extracts the certificate so that you can import it into the JVM's store.
keytool -export -alias tomcat -keypass changeit -file server.crt -keystore keystore
Import the cert into the JVM. "cacerts" is the filename of the JVM keystore (it should be in %JAVA_HOME%\jre\lib\security\cacerts).
keytool -import -alias tomcat -file server.crt -keypass changeit -keystore "C:\Program Files\Java\jre6\lib\security\cacerts"
*Depending on your local configuration, you may have to change access permissions for the cacerts file.
You should now be able to access the website using https://localhost:8443
Additional Information
- To set the entire site to use HTTPS, set this in portal-ext.properties:
web.server.protocol=https
- To set only the login page to be HTTPS, set this in portal-ext.properties:
company.security.auth.requires.https=true
- Within an SSL production environment, if you receive a "Certificate Error" that defines your SSL certificate as not a "Trusted Root", you may need to obtain a digital signature from a certificate authority provider.
- See also: How to Configure HTTPS in Tomcat for Liferay DXP 7.3