Liferay Tomcat SSL Configuration: Keystore and SSLCertificateFile

Liferay Tomcat HTTPs Configuration

Keystore and SSLCertificateFile Approaches


Overview

This article explains how to configure HTTPs/SSL for Liferay bundled with Tomcat, using two different approaches: 

  • “Keystore” approach - for the generated “self-signed” certificates;

  • “SSLCertificateFile” approach - for certificates obtained externally.


SSL Configuration with Keystore


Use this approach, when you don’t have a real SSL certificate, but you need to enable the HTTPs for your Tomcat server (e.g. on a local machine or the development server). 


  1. Generate keystore


First, you need to generate a keystore with the keytool command:


cd $JAVA_HOME/bin

keytool -genkey -alias ALIAS -keyalg RSA keystore PATH_TO_KEYSTORE/.keystore 


ALIAS - alias for you certificate;

PATH_TO_KEYSTORE - path to the directory, where .keystore will be created


  1. Export keystore:


keytool -export -alias ALIAS -keystore PATH_TO_KEYSTORE/.keystore -file server.crt



  1. Import keystore:


keytool -import -alias ALIAS -file server.crt -keystore $JAVA_HOME/jre/lib/cacerts


  1. Configure SSL in Tomcat


Go to ${TOMCAT}/conf directory, and modify server.xml file.


Comment the following line:


<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->


Uncomment the SSL Connector code:


<!-- <Connector port="8443" ...


and configure it in this way:


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

          maxThreads="150" scheme="https" secure="true"

          clientAuth="false" sslProtocol="TLS"

          keystoreFile="PATH_TO_KEYSTORE"

          keystorePass="KEYSTORE_PASSWORD"

/>


, where PATH_TO_KEYSTORE - path to generated .keystore file, 

PASSWORD - keystore password.


  1. Restart TOMCAT, check URL in browser: https://localhost:8443



SSL Configuration with Certificate Files


Use this approach, if you have SSL certificate files, and need to configure HTTPs for your Tomcat server using those certificates.


Note: this article describes instructions for Linux, they may differ for Windows/MacOS.


  1. Copy certificates


You should have two files:

  • xxx.crt - certificate file;

  • xxx.key - private key file.

Copy them both into the TOMCAT/conf folder.


  1. Install the following libraries (if missing):


sudo apt-get install libtcnative-1

sudo apt-get install libapr1-dev libssl-dev 

sudo apt-get install gcc

sudo apt-get install make


  1. Apache Portable Runtime (APR) Configuration


3.1. Download APR from https://apr.apache.org/download.cgi

(download link: https://www2.apache.paket.ua//apr/apr-1.7.0.tar.gz )


3.2. Unpack apr-1.7.0.tar.gz to the TOMCAT/bin folder.


3.3. Run the configure command:

sudo ./configure


Note: it you have “rm: cannot remove XXX” error during the command above - modify the “configure” file and change $RM "$cfgfile" to $RM -f "$cfgfile" and run the command again.


3.3. Run make commands:

sudo make

sudo make install 


  1. Tomcat Native Configuration


4.1. Go to TOMCAT/bin folder.


4.2 Unpack the tomcat-native:

tar xf tomcat-native.tar.gz

4.3. Go to tomcat-native-src/native folder:

cd tomcat-native-1.2.24-src/native


4.4. Run the configure command


./configure --with-apr=/usr/bin/apr-1-config \

            --with-java-home=/home/user/java/jdk1.8.0_144/ \

            --with-ssl=yes \

            --prefix=/home/user/liferay/tomcat-9.0.37

(change Java and Tomcat paths to your ones)


4.4. Run make commands:

sudo make

sudo make install 


4.5. The following files should be generated in TOMCAT/lib folder:


    libtcnative-1.a

    libtcnative-1.la

    libtcnative-1.so 

    libtcnative-1.so.0 

    libtcnative-1.so.0.2.24


4.6. Copy generated files to the TOMCAT/bin folder, verify permissions on them.



  1. Tomcat Configuration


5.1. Modify TOMCAT/bin/setenv.sh in the following way:

CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/home/user/liferay/tomcat-9.0.37/bin ..."

export LD_LIBRARY_PATH='$LD_LIBRARY_PATH:/usr/local/apr/lib'

export JAVA_HOME=/home/user/java/jdk1.8.0_144

export JRE_HOME=/home/user/java/jdk1.8.0_144/jre

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib

export LD_RUN_PATH=$LD_RUN_PATH:/usr/local/apr/lib

- add -Djava.library.path param pointing to TOMCAT/bin;

- export LD_LIBRARY_PATH / JAVA_HOME / JRE_HOME / LD_LIBRARY_PATH / LD_RUN_PATH variables.


5.2. Modify TOMCAT/conf/server.xml file.


Make sure AprLifecycleListener is enabled:


<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />


Add SSL Connector configuration:

<Connector

       protocol="org.apache.coyote.http11.Http11AprProtocol"

       port="8443" maxThreads="200"

       scheme="https" secure="true" SSLEnabled="true"

       SSLCertificateFile="PATH_TO_CERT/my-cert.crt"

       SSLCertificateKeyFile="PATH_TO_CERT/my-cert.key"

       SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />


, where PATH_TO_CERT - path to folder with your certificates.


5.3. Restart TOMCAT, check URL in browser: https://localhost:8443


Enjoy 😏

Comments

Post a Comment

Popular posts from this blog

Liferay Search Container Example

Or how to implement a custom search container in Liferay Overview   Search Containers are used in Liferay to display the table data. This article shows a simple example of how to implement a custom search container.  Example < liferay-portlet :renderURL varImpl ="iteratorURL" /> < liferay-ui :search-container total =" <%= ProjectLocalServiceUtil. getProjectsCount (scopeGroupId) %> "                              delta ="10"                              emptyResultsMessage ="no-projects-found"                              iteratorURL =" <%= iteratorURL %> " >     < liferay-ui :search-container-results             results =" <%= ProjectLocalServiceUtil. getProjects (scopeGroupId, searchContainer.getStart(), searchContainer.getEnd()) %> " />     < liferay-ui :search-container-row className ="com.sample.sb.model.Project" modelVar ="project" keyP
Read more

Liferay DXP - max upload file size

Image
Liferay DXP - increase Maximum Upload Request Size By default, Liferay has limit to 100 MB for file upload. Sometimes you need to upload larger files, and this restriction can be changed in configuration. Go to Control Panel -> Configuration -> System Settings -> Infrastructure. Click on "Upload Servlet Request". Modify " Overall Maximum Upload Request Size"  value and set which you need: Save the configuration. Now you should be able to upload large files to your Liferay DXP instance.
Read more

Liferay Keycloak integration

Image
Liferay Keycloak integration using OpenID Overview This tutorial explains how to configure OpenID SSO between Liferay 7.2 and Keycloak 7.0.1 Installation instructions KeyCloak Configuration 1. Install and startup Keycloak server Download latest Keycloak server:  https://www.keycloak.org/downloads.html Unzip keycloak-7.0.1.zip folder. Run  keycloak-7.0.1/bin/standalone.sh  (or  keycloak-7.0.1/bin/standalone.bat ) file. Keycloak should be started on 8080 port:  http://localhost:8080 2. Create default admin user: and sign in to Admin Console. 3. Check OpenID configuration Click on "OpenID Endpoint Configuration": JSON configuration should appear, like this: { "issuer": "http://localhost:8080/auth/realms/master", "authorization_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth", "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-con
Read more