Enabling SSL in Tomcat 4.x on Unix

This FlashGuide™ covers adding SSL capabilities to Tomcat 4.1.x on Unix.


1. Installing Tomcat 4 on Linux

  1. Download the latest Tomcat binary from the Tomcat 4 section of http://jakarta.apache.org/site/binindex.cgi. Currently, Tomcat 4.1.31 is the latest.
  2. Install Tomcat by unpacking the downloaded tar.gz file and placing it in the desired directory (I used /usr/local)
    cd /usr/local
    tar zxf ./jakarta-tomcat-4.1.31.tar.gz
       
  3. Note the location of your Tomcat installation - we will refer to this as $CATALINA_HOME
  4. Optionally, save time on typing by creating a symbolic link like this:
    ln -s jakarta-tomcat-4.1.31 tomcat4
       

2. Configuring Tomcat 4 for SSL (with keytool)

  1. If you are using Java 1.3.x, download the latest Java Secure Sockets Extension (JSSE) 1.0.2 at http://java.sun.com/products/jsse/
  2. Install JSSE by unpacking it into the desired directory
  3. Copy jcert.jar, jnet.jar and jsse.jar to $JAVA_HOME/jre/lib/ext
    cd jsse1.0.2/lib
    cp *.jar $JAVA_HOME/jre/lib/ext
      
  4. Add the bin directory of the JSSE installation to your $PATH:
    export PATH=$PATH:/usr/local/jsse1.0.2/bin
      
  5. Generate an RSA key pair and a self-signed certificate for it:
    cd jsse1.0.2/bin
    keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/keystore -storepass mysecretpass

    Set the -keystore parameter to wherever you want the generated keys to be stored. Set -storepass to whatever password you want. When prompted, provide the other requested info (name, company, location, etc.). keytool will finally ask for a key password for the "tomcat" entry: press Enter so that it is the same as the keystore password, because Tomcat 4 uses the single keystorePass value to open both the keystore and the key.

  6. Edit $CATALINA_HOME/conf/server.xml and uncomment the SSL connector (it is present but commented out by default):

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
      port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      useURIValidationHack="false" disableUploadTimeout="true">
     <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
       clientAuth="false" protocol="TLS"
       keystoreFile="/etc/keystore" keystorePass="mysecretpass"/>
    </Connector>
      

    Set port and the other parameters as desired. Note that if you change the port you must also change the redirectPort attribute of the non-HTTPS connector to the same value, otherwise requests for secure resources will be redirected to a port nothing is listening on. In the Factory tag, set keystoreFile to the same path you gave keytool's -keystore parameter. keystorePass must match the -storepass you gave keytool; it can only be omitted if you left the keystore password at Tomcat's default of "changeit".
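The script below is an added example, not part of the original FlashGuide, that encodes the rules from steps 5 and 6 so they can be checked before starting Tomcat. `keytool_genkey_args` builds a non-interactive keytool command line in which the key password equals the keystore password (the constraint Tomcat 4 imposes, since CoyoteServerSocketFactory only has keystorePass). `check_ssl_config` parses a server.xml and verifies that the SSL connector's keystoreFile and keystorePass match what keytool was given, that the connector has scheme="https", and that every non-SSL connector's redirectPort points at an SSL connector port. The sample server.xml, the function names and the -dname value are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Tomcat falls back to this keystore password when keystorePass is omitted.
DEFAULT_KEYSTORE_PASS = "changeit"

# Constructed sample modelled on the server.xml fragment above: a plain
# connector on 8080 whose redirectPort points at the SSL connector on 8443.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
      port="8080" minProcessors="5" maxProcessors="75" enableLookups="true"
      redirectPort="8443" acceptCount="100" debug="0"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
      port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
        clientAuth="false" protocol="TLS"
        keystoreFile="/etc/keystore" keystorePass="mysecretpass"/>
    </Connector>
  </Service>
</Server>
"""


def keytool_genkey_args(alias, keystore, storepass, dname):
    """Build a non-interactive keytool -genkey command line (hypothetical helper).

    The key password is set equal to the keystore password: Tomcat 4's
    CoyoteServerSocketFactory has only keystorePass and uses it to unlock
    both the keystore and the private key.
    """
    return [
        "keytool", "-genkey", "-alias", alias, "-keyalg", "RSA",
        "-keystore", keystore, "-storepass", storepass,
        "-keypass", storepass,   # must match -storepass for Tomcat 4
        "-dname", dname,         # answers the name/company/location prompts
    ]


def check_ssl_config(server_xml, keystore_path, keystore_pass):
    """Return a list of problems in server.xml's SSL setup (empty = consistent).

    keystore_path and keystore_pass are the -keystore and -storepass values
    given to keytool, so this ties step 6 back to step 5.
    """
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("secure") == "true"]
    plain = [c for c in connectors if c.get("secure") != "true"]
    if not ssl:
        return ['no Connector with secure="true": the SSL connector is probably still commented out']

    problems = []
    ssl_ports = {c.get("port") for c in ssl}
    for c in ssl:
        port = c.get("port")
        if c.get("scheme") != "https":
            problems.append(f'port {port}: scheme must be "https" on an SSL connector')
        factory = c.find("Factory")
        if factory is None:
            problems.append(f"port {port}: missing <Factory>, Tomcat cannot open the keystore")
            continue
        if factory.get("keystoreFile") != keystore_path:
            problems.append(
                f"port {port}: keystoreFile {factory.get('keystoreFile')!r} "
                f"does not match keytool's -keystore {keystore_path!r}")
        # An omitted keystorePass means Tomcat will try "changeit".
        if factory.get("keystorePass", DEFAULT_KEYSTORE_PASS) != keystore_pass:
            problems.append(f"port {port}: keystorePass does not match keytool's -storepass")
    # The guide's rule: a changed SSL port must be mirrored in redirectPort.
    for p in plain:
        if p.get("redirectPort") not in ssl_ports:
            problems.append(
                f"port {p.get('port')}: redirectPort {p.get('redirectPort')!r} "
                f"is not the port of any SSL connector")
    return problems


if __name__ == "__main__":
    print(" ".join(keytool_genkey_args("tomcat", "/etc/keystore", "mysecretpass",
                                       "CN=localhost, O=Example, C=US")))
    issues = check_ssl_config(SAMPLE_SERVER_XML, "/etc/keystore", "mysecretpass")
    for line in issues or ["server.xml is consistent with the keytool settings"]:
        print(line)
```

To check a real installation, read $CATALINA_HOME/conf/server.xml into `check_ssl_config` and pass the path and password you used with keytool; an empty result means the three things that most often keep the 8443 connector from starting (wrong keystore path, wrong password, mismatched redirectPort) are all consistent.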


3. Testing

  1. Start Tomcat:
    cd $CATALINA_HOME/bin
    catalina.sh start
      
  2. Point your browser to https://localhost:8443 (or whatever port you chose). If everything works right, you'll be prompted to accept the self-signed certificate and you should then see the Tomcat splash page.
