
I have an application stack where, because we want to eventually roll over to continuous delivery and rollover of the application with 0 downtime, we have a Tomcat 9 Server. The Tomcat is hosting some applications such as

  • Main application
  • Microservice that helps with some fundamental code that we want to partition for easy maintenance and updating (the microservice for the record is using SpringBoot as well, as a deployable WAR)

I also want to deploy the Main application as a WAR and let my Tomcat host it. Our application uses ActiveMQ for messaging, and I am having a hard time figuring out the best way to configure SpringBoot and my Tomcat 9 for the service.

Before I was using embedded Tomcat where, after a painful amount of time generating keys (a very painful process), I was able to simply add this to the application.properties:

    ##################################################################################################################
    # SPRING SSL PROPERTIES
    # Properties related to SSL settings (used by ActiveMQ, potentially also by other secure areas in the application)
    ##################################################################################################################
    server.ssl.key-store=classpath:tomcat.jks
    server.ssl.key-store-type=JKS
    server.ssl.key-store-password=changeit
    server.ssl.key-alias=tomcat
    server.ssl.key-store-provider=SUN
    server.ssl.trust-store=classpath:tomcat.ts
    server.ssl.trust-store-type=JKS

Since this was running locally and had all my files, this worked. Now? I need a similar config to work on Tomcat 9 rather than embedded Tomcat.

Trying to move my keys over, I tried to modify Tomcat's server.xml to have the following:

    <Connector port="8443"
               maxThreads="150"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keyAlias="tomcat"
               keystoreFile="conf/tomcat.jks"
               keystorePass="changeit"
               keystoreType="JKS"
               clientAuth="false"
               sslProtocol="TLS"/>

But sadly this does not work. The stacktrace is a classic case of "Your cert sucks...":

    SEVERE: Could not refresh JMS Connection for destination 'jms/queue/xxx/general' - 
    retrying using FixedBackOff{interval=5000, currentAttempts=3, maxAttempts=unlimited}. 
    Cause: Could not connect to broker URL: ssl://virtlocal.xxx.com:61617. Reason: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have looked at some answers to this issue, but they all say the same thing (and they're using p12 or p57 when I'm trying to use JKS, and yes, that's pretty outdated).

I will keep looking around, but my question is two-fold:

  1. How can I enable Tomcat 9 to listen to the server via SSL correctly?
  2. Does SpringBoot need the same information to listen, or will Tomcat 9 be smart enough to redirect this to the hosted application?

Thanks to everyone in advance. If I figure out an answer on my own I will update this question.

Update 12/16/2019: After discussion and making things clear, it seems that we don't need to enable the SSL in Spring Boot if the intent is to have both the main application and the microservice hosted on a Tomcat 9 Server. We can simply just apply the Host Endpoint and the credentials. So the good news is that I think I can ignore the SSL settings in my application.properties and remove them.

However, now I'm trying to make things work with my Tomcat upon startup. The documentation seems to be suggesting that you need to do this for your server.xml:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeyAlias="localhost"
                         certificateKeystoreFile="conf/keystore/tomcat.jks"
                         certificateKeystorePassword="changeit"
                         certificateKeystoreType="JKS"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

where my key was gen'd with the following:

    $JAVA_HOME/bin/keytool -genkey -alias localhost -keyalg RSA -keystore tomcat.jks

However, I'm getting the same error and am not sure how to go around fixing it. This is a local environment, so following the Tomcat 9 Documentation has helped, but I am still not sure what I'm doing wrong to have IntelliJ boot up the Tomcat with my WAR file correctly.

1 Answer

So my answer was to perform the following to run my Spring Boot application on a NON-embedded Tomcat 9:

  1. Generated a self-signed key via the following command

         sudo $JAVA_HOME/bin/keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype PKCS12 -validity 3650 -keystore tomcat.p12 -storepass changeit

  2. I pulled the certificate for my broker from my broker, and then imported it into a trust store using the following command

         sudo $JAVA_HOME/bin/keytool -import -alias broker -keystore tomcat.ts -file broker.crt

  3. Now I have a generated cert, and a trust store that lets Tomcat know that my broker can be trusted. The next step was to modify my settings.xml file to provide the location and details of the keystore and trust store like so

         <Connector port="8443"
                    protocol="org.apache.coyote.http11.Http11NioProtocol"
                    maxThreads="150"
                    SSLEnabled="true">
             <!-- In Tomcat 9 the truststore* attributes belong on SSLHostConfig, not on Certificate -->
             <SSLHostConfig truststoreFile="conf/keystore/tomcat.ts"
                            truststorePassword="changeit"
                            truststoreType="JKS">
                 <Certificate certificateKeyAlias="tomcat"
                              certificateKeystoreFile="conf/keystore/tomcat.p12"
                              certificateKeystorePassword="changeit"
                              certificateKeystoreType="PKCS12" />
             </SSLHostConfig>
         </Connector>

  4. Lastly under IntelliJ for my Tomcat 9 configuration I added the following JAVA_OPTS

         -Djavax.net.ssl.trustStore=/opt/tomcat/conf/keystore/tomcat.ts
         -Djavax.net.ssl.trustStorePassword=changeit

With this, I was able to produce an ActiveMQ listener locally on a Tomcat 9 Server, to which my SpringBoot application could send and receive messages.

Your needs and steps might differ, but hopefully this helps someone out down the road.
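As an added example that is not part of the original answer: the trust store built in step 2 can be handed to the ActiveMQ client directly instead of replacing the JVM-wide trust store with `-Djavax.net.ssl.trustStore`, which otherwise affects every outbound TLS connection the Tomcat JVM makes. It assumes `activemq-client` is on the WAR's classpath, uses the broker URL from the question's error message and the trust store path from the answer as defaults, and the `broker.*` property names are my own choice.

```java
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example (not the poster's code): scopes trust for the broker connection to the
// trust store from step 2, instead of the JVM-wide -Djavax.net.ssl.trustStore from step 4.
// The broker.* property names are assumed; define them in application.properties.
@Configuration
public class BrokerTlsConfig {

    // Broker URL taken from the question's error message; override via broker.url
    @Value("${broker.url:ssl://virtlocal.xxx.com:61617}")
    private String brokerUrl;

    // Trust store from the answer; it should contain only the broker's certificate
    @Value("${broker.trust-store:/opt/tomcat/conf/keystore/tomcat.ts}")
    private String trustStore;

    // Keep the password out of source: supply it as a property or environment variable
    @Value("${broker.trust-store-password}")
    private String trustStorePassword;

    // Spring Boot's JMS auto-configuration uses this bean in place of its default factory
    @Bean
    public ActiveMQSslConnectionFactory brokerConnectionFactory() throws Exception {
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(brokerUrl);
        // The factory builds its own TrustManager from this store when it opens the
        // transport; the JVM default trust store and Tomcat's SSLHostConfig stay untouched.
        factory.setTrustStorePassword(trustStorePassword);
        factory.setTrustStore(trustStore);
        return factory;
    }
}
```

With this bean in place, step 4 (the JVM-wide `javax.net.ssl.trustStore` options) is no longer needed for the broker connection.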