ScyScan's Blog


Configuring HTTPS in Tomcat and Jetty: A Practical Guide


A concise guide to securing your Java web applications with SSL/TLS certificates

Securing web applications with HTTPS is essential for protecting data in transit and building user trust. Both Tomcat and Jetty, as popular Java web servers, provide robust support for SSL/TLS encryption. This guide walks you through the practical steps to configure HTTPS in both environments, ensuring your applications maintain confidentiality and integrity while meeting modern security standards.

📦 HTTPS and SSL Basics

HTTPS (Hypertext Transfer Protocol Secure) encrypts data between a client and server using SSL/TLS protocols. An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection. These certificates ensure passwords, credit card numbers, and personal data remain secure during transmission.

🔧 Configuring HTTPS in Tomcat

Generate SSL Certificate

Tomcat uses Java’s keytool to manage certificates. Generate a keystore and certificate with:

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore tomcat.p12 -validity 3650

This creates a PKCS12 format keystore file (tomcat.p12) with a self-signed certificate valid for 10 years.

Configure server.xml

Edit Tomcat’s conf/server.xml file to add a secure connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/tomcat.p12"
           keystorePass="your_keystore_password"
           keystoreType="PKCS12" />

Key parameters:

  • port: HTTPS listening port (usually 443 or 8443)
  • keystoreFile: Path to your keystore file
  • keystorePass: Password for the keystore
  • keystoreType: Storage format (PKCS12 or JKS)

Force HTTPS Redirect

Add this security constraint to web.xml to redirect HTTP to HTTPS automatically:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureWebApp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Also add redirectPort="8443" to your HTTP connector in server.xml.

🚀 Configuring HTTPS in Jetty

Enable SSL Module

Jetty takes a modular approach. Add HTTPS support using:

java -jar start.jar --add-to-start=https
java -jar start.jar --add-to-start=ssl

These commands enable the necessary modules in Jetty’s configuration.

Configure SSL Properties

Set these JVM system properties for Jetty’s SSL configuration:

org.eclipse.jetty.ssl.keystore=/path/to/keystore
org.eclipse.jetty.ssl.password=your_keystore_password
org.eclipse.jetty.ssl.keypassword=your_key_password

These properties specify the keystore location and access passwords.

Using Camel JSSE (Advanced)

For programmatic configuration, use Camel’s JSSE utility:

// Keystore holding the server's private key and certificate
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource("/users/home/server/keystore.jks");
ksp.setPassword("keystorePassword");

// Key manager that unlocks the private key inside that keystore
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyStore(ksp);
kmp.setKeyPassword("keyPassword");

SSLContextParameters scp = new SSLContextParameters();
scp.setKeyManagers(kmp);

// Attach the SSL context to the Jetty component registered in the Camel context
JettyComponent jettyComponent = getContext().getComponent("jetty", JettyComponent.class);
jettyComponent.setSslContextParameters(scp);

This approach provides fine-grained control over SSL parameters.

✅ Verify Your Configuration

After configuring HTTPS, verify your setup:

  1. Access your application via https://yourdomain:port
  2. Look for the lock icon in the browser’s address bar
  3. Check that all resources load securely without mixed content warnings

For comprehensive security validation, use online tools like SSL Labs SSL Server Test or the free ScyScan SSL Checker to analyze your SSL certificate’s status, expiration date, issuer information, and overall configuration security.

💡 Best Practices

  1. Renew early: Don’t wait until the last minute to renew certificates
  2. Use strong encryption: Select certificates with robust encryption algorithms
  3. Check for mixed content: Ensure all elements load via HTTPS
  4. Implement HSTS: Force HTTPS connections for increased security
  5. Monitor expiration dates: Set up alerts to prevent unexpected downtime
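
For the verification step and the expiration-monitoring item above, the following added example (not part of the original guide) reads the certificate a server presents and reports issuer, days until expiry and negotiated protocol using only Python's standard library. The function names, the 30-day warning threshold and the sample certificate dict are constructed; a self-signed certificate like the keytool one from this guide is reported as untrusted because the default trust store does not contain it.

```python
import socket
import ssl
import time

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def summarize(cert, now=None, warn_days=30):
    """Summarize issuer and remaining lifetime of a getpeercert() dict."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    status = "expired" if days_left < 0 else "renew" if days_left <= warn_days else "ok"
    return {"issuer": issuer.get("commonName"), "days_left": days_left,
            "self_signed": cert["issuer"] == cert["subject"], "status": status}

def probe(host, port=8443, timeout=5, warn_days=30):
    """Connect with full verification and return a report for alerting."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report = summarize(tls.getpeercert(), warn_days=warn_days)
                report["protocol"] = tls.version()
                return report
    except ssl.SSLCertVerificationError as exc:
        # Raised for self-signed, expired or hostname-mismatched certificates.
        return {"status": "untrusted", "reason": exc.verify_message}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT))
```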

🔚 Conclusion

Configuring HTTPS in both Tomcat and Jetty involves generating SSL certificates, modifying server configuration files, and optionally setting up HTTP to HTTPS redirects. While the specific implementation details differ between the two servers, the fundamental principles of SSL encryption remain consistent.

Regular verification of your SSL configuration ensures ongoing security compliance and protects your users’ data effectively. Tools like ScyScan SSL Checker provide convenient ongoing monitoring to maintain your site’s security posture.

For more detailed instructions and advanced configurations, consult the official Tomcat and Jetty documentation.