Tomee Tomcat

Posted : admin On 1/25/2022

Apache TomEE is a Java EE Web Profile-certified stack built on top of an Apache Tomcat base and integrated with additional related technologies. It adds implementations for the following specifications (using the Apache project shown in parentheses): CDI (Apache OpenWebBeans), EJB (Apache OpenEJB). Apache TomEE, pronounced 'Tommy', is an all-Apache Java EE 6 Web Profile certified stack where Apache Tomcat is top dog. Apache TomEE is assembled from a vanilla Apache Tomcat zip file. We start with Apache Tomcat, add our jars and zip up the rest. The result is Tomcat with added EE features - TomEE.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are technologies which allow web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.

Another important aspect of the SSL/TLS protocol is Authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a 'Certificate', as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as 'Client Authentication,' although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.

In most of your Java EE projects you will probably have part of the system, or all of it, running with SSL support (https) so browsers and servers can communicate over a secured connection. This means that the data being sent is encrypted, transmitted and finally decrypted before it is processed.
The problem is that sometimes the official 'keystore' is only available for the production environment and cannot be used on development/testing machines. One possible step is then for one member of the team to create an unofficial 'keystore' and share it with all members so everyone can test locally using https, and the same for testing/QA environments.
But with this approach you run into one problem: when you run the application you will receive a warning/error message that the certificate is untrusted. You can live with this, but we can do better and avoid this situation by creating a self-signed SSL certificate.
In this post we are going to see how to create and enable SSL in Apache TomEE (and Tomcat) with a self-signed certificate.
The first thing to do is to install openssl. This step will depend on your OS. In my case I run Ubuntu 14.04.
Then we need to generate a 1024-bit RSA private key, encrypted with the Triple-DES algorithm and stored in PEM format. I am going to use the {userhome}/certs directory to generate all required resources, but it can be changed without any problem.

Generate Private Key
openssl genrsa -des3 -out server.key 1024
Here we must enter a password; for this example I am going to use apachetomee (please don't do that in production).

Generate CSR
The next step is to generate a CSR (Certificate Signing Request). Ideally this file would be generated and sent to a Certificate Authority such as Thawte or Verisign, who would verify the identity. But in our case we are going to self-sign the CSR with the previous private key.

openssl req -new -key server.key -out server.csr
One of the prompts will be for 'Common Name (e.g. server FQDN or YOUR name)'. It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. On a development machine you can set 'localhost'.

Now that we have the private key and the CSR, we are ready to generate an X.509 self-signed certificate valid for one year by running the next command:
Generate a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
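
As an added example (not part of the original post), the three openssl steps above can be scripted without prompts and the result checked before it goes into the keystore. The 2048-bit key, AES-256 key encryption, the KEY_PASS variable, the san.ext file and the subjectAltName entry are assumptions of this example; the SAN is included because Chrome matches the host name against subjectAltName rather than Common Name.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: pass phrase is read from $KEY_PASS; key size, cipher and the
# subjectAltName extension are choices made for this example.

make_dev_cert() {               # usage: make_dev_cert <dir> <hostname>
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077               # new key files readable by the owner only
        openssl genrsa -aes256 -passout env:KEY_PASS -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -passin env:KEY_PASS \
            -subj "/CN=$host" -out server.csr &&
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext &&
        openssl x509 -req -days 365 -in server.csr -signkey server.key \
            -passin env:KEY_PASS -extfile san.ext -out server.crt 2>/dev/null
    )
}

key_matches_cert() {            # 0 if <key> is the private half of <cert>
    k=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus) || return 1
    [ "$k" = "$c" ]
}

cert_names_host() {             # 0 if <cert> lists DNS:<host> as a SAN
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

cert_valid_for() {              # 0 if <cert> is still valid <seconds> from now
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Typical use (constructed values):
#   KEY_PASS=apachetomee; export KEY_PASS
#   make_dev_cert "$HOME/certs" localhost &&
#   key_matches_cert "$HOME/certs/server.key" "$HOME/certs/server.crt" &&
#   cert_names_host "$HOME/certs/server.crt" localhost &&
#   cert_valid_for "$HOME/certs/server.crt" 86400
```

The resulting server.key and server.crt feed the pkcs12 and keytool steps unchanged.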

To install the certificate inside Apache TomEE (and Tomcat) we need to use a keystore. This keystore is generated using the keytool command. To use this tool, the certificate should be a PKCS12 certificate. For this reason we are going to use openssl to transform the certificate to PKCS12 format by running:

Prepare for Apache TomEE
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name test_server -caname root_ca
We are almost done; now we only need to create the keystore. I have used the same password to protect the keystore as for all other resources, which is apachetomee.

keytool -importkeystore -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcalias test_server -destalias test_server
And now we have a keystore.jks file created at {userhome}/certs.

Installing Keystore into Apache TomEE
The process of installing a keystore into Apache TomEE (and Tomcat) is described in http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html. In summary, the only thing to do is open ${TOMEE_HOME}/config/server.xml and define the SSL connector.

<Service name='Catalina'>
  <!-- HTTPS connector on port 8443, backed by the keystore created above -->
  <Connector port='8443' protocol='HTTP/1.1'
             maxThreads='150' SSLEnabled='true' scheme='https' secure='true'
             keystoreFile='${user.home}/certs/keystore.jks' keystorePass='apachetomee'
             clientAuth='false' sslProtocol='TLS' />
</Service>
Note that you need to set the keystore location, in my case {userhome}/certs/keystore.jks, and the password used to open the keystore, which is apachetomee.

Preparing the Browser

Before starting the server we need to add server.crt as a valid authority in the browser.

In Firefox: Firefox Preferences -> Advanced -> View Certificates -> Authorities (tab) and then import the server.crt file.
In Chrome: Settings -> HTTPS/SSL -> Manage Certificates ... -> Authorities (tab) and then import the server.crt file.
And now you are ready to start Apache TomEE (or Tomcat) and you can navigate to any deployed application but using https and port 8443.
And that's all, now we can run tests (with Selenium) without worrying about untrusted certificate warning.
We keep learning,
Alex.
Dog goes woof, Cat goes meow, Bird goes tweet and mouse goes squeek (What Does the Fox Say - Ylvis)

Music: https://www.youtube.com/watch?v=jofNR_WkoCE