Roger$ keytool -genkey -alias MyKeyAlias -keyalg RSA -keystore /Users/Roger/tmp/roger.keystore
Enter keystore password: 
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  MyDepartmentName
What is the name of your organization?
  [Unknown]:  MyCompanyName
What is the name of your City or Locality?
  [Unknown]:  Stafford
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  UK
Is CN=localhost, OU=MyDepartmentName, O=MyCompanyName, L=Stafford, ST=UK, C=UK correct?
  [no]:  Y

Enter key password for 
     (RETURN if same as keystore password): 

<Connector SSLEnabled="true" keystoreFile="/Users/Roger/tmp/roger.keystore" keystorePass="password" port="8443" scheme="https" secure="true" sslProtocol="TLS"/> 

Note that the password "password" is in plain text, which isn't very secure. There are ways around this, but that's beyond the scope of this blog.
If you're using Spring's tcServer, then you'll find that it already has a SSL connector that's configured something like this:

<Connector SSLEnabled="true" acceptCount="100" connectionTimeout="20000" executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15" port="${bio-ssl.https.port}" protocol="org.apache.coyote.http11.Http11Protocol" redirectPort="${bio-ssl.https.port}" scheme="https" secure="true"/>

…in which case it's just a matter of editing the various fields including keyAlias, keystoreFile and keystorePass.

Configuring your App

If you now start tomcat and run your web application, you'll now find that it's accessible using HTTPS. For example typing https://localhost:8443/my-app will work, but so will http://localhost:8080/my-app This means that you also need to do some jiggery-pokery on your app to ensure that it only responds to HTTPS and there are two approaches you can take.

If you're not using Spring Security, then you can simply add the following to your web.xml before the last web-app tag:

If you are using Spring Security, then there are a few more steps to getting things going. Part of the general Spring Security setup is to add the following to your web.xml file. Firstly you need to add a Spring Security application context file to the contextConfigLocation context-param:

<context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>/WEB-INF/spring/root-context.xml
           /WEB-INF/spring/appServlet/application-security.xml           
          </param-value>
     </context-param>

Secondly, you need to add the Spring Security filter and filter-mapping:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Lastly, you need to create, or edit, your application-security.xml as shown in the very minimalistic example below:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

       <http auto-config='true' >
          <intercept-url pattern="/**" requires-channel="https" />    
       </http>

       <authentication-manager>
       </authentication-manager>

</beans:beans>

In the example above intercept-url element has been set up intercept all URLs and force them to use the https channel.

The configuration details above may give the impression that it's quicker to use the simple web.xml config change, but if you're already using Spring Security, then it's only a matter of adding a requires-channel attribute to your existing configuration.

---

A sample app called tomcat-ssl demonstrating the above is available on git hub at: https://github.com/roghughe/captaindebug