If you have a web server certificate signed by one of the recognized Certificate Authorities, you can install that certificate into your Tomcat server. These instructions may be followed whether or not you have set up a test certificate as described here.

We are going to call your install directory $BIOCORE_HOME. EVERYWHERE YOU SEE $BIOCORE_HOME REPLACE IT WITH YOUR CHOSEN DIRECTORY.

We got our secure web server working by importing our Apache-mod_ssl certificate into Tomcat. It should be possible to generate a certificate for Tomcat directly, but we have not tried that procedure.

To obtain a secure certificate you must generate a private/public key pair, and use that to generate a certificate signing request (CSR). You email the CSR to a certificate authority such as Thawte or Verisign and arrange for payment. You will receive a certificate in return. We used OpenSSL to generate our Apache-mod_ssl certificate request, following instructions provided by Thawte.

To generate a version of your certificate for Tomcat, you will need the following items.

  • Copies of your server key and server certificate files. If you call them something other than server.key and server.crt, use your file names below.
  • OpenSSL (you needed this to generate the Apache certificate originally).
  • Java (which you will also need to run your server).
  • ImportKey, a small Java program that copies an Apache key and certificate into a Sun-format keystore file. ImportKey was originally written by the folks at Computer Mutter GmbH; we have modified it very slightly, compiled it, and put it in a signed JAR file.

Build OpenSSL

If you don't have OpenSSL installed, you'll need to install that now. We installed version 0.9.6, but any recent version should do. First, extract the OpenSSL files into $BIOCORE_HOME.

cd $BIOCORE_HOME
gunzip -dc openssl.tar.gz | tar xvf -
cd openssl-0.9.6

Next, run config.

./config --openssldir=$BIOCORE_HOME/openssl

Hit <Enter> at the prompt about manually configuring, if you get one. Then build, test, and install.

make
make test
make install

This will install the openssl program into $BIOCORE_HOME/openssl/bin.

Import the Certificate

Now, put copies of server.key, server.crt, and importkey.jar into

$BIOCORE_HOME/tomcat/current/conf

Next, you must convert the key and certificate files into formats that the Sun java tools understand. You can do this by executing the following OpenSSL commands.

$BIOCORE_HOME/openssl/bin/openssl pkcs8 \
           -topk8 -nocrypt -in server.key \
           -out server.key.der -outform der

$BIOCORE_HOME/openssl/bin/openssl x509 \
           -in server.crt -out server.crt.der \
           -outform der 
If your key or certificate files are encrypted with pass phrases, you will be prompted to enter them.

Now we need to run the ImportKey program to place the certificate and key into a keystore file. Our version of the JAR file is signed with our web server certificate using the Java jarsigner tool. First, make sure the JAR file has not been tampered with by running:

$BIOCORE_HOME/java/current/bin/jarsigner \
           -verify -verbose -certs importkey.jar
That should return "jar verified". You should also see some lines that look like
X.509, CN=biocore-s.ks.uiuc.edu, OU=Theoretical and Computational Biophysics, 
O=University of Illinois, L=Urbana, ST=Illinois, C=US
If the file cannot be verified, it is possible that it has been modified. In that case, please contact us.

Next, run ImportKey.

$BIOCORE_HOME/java/current/bin/java \
           -cp importkey.jar comu.ImportKey server.key.der server.crt.der
After this step, you can delete the .der files. Tomcat will also no longer require the original key and certificate files, so you may wish to move them elsewhere. However, don't delete your only copy of those files. It would be best to store them, along with the original Certificate Signing Request (CSR) file, on some safe off-line storage.

Running ImportKey will create a keystore.tomcat file containing your real certificate under the alias tomcat. Both the keystore and the key itself will have the password changeit. You should change this immediately to something more secret using keytool.

$BIOCORE_HOME/java/current/bin/keytool    \
           -storepasswd -keystore keystore.tomcat
$BIOCORE_HOME/java/current/bin/keytool    \
           -keypasswd -alias tomcat -keystore keystore.tomcat
Tomcat requires that both the key and the keystore use the same password. I'll assume below that you set it to "PASSWORD".
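The job ImportKey does, written out as an added example that is not the ImportKey program itself (the class name ImportDerKey is hypothetical; it assumes an RSA key and the .der files produced by the OpenSSL commands above). Unlike the procedure above, it writes the keystore and key entry with the password you type at the prompt, so the keystore never exists on disk under changeit, and it refuses to write a keystore whose certificate does not match the private key.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Objects;

/** Hypothetical stand-in for ImportKey: DER key + DER cert -> JKS keystore under alias "tomcat". */
public class ImportDerKey {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java ImportDerKey server.key.der server.crt.der keystore.tomcat");
            System.exit(1);
        }
        Console console = Objects.requireNonNull(System.console(), "run from an interactive terminal");
        // Tomcat requires the key and keystore passwords to be identical, so ask once and use it for both.
        char[] password = console.readPassword("Password for keystore and key: ");
        // Unencrypted PKCS#8 DER, as written by "openssl pkcs8 -topk8 -nocrypt ... -outform der".
        byte[] keyDer = Files.readAllBytes(Paths.get(args[0]));
        PrivateKey key = KeyFactory.getInstance("RSA")  // assumes an RSA key, the usual mod_ssl case
                .generatePrivate(new PKCS8EncodedKeySpec(keyDer));
        // DER X.509 certificate, as written by "openssl x509 ... -outform der".
        Certificate cert;
        try (FileInputStream in = new FileInputStream(args[1])) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Refuse to write a keystore whose certificate does not belong to this private key.
        if (!((RSAPublicKey) cert.getPublicKey()).getModulus()
                .equals(((RSAPrivateKey) key).getModulus())) {
            throw new IllegalArgumentException("certificate public key does not match private key");
        }
        KeyStore ks = KeyStore.getInstance("JKS");  // the Sun-format keystore this page's Tomcat reads
        ks.load(null, null);                         // start from an empty keystore
        ks.setKeyEntry("tomcat", key, password, new Certificate[] { cert });
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);
        }
        Arrays.fill(password, '\0');                 // clear the password from memory
    }
}
```

Compile it with javac and run it in place of the ImportKey step, passing the same two .der files plus the output name keystore.tomcat; because the password you type is used for both the keystore and the key entry, the two keytool password-change commands above are not needed afterwards.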

Other platforms

Contributions are welcome.
