Tomcat Server Configuration [Server.xml] - Yash-777/LearnJava GitHub Wiki

The HTTP Connector: SSL/TLS Configuration

Java Platform, Standard Edition Security Developer’s Guide

Secure Sockets Layer (SSL) Protocol Overview

TCP/IP Layer Protocol
Application Layer HTTP, NNTP, Telnet, FTP, and so on
Secure Sockets Layer SSL
Transport Layer TCP
Internet Layer IP

SSLProtocol : The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:

	SSLv2
	SSLv3
	TLSv1
	TLSv1.1
	TLSv1.2
	TLSv1.3
	all

Java Mail : Cipher suite

protocols SSLv2Hello Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.

SSL/TLS and Tomcat

Tomcat is able to use any of the the cryptographic protocols that are provided by the underlying environment. Java itself provides cryptographic capabilities through JCE/JCA and encrypted communications capabilities through JSSE. Any compliant cryptographic "provider" can provide cryptographic algorithms to Tomcat. The built-in provider (SunJCE) includes support for various SSL/TLS versions like SSLv3, TLSv1, TLSv1.1, and so on.

General Tips on Running SSL

When securing a website with SSL it's important to make sure that all assets that the site uses are served over SSL, so that an attacker can't bypass the security by injecting malicious content in a javascript file or similar. To further enhance the security of your website, you should evaluate to use the HSTS header. It allows you to communicate to the browser that your site should always be accessed over https.

Using name-based virtual hosts on a secured connection requires careful configuration of the names specified in a single certificate or Tomcat 8.5 onwards where Server Name Indication (SNI) support is available. SNI allows multiple certificates with different names to be associated with a single TLS connector.

sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1"

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true" clientAuth="false"
        keystoreFile="conf\store\tomcat.keystore" enableLookups="true"
        keystorePass="password" sslProtocol = "TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" 
        sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Apache Tomcat" />
Configuring OCSP Connector (Apache Portable Runtime (APR) based Native library for Tomcat)
<!--
/yash/tomcat/tomcat-keystore
		yash777.github.com
			Version:3
			Subject:CN=yash777.github.com,O=github,C=IN
			Issuer: CN=github V1,O=github,C=IN
			Algorithum: SHA256WITHRSA
-->			
			
<Connector port="7775" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
	<SSLHostConfig>
		<Certificate 
			certificateKeystoreFile="/yash/tomcat/tomcat-keystore" keystorePass="changeit"
			type="RSA" maxThreads="150" scheme="https" secure="true" 
			clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"
		/>
	</SSLHostConfig>
</Connector>

In a class-based object-oriented language, in general, state is carried by instances, methods are carried by classes, and inheritance is only of structure and behavior.

Method signature: It consists of method name and parameter list (number/type/order of the parameters). methodName(parametersList y). An instance method in a subclass with the same signature and return type as an instance method in the super-class overrides the super-class's method.

Java OOP concepts
Class  - Collection of a common features of a group of object [static/instance Fields, blocks and Methods]
Object - Instance of a class (instance fields)
Abstraction - Process of hiding complex info and providing required info like API, Marker Interfaces ...
Encapsulation(Security) - Class Binding up with data members(fields) and member functions.
Inheritance  (Reusability by placing common code in single class)
 1. Multilevel - {A -> B -> C} 2. Multiple - Diamond problem {A <- (B) -> C} [Java not supports] 3. Cyclic {A <-> B} [Java not supports]
 * Is-A   Relation - Class A extends B
 * Hash-A Relation - Class A { B obj = new B(); } - (Composition/Aggregation)
Polymorphism (Flexibility) 1. Compile-Time Overloading    2. Runtime Overriding  [Greek - "many forms"]


int[] arr = {1,2,3}; int arrLength = arr.length;   // Fixed length of sequential blocks to hold same data type
String str = "Yash"; int strLength = str.length(); // Immutable Object value can't be changed.

List<?> collections = new ArrayList<String>(); int collectionGroupSize = collections.size();
Map<?, ?> mapEntry = new HashMap<String, String>();
Set<?> keySet = mapEntry.keySet(); // Set of Key's
Set<?> entrySet = mapEntry.entrySet(); // Set of Entries [Key, Value]

// Immutable Objects once created they can't be modified. final class Integer/String/Employee
Integer val = Integer.valueOf("100"); String str2 = String.valueOf(100); // Immutable classes
final class Employee { // All Wrapper classes, java.util.UUID, java.io.File ...
    private final String empName; // Field as Final(values can be assigned only once) Only getter functions.
    public Employee(String name) { this.empName = name; }
}

Native Java Code for Hashtable.h, Hashtable.cpp SQL API.

You can check your current JDK and JRE versions on your command prompt respectively,

  • JDK javac -version [C:\Program Files\Java\jdk1.8.0_121\bin] o/p: javac 1.8.0_121
  • JRE java -version [C:\Program Files\Java\jdk1.8.0_121\bin] o/P: java version "1.8.0_102"

JAVA_HOME - Must be set to JDK otherwise maven projects leads to compilation error. [ERROR] No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK? C:\Softwares\OpenJDK\, 7-zip

Fatal error compiling: invalid target release: JRE and JDK must be of same version 1.8.0.XXX

Disable TLS 1.0 and 1.1security-libs/javax.net.ssl: TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

⚠️ **GitHub.com Fallback** ⚠️