
Implement SSL on Tomcat (https)

Former Member
0 Kudos

Hi experts,

I am considering implementing SSL on Tomcat (https).

It will be open to users in the internal network and in the external network.

The internal network and the external network have different domain names (internal IP and public IP).

However when I use the keystore to create private key, it allows me to input one domain name only.

./keytool.exe -genkey -alias tomcat -keyalg RSA

If I use the public IP as the common name (CN) of the key, internal users cannot access the server.

If I use the internal IP, external users cannot access the server.

How can I implement https so that both internal and external users can access the server successfully?

We do not allow "add exception" due to security policy.

Thanks & Regards,

Gordon Lo

Accepted Solutions (1)

0 Kudos

Hi,

You need to deploy the web applications twice then. Use one Tomcat for internal access (with the internal SSL certificate) and one Tomcat for external access (with the external SSL certificate).

Regards

-Seb.

Former Member
0 Kudos

Hi Seb,

How can I deploy the web applications twice on the same Tomcat server?

Regards,

Gordon

Former Member
0 Kudos

Hi Gordon,

What I can suggest is to involve your network team to configure NAT to map the external address to the internal network.

So that users accessing internally and externally have only one URL to access.

After doing so you can have SSL configured using only the internal network.

Hope that helps.

Regards,

Tanveer

Former Member
0 Kudos

Hi Gordon,

I think what Seb is trying to say here is have 2 Tomcats. One for external users and one for internal users.

You could install an additional Tomcat instance on a separate drive.

You could then bring over the .war files from your BO Tomcat to the 2nd one and deploy them.

The "Web Application Deployment Guide" would contain additional information on how to deploy: http://help.sap.com/boall_en

Note: A unique port on each Tomcat would be needed to ensure isolation on the network.

The NAT option is also valid and saves adding a 2nd instance.

Regards,

Sid

Answers (1)

denis_konovalov
Active Contributor
0 Kudos

Use the regular DMZ deployment scenario:

Have an Apache web server with SSL inside the DMZ and a regular Tomcat inside your network. Tomcat can be with or without SSL.

External users access the web server in the DMZ and it redirects them to the Tomcat inside.
Internal users access Tomcat directly.

This is the most secure solution.
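As an added illustration of the DMZ layout described above (example configuration written for this page, not taken from the thread or from SAP): an Apache httpd virtual host in the DMZ terminates TLS with the external certificate and reverse-proxies a single application path to the internal Tomcat over plain HTTP, so only the public name has to appear in the public certificate. The host names (portal.example.com, tomcat.internal.example), the /app path and the certificate file locations are assumed placeholders.

```apache
# Added example: Apache httpd in the DMZ, TLS terminated here,
# requests forwarded to the internal Tomcat (which may run plain HTTP).
# Assumed placeholders: portal.example.com, tomcat.internal.example, /app,
# and the certificate/key paths. Needs mod_ssl, mod_proxy, mod_proxy_http
# and mod_headers loaded.

<VirtualHost *:443>
    ServerName portal.example.com

    # Certificate whose CN/SAN is the public name external users type in.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Off (the default) keeps httpd a reverse proxy only: just the explicit
    # ProxyPass mappings below are forwarded, never arbitrary client targets.
    ProxyRequests Off
    # Pass the original Host header so Tomcat builds links with the public name.
    ProxyPreserveHost On

    # Only the application path is exposed; everything else stays internal.
    ProxyPass        /app http://tomcat.internal.example:8080/app
    ProxyPassReverse /app http://tomcat.internal.example:8080/app

    # Tell Tomcat the client connection was HTTPS so redirects and cookie
    # flags reflect the external scheme rather than the internal plain HTTP hop.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Send plain-HTTP visitors to HTTPS so no session cookie or password
# crosses the public network in clear text.
<VirtualHost *:80>
    ServerName portal.example.com
    Redirect permanent / https://portal.example.com/
</VirtualHost>
```

Tomcat only honours X-Forwarded-Proto when its RemoteIpValve is configured with protocolHeader set to that header name; without it, application-generated redirects may come back as http:// URLs.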