Tomcat and HTTPS Support

HTTPS is used to strengthen the security of data in transit. Plain HTTP (Hypertext Transfer Protocol) sends everything in cleartext and is therefore very insecure; HTTPS encrypts the data while it is being transmitted.

SSL Protocol

Basic Introduction

HTTP is one of the most widely used data transfer protocols on the internet, but it has no encryption of its own: data travels in plaintext and can be eavesdropped on, tampered with, or forged. TLS (Transport Layer Security) addresses this.

HTTPS adds a TLS (formerly SSL) encryption layer on top of HTTP, providing:

  • Data confidentiality: data cannot be read by an eavesdropper while in transit.
  • Data integrity: data cannot be tampered with or corrupted in transit without detection.
  • Authentication: the client and server can authenticate each other, confirming the identity of both communicating parties.

Working Principle

HTTPS inserts a TLS/SSL encryption layer between HTTP and the transport. The communication proceeds as follows:

  • Client requests a connection: the client sends an HTTPS request to the server.
  • Server responds with its certificate: the server returns a digital certificate containing its public key.
  • Client verifies the certificate: the client checks that the certificate is valid (chains to a trusted CA and is within its validity period) and that the name in the certificate matches the domain being accessed.
  • Negotiate the encryption method and generate a session key: the client generates a random symmetric key (the session key), encrypts it with the public key from the server's certificate and sends it to the server; the server decrypts it with its private key to recover the session key.
  • Establish the secure connection and transmit data: both sides encrypt and decrypt application data with the session key.

This is the RSA key-exchange form of the handshake. TLS 1.3, and the ECDHE cipher suites preferred in TLS 1.2, instead derive the session key from an ephemeral Diffie-Hellman exchange that the server signs with its private key, so a later compromise of that key does not expose previously recorded sessions.

Technical Foundation

Asymmetric Encryption (Public Key Encryption)

  • Uses a pair of keys: a public key and a private key.
  • Data encrypted with the public key can only be decrypted with the private key; the private key is kept on the server and never leaves it.

Symmetric Encryption

  • The bulk of HTTPS data transfer uses symmetric encryption: client and server share the same key for encrypting and decrypting data, which is far cheaper than public-key operations.

TLS Handshake Process

The TLS handshake is the key step in establishing HTTPS communication:

  • The client initiates the connection and proposes the TLS versions and cipher suites it supports.
  • The server responds with its certificate (carrying its public key) and the cipher suite it has chosen.
  • The client verifies the certificate, generates a random session key, encrypts it with the server's public key and sends it to the server.
  • The server decrypts the session key with its private key, completing the handshake.

Tomcat HTTPS

Generate Certificate

First we generate a self-signed RSA key pair and certificate in a JKS keystore. keytool prompts for a keystore password; the value entered here must match the certificateKeystorePassword configured in server.xml below:

keytool -genkey -alias wzkicu -keyalg RSA -keystore wzkicu.keystore

Configure XML

Modify the Connector section in /opt/servers/apache-tomcat-9.0.98/conf/server.xml so the HTTPS connector reads as follows. The keystore path must point at the file generated above, and because server.xml now carries the keystore password in plaintext, keep the file readable only by the user Tomcat runs as:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/opt/wzk/wzkicu.keystore"
                     certificateKeystorePassword="123123"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Tomcat Performance Optimization

Basic Introduction

System performance is measured mainly by response time and throughput.

  • Response time: the time taken to complete one operation.
  • Throughput: the number of transactions the system can handle in a given period, measured in transactions per second (TPS).

Tomcat optimization is approached mainly from the following directions:

  • JVM tuning (heap sizing and garbage collector choice).
  • Tomcat's own configuration (for example a shared executor thread pool and the connector's I/O model).

Parameter Adjustment

Connector

Common configuration example:

<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           acceptCount="100"
           maxConnections="10000"
           maxThreads="200"
           minSpareThreads="10"
           enableLookups="false"
           compression="on"
           compressibleMimeType="text/html,text/xml,text/plain,text/javascript,text/css"/>
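The two connectors above depend on each other: the HTTP connector's redirectPort must point at the SSLEnabled connector, and that connector must carry scheme="https" and secure="true" or Tomcat will build wrong redirects and report request.isSecure() as false. The following linter is an added example, not Tomcat's own tooling; it parses a constructed server.xml fragment (reproducing the page's connectors, including the original "schema" typo) and reports these misconfigurations, plus explicitly enabled legacy TLS versions and an empty or well-known keystore password.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's HTTPS connector, with its original "schema" typo,
# next to the tuned HTTP connector from the performance section.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" maxThreads="200"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" schema="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="/opt/wzk/wzkicu.keystore"
                   certificateKeystorePassword="123123" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def lint_connectors(server_xml: str) -> list:
    """Return one finding per problem; an empty list means every check passed."""
    root = ET.fromstring(server_xml)
    findings, tls_ports = [], set()
    for c in root.iter("Connector"):
        port = c.get("port")
        if c.get("SSLEnabled") != "true":
            continue
        tls_ports.add(port)
        if c.get("scheme") != "https":
            typo = " ('schema' is a typo for 'scheme')" if "schema" in c.attrib else ""
            findings.append(f"port {port}: scheme=\"https\" missing{typo}; "
                            "request.getScheme() will report http and redirects break")
        if c.get("secure") != "true":
            findings.append(f"port {port}: secure=\"true\" missing; request.isSecure() is false")
        for host in c.findall("SSLHostConfig"):
            # protocols is comma separated; entries prefixed with '-' are removals, not additions
            enabled = {p.strip() for p in host.get("protocols", "").split(",")
                       if not p.strip().startswith("-")}
            for legacy in sorted(enabled & LEGACY_PROTOCOLS):
                findings.append(f"port {port}: legacy protocol {legacy} explicitly enabled")
            for cert in host.findall("Certificate"):
                if not cert.get("certificateKeystoreFile"):
                    findings.append(f"port {port}: Certificate has no certificateKeystoreFile")
                if cert.get("certificateKeystorePassword") in (None, "", "changeit"):
                    findings.append(f"port {port}: keystore password is empty or the well-known 'changeit'")
    # A plain HTTP connector should redirect confidential requests to a real TLS port.
    for c in root.iter("Connector"):
        rp = c.get("redirectPort")
        if c.get("SSLEnabled") != "true" and rp and rp not in tls_ports:
            findings.append(f"port {c.get('port')}: redirectPort {rp} is not an SSLEnabled connector")
    return findings
```

Running lint_connectors(SAMPLE_SERVER_XML) reports only the scheme typo; once it is corrected to scheme="https" the sample passes cleanly.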

Tune the JVM by setting JAVA_OPTS in Tomcat's startup environment (bin/setenv.sh, which catalina.sh sources on startup). Equal -Xms and -Xmx values avoid heap resizing, and the heap dump on OutOfMemoryError gives you something to analyse after a crash:

JAVA_OPTS="-server -Xms2G -Xmx2G -Xss512k \
-XX:+UseG1GC \
-XX:MaxGCPauseMillis=200 \
-XX:+HeapDumpOnOutOfMemoryError \
-Djava.awt.headless=true"