How to set up HTTPS for the EMessaging web site

EMessaging 1.5.1, Tomcat, Windows

How to set up HTTPS for the EMessaging web site

i.e., change


so it would be


NOTE: this is beyond the scope of EMessaging support, as what this really involves is setting up the application server properly. However, assuming that the application server is set up properly, the EMessaging web site can run under HTTPS.

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html contains detailed instructions on how to set this up on Tomcat 7.

I was able to create a self-signed cert and do this in a test environment with the following steps:

1) Create a keystore file to store the server's private key and self-signed certificate by executing the following command:

on Windows:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

and specify a password value of "changeit".

(note on my VM I put the following values:

C:\Java\jdk1.8.0_91\bin>keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]: C

What is the name of your organizational unit?

[Unknown]: S

What is the name of your organization?

[Unknown]: C

What is the name of your City or Locality?

[Unknown]: S

What is the name of your State or Province?

[Unknown]: MN

What is the two-letter country code for this unit?

[Unknown]: US

Is CN=C, OU=S, O=C, L=S, ST=MN, C=US correct?

[no]: yes

Enter key password for <tomcat>

(RETURN if same as keystore password):


on Unix:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

and specify a password value of "changeit".

2) Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_BASE/conf/server.xml and modify as described in the Configuration section below.

i.e., uncomment this section:

<!-- Define a SSL HTTP/1.1 Connector on port 8443

This connector uses the BIO implementation that requires the JSSE

style configuration. When using the APR/native implementation, the

OpenSSL style configuration is required as described in the APR/native

documentation -->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"

maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

clientAuth="false" sslProtocol="TLS" />

3) restart Tomcat

If it works you should be able to see Tomcat on https://localhost:8443/

But it didn't work for me. catalina log had this error:

Jun 03, 2016 10:14:55 AM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore

SEVERE: Failed to load keystore type JKS with path C:\Windows\system32\config\systemprofile/.keystore due to Illegal character in opaque part at index 2: C:\Windows\system32\config\systemprofile/.keystore

java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Windows\system32\config\systemprofile/.keystore

at java.net.URI.create(URI.java:852)

at java.net.URI.resolve(URI.java:1036)

at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:93)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:470)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:381)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:634)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:574)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:519)

at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:255)

at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)

at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:650)

at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)

at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)

at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:838)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

at org.apache.catalina.startup.Catalina.load(Catalina.java:642)

at org.apache.catalina.startup.Catalina.load(Catalina.java:667)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:253)

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:427)

Caused by: java.net.URISyntaxException: Illegal character in opaque part at index 2: C:\Windows\system32\config\systemprofile/.keystore

at java.net.URI$Parser.fail(URI.java:2848)

at java.net.URI$Parser.checkChars(URI.java:3021)

at java.net.URI$Parser.parse(URI.java:3058)

at java.net.URI.<init>(URI.java:588)

at java.net.URI.create(URI.java:850)

4) So I stopped Tomcat and copied my .keystore file to C:\Windows\system32\config\systemprofile/ (because a .keystore file was missing from this location, instead it was located in the users home directory (as expected per the documentation on the Tomcat website)

5) Once I copied to the .keystore to this location, then https://localhost:8443/ worked correctly (although I got a bunch of certificate related messages because it's a self-signed cert)

6) http://localhost:8080/emessaging/login.jsp still worked correctly, and if I wanted HTTPS I could visit https://localhost:8443/emessaging/login.jsp as well.

UPDATED:  September 7, 2017