Information Security 10 min read

Implementing HTTPS in Android and Tomcat: Principles, Configuration, and Practice

This article explains the fundamentals of the HTTPS protocol, details the SSL/TLS cryptographic components and handshake process, and provides a step‑by‑step guide for generating keystores, configuring Tomcat, modifying an Android client, and troubleshooting common issues during secure communication.

Qunar Tech Salon

The author, an Android developer at Qunar, introduces the need to migrate existing HTTP interfaces to HTTPS and begins with a concise overview of HTTPS, describing how HTTP sits atop SSL/TLS, which in turn combines symmetric encryption, message authentication codes, public‑key cryptography, digital signatures, and random number generation.

Key cryptographic concepts such as hash functions, MACs, digital signatures, and public‑key certificates are explained, followed by the three security goals HTTPS provides: confidentiality, integrity, and authentication.

The TLS handshake is broken down into its two layers: the Handshake Protocol (including sub‑protocols for negotiation, cipher suite changes, warnings, and application data) and the Record Protocol (handling fragmentation, compression, MAC addition, symmetric encryption, and header construction).

Practical implementation steps are then presented. First, a simple HttpsServlet is created to simulate a login endpoint, with accompanying web.xml configuration. The article shows the project structure and the Android components (e.g., NextActivity.java, layout files) required for the client side.

Next, the process of generating server and client keystores with the Java keytool is detailed, including commands for creating keys, setting the alias (which must be tomcat for Tomcat), defining distinguished names, passwords, and validity periods. The importance of using the BKS keystore type for Android compatibility, and the need for the BouncyCastle provider to produce it, are highlighted.

Exporting certificates, creating truststores, and verifying their contents are illustrated with screenshots. The resulting files (e.g., qproject.cer, qproject.p12, tomcat.keystore) are listed.

Tomcat’s server.xml is then modified to enable HTTPS: setting the port, SSLEnabled, scheme, and secure attributes, specifying the keystore and truststore files and passwords, enabling clientAuth, and selecting the TLS protocol.

Common pitfalls are addressed, such as alias mismatches causing startup errors, CN mismatches between certificates and hostnames, and Android’s default keystore format limitations. Solutions include correcting the alias, importing the server certificate into the browser’s trusted root store, and using BKS format for Android.

On the Android side, the article describes adding the server’s certificate and the client’s truststore to the app’s assets, implementing an HttpsHelper for SSL socket factory configuration, and updating network calls to use HttpsURLConnection with the proper HTTPS URL.
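As an added illustration of the HttpsHelper step (this is not the article's own code), the following Java helper loads a BKS truststore and a PKCS12 client keystore from the app's assets and builds an SSLSocketFactory for HttpsURLConnection. The asset names and passwords are assumptions; the default hostname verifier is deliberately kept, because the CN mismatch pitfall above is fixed by correcting the certificate, not by disabling verification.

```java
import android.content.Context;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLSocketFactory that trusts only the server certificate shipped in assets
 *  and presents the client certificate required by Tomcat's clientAuth="true". */
public final class HttpsHelper {
    // Constructed asset names and passwords (assumptions, not taken from the article).
    private static final String TRUSTSTORE_ASSET = "client.truststore.bks"; // BKS, holds server cert
    private static final String KEYSTORE_ASSET = "client.p12";              // PKCS12, client key + cert
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    private static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    private HttpsHelper() {}

    public static SSLSocketFactory createSocketFactory(Context context) throws Exception {
        // Android's default KeyStore type is not JKS, so the truststore must be BKS,
        // written by keytool with the BouncyCastle provider.
        KeyStore trustStore = KeyStore.getInstance("BKS");
        try (InputStream in = context.getAssets().open(TRUSTSTORE_ASSET)) {
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Client keystore: without it the handshake fails once clientAuth is enabled on Tomcat.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = context.getAssets().open(KEYSTORE_ASSET)) {
            keyStore.load(in, KEYSTORE_PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, KEYSTORE_PASSWORD);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Opens an HTTPS connection using the pinned trust store; the hostname verifier stays default. */
    public static HttpsURLConnection open(Context context, String httpsUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(createSocketFactory(context));
        return conn;
    }
}
```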

Finally, the author demonstrates testing the setup by launching Tomcat, accessing the HTTPS endpoint via a browser, and capturing encrypted traffic with Fiddler, confirming that the communication is now securely encrypted.

Tags: Android, security, Tomcat, HTTPS, SSL/TLS, TLS Handshake, Keytool
Written by

Qunar Tech Salon

Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.
