Kalpa Madhushan · devops · 3 min read

Complete Guide: Securely Connecting Apache Tomcat to MySQL with TLS 1.2 (VirtualBox Setup)

Learn how to establish a secure TLS 1.2 connection between Apache Tomcat and MySQL using Ubuntu VMs in VirtualBox, with step-by-step instructions for certificates, configuration, and testing.

Introduction

In this guide, we walk through the process of securely connecting an Apache Tomcat server to a MySQL server using TLS 1.2. We’ll explain each step, highlight common pitfalls (like network issues in VirtualBox), and ensure the setup meets security requirements such as IP-based restrictions and certificate validation. This setup is done using two Ubuntu VMs running in VirtualBox.


Why Connect Tomcat and MySQL Securely?

Tomcat is a Java-based web server, while MySQL is a relational database. Many enterprise applications need these two to communicate. However, sending database credentials and data in plain text is insecure. TLS 1.2 encrypts communication between Tomcat and MySQL, ensuring confidentiality and integrity.


Setup Overview

  • Apache Tomcat installed on Ubuntu VM 1
  • MySQL Server installed on Ubuntu VM 2
  • Both VMs connected via VirtualBox’s internal networking
  • TLS 1.2 with specific cipher suite enforced
  • MySQL access restricted to only the Tomcat server IP

Step 1: Configure Networking in VirtualBox

Many users struggle here. Instead of just setting both VMs to “Internal Network,” you also need to:

  1. Open VirtualBox > File > Tools > Network Manager
  2. Create a NAT Network (this helps with DHCP auto IP assignment)
  3. Assign this NAT Network to both VMs under Adapter 1

Now, both VMs will get IPs like 10.0.2.X and can ping each other.


Step 2: Install and Configure MySQL Server

  1. Install MySQL on VM2:

    sudo apt update && sudo apt install mysql-server
  2. Enable SSL:

    • Generate SSL certs:

      sudo mkdir /etc/mysql/ssl
      cd /etc/mysql/ssl
      sudo openssl genrsa -out ca-key.pem 2048
      sudo openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem
      sudo openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem
      sudo openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    • Update mysqld.cnf:

      [mysqld]
      ssl-ca=/etc/mysql/ssl/ca-cert.pem
      ssl-cert=/etc/mysql/ssl/server-cert.pem
      ssl-key=/etc/mysql/ssl/server-key.pem
      bind-address=0.0.0.0
    • Restart MySQL:

      sudo systemctl restart mysql
  3. Create a restricted SSL user:

    CREATE USER 'tomcat_user'@'10.0.2.15' IDENTIFIED BY 'StrongPassword' REQUIRE SSL;
    GRANT ALL PRIVILEGES ON testdb.* TO 'tomcat_user'@'10.0.2.15';
    FLUSH PRIVILEGES;
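The certificate steps above are interactive and leave two things unchecked that commonly break the first start of mysqld: a server certificate that does not actually chain to the CA, and a key that does not belong to the certificate. The script below is an added example, not part of the original post: it runs the same openssl commands non-interactively (with a subjectAltName for the MySQL address, so verifying clients can match it), checks both conditions, and builds the Java trust store that Connector/J needs once verifyServerCertificate=true is set. WORKDIR, the CA name "MySQL-Test-CA", the trust store password and the /opt/tomcat/ssl/truststore.jks path are assumptions; 10.0.2.5 is the MySQL address used in the guide.

```shell
#!/bin/sh
# Added example, not from the original post. Non-interactive version of the
# Step 2 certificate generation, plus the checks and client trust store the
# guide does not spell out. WORKDIR, CA name and trust store password are
# assumptions; 10.0.2.5 is the guide's MySQL address.
set -eu

WORKDIR="${WORKDIR:-./mysql-ssl}"
MYSQL_ADDR="${MYSQL_ADDR:-10.0.2.5}"   # what the JDBC URL and s_client connect to

gen_certs() {
  mkdir -p "$WORKDIR"
  # IP addresses go into the SAN as IP:, host names as DNS:
  case "$MYSQL_ADDR" in
    *[!0-9.]*) san="DNS:$MYSQL_ADDR" ;;
    *)         san="IP:$MYSQL_ADDR" ;;
  esac
  (
    cd "$WORKDIR"
    # -out instead of a shell redirect: "sudo openssl ... > file" opens the
    # file as the unprivileged user and fails in a root-owned directory.
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem \
      -subj "/CN=MySQL-Test-CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem \
      -subj "/CN=$MYSQL_ADDR" 2>/dev/null
    printf 'subjectAltName=%s\n' "$san" > san.ext
    openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem \
      -set_serial 01 -extfile san.ext -out server-cert.pem 2>/dev/null
    chmod 600 ca-key.pem server-key.pem
  )
}

# Does server-cert.pem chain to ca-cert.pem? This is exactly what a verifying
# client checks, so it should pass before the CA is copied to the Tomcat VM.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/server-cert.pem" >/dev/null 2>&1
}

# Do server-key.pem and server-cert.pem carry the same RSA modulus? A mismatch
# makes mysqld refuse to initialise TLS at startup.
cert_key_match() {
  c=$(openssl x509 -noout -modulus -in "$WORKDIR/server-cert.pem")
  k=$(openssl rsa  -noout -modulus -in "$WORKDIR/server-key.pem" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Import the CA into a JKS trust store for Tomcat. Connector/J is then pointed
# at it by adding trustCertificateKeyStoreUrl=file:/opt/tomcat/ssl/truststore.jks
# and trustCertificateKeyStorePassword=<password> to the JDBC URL (path assumed).
make_truststore() {
  keytool -importcert -noprompt -alias mysql-ca -file "$WORKDIR/ca-cert.pem" \
    -keystore "$WORKDIR/truststore.jks" -storepass "$1" >/dev/null 2>&1
}

main() {
  gen_certs
  verify_chain   || { echo "server-cert.pem does NOT chain to ca-cert.pem"; exit 1; }
  cert_key_match || { echo "server-key.pem does NOT match server-cert.pem"; exit 1; }
  echo "certificates in $WORKDIR verified"
  # keytool ships with the JDK; skip the trust store when it is not installed.
  if command -v keytool >/dev/null 2>&1; then
    make_truststore changeit && echo "truststore.jks written"
  fi
}
main
```

Run it on the MySQL VM, then move the three server-side files into /etc/mysql/ssl and make them readable by the mysql user (mysqld runs as that user, and a root-owned key with mode 600 is the usual reason TLS silently fails to come up); only ca-cert.pem and the trust store go to the Tomcat VM. Without the trust store entries in the URL, verifyServerCertificate=true makes Connector/J reject a certificate signed by this private CA.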

Step 3: Install and Configure Apache Tomcat

  1. Download and extract Tomcat:

    cd /opt
    sudo wget https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.X/bin/apache-tomcat-9.0.X.tar.gz
    sudo tar -xvzf apache-tomcat-9.0.X.tar.gz
    sudo mv apache-tomcat-9.0.X tomcat
  2. Add MySQL JDBC driver to /opt/tomcat/lib/

  3. Edit /opt/tomcat/conf/context.xml to include the JDBC Resource (inside an XML attribute the & separators of the URL must be written as &amp;, otherwise Tomcat fails to parse the file):

    <Resource name="jdbc/MyDB" auth="Container"
              type="javax.sql.DataSource" maxTotal="100" maxIdle="30" maxWaitMillis="10000"
              username="tomcat_user" password="StrongPassword"
              driverClassName="com.mysql.cj.jdbc.Driver"
              url="jdbc:mysql://10.0.2.5:3306/testdb?verifyServerCertificate=true&amp;useSSL=true&amp;requireSSL=true&amp;enabledTLSProtocols=TLSv1.2&amp;enabledSslCipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  4. Start Tomcat:

    /opt/tomcat/bin/startup.sh

Step 4: Test the Connection Without Deploying an App

  1. Create a simple test JSP:

    • Path: /opt/tomcat/webapps/ROOT/test.jsp

      <%@ page import="javax.naming.*, javax.sql.*, java.sql.*" %>
      <%
      // Look up the pooled DataSource declared in context.xml and run one query.
      // try-with-resources closes the result set and statement and returns the
      // connection to the pool even when the query throws.
      try {
          Context ctx = new InitialContext();
          DataSource ds = (DataSource) ctx.lookup("java:/comp/env/jdbc/MyDB");
          try (Connection conn = ds.getConnection();
               Statement stmt = conn.createStatement();
               ResultSet rs = stmt.executeQuery("SELECT NOW()")) {
              while (rs.next()) {
                  out.println("Connected: " + rs.getString(1));
              }
          }
      } catch (Exception e) {
          // Writes the full stack trace into the HTTP response, which is what you
          // want while debugging the TLS setup locally; remove the page afterwards.
          e.printStackTrace(out);
      }
      %>
  2. Curl from the Tomcat VM:

    curl http://localhost:8080/test.jsp

You should see:

Connected: 2025-07-30 13:37:00

This confirms the TLS-based connection is working.


Step 5: Validate TLS Usage

You can further validate TLS by using:

openssl s_client -connect 10.0.2.5:3306 -starttls mysql -tls1_2 -CAfile /opt/tomcat/ssl/ca-cert.pem

MySQL does not speak TLS from the first byte on port 3306: the client receives the server greeting and then asks to switch to TLS, so s_client needs -starttls mysql (available since OpenSSL 1.1.1) to complete the handshake. -tls1_2 restricts the client to TLS 1.2, so a successful handshake confirms the server accepts it, and -CAfile points at the CA certificate copied over from the MySQL VM so the chain is actually verified. The output shows the TLS version and cipher suite used.
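Reading the s_client output by eye is error-prone, and the cipher name it prints differs from the one in the JDBC URL (OpenSSL says ECDHE-RSA-AES128-GCM-SHA256 for what IANA and Connector/J call TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). The script below is an added example, not part of the original post: it parses an s_client transcript and passes only when the protocol, the cipher and the certificate verification result all match what this guide enforces. Both transcripts in it are constructed to illustrate a good and a bad outcome, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: check an `openssl s_client`
# transcript for the protocol and cipher this guide enforces and for a
# verified certificate chain. The two transcripts below are constructed.
set -eu

EXPECTED_PROTO="TLSv1.2"
# s_client prints OpenSSL cipher names; the JDBC URL in context.xml uses the
# IANA name TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, which OpenSSL calls:
EXPECTED_CIPHER="ECDHE-RSA-AES128-GCM-SHA256"

# Print the value of a "<field> : <value>" line from the transcript on stdin.
tls_field() {
  sed -n "s/^ *$1 *: *//p" | head -n 1 | tr -d '\r'
}

# check_tls TRANSCRIPT: exit 0 only if protocol, cipher and verification match.
check_tls() {
  proto=$(printf '%s\n' "$1" | tls_field Protocol)
  cipher=$(printf '%s\n' "$1" | tls_field Cipher)
  verify=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
  [ "$proto" = "$EXPECTED_PROTO" ]   || { echo "protocol mismatch: '$proto'"; return 1; }
  [ "$cipher" = "$EXPECTED_CIPHER" ] || { echo "cipher mismatch: '$cipher'"; return 1; }
  case "$verify" in
    0*) ;;
    *)  echo "certificate not verified: $verify"; return 1 ;;
  esac
  echo "ok: $proto $cipher, chain verified"
}

# Live use against the guide's MySQL VM (not run here). MySQL exchanges its own
# greeting before TLS, so s_client needs -starttls mysql (OpenSSL 1.1.1+).
live_check() {
  check_tls "$(openssl s_client -connect 10.0.2.5:3306 -starttls mysql -tls1_2 \
    -CAfile /opt/tomcat/ssl/ca-cert.pem </dev/null 2>&1)"
}

# Constructed transcript of a correct handshake.
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = MySQL-Test-CA
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---'

# Constructed transcript with two problems: a cipher outside the allow-list and
# a chain that was not verified (for instance because -CAfile was omitted).
SAMPLE_BAD='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Verify return code: 19 (self-signed certificate in certificate chain)
---'

check_tls "$SAMPLE_OK"
check_tls "$SAMPLE_BAD" || true
```

On the Tomcat VM, replace the two samples with a call to live_check; a non-zero exit then tells you which of the three properties the server failed to meet, which is more useful than a connection that merely succeeded.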


Step 6: File Transfer via FileZilla (Optional)

To extract files for submission:

  • Enable port forwarding in VirtualBox (Host: 2222 -> Guest: 22)

  • Connect via FileZilla using:

    • Host: sftp://127.0.0.1
    • Port: 2222
    • User: your Ubuntu username
  • Download:

    • /opt/tomcat/conf/context.xml
    • /etc/mysql/mysql.conf.d/mysqld.cnf
    • /etc/mysql/ssl/*.pem
    • /opt/tomcat/ssl/ca-cert.pem
    • test.jsp
    • A SQL file with the user creation query

Conclusion

By following this guide, you set up a secure, TLS-encrypted connection between Apache Tomcat and MySQL, with access restricted to one IP. You avoided deploying a full app by using a minimal JSP test and validated TLS with proper tools. This setup is robust, secure, and meets enterprise-grade requirements.
