Tomcat SSL

Overview

The full documentation for Tomcat 8 is here: Tomcat SSL How To

Below we summarise the steps you'll need to take.

Certificate

First, you need to generate a certificate or install a certificate.

  • Create a local self-signed Certificate (as described in the previous section):

Copy 
keytool -genkey -alias tomcat -keyalg RSA -keystore (your_keystore_filename)

Note:  Note: In some cases, you will have to enter the domain of your website (i.e.www.myside.org) in the field "first- and lastname" in order to create a working Certificate.

  • The CSR is then created with:

Copy 
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore (your_keystore_filename)

Enable SSL and Port

Next, enable SSL and Port 8443 or port 443 in tomcat/conf/server.xml

  1. Find a section in server.xml that looks like this:

    Copy 
    <!--
       <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
         <SSLHostConfig>
           <Certificate certificateKeystoreFile="conf/dos1235.jks" type="RSA" />
           </SSLHostConfig>
       </Connector>
    -->

  2. Uncomment it out by removing the <!- and --> at the end to get

    Copy 
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
       clientAuth="false" sslProtocol="TLS" />

  3. To enable client authentication, you'll need to reference your SSL Certificate based on your version of Tomcat. You can modify the above to look like this:

    Tomcat 8:

    Copy 
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="PUT_YOUR_KEY_PASS_HERE"
       clientAuth="false" sslProtocol="TLS"
       sslEnabledProtocols="TLSv1.2,TLSv1.1,TSLv1.2"/>

    For keystorePass, replace PUT_YOUR_KEY_PASS_HERE with the password for your key.

    Tomcat 9:

    Copy 
    <Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="PUT_YOUR_KEY_PASS_HERE"
       clientAuth="false" sslProtocol="TLS"/>

    For keystorePass, replace PUT_YOUR_KEY_PASS_HERE with the password for your key.

    Tomcat 10

    Copy 
    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443"
        maxThreads="150"
        SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
    <Certificate
      certificateKeystoreFile="${catalina.base}/conf/dos1234-test.jks"
      certificateKeystorePassword="objective"
      type="RSA"
      />
    </SSLHostConfig>
    </Connector>

    For keystorePass, replace PUT_YOUR_KEY_PASS_HERE with the password for your key.

  4. To disable http, comment out the following section:

    Copy 
    <Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="6443" />

    Note, it may look slightly different in your install, but the important part is you will have a Connector tag that is uncommented, and you'll need to use xml commenting to disable:

    Copy 
    <!-
    <Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="6443" />
    -->

 

Related Articles

SharePoint REST Connector

3Sixty Federation Tutorials

3Sixty Installation Guide