Apache Tomcat : Enable HTTPS
This article shows how to enable HTTPS for Tomcat. It uses a self-signed certificate, but you could replace this with a certificate issued by a Certificate Authority (CA).
This article includes both styles of HTTPS connector configuration: the connector-level TLS attributes used by versions prior to Tomcat 10, and the SSLHostConfig style used from Tomcat 10 onward (it is also available from Tomcat 8.5).
Related articles.
- Apache Tomcat 10 Installation on Linux (RHEL and clones)
- Apache Tomcat 9 Installation on Linux (RHEL and clones)
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Setup
Set the relevant environment variables. The paths below are for the Tomcat 8.0 and JDK 8 installation used in this example; adjust them for your versions (Tomcat 10.1 onward requires Java 11 or later).

export JAVA_HOME=/u01/ords/jdk1.8.0_91
export CATALINA_HOME=/u01/ords/apache-tomcat-8.0.35
export CATALINA_BASE=$CATALINA_HOME
Using a Keystore
Use this section if you plan on using a keystore.
Create Keystore
Create a keystore containing a self-signed certificate. Adjust the "-dname" values, the subject alternative name and the passwords as required. The certificate is valid for 3600 days (just under 10 years). Modern browsers ignore the CN and match the hostname against the subject alternative name (SAN) extension, so the SAN is included.

mkdir -p ~/keystore
cd ~/keystore

# -genkeypair is the current name of -genkey. $JAVA_HOME/bin/keytool exists on
# every JDK; the jre/bin path only exists on JDK 8 and earlier.
# The SAN extension is what browsers check the hostname against.
$JAVA_HOME/bin/keytool -genkeypair -keyalg RSA -alias selfsigned -keystore keystore.jks \
  -dname "CN=$(hostname), OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
  -ext "SAN=dns:$(hostname)" \
  -storepass password1 -validity 3600 -keysize 2048 -keypass password1
Configure Tomcat (Keystore)
If you are using a keystore, make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works up to and including Tomcat 9; the connector-level TLS attributes (keystoreFile, keystorePass, sslProtocol, sslEnabledProtocols) are deprecated from Tomcat 8.5 and removed in Tomcat 10. Note that sslProtocol="TLS" only selects the SSLContext algorithm; it is sslEnabledProtocols that restricts which TLS versions the connector will negotiate. The keystore password is stored in the clear in server.xml, so keep that file readable only by the account Tomcat runs as. Compression is enabled on the connector; compressing responses that place attacker-influenced input alongside secrets such as session or CSRF tokens makes those secrets recoverable via the BREACH attack, so leave it off for such responses.

(1) Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

After: Amend the path and password for your keystore.

<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="250" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/home/oracle/keystore/keystore.jks" keystorePass="password1"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           URIEncoding="UTF-8"
           compression="on" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json" />

<!-- If you are using a proxy server, you may need to add the following two entries also.
           proxyName="www.example.com"
           proxyPort="443"
-->

(2) Before:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

Only keep the AJP connector if a front-end web server actually proxies to Tomcat over AJP; otherwise leave it commented out, since an AJP port reachable from other hosts is the exposure behind CVE-2020-1938 (Ghostcat). From Tomcat 8.5.51 and 9.0.31 the connector is commented out by default, binds to the loopback address and requires a shared secret (secretRequired="true"), so add address and secret attributes if you do enable it.
For Tomcat 10 onward, use the following variation of the first change. The SSLHostConfig element carries the TLS protocol list and the Certificate element points at the keystore. TLSv1.3 in the protocols list needs a JVM that supports it (Java 11, or Java 8 update 261 or later). From Tomcat 8.5 the compression attribute is spelled compressibleMimeType; the old compressableMimeType spelling is deprecated, so use the new one here.

Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->

After: Amend the path and password for your keystore.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="250" SSLEnabled="true"
           URIEncoding="UTF-8"
           compression="on" noCompressionUserAgents="gozilla, traviata"
           compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/home/oracle/keystore/keystore.jks"
                     certificateKeystorePassword="password1"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Using Certificates and Keys
Use this method if you plan to use a certificate and key, rather than a keystore. You can generate self-signed certificates, or use real certificates from a certificate authority.
- Self-Signed Certificates - keytool (Java)
- Let's Encrypt - Free Certificates on Oracle Linux (CertBot)
In this example, we are using the certificates created using Let's Encrypt for a domain called "example.com". Make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works up to and including Tomcat 9. Because it uses the Http11AprProtocol connector it requires the Tomcat Native (APR) library to be installed; on Tomcat 8.0, PEM certificate and key files can only be used with that connector. Certbot stores the private key under "/etc/letsencrypt" readable only by root, so the account Tomcat runs as needs read access to the files (for example, copy them with restricted ownership from a certbot deploy hook), and Tomcat must be restarted after each renewal to pick up the new certificate.

(1) Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

After: Amend the paths to your certificate, key and chain files.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
           SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
           SSLCertificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
           SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.2"
           URIEncoding="UTF-8" />

<!-- If you are using a proxy server, you may need to add the following two entries also.
           proxyName="www.example.com"
           proxyPort="443"
-->

SSLVerifyClient="optional" asks every client for a certificate during the handshake (browsers with client certificates installed will prompt the user); set it to "none" unless you are deliberately using client certificate authentication.

(2) Before:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

Only keep the AJP connector if a front-end web server actually proxies to Tomcat over AJP; otherwise leave it commented out.
For Tomcat 10 onward, use the following variation of the first change. With the SSLHostConfig style the PEM files work with the NIO (JSSE) connector, so the APR library is not required. From Tomcat 8.5 the compression attribute is spelled compressibleMimeType; the old compressableMimeType spelling is deprecated, so use the new one here.

Before:

<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->

After: Amend the paths to your certificate, key and chain files.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="250" SSLEnabled="true"
           URIEncoding="UTF-8"
           compression="on" noCompressionUserAgents="gozilla, traviata"
           compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" />
    </SSLHostConfig>
</Connector>
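Before restarting, it is worth checking the edited server.xml for the mistakes that the keystore and certificate sections above are prone to: a connector that never pins its TLS versions, the pre-Tomcat-10 attributes left in a Tomcat 10 file, a keystore password sitting in the config, an optional client-certificate prompt, or an AJP connector left open. The following Python script is an added example for this article (it is not code from Tomcat or from the original page) that performs that static audit. The two server.xml fragments embedded in it are constructed for the demonstration from the configurations shown above; the severity levels and messages are the script's own.

```python
"""Static audit of the TLS and AJP Connector settings in a Tomcat server.xml.

Added example for this article, not code from Tomcat or the original page. It
reads both connector styles shown above and reports weak TLS versions, missing
version pins, attributes Tomcat 10 no longer accepts, keystore passwords in the
file, client-certificate prompts and AJP connectors exposed without a secret.
The server.xml fragments at the bottom are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what Tomcat's "all" expands to
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}                # never offer these
# Connector-level TLS attributes of the pre-8.5 style; removed in Tomcat 10.
LEGACY_TLS_ATTRS = ("keystoreFile", "keystorePass", "sslProtocol", "sslEnabledProtocols",
                    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLProtocol")
PASSWORD_NOTE = "keystore password is in server.xml; make the file readable by the tomcat user only"
CLIENT_CERT_NOTE = "=optional asks every client for a certificate; use none unless you want mutual TLS"

def parse_protocols(value):
    """Expand a Tomcat protocol list ("TLSv1.2,TLSv1.3", "all,-TLSv1", or the
    APR style "TLSv1+TLSv1.2") into the set of versions actually offered."""
    enabled, removed = set(), set()
    for item in (i.strip() for i in re.split(r"[,+]", value)):
        if item.startswith("-"):
            removed.add(item[1:])
        elif item.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif item:
            enabled.add(item)
    return enabled - removed

def check_protocols(port, protos, missing_msg):
    # One finding about the offered TLS versions, or None when they are fine.
    if protos is None:
        return (port, "warn", missing_msg)
    bad = sorted(parse_protocols(protos) & WEAK)
    return (port, "fail", "weak protocols enabled: " + ", ".join(bad)) if bad else None

def audit_tls_connector(conn):
    """Findings for one SSLEnabled="true" connector as (port, level, message)."""
    port, out = conn.get("port", "?"), []
    host_configs = conn.findall("SSLHostConfig")
    if host_configs:  # Tomcat 8.5+ / Tomcat 10 style
        for hc in host_configs:
            out.append(check_protocols(port, hc.get("protocols"), "SSLHostConfig has no protocols "
                       "attribute; the default 'all' offers TLSv1/TLSv1.1 wherever the JVM allows them"))
            if hc.get("certificateVerification", "none") == "optional":
                out.append((port, "info", "certificateVerification" + CLIENT_CERT_NOTE))
            if any(c.get("certificateKeystorePassword") for c in hc.findall("Certificate")):
                out.append((port, "info", PASSWORD_NOTE))
    else:  # pre-Tomcat-10 connector-level attributes
        used = [a for a in LEGACY_TLS_ATTRS if conn.get(a) is not None]
        if used:
            out.append((port, "warn", "pre-Tomcat-10 TLS attributes (removed in Tomcat 10): " + ", ".join(used)))
        out.append(check_protocols(port, conn.get("sslEnabledProtocols") or conn.get("SSLProtocol"),
                   "no sslEnabledProtocols/SSLProtocol; TLS versions left to JVM or OpenSSL defaults"))
        if conn.get("keystorePass"):
            out.append((port, "info", PASSWORD_NOTE))
        if conn.get("SSLVerifyClient", "none") == "optional":
            out.append((port, "info", "SSLVerifyClient" + CLIENT_CERT_NOTE))
    return [f for f in out if f is not None]

def audit_ajp_connector(conn):
    """An AJP port reachable from other hosts with no shared secret is the
    exposure exploited by Ghostcat (CVE-2020-1938)."""
    port = conn.get("port", "?")
    loopback = conn.get("address") in ("127.0.0.1", "::1", "localhost")
    if not loopback and conn.get("secret") is None:
        return [(port, "fail", "AJP connector listens beyond loopback with no secret; comment it "
                               "out unless a web server proxies to it, otherwise set address and secret")]
    return []

def audit_server_xml(xml_text):
    # Commented-out connectors are dropped by the parser, as Tomcat itself would drop them.
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            findings.extend(audit_ajp_connector(conn))
        elif conn.get("SSLEnabled", "false").lower() == "true":
            findings.extend(audit_tls_connector(conn))
    return findings

# Constructed fragments: pre-10 keystore connector with no version pin plus the default AJP
# connector, and a Tomcat 10 connector pinned to TLS 1.2/1.3.
LEGACY_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" maxThreads="250" SSLEnabled="true"
             scheme="https" secure="true" keystoreFile="/home/oracle/keystore/keystore.jks"
             keystorePass="password1" clientAuth="false" sslProtocol="TLS" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

TOMCAT10_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeystoreFile="/home/oracle/keystore/keystore.jks"
                   certificateKeystorePassword="password1" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml_text in (("legacy", LEGACY_XML), ("tomcat10", TOMCAT10_XML)):
        for port, level, msg in audit_server_xml(xml_text):
            print(f"[{name}] port {port} {level.upper()}: {msg}")
```

To audit a real installation, pass the file contents to audit_server_xml. The script only sees what is written in the file, so after restarting Tomcat also confirm the live behaviour, for example that openssl s_client -connect server:8443 -tls1_1 is refused while -tls1_2 completes a handshake.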
Restart Tomcat
Restart Tomcat in the normal way.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
You will now be able to access Tomcat using both HTTP and HTTPS. With a self-signed certificate the browser will warn until you trust the certificate or replace it with one issued by a CA.

http://server:8080/
https://server:8443/
For more information see:
- Apache Tomcat 10 Installation on Linux (RHEL and clones)
- Apache Tomcat 9 Installation on Linux (RHEL and clones)
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Hope this helps. Regards Tim...