8i | 9i | 10g | 11g | 12c | 13c | 18c | 19c | 21c | Misc | PL/SQL | SQL | RAC | WebLogic | Linux

Home » Articles » Linux » Here

Apache Tomcat : Enable HTTPS

This article show how to enable HTTPS for Tomcat. It uses a self-signed certificate, but you could replace this with a valid Certificate Authority (CA) certificate.

This articles includes the two types of HTTPS configuration required for versions prior to Tomcat 10, and from Tomcat 10 onward.

Related articles.

Setup

Set the relevant environment variables.

export JAVA_HOME=/u01/ords/jdk1.8.0_91
export CATALINA_HOME=/u01/ords/apache-tomcat-8.0.35
export CATALINA_BASE=$CATALINA_HOME

Using a Keystore

Use this section if you plan on using a keystore.

Create Keystore

Create a keystore containing a self-signed certificate. Adjust the "-dname" values and passwords as required. The certificate is valid for about 10 years.

mkdir -p ~/keystore
cd ~/keystore

$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
   -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
   -storepass password1 -validity 3600 -keysize 2048 -keypass password1

Configure Tomcat (Keystore)

If you are using a keystore, make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works fine up to and including Tomcat 9.

(1)

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="HTTP/1.1" 
               maxThreads="250" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/oracle/keystore/keystore.jks"
               keystorePass="password1"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               URIEncoding="UTF-8"
               compression="on"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
               />
               <!--
               If you are using a proxy server, you may need to add the following two entries also.
               proxyName="www.example.com"
               proxyPort="443"-->      

(2)

Before:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

For Tomcat 10 onward, use the following variation of the first bit of the config.

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="250" SSLEnabled="true"
               URIEncoding="UTF-8"
               compression="on"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
               >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
            <Certificate certificateKeystoreFile="/home/oracle/keystore/keystore.jks"
                         certificateKeystorePassword="password1"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Using Certificates and Keys

Use this method if you plan to use a certificate and key, rather than a keystore. You can generate self-signed certificates, or use real certificates from a certificate authority.

In this example, we are using the certificates created using Let's Encrypt for a domain called "example.com". Make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works fine up to and including Tomcat 9.

(1)

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
               SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
               SSLCertificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
               SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
               SSLVerifyClient="optional" SSLProtocol="TLSv1.2"
               URIEncoding="UTF-8"
               />
               <!--
               If you are using a proxy server, you may need to add the following two entries also.
               proxyName="www.example.com"
               proxyPort="443"-->      

(2)

Before:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />

For Tomcat 10 onward, use the following variation of the first bit of the config.

Before:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

After: Amend path and password for your keystore.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="250" SSLEnabled="true"
               URIEncoding="UTF-8"
               compression="on"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
               >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
            <Certificate certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                         certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                         certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" />
        </SSLHostConfig>
    </Connector>

Restart Tomcat

Restart Tomcat in the normal way.

$CATALINA_HOME/bin/shutdown.sh

$CATALINA_HOME/bin/startup.sh

You will now be able to access Tomcat using both HTTP and HTTPs.

http://server:8080/
https://server:8443/

For more information see:

Hope this helps. Regards Tim...

Back to the Top.