Apache Tomcat : Enable HTTPS
This article shows how to enable HTTPS for Tomcat. It uses a self-signed certificate, but you could replace this with a valid Certificate Authority (CA) certificate.
This article includes the two types of HTTPS configuration required: one for versions prior to Tomcat 10, and one for Tomcat 10 onward.
Related articles.
- Apache Tomcat 10 Installation on Linux (RHEL and clones)
- Apache Tomcat 9 Installation on Linux (RHEL and clones)
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Setup
Set the relevant environment variables.
export JAVA_HOME=/u01/ords/jdk1.8.0_91
export CATALINA_HOME=/u01/ords/apache-tomcat-8.0.35
export CATALINA_BASE=$CATALINA_HOME
Using a Keystore
Use this section if you plan on using a keystore.
Create Keystore
Create a keystore containing a self-signed certificate. Adjust the "-dname" values and passwords as required. The certificate is valid for about 10 years.
mkdir -p ~/keystore
cd ~/keystore
$JAVA_HOME/jre/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks \
  -dname "CN=`hostname`, OU=My Department, O=My Company, L=Birmingham, ST=West Midlands, C=GB" \
  -storepass password1 -validity 3600 -keysize 2048 -keypass password1
Configure Tomcat (Keystore)
If you are using a keystore, make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works fine up to and including Tomcat 9.
(1)
Before:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
After: Amend path and password for your keystore.
<Connector port="8443" protocol="HTTP/1.1"
maxThreads="250" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/oracle/keystore/keystore.jks"
keystorePass="password1"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
URIEncoding="UTF-8"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
/>
<!--
If you are using a proxy server, you may need to add the following two entries also.
proxyName="www.example.com"
proxyPort="443"-->
(2)
Before:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
After:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
For Tomcat 10 onward, use the following variation of the first bit of the config.
Before:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
After: Amend path and password for your keystore.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="250" SSLEnabled="true"
URIEncoding="UTF-8"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
>
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig protocols="TLSv1.2,TLSv1.3">
<Certificate certificateKeystoreFile="/home/oracle/keystore/keystore.jks"
certificateKeystorePassword="password1"
type="RSA" />
</SSLHostConfig>
</Connector>
Using Certificates and Keys
Use this method if you plan to use a certificate and key, rather than a keystore. You can generate self-signed certificates, or use real certificates from a certificate authority.
- Self-Signed Certificates - keytool (Java)
- Let's Encrypt - Free Certificates on Oracle Linux (CertBot)
In this example, we are using the certificates created using Let's Encrypt for a domain called "example.com". Make the following two changes to the "$CATALINA_BASE/conf/server.xml" file. This method works fine up to and including Tomcat 9.
(1)
Before:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
After: Amend the certificate, key and chain file paths to match your own.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem"
SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
SSLCertificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"
URIEncoding="UTF-8"
/>
<!--
If you are using a proxy server, you may need to add the following two entries also.
proxyName="www.example.com"
proxyPort="443"-->
(2)
Before:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
After:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" URIEncoding="UTF-8" />
For Tomcat 10 onward, use the following variation of the first bit of the config.
Before:
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
After: Amend the certificate, key and chain file paths to match your own.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="250" SSLEnabled="true"
URIEncoding="UTF-8"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"
>
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig protocols="TLSv1.2,TLSv1.3">
<Certificate certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" />
</SSLHostConfig>
</Connector>
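The two server.xml styles shown above (a protocol list on the Connector itself before Tomcat 10, a "protocols" attribute on a nested SSLHostConfig from Tomcat 10 onward, plus the APR-style "SSLProtocol" form used with certificate files) are easy to get subtly wrong, and an old TLS version left enabled is the usual mistake. The following script is an added example, not code from the article or from the Tomcat project: it parses a server.xml, finds every SSLEnabled connector, reports legacy protocol versions that are still enabled and keystore passwords that are well-known placeholders. The function names and the embedded sample server.xml are this example's own constructions.

```python
"""Audit the TLS connectors declared in a Tomcat server.xml.

Added example; not part of Tomcat or of the original article. It handles the
pre-Tomcat-10 form (sslEnabledProtocols / SSLProtocol on the Connector) and
the Tomcat 10 form (protocols on a nested SSLHostConfig). All names here are
this example's own.
"""
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Well-known default or placeholder keystore passwords (constructed list).
PLACEHOLDER_PASSWORDS = {"changeit", "password", "password1"}


def enabled_protocols(value):
    """Parse a comma-separated protocol list into the set of enabled names.

    APR-style lists may carry +/- prefixes ("+TLSv1.2,-SSLv3"); a "-" entry is
    disabled and dropped. Returns None for "all", meaning no restriction was
    configured and Tomcat's own default set applies.
    """
    enabled = set()
    for item in value.split(","):
        item = item.strip()
        if not item or item.startswith("-"):
            continue
        item = item.lstrip("+")
        if item.lower() == "all":
            return None
        enabled.add(item)
    return enabled


def audit_connector(conn):
    """Return a list of finding strings for one SSL-enabled <Connector>."""
    findings = []
    host_configs = conn.findall("SSLHostConfig")
    if host_configs:
        # Tomcat 10 style: the protocol list lives on each SSLHostConfig.
        sources = [hc.get("protocols") for hc in host_configs]
    else:
        # Pre-Tomcat-10 style: JSSE uses sslEnabledProtocols, APR uses SSLProtocol.
        sources = [conn.get("sslEnabledProtocols") or conn.get("SSLProtocol")]
    for value in sources:
        if value is None:
            findings.append("no explicit protocol list; Tomcat's default set applies")
            continue
        enabled = enabled_protocols(value)
        if enabled is None:
            findings.append('protocol list is "all"; legacy versions may be enabled')
            continue
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    # Keystore passwords sit on the Connector (pre-10) or on Certificate (10+).
    passwords = [conn.get("keystorePass")]
    passwords += [c.get("certificateKeystorePassword") for c in conn.iter("Certificate")]
    for pw in passwords:
        if pw and pw in PLACEHOLDER_PASSWORDS:
            findings.append("keystore password is a well-known placeholder")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        report[conn.get("port", "?")] = audit_connector(conn)
    return report


# Constructed sample server.xml: one pre-10 connector with a legacy protocol
# and a placeholder password, one Tomcat 10 connector restricted to TLS 1.2/1.3.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="/home/oracle/keystore/keystore.jks"
               keystorePass="changeit"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.2" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/home/oracle/keystore/keystore.jks"
                     certificateKeystorePassword="example-strong-passphrase"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"port {port}: " + ("; ".join(findings) if findings else "ok"))
```

To check a real installation, read "$CATALINA_BASE/conf/server.xml" into a string and pass it to audit_server_xml; an empty finding list for a connector means its protocol list is explicit and contains only TLSv1.2/TLSv1.3 and its keystore password is not a known placeholder.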
Restart Tomcat
Restart Tomcat in the normal way.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
You will now be able to access Tomcat using both HTTP and HTTPS.
http://server:8080/
https://server:8443/
For more information see:
- Apache Tomcat 10 Installation on Linux (RHEL and clones)
- Apache Tomcat 9 Installation on Linux (RHEL and clones)
- Apache Tomcat 8 Installation on Linux (RHEL and clones)
- Self-Signed Certificates - keytool (Java)
Hope this helps. Regards Tim...