Tomcat SSL Connector
Tomcat will first need a SSL Connector configured before it can accept secure connections.
Note: By default Tomcat will look for your Keystore with the file name .keystore in the CATALINA_Home directory with the default password ‘changeit’.
Commonly found CATALINA_HOME Directories
Unix, Linux or *nix — /etc/tomcat5.5
Windows — C:\Program Files\Apache Software Foundation\Tomcat 5.5\
It is possible to change the file name, password, and even location that Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 2 or #5 of Option 1 below.
Option 1 — Configure the SSL Connector in server.xml:
- Copy your keystore file (your_domain.key or your_domain.pfx) to the home directory (see the Note above)
- Open the file Home_Directory/conf/server.xml in a text editor
- Un-comment the ‘SSL Connector’ Configuration
- Make sure that the ‘Connector Port’ is 443
- If your keystore filename is something other than the default file name (.keystore) and/or your keystore password is something other than default (‘changeit’) then you will need to specify the correct keystore filename and/or password in your connector configuration — ex. keystorePass=”newpassword”. When you are done your connector should look something like this:
To use a JKS (Java Key Store) file:
< Connector port=”443″ maxHttpHeaderSize=”8192″ maxThreads=”150″
minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false”
disableUploadTimeout=”true” acceptCount=”100″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”conf/user_name/your_domain.key”
keystorePass=”your_keystore_password”/>
To use a PFX/P12 (PKCS#12) file:
< Connector port=”443″ maxHttpHeaderSize=”8192″ maxThreads=”150″
minSpareThreads=”25″ maxSpareThreads=”75″ enableLookups=”false”
disableUploadTimeout=”true” acceptCount=”100″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS” keystoreFile=”conf/your_domain.pfx”
keystorePass=”your_keystore_password” keystoreType=”PKCS12″/>
6. Save the changes to server.xml
Note: You may need to comment out the following line:
<Listener className=”org.apache.catalina.core.AprLifecycleListener” SSLEngine=”on” />
like so:
< !–
<Listener className=”org.apache.catalina.core.AprLifecycleListener” SSLEngine=”on”
/>
–>
Note2: You may also need to set SSLEnabled=”true”on the Connector in order for
the SSL connection to work or else an HTTP only connection may be made. However,
this is often not required.
7. Restart Tomcat
Please remember all Connector arguments are case sensitive!
Option 2 — Add an SSL Connector using admintool:
- Start Tomcat
- Enter ‘http://localhost:8080/admin’ in a local browser to start admintool
- Type a username and password with administrator rights
- On the left select ‘Service’ (Java Web Services Developer Pack)
- Select ‘Create New Connector’ from the drop-down list on the right
- Choose ‘HTTPS’ in the ‘Type’ field
- In the ‘Port’ field, enter ‘443’. This defines the TCP/IP port number on which Tomcat will listen for secure connections
- Enter the Keystore Name and Keystore Password if (a.) your keystore is named something other than .keystore, (b.) if .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or if (c.) the password is something other than the default value of ‘changeit’. If you have used the default values, you can leave these fields blank.
- Select ‘Save’ to save the new Connector
- Select ‘Commit Changes’ to save the new Connector information to the server.xml file so that it is available the next time Tomcat is started