{"id":162,"date":"2016-01-19T10:39:39","date_gmt":"2016-01-19T10:39:39","guid":{"rendered":"http:\/\/www.pkipartner.support\/?page_id=162"},"modified":"2016-01-19T10:39:39","modified_gmt":"2016-01-19T10:39:39","slug":"ssl-tomcat-ssl-connector","status":"publish","type":"page","link":"https:\/\/pkipartner.com\/support\/ssl-tomcat-ssl-connector\/","title":{"rendered":"SSL &#8211; Tomcat SSL Connector"},"content":{"rendered":"<h1>Tomcat SSL Connector<\/h1>\n<p>Tomcat will first need an SSL Connector configured before it can accept secure connections.<\/p>\n<p><strong>Note<\/strong>: By default Tomcat will look for your Keystore with the file name .keystore in the\u00a0CATALINA_HOME directory with the default password &#8216;changeit&#8217;.<\/p>\n<h3>Commonly found CATALINA_HOME Directories<\/h3>\n<p><strong>Unix, Linux or *nix<\/strong> &#8212; \/etc\/tomcat5.5<br \/>\n<strong>Windows<\/strong> &#8212; C:\\Program Files\\Apache Software Foundation\\Tomcat 5.5\\<\/p>\n<p>It is possible to change the file name, password, and even location where Tomcat looks for the\u00a0keystore. If you need to do this, pay special attention to #8 of Option 2 or #5 of Option 1\u00a0below.<\/p>\n<h3>Option 1 &#8212; Configure the SSL Connector in server.xml:<\/h3>\n<ol>\n<li>Copy your keystore file (your_domain.key or your_domain.pfx) to the home directory\u00a0(see the Note above)<\/li>\n<li>Open the file Home_Directory\/conf\/server.xml in a text editor<\/li>\n<li>Un-comment the &#8216;SSL Connector&#8217; Configuration<\/li>\n<li>Make sure that the &#8216;Connector Port&#8217; is 443<\/li>\n<li>If your keystore filename is something other than the default file name (.keystore)\u00a0and\/or your keystore password is something other than default (&#8216;changeit&#8217;) then you\u00a0will need to specify the correct keystore filename and\/or password in your connector\u00a0configuration &#8212; e.g. keystorePass=&quot;newpassword&quot;. 
When you are done, your\u00a0connector should look something like this:<\/li>\n<\/ol>\n<h3>To use a JKS (Java Key Store) file:<\/h3>\n<p>&lt;Connector port=&quot;443&quot; maxHttpHeaderSize=&quot;8192&quot; maxThreads=&quot;150&quot;<br \/>\nminSpareThreads=&quot;25&quot; maxSpareThreads=&quot;75&quot; enableLookups=&quot;false&quot;<br \/>\ndisableUploadTimeout=&quot;true&quot; acceptCount=&quot;100&quot; scheme=&quot;https&quot; secure=&quot;true&quot;<br \/>\nclientAuth=&quot;false&quot; sslProtocol=&quot;TLS&quot;<br \/>\nkeystoreFile=&quot;conf\/user_name\/your_domain.key&quot;<br \/>\nkeystorePass=&quot;your_keystore_password&quot;\/&gt;<\/p>\n<h3>To use a PFX\/P12 (PKCS#12) file:<\/h3>\n<p>&lt;Connector port=&quot;443&quot; maxHttpHeaderSize=&quot;8192&quot; maxThreads=&quot;150&quot;<br \/>\nminSpareThreads=&quot;25&quot; maxSpareThreads=&quot;75&quot; enableLookups=&quot;false&quot;<br \/>\ndisableUploadTimeout=&quot;true&quot; acceptCount=&quot;100&quot; scheme=&quot;https&quot; secure=&quot;true&quot;<br \/>\nclientAuth=&quot;false&quot; sslProtocol=&quot;TLS&quot; keystoreFile=&quot;conf\/your_domain.pfx&quot;<br \/>\nkeystorePass=&quot;your_keystore_password&quot; keystoreType=&quot;PKCS12&quot;\/&gt;<\/p>\n<p>6. Save the changes to server.xml<br \/>\n<strong>Note<\/strong>: You may need to comment out the following line:<br \/>\n<strong>&lt;Listener className=&quot;org.apache.catalina.core.AprLifecycleListener&quot; SSLEngine=&quot;on&quot; \/&gt;<\/strong><br \/>\nlike so:<br \/>\n&lt;!--<br \/>\n&lt;Listener className=&quot;org.apache.catalina.core.AprLifecycleListener&quot; SSLEngine=&quot;on&quot; \/&gt;<br \/>\n--&gt;<br \/>\n<strong>Note2<\/strong>: You may also need to set <strong>SSLEnabled=&quot;true&quot;<\/strong> on the Connector in order for<br \/>\nthe SSL connection to work or else an HTTP only connection may be made. 
However,<br \/>\nthis is often not required.<br \/>\n7. Restart Tomcat<\/p>\n<p><strong>Please remember all Connector arguments are case sensitive!<\/strong><\/p>\n<h3>Option 2 &#8212; Add an SSL Connector using admintool:<\/h3>\n<ol>\n<li>Start Tomcat<\/li>\n<li>Enter &#8216;http:\/\/localhost:8080\/admin&#8217; in a local browser to start admintool<\/li>\n<li>Type a username and password with administrator rights<\/li>\n<li>On the left select &#8216;Service&#8217; (Java Web Services Developer Pack)<\/li>\n<li>Select &#8216;Create New Connector&#8217; from the drop-down list on the right<\/li>\n<li>Choose &#8216;HTTPS&#8217; in the &#8216;Type&#8217; field<\/li>\n<li>In the &#8216;Port&#8217; field, enter &#8216;443&#8217;. This defines the TCP\/IP port number on which Tomcat\u00a0will listen for secure connections<\/li>\n<li>Enter the Keystore Name and Keystore Password if (a.) your keystore is named\u00a0something other than .keystore, (b.) if .keystore is located in a directory other than\u00a0the home directory of the machine on which Tomcat is running, or if (c.) the\u00a0password is something other than the default value of &#8216;changeit&#8217;. If you have used\u00a0the default values, you can leave these fields blank.<\/li>\n<li>Select &#8216;Save&#8217; to save the new Connector<\/li>\n<li>Select &#8216;Commit Changes&#8217; to save the new Connector information to the server.xml\u00a0file so that it is available the next time Tomcat is started<\/li>\n<\/ol>\n<h3>Related Article<\/h3>\n<p><a href=\"http:\/\/www.pkipartner.com\/support\/ssl-exporting-and-restoring-a-pfx-file-to-iis\/\">Exporting and Restoring a PFX file to IIS<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tomcat SSL Connector Tomcat will first need a SSL Connector configured before it can accept secure connections. 
Note: By default Tomcat will look for your Keystore with the file name .keystore in the\u00a0CATALINA_Home directory with the default password &#8216;changeit&#8217;. Commonly found CATALINA_HOME Directories Unix, Linux or *nix &#8212; \/etc\/tomcat5.5 Windows\u2026<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/pkipartner.com\/support\/ssl-tomcat-ssl-connector\/\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/162"}],"collection":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/comments?post=162"}],"version-history":[{"count":1,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/162\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/pages\/162\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/pkipartner.com\/support\/wp-json\/wp\/v2\/media?parent=162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}