
Apache Tomcat SSL



This document contains instructions for configuring Tomcat 8 for SSL.

This section describes how to configure Apache Tomcat on Debian and Red Hat distributions and enable HTTPS communication.

  1. Copy the keystore created during Managing PKI Keys to the /usr/local/tomcat8/conf folder:

    sudo cp src/test/resources/certs/mykeystore /usr/local/tomcat8/conf

  2. Edit the /usr/local/tomcat8/conf/server.xml file:

    vi /usr/local/tomcat8/conf/server.xml

  3. Add the following to server.xml:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxThreads="200"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/mykeystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

    Notice the ciphers attribute. It disables the weak Diffie-Hellman cipher suites that Tomcat 7 enables by default.

  4. Save and exit the file.

  5. Restart Tomcat (Debian):

    sudo /etc/init.d/tomcat8 restart

    Red Hat users:

    /usr/local/tomcat8/bin/shutdown.sh
    /usr/local/tomcat8/bin/startup.sh

  6. Verify the setup by signing on to the Tomcat Manager app with the credentials userId: tcmanager, password: m@nager123

    1. non-SSL - local: http://localhost:8080/manager, remote: http://fortressdemo2.com:8080/manager

    2. SSL - local: https://localhost:8443/manager, remote: https://fortressdemo2.com:8443/manager

    Accept the self-signed certificate when the warning dialog appears.
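As an added check that is not part of the original instructions, the following Python script parses a server.xml fragment (a constructed, trimmed copy of the Connector from step 3, embedded inline) and reports which suites in the ciphers attribute should not be offered: NULL (no encryption), RC4, 3DES, DES, export and anonymous suites, plus static-RSA suites that give no forward secrecy. The marker table and reason strings are this example's own, not Tomcat's.

```python
"""Audit the HTTPS <Connector> in a Tomcat server.xml for weak cipher suites.

Added example, not part of the original instructions. Point it at a real
server.xml by reading the file instead of SAMPLE_SERVER_XML.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the Connector from step 3.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="200"
  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="conf/mykeystore" keystorePass="changeit"
  clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

# Substrings (hypothetical table for this example) that mark a suite as
# unacceptable, checked in order, with the reason reported for each.
WEAK_MARKERS = {
    "_NULL_": "no encryption",
    "_RC4_": "RC4 is broken",
    "_3DES_": "3DES (Sweet32)",
    "_DES_": "single DES",
    "_EXPORT_": "export grade",
    "_anon_": "anonymous (no server authentication)",
}

def classify_suite(name):
    """Return a reason string if the suite is weak, else None."""
    for marker, reason in WEAK_MARKERS.items():
        if marker in name:
            return reason
    # Static RSA key exchange (TLS_RSA_*) has no forward secrecy: a leaked
    # server key decrypts recorded sessions.
    if name.startswith("TLS_RSA_"):
        return "no forward secrecy"
    return None

def audit_connectors(server_xml):
    """Return {port: {suite: reason}} for every SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        suites = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        weak = {s: classify_suite(s) for s in suites}
        findings[conn.get("port")] = {s: r for s, r in weak.items() if r}
    return findings

if __name__ == "__main__":
    for port, weak in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}: {len(weak)} weak suite(s)")
        for suite, reason in weak.items():
            print(f"  {suite}: {reason}")
```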

This is free and unencumbered software released into the public domain.