Configuring SSL for Apache Tomcat

Create a keystore, import the Secure Sockets Layer (SSL) certificate, and edit the conf/server.xml file to define a connector for SSL on Apache Tomcat.

About this task

Follow the steps in this procedure to configure SSL on Apache Tomcat. See SSL Configuration HOW-TO for more details and examples of configuring SSL for Apache Tomcat.

Procedure

  1. Create a keystore for your web server. You can use the Java™ keytool command to create a keystore that holds a new RSA key pair. Request a 2048-bit key explicitly, because keytool releases before Java 8 default to 1024 bits, and note the keystore password you enter: it must match the keystorePass value in step 3.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /path/to/keystore.jks
  2. Import the SSL certificate and the corresponding chain certificate into your keystore by following the instructions provided by the certificate authority. Import the chain (root and intermediate) certificates first, then import the signed server certificate under the same alias that you used in step 1 (tomcat); if you use a different alias, keytool stores it as a trusted certificate instead of attaching it to your private key.
  3. Edit the conf/server.xml file to define a connector to use SSL. This connector must point to your keystore. Because keystorePass is stored in clear text, restrict read access to conf/server.xml to the account that runs Tomcat.
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore.jks"
               keystorePass="mypassword" />
  4. To enable TLS v1.2, which iOS 9 requires, add the following attribute to the <Connector> element. This list also keeps TLS v1.1, TLS v1 and the SSLv2Hello handshake format enabled for older clients; if all of your clients support TLS v1.2, list only TLSv1.2 so that a client cannot negotiate the server down to a deprecated protocol.
    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
    The result should be similar to this example:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore.jks"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
               keystorePass="mypassword" />
    You must use a JRE that supports TLS v1.2.
    • Oracle JRE 1.7.0_75 or later
    • Oracle JRE 1.8.0_31 or later
  5. Restart the web server. You can then reach it at https://myserver:8443/... Confirm with a TLS client (for example openssl s_client) that the server negotiates TLS v1.2 and presents the full certificate chain you imported in step 2.
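The following script is an added example and is not part of the original procedure or of Apache Tomcat itself. It audits the SSL-enabled connectors in a server.xml like the one configured in steps 3 and 4 and reports what a reviewer would check afterwards: legacy protocols still listed in sslEnabledProtocols, TLSv1.2 missing, a keystoreFile that does not exist, a plaintext keystorePass, and scheme/secure not set for HTTPS. The embedded server.xml is constructed from the connector shown above, and the file name audit_tomcat_ssl.py is an assumption.

```python
"""Audit the SSL-enabled <Connector> elements in a Tomcat server.xml.

Added example; not part of Tomcat or of the original procedure.
Per connector it checks that sslEnabledProtocols includes TLSv1.2 and no
legacy protocol, that keystoreFile exists, that keystorePass is not kept
in plaintext, and that scheme/secure describe an HTTPS connector.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Names that should not appear in sslEnabledProtocols on a hardened
# connector (SSLv2Hello is the legacy hello format, not a protocol version).
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, not a real server.xml: the connector from the
# procedure above plus a plain HTTP connector that the audit must skip.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore.jks"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
               keystorePass="mypassword" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_connector(conn, base_dir="."):
    """Return a list of findings (strings) for one SSL-enabled Connector.

    base_dir stands in for $CATALINA_BASE, against which Tomcat resolves
    a relative keystoreFile.
    """
    findings = []
    port = conn.get("port", "?")

    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        findings.append(f"port {port}: sslEnabledProtocols is not set, so the "
                        "JRE default decides which protocol versions are offered")
    else:
        protos = {p.strip() for p in enabled.split(",") if p.strip()}
        if "TLSv1.2" not in protos:
            findings.append(f"port {port}: TLSv1.2 is not enabled")
        for legacy in sorted(protos & LEGACY_PROTOCOLS):
            findings.append(f"port {port}: legacy protocol {legacy} is still enabled")

    keystore = conn.get("keystoreFile")
    if keystore is None:
        findings.append(f"port {port}: keystoreFile is not set")
    else:
        path = keystore if os.path.isabs(keystore) else os.path.join(base_dir, keystore)
        if not os.path.isfile(path):
            findings.append(f"port {port}: keystoreFile {keystore} does not exist")

    if conn.get("keystorePass"):
        findings.append(f"port {port}: keystorePass is stored in plaintext; "
                        "restrict read access to server.xml")

    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        findings.append(f"port {port}: scheme/secure are not set for HTTPS, so "
                        "request.getScheme() and request.isSecure() will not report it")
    return findings


def audit_server_xml(xml_text, base_dir="."):
    """Parse server.xml text and audit every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP and AJP connectors are out of scope
        findings.extend(audit_connector(conn, base_dir))
    return findings


if __name__ == "__main__":
    # Usage: python audit_tomcat_ssl.py [conf/server.xml [CATALINA_BASE]]
    # Without arguments the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        if len(sys.argv) > 2:
            base = sys.argv[2]
        else:  # assume the usual layout: CATALINA_BASE/conf/server.xml
            base = os.path.dirname(os.path.dirname(os.path.abspath(sys.argv[1])))
    else:
        text, base = SAMPLE_SERVER_XML, "."
    for line in audit_server_xml(text, base) or ["no findings"]:
        print(line)
```

Run against the sample, the script reports three legacy protocols (SSLv2Hello, TLSv1, TLSv1.1), the missing keystore file and the plaintext password; after changing the attribute to sslEnabledProtocols="TLSv1.2" only the keystore and password findings remain, which is the state you want before restarting in step 5.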