Apache Tomcat 9.0 - SSL Configuration Procedures
1. Generate the Certificate Keystore
[oracle@danbrother ~]$ keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: DanBrother
What is the name of your organizational unit?
[Unknown]: home
What is the name of your organization?
[Unknown]: home
What is the name of your City or Locality?
[Unknown]: Taipei
What is the name of your State or Province?
[Unknown]: Taiwan
What is the two-letter country code for this unit?
[Unknown]: TW
Is CN=DanBrother, OU=home, O=home, L=Taipei, ST=Taiwan, C=TW correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password):
To verify that the .keystore file has been created:
[oracle@danbrother ~]$ ls -al .keystore
-rw-r--r--. 1 oracle dba 2223 Sep 20 11:07 .keystore
2. Edit Tomcat's Main Configuration File (server.xml) to enable SSL and disable HTTP
[oracle@danbrother ~]$ export CATALINA_BASE=/source/apache-tomcat-9.0.0.M10
[oracle@danbrother ~]$ cd $CATALINA_BASE/conf
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
To enable SSL, replace the commented-out Connector block above in server.xml with the following:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           keystoreFile="/home/oracle/.keystore" keystorePass="YourPass" scheme="https"
           secure="true" clientAuth="false" sslProtocol="TLS"
           maxThreads="200" SSLEnabled="true">
</Connector>
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
To disable HTTP, comment out the port 8080 Connector shown above in server.xml, as follows:
<!--
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
3. Restart the CATALINA Server (Apache Tomcat Server)
[oracle@danbrother conf]$ cd ../bin
[oracle@danbrother bin]$ ./shutdown.sh && ./startup.sh
[oracle@danbrother bin]$ netstat -tnlp |grep -e 8080 -e 8443
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp6 0 0 :::8443 :::* LISTEN 5710/java
Open the browser and enter the following URL:
https://127.0.0.1:8443
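As an added check that is not part of the original procedure or of Tomcat itself, the following Python script parses a server.xml and reports any Connector that is still plain HTTP, or any TLS connector missing the scheme, secure or keystore settings from step 2. The embedded server.xml is a constructed sample mirroring the edits above; pass the path of a real server.xml as the first argument to audit that file instead.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of server.xml after step 2: the plain HTTP connector on
# 8080 is commented out and only the TLS connector on 8443 remains active.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="/home/oracle/.keystore" keystorePass="YourPass" scheme="https"
               secure="true" clientAuth="false" sslProtocol="TLS"
               maxThreads="200" SSLEnabled="true">
    </Connector>
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return findings for every Connector that is still active in server.xml.
    ElementTree discards XML comments while parsing, so a Connector that was
    commented out in step 2 never reaches this loop: only live listeners are checked.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plain HTTP connector is still active")
            continue
        # A TLS connector should also be marked https/secure so redirects work.
        for attr, wanted in (("scheme", "https"), ("secure", "true")):
            if conn.get(attr, "").lower() != wanted:
                findings.append(f"port {port}: {attr} should be {wanted!r}")
        # Either the legacy keystoreFile attribute or a nested SSLHostConfig
        # must supply the certificate; keystorePass is clear text in this file,
        # so server.xml itself must stay readable only by the Tomcat user.
        if "keystoreFile" not in conn.attrib and conn.find("SSLHostConfig") is None:
            findings.append(f"port {port}: no keystore or SSLHostConfig configured")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    problems = audit_connectors(text)
    print("\n".join(problems) if problems else "OK: only TLS connectors are active")
```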
[Reference]
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html