
Tomcat 8.5 Configuring HTTPS Connector

Endi S. Dewata edited this page Sep 14, 2023 · 1 revision

Table of Contents

SSL Implementation

SSL Ciphers

SSL Client Authentication

<Connector ...>

    <SSLHostConfig ... certificateVerification="optional">

        <Certificate ... />

    </SSLHostConfig>

</Connector>

SSL Connectors

HTTP/1.1 Connector with JSSE NIO implementation:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           port="8443" .../>

HTTP/1.1 Connector with JSSE NIO2 implementation:

<Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           port="8443" .../>

HTTP/1.1 Connector with JSSE NIO implementation and OpenSSL:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           .../>

HTTP/1.1 Connector with APR implementation:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" .../>

SSL Keystore

JKS Keystore

$ $JAVA_HOME/bin/keytool -genkey -alias sslserver -keyalg RSA -keystore /usr/share/tomcat/keystore
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true">

    <SSLHostConfig sslProtocol="SSL" ...>

        <Certificate certificateKeystoreType="jks"
                     certificateKeystoreFile="/usr/share/tomcat/keystore"
                     certificateKeystorePass="Secret.123"
                     certificateKeyAlias="sslserver" />

    </SSLHostConfig>

</Connector>
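The connector, keystore and client-authentication snippets above all share one structure: a Connector with SSLEnabled="true" that contains an SSLHostConfig, which in turn contains a Certificate pointing at the keystore. Because XML is case sensitive, a closing tag such as </sslhostconfig> is a parse error, and a connector missing scheme="https" or secure="true" is accepted by Tomcat but misbehaves later. The following lint script is an added example, not code from this wiki page, Dogtag PKI or Tomcat; it assumes only the element and attribute names shown on the page (including the certificateVerification values none, optional, optionalNoCA and required) and checks the keystore-based Certificate form used here. The server.xml fragments inside it are constructed samples.

```python
"""Sanity-check the HTTPS <Connector> elements of a Tomcat 8.5 server.xml.

Added example; not code from the wiki page, Dogtag PKI or Tomcat. It assumes
the Connector > SSLHostConfig > Certificate layout the page shows and checks
only the keystore-based Certificate attributes used there.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's JKS connector with optional client
# certificate verification, next to a plain HTTP connector.
GOOD_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
             maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig sslProtocol="SSL" certificateVerification="optional">
      <Certificate certificateKeystoreType="jks" certificateKeystoreFile="/usr/share/tomcat/keystore"
                   certificateKeystorePass="Secret.123" certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample with mistakes: no scheme/secure, an invalid
# certificateVerification value, and a PKCS #11 Certificate without a provider.
BAD_SERVER_XML = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig certificateVerification="maybe">
      <Certificate certificateKeystoreType="pkcs11" certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample with a closing tag in the wrong case: XML tag names are
# case sensitive, so the parser rejects this before any attribute is read.
MISMATCHED_CASE_XML = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeystoreFile="/usr/share/tomcat/keystore"/></sslhostconfig>
</Connector>"""

# "HTTP/1.1" is the default and lets Tomcat choose an implementation itself.
KNOWN_PROTOCOLS = {
    "HTTP/1.1",
    "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.http11.Http11Nio2Protocol",
    "org.apache.coyote.http11.Http11AprProtocol",
}
KNOWN_IMPLEMENTATIONS = {
    "org.apache.tomcat.util.net.jsse.JSSEImplementation",
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation",
}
VERIFICATION_VALUES = {"none", "optional", "optionalNoCA", "required"}
# Attributes a <Certificate> needs for each keystore type on the page
# (assumption: pkcs12 is treated like jks, a keystore file on disk).
REQUIRED_CERT_ATTRS = {
    "jks": ("certificateKeystoreFile",),
    "pkcs12": ("certificateKeystoreFile",),
    "pkcs11": ("certificateKeystoreProvider", "certificateKeyAlias"),
}


def is_well_formed(xml_text):
    """True if the text parses as XML; mismatched tag case does not."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def lint_connector(connector):
    """Return a list of problems for one <Connector>; an empty list means it passed."""
    problems = []
    port = connector.get("port", "?")
    host_configs = connector.findall("SSLHostConfig")
    if connector.get("SSLEnabled", "false").lower() != "true":
        if host_configs:
            problems.append(f"port {port}: SSLHostConfig present but SSLEnabled is not true")
        return problems  # plain HTTP connector, nothing else to check
    for attr, expected in (("scheme", "https"), ("secure", "true")):
        if connector.get(attr) != expected:
            problems.append(f'port {port}: expected {attr}="{expected}"')
    protocol = connector.get("protocol", "HTTP/1.1")
    if protocol not in KNOWN_PROTOCOLS:
        problems.append(f"port {port}: unknown protocol {protocol!r}")
    impl = connector.get("sslImplementationName")
    if impl is not None and impl not in KNOWN_IMPLEMENTATIONS:
        problems.append(f"port {port}: unknown sslImplementationName {impl!r}")
    if not host_configs:
        problems.append(f"port {port}: SSLEnabled connector has no SSLHostConfig")
    for host_config in host_configs:
        verification = host_config.get("certificateVerification", "none")
        if verification not in VERIFICATION_VALUES:
            problems.append(f"port {port}: invalid certificateVerification {verification!r}")
        certificates = host_config.findall("Certificate")
        if not certificates:
            problems.append(f"port {port}: SSLHostConfig has no Certificate")
        for cert in certificates:
            ks_type = cert.get("certificateKeystoreType", "jks").lower()
            required = REQUIRED_CERT_ATTRS.get(ks_type)
            if required is None:
                problems.append(f"port {port}: unknown certificateKeystoreType {ks_type!r}")
                continue
            for attr in required:
                if cert.get(attr) is None:
                    problems.append(f"port {port}: {ks_type} Certificate is missing {attr}")
    return problems


def lint_server_xml(xml_text):
    """Lint every <Connector> in a server.xml document and return all problems found."""
    root = ET.fromstring(xml_text)
    problems = []
    for connector in root.iter("Connector"):
        problems.extend(lint_connector(connector))
    return problems
```

Run it against a real file with `lint_server_xml(open("/etc/tomcat/server.xml").read())`; the good sample yields an empty list, the bad sample reports four problems, and the mismatched-case sample fails `is_well_formed` before linting, which is the same failure Tomcat would report at startup.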

PKCS #11 Keystore

<Connector ...>

    <SSLHostConfig sslProtocol="SSL" ...>

        <Certificate certificateKeystoreType="pkcs11"
                     certificateKeystoreProvider="Mozilla-JSS"
                     certificateKeyAlias="sslserver" />

    </SSLHostConfig>

</Connector>

PKCS #12 Keystore

SSL Trust Manager

<Connector ...>

    <SSLHostConfig ... trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">

        <Certificate ... />

    </SSLHostConfig>

</Connector>