SSL/TLS Support on Tomcat 8 or Older

This section provides a tutorial example on how to configure Tomcat 8 or older to support SSL/TLS for the HTTPS service.

If you are still using a Tomcat 8 or older release, you need to follow this tutorial to configure SSL/TLS support.

1. Decide which certificate file format to use. Tomcat 8 or older releases support only two file formats: JKS and PKCS12. Both formats can be managed by the JDK command "keytool"; PKCS12 can also be managed by the "openssl pkcs12" command.

2. Convert the certificate files from PEM format into a single PKCS12 file, also called a keystore file, then move it to the "conf" directory:

herong$ cat server.cert.pem server.key.pem > server.pair.pem

herong$ sudo openssl pkcs12 -export -out server.p12 -name "MyWeb" \
  -in server.pair.pem -certfile ca-chain.cert.pem
Enter Export Password: TopSecret
Verifying - Enter Export Password: TopSecret

herong$ mv server.p12 $TOMCAT_HOME/conf

3. Update the configuration file to turn on the HTTPS service by enabling the port="8443" connector and specifying the certificate-related settings. Don't forget to provide the keystorePass setting.

herong$ sudo vi conf/server.xml

...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="conf/server.p12" keystoreType="PKCS12"
    keystorePass="TopSecret"
/>

4. Restart Tomcat and check the log file. You should see the port 8443 connector started with no errors (with the Http11Protocol connector above, its ProtocolHandler is logged as ["http-bio-8443"]):

herong$ $TOMCAT_HOME/bin/shutdown.sh

herong$ $TOMCAT_HOME/bin/startup.sh

herong$ tail -100 $TOMCAT_HOME/logs/catalina.out
...
INFO: Starting ProtocolHandler ["http-bio-8080"]
Mar 10, 2024 02:54:35 org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Mar 10, 2024 02:54:35 org.apache.coyote.AbstractProtocol start
INFO: Server startup in 7046 ms

5. Open the firewall for port 8443:

herong$ sudo firewall-cmd --zone=public --add-port=8443/tcp
herong$ sudo firewall-cmd --runtime-to-permanent

6. Try to open the Tomcat home page over HTTPS in a Web browser: https://localhost:8443. You should see the home page displayed if the certificate is valid.

7. Resolve certificate exception issues if the certificate is self-signed, the root CA certificate is not trusted, the certificate is expired, etc.

For more information on HTTPS service for Apache Tomcat 8, see "The HTTP Connector" document at tomcat.apache.org/tomcat-8.0-doc/config/http.html.
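Most of the failures the steps above can produce come from the connector settings in server.xml: a missing keystorePass, a wrong keystoreFile path, an unsupported keystoreType, or an obsolete sslProtocol value. The following Python script is an added example, not part of this tutorial or of Tomcat itself: it parses a server.xml, locates the HTTPS connector and reports missing or weak settings before Tomcat is restarted. The embedded server.xml is constructed to match the connector shown in step 3, and the function names (find_https_connectors, audit_connector, audit_server_xml) and the optional catalina_base parameter are the example's own.

```python
"""Audit the HTTPS connector settings in a Tomcat 8 server.xml (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment file); the 8443 connector
# mirrors the one shown in step 3 of the tutorial.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
        connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="conf/server.p12" keystoreType="PKCS12"
        keystorePass="TopSecret"
    />
  </Service>
</Server>
"""

# Attribute values a working HTTPS connector must carry.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}
# Keystore formats the Tomcat 8.0 JSSE connector can load.
KEYSTORE_TYPES = {"JKS", "PKCS12"}
# sslProtocol values that would select an obsolete SSL version.
OBSOLETE_PROTOCOLS = {"SSL", "SSLV2", "SSLV3"}


def find_https_connectors(xml_text):
    """Return every <Connector> element that is meant to serve HTTPS."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https"]


def audit_connector(conn, catalina_base=None):
    """Return a list of human-readable findings for one HTTPS connector.

    catalina_base (hypothetical parameter), when given, is used to check that
    keystoreFile exists; Tomcat resolves a relative keystoreFile against
    $CATALINA_BASE.
    """
    findings = []
    for attr, want in REQUIRED.items():
        got = conn.get(attr)
        if got is None or got.lower() != want:
            findings.append(f'{attr} should be "{want}" (found {got!r})')

    ktype = conn.get("keystoreType", "JKS")  # Tomcat's default when omitted
    if ktype.upper() not in KEYSTORE_TYPES:
        findings.append(f"keystoreType {ktype!r} is not supported by Tomcat 8.0 (use JKS or PKCS12)")

    kfile = conn.get("keystoreFile")
    if not kfile:
        findings.append("keystoreFile is missing")
    elif catalina_base is not None:
        path = kfile if os.path.isabs(kfile) else os.path.join(catalina_base, kfile)
        if not os.path.isfile(path):
            findings.append(f"keystoreFile {path!r} does not exist")

    if conn.get("keystorePass") is None:
        findings.append('keystorePass is missing; Tomcat will fall back to the default "changeit"')
    else:
        # The password has to be in server.xml in clear text for Tomcat to read
        # it, so the file's permissions are what protect it.
        findings.append("keystorePass is stored in clear text in server.xml; "
                        "keep server.xml readable only by the Tomcat user")

    proto = conn.get("sslProtocol", "TLS")
    if proto.upper() in OBSOLETE_PROTOCOLS:
        findings.append(f"sslProtocol {proto!r} selects an obsolete protocol; use TLS")
    return findings


def audit_server_xml(xml_text, catalina_base=None):
    """Map each HTTPS connector's port to its list of findings."""
    return {c.get("port", "?"): audit_connector(c, catalina_base)
            for c in find_https_connectors(xml_text)}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"Connector on port {port}:")
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run against a real installation by reading $TOMCAT_HOME/conf/server.xml and passing $TOMCAT_HOME as catalina_base; on the sample above the only finding is the note that keystorePass sits in clear text, which is expected for Tomcat 8 and is the reason the file should stay readable only by the Tomcat user.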
