Enabling SSL on Apache Tomcat
Environment
- Red Hat Enterprise Linux (RHEL)
- Red Hat JBoss Web Server (JWS)
- Apache Tomcat
Issue
- How do I set up SSL on Tomcat using a Certificate Authority such as Verisign or Thawte?
- How do I enable an end-to-end SSL configuration on JBoss Web Server 2.0?
Resolution
If the Connector's protocol attribute is left unset (or set to the generic HTTP/1.1), the container auto-selects the connector implementation according to which libraries were loaded at startup. This is NOT recommended, because the resulting TLS stack depends on the environment rather than on the configuration. Set the protocol attribute of the Connector explicitly to avoid the auto-configuration (recommended).
Tomcat has three SSL/TLS implementations:
- JSSE implementation provided as part of the Java runtime (default)
- JSSE implementation that uses OpenSSL (PEM files)
- APR implementation, which uses the OpenSSL (PEM files) engine by default
NOTE: The APR/Native HTTP Connector is DEPRECATED and has been REMOVED from Tomcat 10.1.x onwards.
To install and configure SSL/TLS support on Tomcat:
- Create a certificate following the instructions here: How to build Certificates for use with Java applications
- Uncomment the Connector entry in $CATALINA_BASE/conf/server.xml and apply one of the following changes according to the implementation (protocol) you have chosen:
JSSE Implementation
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="150"
               SSLEnabled="true"
               maxParameterCount="1000">
        <SSLHostConfig>
            <!-- If certificateKeystorePassword is omitted, Tomcat uses the well-known default "changeit". -->
            <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
JSSE OpenSSL Implementation
    <!-- Requires the Tomcat Native (tcnative) library to be loaded, normally via the AprLifecycleListener in server.xml. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               maxThreads="150"
               SSLEnabled="true"
               maxParameterCount="1000">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/path/to/certificateKey.pem"
                         certificateFile="/path/to/certificate.pem"
                         certificateChainFile="/path/to/certificateChain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
APR Implementation (Deprecated)
    <!-- Deprecated; removed from Tomcat 10.1.x onwards. Prefer the NIO connector with the OpenSSL JSSE implementation above. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150"
               SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="/path/to/certificateKey.pem"
                         certificateFile="/path/to/certificate.pem"
                         certificateChainFile="/path/to/certificateChain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
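The configuration points made in this solution (set the protocol explicitly rather than relying on auto-configuration, treat the APR connector as deprecated, and do not leave a keystore on Tomcat's default password) can be checked mechanically before a restart. The following script is an added example and is not part of this Red Hat solution or of Tomcat itself: it reads a server.xml with the standard library XML parser and reports, per SSLEnabled connector, which of those points it violates. The finding tags, the MESSAGES table and the embedded sample server.xml (an auto-configured connector, the recommended NIO+JSSE connector, a deprecated APR connector and a plain HTTP connector) are all constructed for this example; point `lint_ssl_connectors()` at the contents of a real `$CATALINA_BASE/conf/server.xml` to use it.

```python
"""Lint the SSL connectors in a Tomcat server.xml for the points made above.

Added example, not part of the Red Hat solution or of Tomcat. The tag strings,
MESSAGES table and SAMPLE_SERVER_XML below are this example's own constructions.
"""
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Human-readable text for each finding tag that lint_ssl_connectors() returns.
MESSAGES = {
    "implicit-protocol": (
        "protocol attribute missing or HTTP/1.1: Tomcat auto-selects NIO or APR "
        "depending on which native libraries loaded; set it explicitly"),
    "apr-deprecated": (
        "Http11AprProtocol is deprecated and removed from Tomcat 10.1.x onwards; "
        "use Http11NioProtocol with sslImplementationName instead"),
    "default-keystore-password": (
        "keystore configured without a password attribute: Tomcat falls back to "
        "the well-known default 'changeit'"),
    "no-certificate": (
        "SSLEnabled connector has no <SSLHostConfig>/<Certificate> child and no "
        "legacy Connector-level keystoreFile/SSLCertificateFile"),
}

# Constructed sample (not a real deployment): an auto-configured connector on
# 8443, the recommended NIO + JSSE connector on 8444, a deprecated APR
# connector on 8445, and a plain HTTP connector on 8080 that must be ignored.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/path/to/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               SSLEnabled="true" maxThreads="150" maxParameterCount="1000">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                     certificateKeystorePassword="example-only-password" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeyFile="/path/to/certificateKey.pem"
                     certificateFile="/path/to/certificate.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>
"""


def lint_connector(conn: ET.Element) -> list:
    """Return the finding tags for one SSLEnabled <Connector> element."""
    tags = []
    protocol = conn.get("protocol")
    # No protocol attribute, or the generic "HTTP/1.1", is the auto-switching setting.
    if protocol is None or protocol == "HTTP/1.1":
        tags.append("implicit-protocol")
    elif protocol == APR_PROTOCOL:
        tags.append("apr-deprecated")

    certs = conn.findall("./SSLHostConfig/Certificate")
    legacy_keystore = conn.get("keystoreFile")
    if not certs and not legacy_keystore and not conn.get("SSLCertificateFile"):
        tags.append("no-certificate")
    # Either style of keystore reference without a password means "changeit".
    if legacy_keystore and not conn.get("keystorePass"):
        tags.append("default-keystore-password")
    for cert in certs:
        if cert.get("certificateKeystoreFile") and not cert.get("certificateKeystorePassword"):
            tags.append("default-keystore-password")
    return tags


def lint_ssl_connectors(server_xml: str) -> dict:
    """Map each SSLEnabled connector's port to its list of finding tags."""
    root = ET.fromstring(server_xml)
    return {
        int(conn.get("port")): lint_connector(conn)
        for conn in root.iter("Connector")
        if conn.get("SSLEnabled", "false").lower() == "true"
    }


if __name__ == "__main__":
    for port, tags in sorted(lint_ssl_connectors(SAMPLE_SERVER_XML).items()):
        status = "OK" if not tags else "; ".join(MESSAGES[t] for t in tags)
        print(f"connector :{port} -> {status}")
```

Run against the sample, only the 8444 connector passes: 8443 is flagged for both the implicit protocol and the default keystore password, 8445 for the deprecated APR connector. The legacy Connector-level `keystoreFile`/`keystorePass` attributes are tolerated so that older server.xml files are not reported as having no certificate, but they get the same default-password check.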
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.