Tomcat 9 Configuring HTTPS Connector
Tomcat supports the following SSL connector implementations:
- JSSE implementation provided as part of the Java runtime
- JSSE implementation that uses OpenSSL
- APR implementation, which uses the OpenSSL engine by default
To use the OpenSSL or APR connector, install the tomcat-native package, then make sure the following Listener exists in server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
If tomcat-native is not installed, the following message may appear in the systemd journal:
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
If an older tomcat-native is installed, the following messages may appear in the systemd journal:
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent An older version [1.2.17] of the APR based Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [1.2.18]
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.17] using APR version [1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c FIPS 28 May 2019]
If the right tomcat-native is installed, the following messages may appear in the systemd journal:
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c FIPS 28 May 2019]
To let Tomcat select the connector implementation automatically:
<Connector protocol="HTTP/1.1" ... />
To configure the JSSE connector:
<Connector name="Secure" port="8443" scheme="https" secure="true" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig sslProtocol="SSL">
    <Certificate type="..."
                 certificateFile="/var/lib/tomcats/pki/conf/sslserver.crt"
                 certificateKeyFile="/var/lib/tomcats/pki/conf/sslserver.key"/>
    <Certificate type="..."
                 certificateKeyAlias="sslserver"
                 certificateKeystoreType="pkcs12"
                 certificateKeystoreFile="/var/lib/tomcats/pki/conf/keystore.p12"
                 certificateKeystorePassword="Secret.123"/>
    <Certificate type="..."
                 certificateKeyAlias="sslserver"
                 certificateKeystoreType="pkcs11"
                 certificateKeystoreProvider="Mozilla-JSS"/>
  </SSLHostConfig>
</Connector>
The following message may appear in the systemd journal:
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]
To configure the OpenSSL connector:
<Connector name="Secure" port="8443" scheme="https" secure="true" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
  <SSLHostConfig sslProtocol="SSL">
    <Certificate type="..."
                 certificateFile="/var/lib/tomcats/pki/conf/sslserver.crt"
                 certificateKeyFile="/var/lib/tomcats/pki/conf/sslserver.key"/>
    <Certificate type="..."
                 certificateKeyAlias="sslserver"
                 certificateKeystoreType="pkcs12"
                 certificateKeystoreFile="/var/lib/tomcats/pki/conf/keystore.p12"
                 certificateKeystorePassword="Secret.123"/>
  </SSLHostConfig>
</Connector>
The following message may appear in the systemd journal:
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
To configure the APR connector:
<Connector name="Secure" port="8443" scheme="https" secure="true" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11AprProtocol">
  <SSLHostConfig sslProtocol="SSL">
    <Certificate type="..."
                 certificateFile="/var/lib/tomcats/pki/conf/sslserver.crt"
                 certificateKeyFile="/var/lib/tomcats/pki/conf/sslserver.key"/>
  </SSLHostConfig>
</Connector>
The following message may appear in the systemd journal:
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-apr-8443"]
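To confirm from the journal which tomcat-native state and which HTTPS implementation a running instance actually ended up with, here is an added Python example (not part of the original page) that classifies the AprLifecycleListener and ProtocolHandler messages shown above; the sample journal lines are constructed from those messages, and the `tomcat` unit name in the usage note is an assumption.

```python
import re
import sys

# Constructed sample: the "older tomcat-native" messages followed by an OpenSSL NIO handler start.
SAMPLE_JOURNAL = """\
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent An older version [1.2.17] of the APR based Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [1.2.18]
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.17] using APR version [1.6.5].
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c FIPS 28 May 2019]
INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-8443"]
"""

NOT_FOUND = re.compile(r"Apache Tomcat Native library .* was not found")
OLDER = re.compile(r"An older version \[([^\]]+)\] .* minimum version of \[([^\]]+)\]")
LOADED = re.compile(r"Loaded APR based Apache Tomcat Native library \[([^\]]+)\]")
# Handler names seen on this page: https-jsse-nio-PORT, https-openssl-nio-PORT, https-openssl-apr-PORT
HANDLER = re.compile(r'Starting ProtocolHandler \["https-([a-z]+-[a-z]+)-(\d+)"\]')


def native_status(lines):
    """Return (status, loaded_version, recommended_version) for tomcat-native.

    status is "missing", "outdated", "ok" or "unknown" (no AprLifecycleListener line seen).
    """
    status, loaded, recommended = "unknown", None, None
    for line in lines:
        if NOT_FOUND.search(line):
            status = "missing"
        m = OLDER.search(line)
        if m:
            status, recommended = "outdated", m.group(2)
        m = LOADED.search(line)
        if m:
            loaded = m.group(1)
            if status == "unknown":  # keep "outdated" if the warning came first
                status = "ok"
    return status, loaded, recommended


def https_connectors(lines):
    """Map each started HTTPS port to its implementation: jsse-nio, openssl-nio or openssl-apr."""
    found = {}
    for line in lines:
        m = HANDLER.search(line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


if __name__ == "__main__":
    data = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_JOURNAL.splitlines()
    print("tomcat-native:", native_status(data), "https handlers:", https_connectors(data))
```

Run it with the real journal by piping `journalctl -u tomcat` into the script; with no input it evaluates the constructed sample.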