
Enabling Secure Socket Layer (SSL) protocol for the Apache Tomcat web application server

Enabling the Apache Tomcat web application server to support the Secure Socket Layer (SSL) protocol, so that it can handle secure connections (HTTPS), is a prerequisite. In most cases, the secure connection is already enabled in Apache Tomcat for other applications. If not, you must obtain and load the appropriate SSL certificates.

Before you begin

Secure Socket Layer (SSL) protocol requires the use of a certificate.

This documentation is written based on the assumption that you acquire this certificate commercially, which is the recommended option.

Depending on the format in which the certificate is provided, you might need to convert it. The following steps assume that you have one of the following:

  • A Java key store file server_name.jks
  • A PFX certificate file server_name.pfx

Procedure

  1. Copy server_name.jks or server_name.pfx to the conf subdirectory of the Apache Tomcat installation.

    Typically, this directory is located at:

    On Windows:

    C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\

    On Linux:

    /usr/Apache Software Foundation/Tomcat 8.0/conf/

  2. Configure the Apache Tomcat web application server to use the keystore file.
    1. Open the server.xml file, found underneath the conf subdirectory, in a text editor.
    2. Add a connector using the matching certificate type.

      On Windows (non-PFX certificate)

      
      <Connector  port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
      			SSLEnabled="true" sslProtocol="TLS" clientAuth="false" 
      			maxThreads="150" scheme="https" secure="true"
      			useBodyEncodingForURI="false" 
      			URIEncoding="UTF-8"
      			connectionTimeout="72000000"
      			compression="on"
      			compressionMinSize="10"
      			compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css,application/x-javascript" 
      			maxHttpHeaderSize="65536" 
      			keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\server_name.jks" keystorePass="*****"
      			/>
      

      On Linux (non-PFX certificate)

      
      <Connector  port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
      			SSLEnabled="true" sslProtocol="TLS" clientAuth="false" 
      			maxThreads="150" scheme="https" secure="true"
      			useBodyEncodingForURI="false" 
      			URIEncoding="UTF-8"
      			connectionTimeout="72000000"
      			compression="on"
      			compressionMinSize="10"
      			compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css,application/x-javascript" 
      			maxHttpHeaderSize="65536" 
      			keystoreFile="/usr/Apache Software Foundation/Tomcat 8.0/conf/server_name.jks" keystorePass="*****"
      			/>
      

      On Windows (PFX certificate)

      
      <Connector  port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
      			SSLEnabled="true" sslProtocol="TLS" clientAuth="false" 
      			maxThreads="150" scheme="https" secure="true"
      			useBodyEncodingForURI="false" 
      			URIEncoding="UTF-8"
      			connectionTimeout="72000000"
      			compression="on"
      			compressionMinSize="10"
      			compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css,application/x-javascript" 
      			maxHttpHeaderSize="65536" 
      			keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\server_name.pfx" keystoreType="PKCS12" keystorePass="*****"
      			/>
      

      On Linux (PFX certificate)

      
      <Connector  port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
      			SSLEnabled="true" sslProtocol="TLS" clientAuth="false" 
      			maxThreads="150" scheme="https" secure="true"
      			useBodyEncodingForURI="false" 
      			URIEncoding="UTF-8"
      			connectionTimeout="72000000"
      			compression="on"
      			compressionMinSize="10"
      			compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css,application/x-javascript" 
      			maxHttpHeaderSize="65536" 
      			keystoreFile="/usr/Apache Software Foundation/Tomcat 8.0/conf/server_name.pfx" keystoreType="PKCS12" keystorePass="*****"
      			/>
      

      where ***** is the keystore password. Use the path of the Java key store (.jks) file for the non-PFX connectors and the path of the PFX file, together with keystoreType="PKCS12", for the PFX connectors. Tomcat resolves a relative keystoreFile path against its base directory, not against conf, so use the full path to the file in the conf subdirectory.

      If necessary, replace the port number 8443 with a more suitable one.

  3. Restart the Apache Tomcat service.
  4. Check that the Tomcat home page displays correctly over a secure connection by opening https://example.com:8443/ in a browser.
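The following script is an added example, not part of this documentation or of Apache Tomcat. It audits the SSL-enabled Connector elements of a server.xml before you restart the service (step 3) and reports the mistakes that most often leave the connector unusable after following step 2: a keystorePass still set to the ***** placeholder, a keystoreFile given as a relative path (Tomcat resolves it against CATALINA_BASE, not conf), a .pfx file declared without keystoreType="PKCS12", and a non-TLS sslProtocol. It also reports a very long connectionTimeout; the 60-second threshold for that check is an assumption of the example. The embedded server.xml is constructed for the demonstration, and the /opt/tomcat base directory is assumed.

```python
"""Audit SSL-enabled <Connector> elements in a Tomcat server.xml (added example)."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: an HTTP connector and one mis-configured HTTPS connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" sslProtocol="TLS" clientAuth="false"
               maxThreads="150" scheme="https" secure="true"
               connectionTimeout="72000000"
               keystoreFile="./server_name.pfx" keystorePass="*****"/>
  </Service>
</Server>
"""

WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def is_absolute_path(path):
    """True for POSIX absolute paths and for Windows drive-letter paths."""
    return os.path.isabs(path) or bool(WINDOWS_DRIVE.match(path))


def resolve_keystore_path(keystore_file, catalina_base):
    """Tomcat resolves a relative keystoreFile against CATALINA_BASE, not conf/."""
    if is_absolute_path(keystore_file):
        return keystore_file
    return os.path.normpath(os.path.join(catalina_base, keystore_file))


def audit_connector(conn, catalina_base, max_timeout_ms=60000):
    """Return a list of findings (strings) for one SSL-enabled Connector element."""
    findings = []
    keystore = conn.get("keystoreFile")
    if keystore is None:
        findings.append("no keystoreFile set; Tomcat falls back to .keystore "
                        "in the user home directory")
    else:
        if not is_absolute_path(keystore):
            findings.append("relative keystoreFile %r resolves against CATALINA_BASE to %s, "
                            "not to conf/" % (keystore, resolve_keystore_path(keystore, catalina_base)))
        ext = os.path.splitext(keystore)[1].lower()
        ks_type = conn.get("keystoreType", "JKS").upper()  # Tomcat's default type is JKS
        if ext in (".pfx", ".p12") and ks_type != "PKCS12":
            findings.append("keystoreFile %s is a PKCS12 file but keystoreType is %s; "
                            "set keystoreType=\"PKCS12\"" % (keystore, ks_type))
        if ext == ".jks" and ks_type != "JKS":
            findings.append("keystoreFile %s is a Java key store but keystoreType is %s"
                            % (keystore, ks_type))
    password = conn.get("keystorePass")
    if password is None or set(password) == {"*"}:
        findings.append("keystorePass is missing or still the ***** placeholder")
    elif password == "changeit":
        findings.append("keystorePass is the well-known Java default 'changeit'")
    proto = conn.get("sslProtocol", "TLS")
    if not proto.upper().startswith("TLS"):
        findings.append("sslProtocol=%r; use TLS" % proto)
    timeout = conn.get("connectionTimeout", "")
    if timeout.isdigit() and int(timeout) > max_timeout_ms:  # threshold is an assumption
        findings.append("connectionTimeout=%s ms keeps idle connections open for %.1f hours"
                        % (timeout, int(timeout) / 3600000.0))
    return findings


def audit_server_xml(xml_text, catalina_base):
    """Map the port of every SSL-enabled connector to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors are out of scope here
        report[conn.get("port", "?")] = audit_connector(conn, catalina_base)
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML, "/opt/tomcat").items():
        print("Connector port %s:" % port)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

To audit a real installation, read the conf/server.xml file into a string and pass it with the actual CATALINA_BASE; every finding names the attribute to correct, and an empty list for a port means the connector's keystore settings are consistent with this procedure.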