Configuring Tomcat to use SSL Connectors

  1. Open $CATALINA_BASE/conf/server.xml. This is Tomcat web server's main configuration file that contains the global connector options.
  2. Search for port 8444.

    It will look like this:

    <!-- Define a SSL HTTP/1.1 Connector on port 8444
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation

    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    You'll notice that the comment enclosing this connector describes a choice between APR and JSSE configurations. This refers to the SSL implementation you intend to use. JSSE, Tomcat web server's default configuration, needs no extra installation: it is included in all JDKs after version 1.4. So, if you don't even know what APR is, you only need to remove the comment from this entry and add the information Tomcat web server needs to find your keystore.

  3. Add the following:
    <Connector port="8444" maxThreads="150" scheme="https" 
    secure="true" SSLEnabled="true" keystoreFile="path/to/your/keystore" 
    keystorePass="YourKeystorePassword" clientAuth="false" 
    keyAlias="yourAlias" sslProtocol="TLS"/>
  4. If, on the other hand, you know that the Apache Portable Runtime (APR), also known as Tomcat web server's native library, is by far the best practice to follow, especially when running Tomcat web server as a standalone web server (which you probably are), and you have already installed it on your server, then alter this entry as follows so that Tomcat web server uses APR's OpenSSL implementation in place of JSSE. Otherwise, trying to use SSL will generate an error:
    <Connector port="8444" scheme="https" secure="true" 
    SSLEnabled="true" SSLCertificateFile="/path/to/your/certificate.crt" 
    SSLCertificateKeyFile="/path/to/your/keyfile" 
    SSLPassword="YourKeystorePassword" 
    SSLCertificateChainFile="/path/to/your/root/certificate" 
    keyAlias="yourAlias" SSLProtocol="TLSv1"/>

    Notice that if you are using APR, the SSLCertificateFile and SSLCertificateKeyFile attributes are used in place of the keystoreFile attribute. For more information on the differences between APR and JSSE, refer to the Tomcat web server APR documentation.

  5. Restart Tomcat web server.
  6. Once you're up and running again, test your configuration by connecting to a secure page, using a URL such as https://[yourhost]:8444. If you followed the directions correctly, you should be able to view the page over a secure HTTPS connection.
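As an added check that is not part of the original instructions, the script below parses a constructed server.xml (placeholder paths and passwords) and flags each SSL-enabled connector that mixes JSSE keystore attributes with APR SSL* attributes, or lacks the attributes the steps above require. Run it against your own server.xml before restarting Tomcat.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not a real deployment): one JSSE
# connector as in step 3 and one deliberately incomplete APR connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8444"/>
    <Connector port="8444" maxThreads="150" scheme="https"
               secure="true" SSLEnabled="true" keystoreFile="conf/keystore.jks"
               keystorePass="changeit" clientAuth="false"
               keyAlias="tomcat" sslProtocol="TLS"/>
    <Connector port="8445" scheme="https" secure="true"
               SSLEnabled="true" SSLCertificateFile="/etc/ssl/tomcat.crt"
               SSLPassword="changeit" SSLProtocol="TLSv1"/>
  </Service>
</Server>"""

# Attributes each implementation needs to locate its key material.
APR_REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")
APR_MARKERS = APR_REQUIRED + ("SSLPassword", "SSLCertificateChainFile")


def check_ssl_connectors(server_xml):
    """Return {port: [problems]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to validate
        problems = []
        # scheme/secure drive request.isSecure() and redirect behaviour
        if attrs.get("scheme") != "https":
            problems.append('scheme should be "https"')
        if attrs.get("secure") != "true":
            problems.append('secure should be "true"')
        uses_jsse = "keystoreFile" in attrs
        uses_apr = any(a in attrs for a in APR_MARKERS)
        if uses_jsse and uses_apr:
            problems.append("mixes JSSE keystore* and APR SSL* attributes")
        elif uses_apr:
            for a in APR_REQUIRED:
                if a not in attrs:
                    problems.append(f"APR connector missing {a}")
        elif not uses_jsse:
            problems.append("no keystoreFile (JSSE) or SSLCertificateFile (APR)")
        report[attrs.get("port", "?")] = problems
    return report


if __name__ == "__main__":
    for port, problems in check_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not problems else "; ".join(problems))
```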