Reconfigure Tomcat to HTTPS 443


There are a lot of notes, blogs, and references on how to reconfigure Tomcat from the default HTTP 8080 port to HTTPS 443. Granted, this is for a sandbox installation. The many responses on Stack Overflow were partial and confusing, so here we are.

This blog post describes how to add an HTTPS connector on port 8443 to Apache Tomcat 9.x with a self-signed certificate, and how to redirect port 443 to the local port 8443 with iptables on the Linux box.

FYI-1. The best documentation I found was from the official Apache Tomcat User Guide.

FYI-2. The first half of my previous blog post describes how to install Tomcat.

Create a Self-Signed Certificate

  1. Create a new JKS keystore from scratch, containing a single self-signed certificate:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/tomcat/keystore
  2. You will be prompted for some information as shown:
tomcat@devhost:/home/tomcat/jenkins> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/tomcat/keystore
Enter keystore password:
Re-enter new password:
Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
What is your first and last name?
  [Unknown]:  Tomcat
What is the name of your organizational unit?
  [Unknown]:  RevTech
What is the name of your organization?
  [Unknown]:  IT
What is the name of your City or Locality?
  [Unknown]:  Herndon
What is the name of your State or Province?
  [Unknown]:  VA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Tomcat, OU=RevTech, O=IT, L=Herndon, ST=VA, C=US correct?
  [no]:  yes

Generating 3,072 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
 for: CN=Tomcat, OU=RevTech, O=IT, L=Herndon, ST=VA, C=US
  3. A file called keystore is created in the location specified with the -keystore option.

Update the Tomcat Configuration

  1. Edit $TOMCAT_HOME/conf/server.xml.
  2. Locate this entry:
<Connector port="8080" protocol="HTTP/1.1"
               cachingAllowed="false"
               connectionTimeout="20000"
               redirectPort="8443"
               maxParameterCount="1000"
               />
  3. Add the following below it:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           maxParameterCount="1000"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/home/tomcat/keystore" keystorePass="welcome1"
           clientAuth="false" sslProtocol="TLS"/>
  4. Start Tomcat:
cd $TOMCAT_HOME/bin
./startup.sh

Root Commands

  1. Execute the following commands as the root user to map external port 443 to local port 8443 and save the configuration:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
/sbin/iptables-save

When you access the page, you should see entries in $TOMCAT_HOME/logs/catalina.out similar to the following:

14-May-2024 15:27:32.047 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
14-May-2024 15:27:32.345 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]
14-May-2024 15:27:32.354 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [21306] milliseconds
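Once Tomcat is up, the checks below verify the pieces this post put in place: that the keystore and server.xml (which holds keystorePass in the clear) are not world-readable, that the iptables redirect is present, that the TLS connector started, and what certificate is actually served. This is an added example, not code from the original post or from the Tomcat project; it assumes the paths the post uses and GNU stat, grep and openssl on the Linux box.

```shell
#!/bin/sh
# Post-configuration checks for the setup above: private-file permissions, the
# iptables 443->8443 redirect, the TLS connector in catalina.out and a live
# certificate probe. Added example, not part of the original post; GNU stat,
# grep and openssl are assumed to be present on the Linux box.

# The keystore holds the private key and server.xml holds keystorePass in the
# clear, so neither should be readable by group or other (mode 600 or 400).
perms_private() {               # $1 = path; true when mode is 0600 or 0400
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# iptables-save writes the rule from the post back as "--to-ports 8443"
# (plural), so match that form when checking exported rules.
redirect_rule_present() {       # $1 = file holding iptables-save output
    grep -Eq -- '^-A PREROUTING .*--dport 443 .*-j REDIRECT --to-ports 8443$' "$1"
}

# catalina.out logs one "Starting ProtocolHandler" line per connector; the
# TLS connector from server.xml appears as https-jsse-nio-8443.
https_connector_started() {     # $1 = catalina.out path
    grep -q 'Starting ProtocolHandler \["https-jsse-nio-8443"\]' "$1"
}

# Live probe: fetch the served certificate and print subject, issuer and expiry.
# For the keytool self-signed cert, subject equals issuer and, with the default
# validity shown in the post, notAfter falls 90 days after creation.
tls_cert_summary() {            # $1 = host, $2 = port (8443, or 443 via the redirect)
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Constructed sample inputs (not captured from a real host) for the offline checks.
SAMPLE_RULES='*nat
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'
SAMPLE_LOG='... AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
... AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]'

demo() {                        # run the three offline checks against the samples
    rules=$(mktemp) && log=$(mktemp) && ks=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$rules"; printf '%s\n' "$SAMPLE_LOG" > "$log"
    chmod 600 "$ks"
    redirect_rule_present "$rules" && https_connector_started "$log" && perms_private "$ks"
    rc=$?; rm -f "$rules" "$log" "$ks"; return $rc
}
```

Run `tls_cert_summary localhost 8443` to confirm the self-signed certificate is served and to see its expiry, which with the keytool default shown above is 90 days out. Note that iptables-save only writes the ruleset to standard output, so redirect it into the file your distribution loads at boot or the 443 redirect is lost on restart.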

References