Configuring Tomcat to use SSL Connectors

  1. Open $CATALINA_BASE/conf/server.xml. This is Tomcat's main configuration file that contains the global connector options.
  2. Search for port 8443.

    It will look like this (in the stock server.xml the whole connector is itself commented out):

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

    You'll notice that the comment above this connector talks about a choice between APR and JSSE configurations. This refers to the SSL/TLS implementation you intend to use. JSSE (Java Secure Socket Extension) is Tomcat's default and has shipped with every JDK since version 1.4, so it needs no extra installation. If you don't even know what APR is, you only need to uncomment this entry and add a few attributes that let Tomcat find your keystore.

  3. Replace the commented-out entry with the following (remove the <!-- and --> around the Connector, or it stays disabled):
    <Connector port="8443" maxThreads="150" scheme="https" 
    secure="true" SSLEnabled="true" keystoreFile="path/to/your/keystore" 
    keystorePass="YourKeystorePassword" clientAuth="false" 
    keyAlias="yourAlias" sslProtocol="TLS"/>

    keystoreFile points at the JKS keystore holding your server key and certificate, keyAlias selects the entry inside it, and keystorePass is stored in plaintext, so make sure server.xml is readable only by the account Tomcat runs as. sslProtocol="TLS" leaves the set of enabled protocol versions to the JVM; on current Tomcat versions add sslEnabledProtocols="TLSv1.2,TLSv1.3" (TLSv1.3 needs a JVM that supports it, Java 11 or a recent Java 8 update) to refuse SSLv3, TLS 1.0 and TLS 1.1 explicitly. Tomcat 8.5 and later prefer these settings on a nested <SSLHostConfig> element with a <Certificate> child; the connector attributes shown here are still accepted.
  4. If, on the other hand, you know that the Apache Portable Runtime (APR), also known as Tomcat's "native library," is what you want (it hands TLS to OpenSSL, which is usually the better-performing choice when Tomcat terminates TLS itself as a standalone web server, which you probably are), and have already installed it on your server, then you'll need to alter this entry as follows to allow Tomcat to use APR's OpenSSL implementation in place of JSSE, or trying to use SSL will generate an error:
    <Connector port="8443" scheme="https" secure="true" 
    SSLEnabled="true" SSLCertificateFile="/path/to/your/certificate.crt" 
    SSLCertificateKeyFile="/path/to/your/private.key" 
    SSLProtocol="TLSv1.2"/>

    Notice that if you are using APR, the SSLCertificateFile and SSLCertificateKeyFile attributes (PEM-encoded files) are used in place of the keystoreFile attribute, and the JSSE-only attributes keystorePass and keyAlias have no meaning here. SSLProtocol="TLSv1" in older examples enables TLS 1.0 only; use TLSv1.2 (or TLSv1.2+TLSv1.3 where your Tomcat and OpenSSL builds support it) instead. A private key file without a passphrase must be readable only by the Tomcat user. For more information on the differences between using APR in place of JSSE, refer to Apache's Tomcat APR Documentation.

  5. Restart Tomcat.
  6. Once you're up and running again, test your configuration by connecting to a secure page with a URL such as https://[yourhost]:8443/. If you followed the directions correctly, you should be able to view the page over an HTTPS connection (expect a browser warning if the certificate is self-signed). From the command line, openssl s_client -connect [yourhost]:8443 -tls1_2 shows the handshake, the certificate chain Tomcat presented and the negotiated protocol, which is the quickest way to confirm that the intended key and protocol settings took effect.
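Before restarting, it is worth checking the connector you just wrote against the mistakes this procedure invites: a JSSE attribute left on an APR connector, a missing private key file, a protocol setting that still admits TLS 1.0, or a keystore password sitting in plaintext. The following linter is an added example, not part of the original page and not Tomcat code. It parses a server.xml (the sample embedded below is constructed for the example and contains one connector written as in step 3, one APR connector carrying the errors discussed in step 4, and one hardened connector), classifies each SSLEnabled connector as JSSE or APR from the attributes it carries, and reports findings. Attribute names follow the Tomcat connector documentation; the ERROR/WARN labels and the set of protocol names treated as weak are this script's own convention.

```python
"""Lint the TLS connectors in a Tomcat server.xml.

Added example: not part of the original page and not Tomcat code. Finds each
Connector with SSLEnabled="true", decides JSSE vs APR/OpenSSL from its
attributes, and flags missing key material, JSSE-only attributes on an APR
connector, weak protocol settings and a plaintext keystorePass.
"""
import xml.etree.ElementTree as ET

# Protocol names that are pre-TLS1.2 or leave the version choice to the JVM/OpenSSL.
WEAK_PROTOCOLS = {"all", "SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.0", "TLSv1.1"}
JSSE_ONLY_ATTRS = ("keystoreFile", "keystorePass", "keyAlias", "keystoreType")

# Constructed sample for this example, not a real deployment.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: skipped by the linter -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- JSSE connector written as in step 3 -->
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="conf/keystore.jks"
               keystorePass="changeit" clientAuth="false"
               keyAlias="tomcat" sslProtocol="TLS"/>
    <!-- APR connector with a JSSE attribute and no private key file -->
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/server.crt" keyAlias="tomcat"
               SSLProtocol="TLSv1"/>
    <!-- JSSE connector with the password injected and TLS 1.2+ only -->
    <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="conf/keystore.jks" keystorePass="${keystore.password}"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"/>
  </Service>
</Server>
"""


def detect_implementation(attrs):
    """APR/OpenSSL connectors are recognised by their SSLCertificate* attributes."""
    if "SSLCertificateFile" in attrs or "SSLCertificateKeyFile" in attrs:
        return "APR"
    return "JSSE"


def enabled_protocols(attrs, impl):
    """Protocol names the connector will negotiate, as written in server.xml."""
    if impl == "APR":
        raw = attrs.get("SSLProtocol", "all")      # APR default is "all"
        return set(raw.split("+"))                 # APR joins versions with "+"
    if "sslEnabledProtocols" in attrs:              # explicit JSSE allow-list
        return {p.strip() for p in attrs["sslEnabledProtocols"].split(",")}
    return {attrs.get("sslProtocol", "TLS")}        # JVM decides the real set


def lint_connector(attrs):
    """Return (implementation, [(severity, message), ...]) for one connector."""
    impl = detect_implementation(attrs)
    findings = []
    if impl == "JSSE":
        if "keystoreFile" not in attrs:
            findings.append(("ERROR", "no keystoreFile; Tomcat would look for "
                             ".keystore in the user's home directory"))
        pw = attrs.get("keystorePass")
        if pw is not None and not pw.startswith("${"):
            findings.append(("WARN", "keystorePass is a plaintext secret in "
                             "server.xml; restrict file permissions or inject "
                             "it via a ${property}"))
    else:
        if "SSLCertificateKeyFile" not in attrs:
            findings.append(("WARN", "no SSLCertificateKeyFile; Tomcat then expects "
                             "the private key inside SSLCertificateFile, which "
                             "its docs discourage"))
        for name in JSSE_ONLY_ATTRS:
            if name in attrs:
                findings.append(("WARN", f"{name} is a JSSE attribute and is "
                                 "ignored by the APR/OpenSSL connector"))
    weak = enabled_protocols(attrs, impl) & WEAK_PROTOCOLS
    if weak:
        findings.append(("WARN", "protocol setting admits pre-TLS1.2 versions or "
                         "leaves them to the JVM/OpenSSL default: "
                         + ", ".join(sorted(weak))))
    return impl, findings


def lint_server_xml(xml_text):
    """Map each SSLEnabled connector's port to (implementation, findings)."""
    root = ET.fromstring(xml_text)   # comments are dropped by the parser
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        results[conn.get("port")] = lint_connector(conn.attrib)
    return results


if __name__ == "__main__":
    for port, (impl, findings) in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"port {port} ({impl}): {'clean' if not findings else ''}")
        for severity, message in findings:
            print(f"  {severity}: {message}")
```

To run it against a real installation, replace SAMPLE_SERVER_XML with the contents of $CATALINA_BASE/conf/server.xml. Port 8443 in the sample is flagged for its plaintext keystorePass and for sslProtocol="TLS" deferring the version choice to the JVM; port 8444 for the missing key file, the stray keyAlias and TLSv1; port 8445 comes back clean.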