Based on what we know about Tomcat configuration, which file in /conf should we edit to enable SSL?
Open /conf/server.xml with your favorite editor:
$ vi server.xml
Locate the HTTP/1.1 Connector listening on port 8080 and verify that its redirectPort is 8443. Note that redirectPort does not force HTTPS by itself: Tomcat only uses it when a web application's security constraint requires CONFIDENTIAL transport, and it then redirects that request to the SSL connector on this port, so the two values must agree:
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
Find the SSL HTTP/1.1 Connector listening on port 8443 (it is commented out in the default server.xml) and uncomment it to activate this connector:
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS" />
Add a keystoreFile attribute to the SSL HTTP/1.1 Connector to tell Tomcat where to find your keystore (a relative path is resolved against $CATALINA_BASE; an absolute path is used as-is):
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/home/tds/apache-tomcat-7.0.42/conf/keystore" />
Since we opted not to use the default keystore password (changeit), we need to specify the new password so Tomcat can open the file. The password is stored in clear text, so make sure server.xml is readable only by the account that runs Tomcat:
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/home/tds/apache-tomcat-7.0.42/conf/keystore"
keystorePass="foobar" />
Restart Tomcat:
$ /bin/shutdown.sh
$ /bin/startup.sh
Verify Tomcat is listening on port 8443 by running the netstat command:
$ netstat -an | grep tcp | grep 8443
Look for the following in the output:
tcp 0 0 :::8443 :::* LISTEN
The :::8443 local address means the listener is bound to all interfaces. On Linux systems that no longer ship netstat, ss -ltn | grep 8443 shows the same information.
Run man netstat in your terminal window to learn more about this command.
netstat (short for network statistics) is available on Unix, Unix-like, and Windows NT-based operating systems. It is a command-line tool that displays:
If Tomcat is not listening on 8443, look in logs/catalina.out for the cause and work through the following:
Check server.xml to make sure it is well-formed and without error.
The private key password and the keystore password should be the same (the default for both is changeit; since we changed the keystore password to foobar, the key password must be foobar as well). If they differ, Tomcat cannot open the keystore and you will get this error: java.io.IOException: Cannot recover key. If the key really does have a different password, add a keyPass attribute to the connector; otherwise Tomcat uses keystorePass for both.
Is the SSL connector uncommented in server.xml?
Does the keystoreFile attribute point to the correct keystore file in server.xml?
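The following script, added here as an example and not part of the tutorial or of the Tomcat project, runs the checks from the connector configuration steps and the troubleshooting notes above against a server.xml before you restart Tomcat: well-formedness, presence of an SSLEnabled connector, keystoreFile and keystorePass, the redirectPort link between the plain and SSL connectors, and the file-permission caveat for the clear-text password. It uses only the Python standard library. The embedded server.xml is constructed from the two connectors shown above; the script name audit_server_xml.py and the attribute-by-attribute findings are assumptions of this example, not tutorial text.

```python
"""Audit the HTTPS connector in a Tomcat 7 server.xml before restarting."""
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed sample input: the two connectors configured in this tutorial.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/tds/apache-tomcat-7.0.42/conf/keystore"
               keystorePass="foobar" />
  </Service>
</Server>
"""


def parse(text):
    """Return the root element, or None if server.xml is not well-formed
    (a stray '-->' left over from uncommenting, an unquoted attribute value)."""
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None


def connectors(root):
    """Split the Connector elements into (ssl, plain) lists."""
    ssl, plain = [], []
    for c in root.iter("Connector"):
        (ssl if c.get("SSLEnabled", "false").lower() == "true" else plain).append(c)
    return ssl, plain


def audit_ssl_connector(conn, check_files=True):
    """Return findings for one SSLEnabled connector. check_files=False skips the
    on-disk keystore checks (for a server.xml copied from another host)."""
    findings = []
    if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
        findings.append('scheme="https"/secure="true" missing; webapps will not see requests as secure')
    keystore = conn.get("keystoreFile")
    if keystore is None:
        findings.append("keystoreFile not set; Tomcat falls back to .keystore in the home of the running account")
    elif check_files:
        if not os.path.isfile(keystore):
            findings.append("keystoreFile %s does not exist" % keystore)
        elif os.stat(keystore).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("keystore %s is readable by group/other" % keystore)
    if conn.get("keystorePass") is None:
        findings.append("keystorePass not set; Tomcat will try the default 'changeit'")
    if conn.get("sslEnabledProtocols") is None:
        findings.append('sslProtocol="TLS" alone lets the JVM offer every TLS version it supports; '
                        'add sslEnabledProtocols="TLSv1.2"')
    return findings


def check_redirects(ssl, plain):
    """A plain connector's redirectPort must be an SSL connector's port, or a
    CONFIDENTIAL security constraint sends clients to a port nobody listens on."""
    ssl_ports = {c.get("port") for c in ssl}
    return ["port %s redirects to %s, which is not an SSL connector" % (c.get("port"), c.get("redirectPort"))
            for c in plain
            if c.get("redirectPort") is not None and c.get("redirectPort") not in ssl_ports]


def check_server_xml_mode(path):
    """keystorePass is stored in clear text, so server.xml must not be world-readable."""
    if os.stat(path).st_mode & stat.S_IROTH:
        return ["%s is world-readable but contains keystorePass" % path]
    return []


def audit(text, path=None):
    """Run every check over server.xml text; a path enables the file-system checks."""
    root = parse(text)
    if root is None:
        return ["server.xml is not well-formed XML; Tomcat will not start"]
    ssl, plain = connectors(root)
    findings = []
    if not ssl:
        findings.append("no SSLEnabled connector found; is the 8443 connector still commented out?")
    for c in ssl:
        findings += ["port %s: %s" % (c.get("port"), f)
                     for f in audit_ssl_connector(c, check_files=path is not None)]
    findings += check_redirects(ssl, plain)
    if path is not None:
        findings += check_server_xml_mode(path)
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py [/path/to/conf/server.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            results = audit(fh.read(), sys.argv[1])
    else:
        results = audit(SAMPLE_SERVER_XML)
    for line in results or ["no findings"]:
        print(line)
```

Run against the constructed sample the only finding is the missing sslEnabledProtocols attribute, which is the one hardening step the tutorial's connector does not take; run against a real conf/server.xml it also confirms that the keystore exists and that neither the keystore nor server.xml is readable by other users.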