To access your Tomcat through HTTPS, you have to declare a secured connector. There are two parts to that:
- modify your server.xml with the new connector configuration
- generate a java keystore the connector will refer to
Step 1: Modify your server.xml like this (${ssl.port} is a property you must define yourself, for example in catalina.properties or as a -D JVM option; ${java.home} is set by the JVM):
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="${ssl.port}" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${java.home}/lib/security/tomcat_java.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLSv1.1"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_ECDHE_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA256,
             TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA256,
             TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_RC4_128_SHA" />
Step 2: Generate the keystore that contains the certificate used to secure connections
To generate your keystore, you need openssl and keytool (%JAVA_HOME%/jre/bin/keytool).
If you use an existing certificate in PEM format (.cer or .pem files), you will need to convert it to PKCS#12 format (.p12 file). To achieve that, you need:
- your private key which was used to generate the certificate
- your certificate
- the root certificate from your Certificate Authority (Verisign, GoDaddy, Symantec, etc.)
Convert it with:
openssl pkcs12 -export -in [your_certificate].cer -inkey [your private key].key -out result-certificate.p12 -name tomcat -CAfile [Verisign certificate].cer -caname root
Then generate your keystore (NOTE: keep the 'tomcat' alias, since the connector above sets no keyAlias and relies on it):
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore tomcat_java.keystore -srckeystore result-certificate.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias tomcat
Restart Tomcat and check the logs to see whether the connector started.
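As an added example (not part of the original post), here is a small Python script that reads a server.xml and flags what a reviewer would question in the Step 1 connector: a deprecated sslProtocol, RC4 and SSL_-prefixed suites, TLS 1.2-only suites that a TLS 1.1 cap makes unreachable, and the JDK default keystore password. The embedded server.xml is a constructed copy of the connector above with ${ssl.port} filled in as 8443.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the post, with ${ssl.port} filled in as 8443.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
  port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="${java.home}/lib/security/tomcat_java.keystore" keystorePass="changeit"
  clientAuth="false" sslProtocol="TLSv1.1"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA,
           SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # RFC 7568, RFC 8996
WEAK_SUITE = re.compile(r"RC4|NULL|EXPORT|anon|_DES_|3DES|MD5")  # RC4: RFC 7465

def cipher_list(raw):
    """Split the comma-separated JSSE 'ciphers' attribute; tolerates the line breaks in the post."""
    return [c.strip() for c in raw.split(",") if c.strip()]

def weak_ciphers(names):
    """Return the suites a practitioner would drop: RC4/NULL/EXPORT/DES/MD5 and legacy SSL_ names."""
    return [c for c in names if WEAK_SUITE.search(c) or c.startswith("SSL_")]

def audit_connectors(xml_text):
    """Return {port: [findings]} for every SSLEnabled Connector in a server.xml document."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        proto = conn.get("sslProtocol", "TLS")
        suites = cipher_list(conn.get("ciphers", ""))
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"sslProtocol={proto} is deprecated; use TLSv1.2 or later")
            # *_SHA256 / *_SHA384 suites exist only in TLS 1.2, so they can never be negotiated here.
            dead = [c for c in suites if c.endswith(("SHA256", "SHA384"))]
            if dead:
                findings.append(f"{len(dead)} TLS 1.2-only suite(s) unreachable under {proto}")
        findings += [f"weak cipher suite {c}" for c in weak_ciphers(suites)]
        if conn.get("keystorePass") == "changeit":
            findings.append("keystorePass is the JDK default 'changeit'")
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"Connector port {port}:")
        print("\n".join(f"  - {f}" for f in findings) or "  (no findings)")
```

Point it at your real server.xml with audit_connectors(open("conf/server.xml").read()) and fix every finding before restarting.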
PS : many thanks to John Willis. His post (http://www.johnwillis.com/2015/07/tomcat-errsslversionorciphermismatch.html) really helped me.