Move the certificate file (for example
certificate_file.pfx) to a Tomcat configuration directory (for example
Server.xml file located in
/etc/tomcat/. The location may vary depending on the Linux distribution.
Server.xml, copy the following string into the
Server.xml. Use your own values for
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA" keystoreFile="/etc/tomcat/certificate_file.pfx" keystorePass="Secret_Password_123" keystoreType="PKCS12" />
<Connector is present after
Server.xml, replace the values of parameters listed below with your values:
keystoreFile - Provide the full path to the certificate file (
.keystore, or other). If you use a non-JKS certificate (for example, a
.pfx file), delete the
keyAlias (it is present in
Server.xml by default) and add the proper
keystorePass - Provide the certificate passphrase.
keystoreType - Specify the certificate type.
sudo systemctl restart tomcat).
.keystore file, use the path to the file (
keystoreFile="/etc/tomcat/tomcat.keystore") and define
keyAlias="tomcat") instead of
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
To use a secure HTTPS/SSL connection for ESMC Web Console, follow the steps below:
Create a keystore with an SSL certificate. You must have Java installed.
Java includes the keytool, which enables you to create a certificate via the command line. You must generate a new certificate for each Tomcat instance (if you have multiple Tomcat instances) to ensure that if one certificate is compromised, the other Tomcat instances remain secure.
Below is a sample command to create a
keystore with an SSL certificate:
Navigate to the exact location of the keytool file, for example
/usr/lib/jvm/"java version"/jre/bin (the directory depends on the OS and Java version) and run the command:
/etc/tomcat/tomcat.keystore is only an example; choose your own secure and accessible destination.
keystore. Below is a sample command to export the certificate sign request from the
keystore. These certificates are usually made available by the entity that signed your certificate. It is necessary because the certificate reply is validated using trusted certificates from the
intermediate.crt.pem" -keystore "/etc/tomcat/tomcat.keystore"
tomcat.cer) into your
keystore. Below is a sample command that imports a signed certificate into the
If you want to use an already existing certificate (for example, a company certificate), follow these instructions.
server.xml configuration file so that the tag
<Connector is written similarly to the example below:
<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/tomcat/tomcat.keystore" keystorePass="yourpassword"/>
This modification also disables non-secure Tomcat features, leaving only HTTPS enabled (
scheme= parameter). For security reasons, you may also need to edit
tomcat-users.xml to delete all Tomcat users and change ServerInfo.properties to hide the identity of the Tomcat server.
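Once server.xml has been edited, it is worth checking the result rather than trusting the restart: the following added example (not part of the ESET or Tomcat documentation) parses a server.xml and flags connectors that are still plaintext, that enable legacy protocol versions, that list cipher suites without forward secrecy, or that still carry a documentation placeholder as keystorePass. The embedded server.xml is a constructed sample built from the Connector lines shown on this page.

```python
"""Added example: lint the HTTPS <Connector> entries of a Tomcat server.xml."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: the page's 8443 HTTPS connector (with a shortened cipher
# list) plus the commented-out 8080 plaintext connector, in a minimal skeleton.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="/etc/tomcat/certificate_file.pfx"
               keystorePass="Secret_Password_123" keystoreType="PKCS12" />
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Placeholder passphrases that appear in documentation and must not reach production.
PLACEHOLDER_PASSWORDS = {"", "changeit", "Secret_Password_123", "yourpassword"}

def audit_connectors(server_xml: str) -> List[str]:
    """Return one finding per problem; an empty list means the connectors look sane.
    Commented-out connectors are ignored by the XML parser, so only live ones are checked."""
    findings: List[str] = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plaintext connector is still active")
            continue
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        protos = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            findings.append(f"port {port}: sslEnabledProtocols not pinned (JVM default applies)")
        elif protos & LEGACY_PROTOCOLS:
            findings.append(f"port {port}: legacy protocols enabled: {sorted(protos & LEGACY_PROTOCOLS)}")
        # TLS_RSA_* suites use static RSA key exchange: no forward secrecy if the key leaks.
        ciphers = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
        no_pfs = [s for s in ciphers if s.startswith("TLS_RSA_")]
        if no_pfs:
            findings.append(f"port {port}: {len(no_pfs)} cipher suite(s) without forward secrecy")
        if c.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is missing or a documentation placeholder")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against the real file with `audit_connectors(open("/etc/tomcat/server.xml").read())`; the same check is useful after each restart to catch a re-enabled 8080 connector.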
tomcat7. ESMC version 7.1 and later may use the service name
sudo systemctl restart tomcat