Setting up SSL for stand-alone Tomcat 8


lu...@lesener.de

Sep 2, 2015, 6:45:54 AM
to Lucee
Could someone share a working SSL connector snippet for Tomcat?

I am running Lucee 4.5.1.023 (Viviotech installer) on a Windows 2012 R2 machine, using Tomcat 8 as stand-alone webserver, so the HTTP connector looks like this:

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

I have tried a gazillion different versions of SSL connectors without success, e.g.

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
disableUploadTimeout="true" acceptCount="100" scheme="https"
secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
keystoreFile="d:/lucee/tomcat/cert.key"
keypass="xxx" redirectPort="8443" />

or

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="D:\lucee\tomcat\cert.key" keystorePass="xxx" redirectPort="8443" />

or

<Connector port="443" scheme="https" secure="true" SSLEnabled="true" 
SSLCertificateFile="d:/lucee/tomcat/cert.crt" 
SSLCertificateKeyFile="d:/lucee/tomcat/cert.key" 
SSLPassword="xxx" 
SSLCertificateChainFile="d:/lucee/tomcat/ca.crt" 
keyAlias="server" SSLProtocol="TLSv1" redirectPort="8443" />

I created the keystore file using keytool and imported both the existing crt file (assigning the alias "server" to the certificate) and the CA file of the company issuing the certificate.

However, the best result I can produce when trying to access the site is an error message in the browser complaining about a timeout error or a cipher protocol error.

I've also been wondering whether the connector should be set up for port 8443 instead and the connector for port 443 should simply redirect to port 8443...?


Any hints?

rgds
Lutz

Terry Whitney

Sep 2, 2015, 9:09:18 AM
to Lucee


This is a working configuration file:

tomcat is installed on c:\tomcat


C:\Tomcat\conf\server.xml

The contents of server.xml that are relevant are:

<Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="8443"
protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="c:\Tomcat\keystore.jks"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystorePass="password" clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"></Connector>

Terry Whitney

Sep 2, 2015, 9:18:24 AM
to Lucee
Sorry, too quick of a post and not enough coffee this morning.

Note, just change port 8443 to port 443, then make sure port 443 is open on the Windows firewall if it is enabled for both inbound and outbound connections.

So you would have.

<!-- executor="tomcatThreadPool" refers to the <Executor name="tomcatThreadPool" .../> element,
     which the stock server.xml ships commented out; define it or drop the attribute. -->
<Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="443"
protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="c:\Tomcat\keystore.jks"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystorePass="password" clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"></Connector>


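The following is an editor's example added to this thread, not code from the posters, Lucee or Tomcat. It is PowerShell because the original poster runs Windows Server 2012 R2. It lints the Connector elements of a Tomcat 8.0 server.xml for the mistakes visible in the attempts above (scheme/secure set without SSLEnabled="true", which makes Tomcat speak plaintext on 443; APR-only SSLCertificate* attributes on a JSSE connector, where they are ignored; redirectPort pointing at a port nothing listens on) and flags TLS 1.0/1.1 and 3DES suites, which were common in 2015 but are deprecated today. The two server.xml strings inside it are constructed: one in the shape of the answer above, one hardened pair (TLS 1.2 only, ECDHE AES-GCM suites, which need Java 8; useServerCipherSuitesOrder needs Tomcat 8.0.21 or later). Paths, passwords and the keyAlias "server" are placeholders.

```powershell
# Editor's added example (not code from the thread, Lucee or Tomcat).
# Lints Tomcat 8.0 <Connector> elements for attributes that make HTTPS silently fail
# or negotiate weakly. Sample server.xml content below is constructed; paths and
# passwords are placeholders.

$LegacyProtocols   = @('SSLv2', 'SSLv2Hello', 'SSLv3', 'TLSv1', 'TLSv1.1')
$WeakCipherPattern = '3DES|RC4|DES_CBC|_NULL_|EXPORT|MD5|anon'
# These are read only by the APR/native connector; JSSE (NIO/BIO) connectors use keystore* attributes.
$AprOnlyAttributes = @('SSLCertificateFile', 'SSLCertificateKeyFile', 'SSLCertificateChainFile', 'SSLPassword')

function Test-TomcatConnectors {
    param([Parameter(Mandatory)][string]$ServerXml, [int]$HttpsPort = 443)

    [xml]$doc = $ServerXml
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($c in $doc.SelectNodes('//Connector')) {
        $port       = $c.GetAttribute('port')
        $sslEnabled = $c.GetAttribute('SSLEnabled') -eq 'true'
        $looksHttps = ($c.GetAttribute('scheme') -eq 'https') -or ($c.GetAttribute('secure') -eq 'true')

        if (-not $sslEnabled) {
            if ($looksHttps) {
                # scheme/secure only tell the servlet API what to report; without SSLEnabled="true"
                # Tomcat serves plaintext HTTP here, which browsers report as a protocol/cipher error.
                $findings.Add("port ${port}: scheme/secure set but SSLEnabled=""true"" missing; connector serves plaintext")
            } elseif ($c.GetAttribute('redirectPort') -ne "$HttpsPort") {
                # redirectPort is where clients hitting a CONFIDENTIAL constraint are sent; it must be the real HTTPS port.
                $findings.Add("port ${port}: redirectPort should be $HttpsPort, the port the HTTPS connector listens on")
            }
            continue
        }

        foreach ($attr in 'keystoreFile', 'keystorePass') {
            if (-not $c.HasAttribute($attr)) { $findings.Add("port ${port}: JSSE connector missing $attr") }
        }
        if ($c.HasAttribute('keystoreFile') -and -not (Test-Path -LiteralPath $c.GetAttribute('keystoreFile'))) {
            $findings.Add("port ${port}: keystoreFile not found: $($c.GetAttribute('keystoreFile'))")
        }

        $isApr = $c.GetAttribute('protocol') -match 'Apr|Native'
        foreach ($attr in $AprOnlyAttributes) {
            if ($c.HasAttribute($attr) -and -not $isApr) { $findings.Add("port ${port}: $attr only applies to the APR/native connector") }
        }

        $protocols = @($c.GetAttribute('sslEnabledProtocols') -split '\s*,\s*' | Where-Object { $_ })
        foreach ($p in $protocols) {
            if ($LegacyProtocols -contains $p) { $findings.Add("port ${port}: legacy protocol $p enabled") }
        }
        $ciphers = @($c.GetAttribute('ciphers') -split '\s*,\s*' | Where-Object { $_ })
        foreach ($s in $ciphers) {
            if ($s -match $WeakCipherPattern) { $findings.Add("port ${port}: weak cipher suite $s") }
        }
    }
    return $findings
}

# Constructed sample 1: the shape of the answer above (works, but dated crypto and a stale redirectPort).
$AsPosted = @'
<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="443" protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="C:\Tomcat\keystore.jks" keystorePass="password" clientAuth="false"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
</Service></Server>
'@

# Constructed sample 2: hardened pair for Tomcat 8.0 with a JSSE keystore (TLS 1.2 only,
# forward-secret AEAD suites; useServerCipherSuitesOrder needs Tomcat 8.0.21 or later).
$Hardened = @'
<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="D:\lucee\tomcat\keystore.jks" keystorePass="changeit" keyAlias="server"
             clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             useServerCipherSuitesOrder="true"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
</Service></Server>
'@

foreach ($sample in ([ordered]@{ 'as posted' = $AsPosted; 'hardened' = $Hardened }).GetEnumerator()) {
    "== $($sample.Key) =="
    Test-TomcatConnectors -ServerXml $sample.Value | ForEach-Object { "  $_" }
}
```

Run it as a script; with the placeholder paths the "keystoreFile not found" finding is expected for both samples, and the first sample additionally reports the TLSv1/TLSv1.1 protocols, the 3DES suite and the redirectPort="8443" on the HTTP connector. That last point answers the question raised above about 8443: redirectPort is the port Tomcat sends a client to when it hits a CONFIDENTIAL security constraint, so with HTTPS on 443 the HTTP connector's redirectPort should be 443; the stock server.xml says 8443 only because its sample HTTPS connector listens there.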

lu...@lesener.de

Sep 2, 2015, 11:31:26 AM
to Lucee
Terry,

thanks for your answer!

Still no luck so far... I thought that opening port 443 for outbound traffic in the firewall might be the thing I had overlooked, but it doesn't seem to make a difference yet.

Would I need to add redirectPort="8443" to the connector? 

I think of starting over with a self-signed cert instead of importing a certificate, just to rule out any problems with the certificate itself.


rgds
Lutz

Terry Whitney

Sep 2, 2015, 11:41:15 AM
to Lucee
You would want 443 not 8443. Hence my follow up post.

Post your error log.

How did you generate your ssl cert?





lu...@lesener.de

Sep 2, 2015, 6:35:25 PM
to Lucee
Generating a new (for now: self-signed) certificate did the trick, thanks!
Apparently the import of the existing .crt file didn't work out. Will submit a new CSR tomorrow to get a proper cert.

Thanks again!
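The keystore procedure behind the resolution above, added as an editor's example and not code from the thread, Lucee or Tomcat. Tomcat's JSSE connector needs a private key entry whose alias matches keyAlias, with the CA-signed certificate installed under that same alias; a .crt imported into a keystore on its own only becomes a trustedCertEntry, which cannot terminate TLS. The script assumes keytool from a JDK/JRE is on PATH and that the cert and CA files are PEM or DER; the hostname, paths, passwords and alias are placeholders.

```powershell
# Editor's added example (not code from the thread, Lucee or Tomcat).
# Builds a JKS keystore usable by Tomcat's JSSE connector: private key and CA-signed
# certificate under one alias, then verifies the alias really holds a private key.
# Assumes keytool on PATH; paths, hostname and passwords below are placeholders.

$Keystore  = 'D:\lucee\tomcat\keystore.jks'
$Alias     = 'server'           # must equal keyAlias="server" in server.xml
$StorePass = 'changeit'         # placeholder; JSSE expects the key password to equal keystorePass unless keyPass is set

function New-TomcatKeyPair {
    param([Parameter(Mandatory)][string]$Hostname)
    # Creates the PrivateKeyEntry with a temporary self-signed certificate, enough to test the connector.
    & keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
        -dname "CN=$Hostname" -ext "SAN=dns:$Hostname" -validity 365 `
        -keystore $Keystore -storepass $StorePass -keypass $StorePass
}

function New-TomcatCsr {
    param([Parameter(Mandatory)][string]$CsrPath)
    # The CSR is generated from the key already in the keystore, so the signed cert will match it.
    & keytool -certreq -alias $Alias -file $CsrPath -keystore $Keystore -storepass $StorePass
}

function Import-TomcatCertificate {
    param([Parameter(Mandatory)][string]$CaChainPath, [Parameter(Mandatory)][string]$SignedCertPath)
    # The issuing CA (and any intermediate) is imported first under its own alias so keytool can
    # validate the chain; the signed certificate is then imported under the KEY's alias, which
    # replaces the self-signed one. keytool prints "Certificate reply was installed in keystore".
    & keytool -importcert -alias issuing-ca -file $CaChainPath -keystore $Keystore -storepass $StorePass -noprompt
    & keytool -importcert -alias $Alias -file $SignedCertPath -keystore $Keystore -storepass $StorePass -noprompt
}

function Test-TomcatKeystore {
    # $true only if the alias holds a private key. A trustedCertEntry under the same name is the
    # "imported the .crt but Tomcat still fails" case: there is no key to complete the handshake with.
    $listing = (& keytool -list -keystore $Keystore -storepass $StorePass 2>&1) | Out-String
    return [bool]($listing -match "(?m)^$Alias,.*PrivateKeyEntry")
}

# Typical sequence: self-signed first to prove the connector, CA-signed afterwards.
# New-TomcatKeyPair -Hostname 'www.example.com'
# Test-TomcatKeystore      # True: restart Tomcat and browse https:// (expect an untrusted-cert warning)
# New-TomcatCsr -CsrPath 'D:\lucee\tomcat\server.csr'
# Import-TomcatCertificate -CaChainPath 'D:\lucee\tomcat\ca.crt' -SignedCertPath 'D:\lucee\tomcat\cert.crt'
# Test-TomcatKeystore      # True: the same alias now carries the CA-signed chain; restart Tomcat again
```

If Test-TomcatKeystore returns False after the import, the certificate landed as a separate trustedCertEntry (typically because the keystore never held the private key, or the alias differed from the one used for -genkeypair); start over from New-TomcatKeyPair and submit a fresh CSR rather than re-importing the old .crt.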