{"id":18470,"date":"2023-09-01T22:13:36","date_gmt":"2023-09-01T19:13:36","guid":{"rendered":"https:\/\/kifarunix.com\/?p=18470"},"modified":"2024-03-10T11:35:03","modified_gmt":"2024-03-10T08:35:03","slug":"how-to-configure-apache-tomcat-with-https","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-configure-apache-tomcat-with-https\/","title":{"rendered":"How to Configure Apache Tomcat with HTTPS"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1057\" height=\"593\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-configure-https.png\" alt=\"How to Configure Apache Tomcat with HTTPS\" class=\"wp-image-18549\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-configure-https.png?v=1693594889 1057w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-configure-https-768x431.png?v=1693594889 768w\" sizes=\"(max-width: 1057px) 100vw, 1057px\" \/><\/figure>\n\n\n\n<p>Is it possible to configure Apache Tomcat to run over HTTPS? Yes, this guide provides a step by step tutorial on how to configure Apache Tomcat with HTTPS. <a href=\"https:\/\/tomcat.apache.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Apache Tomcat<\/a> (or simply Tomcat) is an open source web server and servlet container developed by the Apache Software Foundation (ASF). 
Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Oracle, and provides a &#8220;pure Java&#8221; HTTP web server environment for Java code to run in.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-apache-tomcat-with-https\">Configuring Apache Tomcat with HTTPS<\/a><ul><li><a href=\"#why-https-for-apache-tomcat\">Why HTTPS for Apache Tomcat?<\/a><\/li><li><a href=\"#install-and-setup-apache-tomcat\">Install and Setup Apache Tomcat<\/a><\/li><li><a href=\"#generating-apache-tomcat-ssl-tls-certificates\">Generating Apache Tomcat SSL\/TLS Certificates<\/a><ul><li><a href=\"#which-ssl-tls-certificates-are-supported-by-apache-tomcat\">Which SSL\/TLS Certificates are Supported by Apache Tomcat<\/a><\/li><li><a href=\"#generating-ssl-tls-certificates-in-pem-format\">Generating SSL\/TLS Certificates in PEM Format<\/a><ul><li><a href=\"#generate-ca-private-key\">Generate CA Private Key<\/a><\/li><li><a href=\"#generate-ca-self-signed-certificate\">Generate CA self-signed certificate<\/a><\/li><li><a href=\"#generate-server-private-key-and-csr\">Generate Server Private Key and CSR<\/a><\/li><li><a href=\"#generate-and-sign-server-certificate\">Generate and Sign Server Certificate<\/a><\/li><\/ul><\/li><li><a href=\"#generating-ssl-tls-certificates-in-jks-format\">Generating SSL\/TLS Certificates in JKS Format<\/a><\/li><li><a href=\"#enable-apache-tomcat-https-using-pem-ssl-tls-certificate-files\">Enable Apache Tomcat HTTPS Using PEM SSL\/TLS Certificate files<\/a><\/li><li><a href=\"#enable-apache-tomcat-https-using-jks-ssl-tls-certificate-files\">Enable Apache Tomcat HTTPS Using JKS SSL\/TLS Certificate files<\/a><\/li><\/ul><\/li><li><a href=\"#accessing-apache-tomcat-via-https\">Accessing Apache Tomcat via HTTPS<\/a><\/li><li><a href=\"#redirecting-apache-tomcat-http-to-https\">Redirecting Apache Tomcat HTTP to 
HTTPS<\/a><\/li><li><a href=\"#other-tutorials\">Other Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-apache-tomcat-with-https\">Configuring Apache Tomcat with HTTPS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-https-for-apache-tomcat\">Why HTTPS for Apache Tomcat?<\/h3>\n\n\n\n<p>Using HTTPS for Apache Tomcat is recommended for several important reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security:<\/strong> HTTPS provides encryption and data integrity, ensuring that the data exchanged between the client (the user&#8217;s web browser) and the Tomcat server remains confidential and unmodified. Without HTTPS, data can be intercepted or tampered with in transit, putting sensitive information at risk.<\/li>\n\n\n\n<li><strong>Credentials Protection:<\/strong> Apache Tomcat often requires users to enter credentials (e.g., usernames and passwords) to access the Manager or Host Manager web applications. With HTTPS, these credentials are encrypted in transit and protected from eavesdropping.<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-setup-apache-tomcat\">Install and Setup Apache Tomcat<\/h3>\n\n\n\n<p>Of course, you need to have an Apache Tomcat server up and running.<\/p>\n\n\n\n<p>You can check our guides on how to <a href=\"https:\/\/kifarunix.com\/?s=install+tomcat\" target=\"_blank\" rel=\"noreferrer noopener\">install and set up Apache Tomcat<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generating-apache-tomcat-ssl-tls-certificates\">Generating Apache Tomcat SSL\/TLS Certificates<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"which-ssl-tls-certificates-are-supported-by-apache-tomcat\">Which SSL\/TLS Certificates are Supported by Apache Tomcat<\/h4>\n\n\n\n<p>Being Java-based, Apache Tomcat primarily supports two certificate formats for SSL\/TLS configuration: the <strong>Java Keystore (JKS)<\/strong> format and the <strong>PEM<\/strong> format.<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li><strong>Java Keystore (JKS) Format:<\/strong> Java Keystore is the native format used by Java applications, including Apache Tomcat. It&#8217;s a binary format that can store various types of cryptographic information, including private keys, certificates, and certificate chains. Tomcat&#8217;s native SSL connector supports JKS as the keystore format.<\/li>\n\n\n\n<li><strong>PEM Format:<\/strong> Although not a native format, Apache Tomcat also supports PEM-encoded certificates and private keys. Tomcat can work with PEM-encoded files through the <a href=\"https:\/\/www.openssl.org\/\" target=\"_blank\" rel=\"noopener\">OpenSSL<\/a> library and its APR (Apache Portable Runtime) connector. This allows you to use certificates and keys in PEM format directly with Tomcat.<\/li>\n<\/ol>\n\n\n\n<p>As a result, you can have your SSL\/TLS certificates in JKS or PEM formats.<\/p>\n\n\n\n<figure class=\"wp-block-pullquote has-small-font-size\" style=\"font-style:normal;font-weight:500\"><blockquote><p><strong>NOTE:<\/strong> We are using Self-Signed SSL Certificates in this guide for the purposes of the demo. 
If your server is public facing, ensure that you use SSL\/TLS certificates from trusted CAs.<\/p><\/blockquote><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generating-ssl-tls-certificates-in-pem-format\">Generating SSL\/TLS Certificates in PEM Format<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"generate-ca-private-key\">Generate CA Private Key<\/h5>\n\n\n\n<p>Create a directory to hold the certificate files, then run the following OpenSSL command to generate a private key for your CA:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir \/opt\/tomcat9\/ssl<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl genpkey -algorithm RSA -out \/opt\/tomcat9\/ssl\/ca.key<\/code><\/pre>\n\n\n\n<p>The command generates an RSA private key and saves it in the file&nbsp;<code>\/opt\/tomcat9\/ssl\/ca.key<\/code>.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"generate-ca-self-signed-certificate\">Generate CA self-signed certificate<\/h5>\n\n\n\n<p>Once you have the private key, you can generate the CA self-signed certificate using the command below. When the command runs, you are prompted to provide information about your CA, such as the common name, organization, location, contact email, etc. 
The Common Name must be provided.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -x509 -new -key \/opt\/tomcat9\/ssl\/ca.key -days 3650 -out \/opt\/tomcat9\/ssl\/ca.crt<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>You are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:<strong>US<\/strong>\nState or Province Name (full name) [Some-State]:<strong>California<\/strong>\nLocality Name (eg, city) []:<strong>San Francisco<\/strong>\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:<strong>Kifarunix-Demo Inc<\/strong>\nOrganizational Unit Name (eg, section) []:<strong>Infrastracture<\/strong>\nCommon Name (e.g. server FQDN or YOUR name) []:<strong>tomcat.kifarunix-demo.com<\/strong>\nEmail Address []:\n<\/code><\/pre>\n\n\n\n<p>You can provide all this information from the command line using the&nbsp;<strong>-subj&nbsp;<\/strong>option.<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>openssl req -x509 -new \\\n\t-key \/opt\/tomcat9\/ssl\/ca.key \\\n\t-days 3650 \\\n\t-out \/opt\/tomcat9\/ssl\/ca.crt \\\n\t-subj \"\/C=US\/ST=California\/L=San Francisco\/O=Kifarunix-Demo Inc\/CN=tomcat.kifarunix-demo.com\/emailAddress=admin@kifarunix-demo.com\"\n<\/code><\/pre>\n\n\n\n<p>Note that it is not recommended to use a wildcard CN. 
Instead, use the SAN extension to define your other domains\/IPs\/wildcards.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"generate-server-private-key-and-csr\">Generate Server Private Key and CSR<\/h5>\n\n\n\n<p>Next, generate the server private key and certificate signing request (CSR).<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>openssl req -new \\\n\t-newkey rsa:4096 \\\n\t-nodes \\\n\t-keyout \/opt\/tomcat9\/ssl\/server.key \\\n\t-out \/opt\/tomcat9\/ssl\/server.csr \\\n\t-subj \"\/C=US\/ST=California\/L=San Francisco\/O=Kifarunix-Demo Inc\/CN=tomcat.kifarunix-demo.com\/emailAddress=admin@kifarunix-demo.com\"\n<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"generate-and-sign-server-certificate\">Generate and Sign Server Certificate<\/h5>\n\n\n\n<p>Now, you need to generate the server certificate from the CSR and sign it with the CA certificate and private key.<\/p>\n\n\n\n<p>Note that since the <code>openssl x509 -req<\/code> command does not copy extensions such as Subject Alternative Names from the CSR into the signed certificate, you need to provide this information manually.<\/p>\n\n\n\n<p>The SAN extension allows you to include additional subject names, such as domain names or IP addresses, in a single certificate, thus allowing a certificate to be valid for multiple entities or alternative names. Modern browsers ignore the CN and match the host name against the SAN only, so the server certificate needs one.<\/p>\n\n\n\n<p>So, create a CNF file with your SAN extensions;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/tomcat9\/ssl\/san.cnf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1=kifarunix-demo.com\nDNS.2=*.kifarunix-demo.com\n<\/code><\/pre>\n\n\n\n<p>Then generate and sign the server certificate;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>openssl x509 -req \\\n\t-in \/opt\/tomcat9\/ssl\/server.csr \\\n\t-CA \/opt\/tomcat9\/ssl\/ca.crt \\\n\t-CAkey \/opt\/tomcat9\/ssl\/ca.key \\\n\t-CAcreateserial \\\n\t-out 
\/opt\/tomcat9\/ssl\/server.crt \\\n\t-days 3650 \\\n\t-extfile \/opt\/tomcat9\/ssl\/san.cnf\n<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Certificate request self-signature ok\nsubject=C = US, ST = California, L = San Francisco, O = Kifarunix-Demo Inc, CN = tomcat.kifarunix-demo.com, emailAddress = admin@kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>So you now have the server certificate and key, and the CA certificate and key, under <strong><code>\/opt\/tomcat9\/ssl\/<\/code><\/strong> in PEM format.<\/p>\n\n\n\n<p>Ensure the Tomcat user has ownership of the SSL\/TLS certificate files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R tomcat: \/opt\/tomcat9\/ssl\/<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"generating-ssl-tls-certificates-in-jks-format\">Generating SSL\/TLS Certificates in JKS Format<\/h4>\n\n\n\n<p>You can also generate the certificate files in JKS format.<\/p>\n\n\n\n<p>If you already have the certificate files in PEM format as above, then you can convert them to JKS as follows.<\/p>\n\n\n\n<p>First, bundle the server certificate and private key into a PKCS#12 file;<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>openssl pkcs12 -export \\\n\t-in \/opt\/tomcat9\/ssl\/server.crt \\\n\t-inkey \/opt\/tomcat9\/ssl\/server.key \\\n\t-name tomcat \\\n\t-out \/opt\/tomcat9\/ssl\/tomcat.p12\n<\/code><\/pre>\n\n\n\n<p>Provide an export password for the PKCS#12 file and keep that password somewhere you can easily retrieve it.<\/p>\n\n\n\n<p>Next, create the Java KeyStore (JKS) and import the CA certificate into it. Set the keystore password when prompted, and answer yes when asked whether to trust the certificate.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>keytool -importcert \\\n\t-file \/opt\/tomcat9\/ssl\/ca.crt \\\n\t-alias kifarunix-demo-CA \\\n\t-keystore \/opt\/tomcat9\/ssl\/keystore.jks\n<\/code><\/pre>\n\n\n\n<p>Next, import the server certificate and private key from the PKCS#12 file into the keystore. 
Provide both the source and destination keystore passwords.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>keytool -importkeystore \\\n\t-srckeystore \/opt\/tomcat9\/ssl\/tomcat.p12 \\\n\t-srcstoretype pkcs12 \\\n\t-destkeystore \/opt\/tomcat9\/ssl\/keystore.jks \\\n\t-deststoretype JKS\n<\/code><\/pre>\n\n\n\n<p>To confirm the keystore details;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>keytool -list -v -keystore \/opt\/tomcat9\/ssl\/keystore.jks<\/code><\/pre>\n\n\n\n<p>If you do not have any PEM files already, then simply execute the command below to generate a JKS keystore containing a new key pair and self-signed certificate;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>keytool -genkey \\\n\t-alias tomcat \\\n\t-keyalg RSA \\\n\t-validity 3650 \\\n\t-keystore \/opt\/tomcat9\/ssl\/tomcat.jks\n<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Enter keystore password:  \nRe-enter new password: \nWhat is your first and last name?\n  [Unknown]:  Kifarunix Demo\nWhat is the name of your organizational unit?\n  [Unknown]:  Infrastructure\nWhat is the name of your organization?\n  [Unknown]:  Kifarunix-demo Inc\nWhat is the name of your City or Locality?\n  [Unknown]:  San Francisco\nWhat is the name of your State or Province?\n  [Unknown]:  California\nWhat is the two-letter country code for this unit?\n  [Unknown]:  US\nIs CN=Kifarunix Demo, OU=Infrastructure, O=Kifarunix-demo Inc, L=San Francisco, ST=California, C=US correct?\n  [no]:  yes\n\nGenerating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3650 days\n\tfor: CN=Kifarunix Demo, OU=Infrastructure, O=Kifarunix-demo Inc, L=San Francisco, ST=California, C=US\n<\/code><\/pre>\n\n\n\n<p>Note that keytool uses whatever you enter as the first and last name as the certificate CN and adds no SAN, so for a certificate that browsers will accept for your host name, enter the server FQDN and add a SAN (keytool&#8217;s <code>-ext<\/code> option), or use the PEM procedure above. Also note that this command writes to <code>tomcat.jks<\/code> rather than <code>keystore.jks<\/code>, so point <code>keystoreFile<\/code> in <code>server.xml<\/code> at whichever file you use.<\/p>\n\n\n\n<p>Similarly, ensure the Tomcat user has ownership of the SSL\/TLS certificate files;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R tomcat: \/opt\/tomcat9\/ssl\/<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-apache-tomcat-https-using-pem-ssl-tls-certificate-files\">Enable Apache Tomcat HTTPS Using 
PEM SSL\/TLS Certificate files<\/h4>\n\n\n\n<p>If you are using PEM SSL\/TLS certificate files, this is how you can enable HTTPS on Apache Tomcat.<\/p>\n\n\n\n<p>Please note that Tomcat can use three different implementations of SSL:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JSSE implementation provided as part of the Java runtime<\/li>\n\n\n\n<li>JSSE implementation that uses OpenSSL<\/li>\n\n\n\n<li>APR implementation, which uses the OpenSSL engine by default<\/li>\n<\/ul>\n\n\n\n<p>For Tomcat to automatically choose the appropriate SSL implementation, you can configure the Connector with the generic&nbsp;<code>protocol=\"HTTP\/1.1\"<\/code>. Read more on the <a href=\"https:\/\/tomcat.apache.org\/tomcat-9.0-doc\/ssl-howto.html\" target=\"_blank\" rel=\"noopener\">SSL\/TLS configuration page<\/a>.<\/p>\n\n\n\n<p>Thus, edit the <strong>conf\/server.xml<\/strong> file in the Tomcat installation directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/tomcat9\/conf\/server.xml<\/code><\/pre>\n\n\n\n<p>Add the following configuration inside the <strong>&lt;Service&gt;&#8230; &lt;\/Service&gt;<\/strong> section;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>    &lt;Connector port=\"8443\" protocol=\"HTTP\/1.1\"\n               maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\"\n               maxParameterCount=\"1000\"\n               >\n        &lt;UpgradeProtocol className=\"org.apache.coyote.http2.Http2Protocol\" \/>\n        &lt;SSLHostConfig>\n            &lt;Certificate certificateKeyFile=\"\/opt\/tomcat9\/ssl\/server.key\"\n                         certificateFile=\"\/opt\/tomcat9\/ssl\/server.crt\"\n                         certificateChainFile=\"\/opt\/tomcat9\/ssl\/ca.crt\"\n                         type=\"RSA\" \/>\n        &lt;\/SSLHostConfig>\n    &lt;\/Connector>\n<\/code><\/pre>\n\n\n\n<p>Replace the paths to the SSL\/TLS certificate files accordingly.<\/p>\n\n\n\n<p>Save and exit when done.<\/p>\n\n\n\n<p>Restart Apache Tomcat to apply 
the changes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart tomcat9<\/code><\/pre>\n\n\n\n<p>Check whether the Apache Tomcat HTTPS port, 8443\/TCP, is now listening;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep :8443<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN 0      100                     *:8443            *:*    users:((\"java\",pid=27651,fd=45))<\/code><\/pre>\n\n\n\n<p>You should now be able to access your web server via HTTPS on port 8443, <strong>https:\/\/tomcat.kifarunix-demo.com:8443<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-apache-tomcat-https-using-jks-ssl-tls-certificate-files\">Enable Apache Tomcat HTTPS Using JKS SSL\/TLS Certificate files<\/h4>\n\n\n\n<p>If you are using SSL\/TLS files in JKS format, update the Apache Tomcat <strong><code>server.xml<\/code><\/strong> file as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/tomcat9\/conf\/server.xml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>    &lt;Connector port=\"8443\" protocol=\"HTTP\/1.1\"\n               maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\"\n               maxParameterCount=\"1000\"\n               keystoreFile=\"\/opt\/tomcat9\/ssl\/keystore.jks\"\n               >\n        &lt;UpgradeProtocol className=\"org.apache.coyote.http2.Http2Protocol\" \/>\n    &lt;\/Connector>\n<\/code><\/pre>\n\n\n\n<p>Without a <code>keystorePass<\/code> attribute, Tomcat opens the keystore with the default password, <code>changeit<\/code>. If you set a different keystore password, you need to supply it with the correct value!<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>    &lt;Connector port=\"8443\" protocol=\"HTTP\/1.1\"\n               maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\"\n               maxParameterCount=\"1000\"\n               keystoreFile=\"\/opt\/tomcat9\/ssl\/keystore.jks\"\n               keystorePass=\"ChangeME\"\n               >\n        &lt;UpgradeProtocol className=\"org.apache.coyote.http2.Http2Protocol\" \/>\n    &lt;\/Connector>\n<\/code><\/pre>\n\n\n\n<p>If you are setting 
your keystore password here in the file, ensure that <code>server.xml<\/code> is readable only by the Tomcat user and that access to this system is restricted and monitored.<\/p>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"accessing-apache-tomcat-via-https\">Accessing Apache Tomcat via HTTPS<\/h3>\n\n\n\n<p>Now that Apache Tomcat is configured with HTTPS, you can access it via HTTPS, <strong>https:\/\/tomcat.kifarunix-demo.com:8443\/tomcat<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1453\" height=\"829\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-https.png\" alt=\"How to Configure Apache Tomcat with HTTPS\" class=\"wp-image-18550\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-https.png?v=1693594951 1453w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/09\/apache-tomcat-https-768x438.png?v=1693594951 768w\" sizes=\"(max-width: 1453px) 100vw, 1453px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"redirecting-apache-tomcat-http-to-https\">Redirecting Apache Tomcat HTTP to HTTPS<\/h3>\n\n\n\n<p>By now, our Apache Tomcat is listening on both HTTP and HTTPS;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ss -altnp | grep java<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>LISTEN 0      100                     *:8080            *:*    users:((\"java\",pid=28087,fd=43))\nLISTEN 0      1      [::ffff:127.0.0.1]:8005            *:*    users:((\"java\",pid=28087,fd=54))\nLISTEN 0      100                     *:8443            *:*    users:((\"java\",pid=28087,fd=45))\n<\/code><\/pre>\n\n\n\n<p>So, how can you configure Apache Tomcat to redirect HTTP to HTTPS? 
Apache Tomcat can be configured to redirect HTTP to HTTPS using the <a href=\"https:\/\/tomcat.apache.org\/tomcat-9.0-doc\/rewrite.html\" target=\"_blank\" rel=\"noreferrer noopener\">rewrite valve<\/a>, which implements URL rewrite functionality in a way that is very similar to <strong><code>mod_rewrite<\/code><\/strong> from Apache HTTP Server.<\/p>\n\n\n\n<p>The rewrite valve is configured as a valve using the&nbsp;<code>org.apache.catalina.valves.rewrite.RewriteValve<\/code>&nbsp;class name (<strong><code>&lt;Valve className=\"org.apache.catalina.valves.rewrite.RewriteValve\" \/&gt;<\/code><\/strong>).<\/p>\n\n\n\n<p>Thus, edit the Apache Tomcat <strong><code>context.xml<\/code><\/strong> file and add the valve class name as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/tomcat9\/conf\/context.xml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?>\n&lt;!--\n  Licensed to the Apache Software Foundation (ASF) under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  The ASF licenses this file to You under the Apache License, Version 2.0\n  (the \"License\"); you may not use this file except in compliance with\n  the License.  You may obtain a copy of the License at\n\n      http:\/\/www.apache.org\/licenses\/LICENSE-2.0\n\n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an \"AS IS\" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n-->\n&lt;!-- The contents of this file will be loaded for each web application -->\n&lt;Context>\n\n    &lt;!-- Default set of monitored resources. If one of these changes, the    -->\n    &lt;!-- web application will be reloaded.                            
       -->\n    &lt;WatchedResource>WEB-INF\/web.xml&lt;\/WatchedResource>\n    &lt;WatchedResource>WEB-INF\/tomcat-web.xml&lt;\/WatchedResource>\n    &lt;WatchedResource>${catalina.base}\/conf\/web.xml&lt;\/WatchedResource>\n\n    &lt;!-- Uncomment this to disable session persistence across Tomcat restarts -->\n    &lt;!--\n    &lt;Manager pathname=\"\" \/>\n    -->\n<strong>    &lt;Valve className=\"org.apache.catalina.valves.rewrite.RewriteValve\" \/>\n<\/strong>&lt;\/Context>\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Next, create a rewrite.config file under the <strong><code>WEB-INF<\/code><\/strong> directory of the web application with your HTTP to HTTPS rewrite directives;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/tomcat9\/webapps\/ROOT\/WEB-INF\/rewrite.config<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>RewriteCond %{SERVER_PORT} ^8080$\nRewriteRule ^(.*)$ https:\/\/%{HTTP_HOST}:8443$1 [R=301,L]\n<\/code><\/pre>\n\n\n\n<p>This will redirect anything accessed on port 8080 to port 8443. 
<strong>Play around with these directives to suit your requirements<\/strong>.<\/p>\n\n\n\n<p>Save and exit the file. Since the valve is declared in the global <code>context.xml<\/code>, each web application that should redirect needs its own <code>WEB-INF\/rewrite.config<\/code>.<\/p>\n\n\n\n<p>Next, ensure that the HTTP connector in the <code>server.xml<\/code> file has <code>redirectPort<\/code> pointing at the HTTPS port.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>    &lt;Connector port=\"8080\" protocol=\"HTTP\/1.1\"\n               connectionTimeout=\"20000\"\n               <strong>redirectPort=\"8443\"<\/strong>\n               maxParameterCount=\"1000\"\n               \/>\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Restart Apache Tomcat;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart tomcat9<\/code><\/pre>\n\n\n\n<p>Verify the Apache Tomcat HTTP to HTTPS redirection by opening <strong>http:\/\/tomcat.kifarunix-demo.com:8080<\/strong> in a browser; you should be redirected to the HTTPS URL on port 8443.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/enable-kibana-https-connection\/\" target=\"_blank\" rel=\"noreferrer noopener\">Quick Way to Enable Kibana HTTPS Connection<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/easily-configure-elasticsearch-https-connection\/\" target=\"_blank\" rel=\"noreferrer noopener\">Easily Configure Elasticsearch HTTPS Connection<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is it possible to configure Apache Tomcat to run over HTTPS? 
Yes, this guide provides a step by step tutorial on how to configure Apache<\/p>\n","protected":false},"author":10,"featured_media":18549,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,1187],"tags":[7216,7215,7220,7217,7218,7219],"class_list":["post-18470","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-ssl-tls","tag-apache-tomcat-https","tag-apache-tomcat-ssl","tag-configure-tomcat-for-https-http","tag-configure-tomcat-with-https","tag-redirect-http-to-https-on-tomcat","tag-tomcat-https","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18470"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=18470"}],"version-history":[{"count":15,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18470\/revisions"}],"predecessor-version":[{"id":20858,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18470\/revisions\/20858"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/18549"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=18470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=18470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=18470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}