First and foremost, before you even start working through configuring Tomcat to use SSL, ask yourself whether it makes sense to configure Tomcat to use SSL at all. For example, suppose Tomcat is going to sit behind a web server. In that situation, if the web server is already configured to use SSL, it may not make sense to configure Tomcat to use SSL as well. And you don't configure SSL just for fun: SSL adds latency and increases the load on CPU and memory, and it costs real money because you need to pay for a trusted certificate. Read on if you still want to configure Tomcat to use SSL.
It's important to recognize that there will be both inbound and outbound requests. Typically, an inbound request is when a remote system makes a request to an app deployed on Tomcat. Typically, an outbound request is when an app deployed on Tomcat needs to reach out, such as when querying a remote SQL database. This article only deals with securing inbound requests. Refer to this article to secure outbound requests.
Inbound requests are secured with a keystore. Outbound requests are secured with a truststore. So, when you see keystore, think "inbound", and when you see truststore, think "outbound".
First you will create a keystore that contains the public/private keypair used for SSL for the inbound connections to Tomcat, and then you will configure Tomcat. If you have not yet created a keystore, refer to this article.
By default, the SSL Connector in your $CATALINA_HOME/conf/server.xml file is commented out with <!-- and --> tags. Remove the <!-- and --> tags.
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
Revise the Connector to look like the following. Notice that keystoreFile is ssl/my_keystore.p12. This assumes you have a keystore named my_keystore.p12 in the $CATALINA_HOME/ssl/ directory.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="ssl/my_keystore.p12"
           keystorePass="myPassword"
           keyAlias="tc.example.com"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />
Shut down the server.
Start up the server.
You should now be able to navigate to https://localhost:8443.
More details are available in the Tomcat manual.
If a problem occurs, nmap can be used to confirm that port 8443 is open.
[john.doe@server1 ~]# nmap -sS localhost
. . .
8443/tcp open https-alt
Check the $CATALINA_HOME/logs/catalina.out file.
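As an added example that is not part of the original article, the following Python check parses server.xml for the SSLEnabled Connector configured above, resolves keystoreFile the way Tomcat does (relative paths against $CATALINA_BASE, which defaults to $CATALINA_HOME), confirms that the keystore file actually exists, and reports any RC4 suites in the ciphers list (RC4 is prohibited for TLS by RFC 7465). The embedded server.xml fragment is constructed for the example; the catalina_home argument is assumed to be your $CATALINA_HOME.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml mirroring the Connector from this article
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
      keystoreFile="ssl/my_keystore.p12" keystorePass="myPassword"
      keyAlias="tc.example.com"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
               TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>
"""


def check_ssl_connectors(server_xml: str, catalina_home: str) -> list:
    """Return one findings dict per SSLEnabled Connector in server_xml.

    Each dict carries the port, the resolved keystore path, whether that
    file exists, whether secure="true" is set, and the RC4 suites named in
    the ciphers attribute.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        keystore = conn.get("keystoreFile", "")
        # Tomcat resolves a relative keystoreFile against $CATALINA_BASE,
        # which is $CATALINA_HOME in the single-instance layout assumed here
        path = keystore if os.path.isabs(keystore) else os.path.join(catalina_home, keystore)
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        findings.append({
            "port": conn.get("port"),
            "keystore_path": path,
            "keystore_exists": os.path.isfile(path),
            "secure_flag": conn.get("secure") == "true",
            "rc4_ciphers": [c for c in ciphers if "RC4" in c],
        })
    return findings


if __name__ == "__main__":
    # Assumes $CATALINA_HOME is set; falls back to the current directory
    for finding in check_ssl_connectors(SAMPLE_SERVER_XML, os.environ.get("CATALINA_HOME", ".")):
        print(finding)
```

To check a live installation, read $CATALINA_HOME/conf/server.xml into a string and pass it in place of the constructed sample.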