Access via HTTPS


To enable HTTPS support for Tomcat, you need to edit the configuration file server.xml.

  1. Open the server.xml file in a text editor. You can find this file in /path/to/tomcat/conf/server.xml.
  2. Find the following lines:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
           <SSLHostConfig>
               <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                            type="RSA" ></Certificate>
           </SSLHostConfig>
       </Connector>

    If the block is commented out, uncomment it.

  3. Edit the configuration and add your port and certificates, for example:

    <Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" maxHttpHeaderSize="65536" maxPostSize="1100715200">
       <SSLHostConfig hostName="XX.XXXX.XX">
           <Certificate certificateKeyFile="conf/private.key"
                        certificateFile="conf/zertifikat.crt"
                        certificateChainFile="conf/CHAIN.pem"
                        type="RSA" ></Certificate>
       </SSLHostConfig>
    </Connector>

    For more information on the SSLHostConfig property, see https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig 

    Below you can find a summary of the most important options:

    AttributWertBeschreibung
    port443 (default)Port for the HTTPS connection.
    URIEncodingUTF-8UTF-8 should be used, as it is also used by FORMCYCLE.
    maxHttpHeaderSize65536This value should not be changed.
    maxPostSize1100715200Maximum size in bytes for POST requests. This applies, for example, when a form is submitted and includes file uploads. 1100715200 means 1 GB.
    hostName*Name or IP address of the host.
    certificateKeyFile*.keyThe private key of the certificate.
    certificateFile*.crtThe certificate file.
    certificateChainFile*.*The certificate of the certificate authority (CA), if required.

Further possibilities to configure a certificate in the Tomcat at the connector:

Integration via KeyStore:

<Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
          URIEncoding="UTF-8"
          maxHttpHeaderSize="65536"
          maxPostSize="10485760"
          relaxedQueryChars="[ \ ] ^ ` { | }">
   <SSLHostConfig>
       <Certificate certificateKeystoreFile="conf/file.keystore"
                    certificateKeystorePassword="mypwd" ></Certificate>
   </SSLHostConfig>
</Connector>

If you have a KeyPair file (*.pfx, *.p12) you can also include it directly:

<Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
          URIEncoding="UTF-8"
          maxHttpHeaderSize="65536"
          maxPostSize="10485760"
          relaxedQueryChars="[ \ ] ^ ` { | }">
   <SSLHostConfig>
       <Certificate certificateKeystoreFile="conf/file.pfx"
                    certificateKeystorePassword="mypwd"
                    certificateKeystoreType="PKCS12" ></Certificate>
   </SSLHostConfig>
</Connector>