Configure Tomcat with SSL on Windows using the Windows key store
  • 27 Jan 2023

Introduction

These are instructions for configuring SSL in Tomcat using certificates stored in the Windows certificate store.

The benefit is that the server administrator can monitor and replace the certificate in the Windows store, and Comflow's Tomcat server simply picks up the new certificate.

Setup of account

The following steps have to be performed by a server administrator (usually not by Corzia but by the customer's IT department).

• A service account has to be created that is a member of the administrators group on the server.

• Import the certificate into the new user's “Personal” store.

• Set the Tomcat service to run under the service account using the “Log On” tab.

Configure Tomcat server.xml

• The connector at the top of the image is the default connector for regular HTTP connections. Its “port” attribute should be changed to a nearby free port, and its “redirectPort” should point to the port you want to use for HTTPS.

• The connector at the bottom of the image exists by default but is commented out. Uncomment it and give it the same setup as in the image (for Tomcat 8.5 or above). Its port should be the same as the redirectPort of the regular connector.

• The keystore type “Windows-MY” tells the Tomcat service to look in the personal certificate store of the user running Tomcat for a certificate with the specified alias.

• Start Tomcat. In this case the address to reach the portal looks like this: https://servername.domain.com:9191/comflow/portal - so the domain name (domain.com) may have to be included for the address to work properly.
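The two connectors described above, written out as an added example of the relevant part of conf/server.xml for Tomcat 8.5 or above (this is not the image from the original article; the HTTP port 9190, the alias "comflow-portal" and the sslImplementationName setting are assumptions, while 9191 is the HTTPS port used in the portal address above):

```xml
<!-- Added example, not the article's own configuration.
     Assumptions: HTTP moved to port 9190, certificate alias "comflow-portal". -->

<!-- 1. Default HTTP connector, moved to a nearby free port (assumed 9190).
        redirectPort names the HTTPS port that the CONFIDENTIAL constraint
        in web.xml redirects plain-HTTP requests to. -->
<Connector port="9190" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="9191" />

<!-- 2. HTTPS connector: shipped commented out in the default server.xml.
        Uncomment it and adapt it; its port must equal the redirectPort above.
        sslImplementationName (assumption) pins the JSSE implementation so that
        an installed APR/tcnative library does not switch this connector to
        OpenSSL, which needs to export the private key and cannot use one held
        in the Windows store. -->
<Connector port="9191" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
    <SSLHostConfig>
        <!-- Windows-MY is the "Personal" certificate store of the Windows account
             the Tomcat service logs on as (the service account set under "Log On").
             There is no keystore file, so certificateKeystoreFile is left empty
             and the private key never leaves the Windows store. -->
        <Certificate certificateKeystoreType="Windows-MY"
                     certificateKeystoreFile=""
                     certificateKeyAlias="comflow-portal" />
    </SSLHostConfig>
</Connector>
```

To see which aliases the service account can actually use, run `keytool -list -storetype Windows-MY` while logged on as that account; the alias in certificateKeyAlias must match one of the entries listed there.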

Redirect all traffic to HTTPS

Without configuring this the server is still reachable without HTTPS by using the port in the HTTP/1.1 connector. To force all traffic arriving on that port to be redirected to HTTPS, edit the web.xml file to contain the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Note

• The SSLHostConfig tag is only needed if the Tomcat version is 8.5 or above. For older versions the certificate settings can go directly on the Connector tag (not tested though).

• In order to run Eclipse in debug mode with this setup you also have to import the certificate into the personal store of your own user.
