Configuring the SSL Connector for Tomcat Server
To configure SSL on the Tomcat server for the Web Console or Compliance Search, you must create a certificate, install the certificate, and then configure the SSL connector.
Before You Begin
- Create a Certificate.
- If you are using a self-signed certificate, install the certificate.
- If you use a Custom Report Engine and you want to configure SSL on a port other than 443, you must add the customreportengineurl additional setting. For instructions, see Configuring an Alternate Port for SSL for the Custom Report Engine.
About This Task
- For Web Console, perform this task on the Web Console computer.
- For Compliance Search, perform this task on the Compliance Search computer.
Procedure
- Stop the Tomcat Server.
- Back up the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.
- Set the SSLEngine attribute to off on the AprLifecycleListener node, so that the Listener element reads as follows:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
Important: You can remove or comment out the node completely from the server.xml, if recommended by the CA.
- Copy the generated keystore file to software_installation_path/Apache.
By default, the following connector is defined:
<Connector protocol="HTTP/1.1" connectionTimeout="600000" redirectPort="443" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" port="80" />
- In the server.xml file, add a second connector for the SSL port by inserting the following element:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" connectionTimeout="600000" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="software_installation_path/Apache/your_file" keystorePass="<password>" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Commvault WebServer" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
Where:
- port is the same port number specified in the redirectPort parameter of the default connector. Make sure the port number is not used by any other program on the server.
- keystoreFile is the path to your keystore file (.jks) or your certificate file (.pfx).
- keystorePass is the password that you used to create the keystore or certificate.
Important: If you are using a .pfx file, you must add the keystoreType="PKCS12" parameter to the <Connector> element.
- If you want all users to use a secured channel, on the Web Console computer add the forceHttps additional setting:
Property    Value
Name        forceHttps
Category    WebConsole
Type        BOOLEAN
Value       True
For instructions on adding the additional setting from the CommCell Console, see Add or Modify an Additional Setting.
- Update the URL for the link to the Web Console. For more information, see Linking to the Web Console from the CommCell Console.
- Start the Tomcat Server and access the resource on your server using HTTPS.
For instructions on restarting the Tomcat service, see Restarting a Service.
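A consistency check for the edited server.xml, written here as an added example (it is not Commvault tooling): it parses a constructed server.xml modelled on the fragments above and flags the mistakes this procedure warns about, namely a .pfx keystore without keystoreType="PKCS12", an SSL connector port that differs from the default connector's redirectPort, and an AprLifecycleListener whose SSLEngine is not off. As an extra check beyond the page, it also reports TLSv1 and TLSv1.1 in sslEnabledProtocols, since both are deprecated (RFC 8996); the keystore path and password in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragments in this procedure
# (not a real Commvault file); the .pfx keystore deliberately lacks keystoreType.
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" port="80" redirectPort="443" connectionTimeout="600000" />
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="software_installation_path/Apache/webconsole.pfx"
               keystorePass="PLACEHOLDER_PASSWORD"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>"""

LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def check_server_xml(xml_text):
    """Return a list of findings; an empty list means the SSL connector is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("AprLifecycleListener") and \
           listener.get("SSLEngine", "on").lower() != "off":  # Tomcat default is "on"
            findings.append("AprLifecycleListener SSLEngine is not off")
    connectors = list(root.iter("Connector"))
    plain = [c for c in connectors if c.get("SSLEnabled", "false").lower() != "true"]
    ssl = [c for c in connectors if c.get("SSLEnabled", "false").lower() == "true"]
    if not ssl:
        findings.append("no SSLEnabled connector defined")
    redirect_ports = {c.get("redirectPort") for c in plain}
    for c in ssl:
        if c.get("port") not in redirect_ports:
            findings.append(f"SSL port {c.get('port')} does not match any redirectPort")
        keystore = c.get("keystoreFile", "")
        if keystore.lower().endswith(".pfx") and c.get("keystoreType") != "PKCS12":
            findings.append('keystoreFile is .pfx but keystoreType="PKCS12" is missing')
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append('SSL connector must set scheme="https" and secure="true"')
        protos = set(c.get("sslEnabledProtocols", "").split(","))
        legacy = sorted(protos & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML):
        print("finding:", finding)
```

Run it against your own server.xml by replacing SAMPLE_SERVER_XML with the file's contents; an empty result means the connector matches the checks above.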
What To Do Next
- For Compliance Search, configure HTTPS for the Compliance Search Link from the Web Console.