Configuring the SSL Connector for Tomcat Server

To configure SSL on the Tomcat server for the Web Console or Compliance Search, you must create a certificate, install the certificate, and then configure the SSL connector.

Before You Begin

• Create a Certificate.
• If you are using a self-signed certificate, install the certificate.
• If you use a Custom Report Engine and you want to configure SSL on a port other than 443, you must add the customreportengineurl additional setting. For instructions, see Configuring an Alternate Port for SSL for the Custom Report Engine.

About This Task

• For Web Console, perform this task on the Web Console computer.
• For Compliance Search, perform this task on the Compliance Search computer.

Procedure

1. Stop the Tomcat Server.
2. Back up the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.
3. Set the SSLEngine argument to Off for the listener node using the following command:

   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

   Important: You can remove or comment out the node completely from the server.xml, if recommended by the CA.

4. Copy the generated keystore file to software_installation_path/Apache.

   By default, the following connector is defined:

   <Connector protocol="HTTP/1.1" connectionTimeout="600000" redirectPort="443" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" port="80" />

5. In the server.xml file, add a second connector port using the following command:

   <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" connectionTimeout="600000" URIEncoding="UTF-8" maxPostSize="40960000" maxHttpHeaderSize="1024000" maxThreads="2500" enableLookups="true" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="software_installation_path/Apache/your_file" keystorePass="<password>" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Commvault WebServer" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"/>

   Where:

   • port is the same port number specified in the redirectPort parameter of the default connector. Make sure the port number is not used by any other program on the server.
   • keystoreFile is the path to your keystore file (.jks) or your certificate file (.pfx).
   • keystorePass is the password that you used to create the keystore or certificate.

   Important: If you are using a .pfx file, you must add the keystoreType="PKCS12" parameter to the <Connector> element.

6. If you want all users to use a secured channel, on the Web Console computer add the forceHttps additional setting:

   Property	Value
   Name	forceHttps
   Category	WebConsole
   Type	BOOLEAN
   Value	True

   For instructions on adding the additional setting from the CommCell Console, see Add or Modify an Additional Setting.

7. Update the URL for the link to the Web Console. For more information, see Linking to the Web Console from the CommCell Console.
8. Start the Tomcat Server and access the resource on your server using HTTPS.

   For instructions on restarting the Tomcat service, see Restarting a Service.

What To Do Next

• For Compliance Search, configure HTTPS for the Compliance Search Link from the Web Console.