Dimitris,
        Thank you for the prompt and accurate reply. With your information I 
was able to get my customer's updated application functioning with Tomcat 10.

Darryl Baker, GSEC, GCLD (he/him/his) 
Sr. System Administrator 
Distributed Application Platform Services 
Northwestern University 
4th Floor 
2020 Ridge Avenue 
Evanston, IL 60208-0801 
[email protected]
(847) 467-6674




On 10/7/25, 2:21 PM, "Dimitris Soumis" <[email protected]> wrote:


On Tue, Oct 7, 2025 at 9:43 PM Darryl Baker <[email protected]> wrote:


> Colleagues,
> I am a system administrator and only a few of the systems I support use
> Tomcat. I probably saw this in earlier threads but I don’t remember the
> answer. I need either a pointer to the solution or a simple explanation of
> converting my current Tomcat 9 configuration to a working Tomcat 10
> configuration for the main connector for the application I support
> installation. I would like to continue to use a Java keystore.
>
> Current Tomcat 9:
>
> <Connector SSLEnabled="true" clientAuth="false"
>            keystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
>            keystorePass="XXXXXXXX" maxHttpHeaderSize="32678" maxThreads="500"
>            port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            scheme="https" secure="true"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            sslProtocol="TLSv1.2"/>
>
> My attempt at a Tomcat 10 configuration:
>
> <Connector port="8443"
> maxHttpHeaderSize="32678"
> maxThreads="500"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https"
> secure="true"
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> sslProtocol="TLSv1.2">
> <SSLHostConfig>
> <Certificate
> certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
> certificateKeystorePassword="XXXXXXXX"
> certificateKeyAlias="dev-appit.it.example.com"
> certificateKeystoreType="PKCS12"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> Darryl Baker, GSEC, GCLD (he/him/his)
> Sr. System Administrator
> Distributed Application Platform Services
> Northwestern University
> 4th Floor
> 2020 Ridge Avenue
> Evanston, IL 60208-0801
> [email protected]
> (847) 467-6674
>
Hi Darryl,


In Tomcat 10 you should use the new configuration, see
https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html and
https://tomcat.apache.org/tomcat-10.1-doc/config/http.html .


Your configuration should be:


<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="500"
           maxHttpHeaderSize="32678"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
             <-- This can be omitted as it's the default value -->
    <SSLHostConfig protocols="TLSv1.2" certificateVerification="none">
             <-- Consider adding TLSv1.3 in protocols too -->
             <-- certificateVerification="none" can be omitted as it's the default value -->
        <Certificate
            certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
            certificateKeystorePassword="XXXXXXXX"
            certificateKeystoreType="JKS"
             <-- This can be omitted as it's the default value -->
            certificateKeyAlias="dev-appit.it.example.com"
             <-- Make sure the keystore actually contains the alias since it was missing in your previous configuration. If it doesn't, remove this. -->
            type="RSA" />
    </SSLHostConfig>
</Connector>


Kind regards,
Dimitris
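As an added example (my own code, not Tomcat's and not from either poster), a small Python helper that applies the attribute mapping used in the reply above to the Tomcat 9 connector from the original post, producing the Tomcat 10 SSLHostConfig/Certificate form. The sample input is constructed from the original post (typographic quotes included, since that is how mail clients mangle pasted XML), and the mapping table is an assumption drawn from the reply and the Tomcat 10 config/http documentation.

```python
"""Rewrite a Tomcat 9 <Connector> whose TLS settings are plain attributes into
the Tomcat 10 <SSLHostConfig>/<Certificate> form.  Added example, not Tomcat code."""
import xml.etree.ElementTree as ET

# Connector attribute -> (destination element, Tomcat 10 attribute name).
# Assumed mapping, taken from the reply above and the Tomcat 10 http config docs.
MOVED = {
    "keystoreFile": ("Certificate", "certificateKeystoreFile"),
    "keystorePass": ("Certificate", "certificateKeystorePassword"),
    "keystoreType": ("Certificate", "certificateKeystoreType"),
    "keyAlias": ("Certificate", "certificateKeyAlias"),
    "sslProtocol": ("SSLHostConfig", "protocols"),
    "clientAuth": ("SSLHostConfig", "certificateVerification"),
}
# Tomcat 9 clientAuth values and their certificateVerification equivalents.
CLIENT_AUTH = {"false": "none", "want": "optional", "true": "required"}

# Constructed sample based on the original post, including the typographic
# quotes that the mail client substituted for ASCII double quotes.
TOMCAT9 = (
    '<Connector SSLEnabled=”true” clientAuth=”false” '
    'keystoreFile=”/opt/tomcat/latest/conf/dev-appit-keystore.jks” '
    'keystorePass=”XXXXXXXX” maxHttpHeaderSize=”32678” maxThreads=”500” '
    'port=”8443” protocol=”org.apache.coyote.http11.Http11NioProtocol” '
    'scheme=”https” secure=”true” sslProtocol=”TLSv1.2”/>'
)

def migrate(connector_xml: str) -> ET.Element:
    """Return a Tomcat 10 style <Connector> element built from a Tomcat 9 one."""
    # Curly quotes are not valid XML attribute delimiters; normalise first.
    old = ET.fromstring(connector_xml.replace("\u201c", '"').replace("\u201d", '"'))
    new = ET.Element("Connector")
    host = ET.SubElement(new, "SSLHostConfig")
    cert = ET.SubElement(host, "Certificate")
    for name, value in old.attrib.items():
        if name not in MOVED:
            new.set(name, value)          # port, protocol, maxThreads, ... stay put
            continue
        dest, new_name = MOVED[name]
        if name == "clientAuth":
            value = CLIENT_AUTH[value.lower()]
        (cert if dest == "Certificate" else host).set(new_name, value)
    if "type" not in cert.attrib:        # both configs in the thread state the key type
        cert.set("type", "RSA")
    return new

def migrate_to_xml(connector_xml: str) -> str:
    """Same as migrate(), returned as XML text ready to paste into server.xml."""
    return ET.tostring(migrate(connector_xml), encoding="unicode")
```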


