There might be situations where you don't want, or can't, put a Nginx reverse proxy in front of the Tomcat server, and you want to serve SSL directly on the Tomcat server.
You might also want to change the port number on which Tomcat serves the application under SSL, so we will cover that topic too.
This can be useful for on-premises Tomcat servers or when load balancers or reverse proxies are not available.
We are going to assume you are using our dockerized Tomcat server; the instructions are similar for standalone Tomcat servers, minus the docker-specific steps.
- Ability to run docker commands on the Iriusrisk host.
- Certificate in X509 format (PEM), both the public certificate and the private key. For this guide we will call the public certificate "cert.pem" and the private key "key.pem".
Since we will need external tools included with the JDK, we will use the binary tools already included within the Iriusrisk Tomcat container.
Copy your X509 public certificate (cert.pem) and private key (key.pem) files into the /tmp/ folder inside the running iriusrisk container:
Open a shell inside the docker container:
And go to the /tmp/ folder:
Now we will create a new PKCS12 keystore containing the certificate and private key using the openssl binary:
And convert it from PKCS12 to JKS format (Java keystore):
And exit the container to go back to the docker host again:
Now we copy the generated jks file inside the container to the docker host:
And also we copy the tomcat server.xml configuration file to the docker host:
Now we need to edit the server.xml file and add a new connector section with the path of the JKS keystore that Tomcat will use. You can also change the port to an unused port here (20000 in this example):
Now we need to bring the application down:
Now that we have all files ready (server.xml and tomcatssl.jks) we need to modify the docker-compose.yml.
- You can either comment or remove the Nginx section since it won't be used.
- You need to change the ports section to expose the configured port outside the container.
- You need to add the volume section as described here.
This is the final aspect of the docker-compose.yml:
The application is ready and we can start it again:
Check that Tomcat starts correctly by looking at the logs:
After 5-10 minutes the application should be up and running on the new port number, with your certificates served directly by the Tomcat server.
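As an added example (not part of the original guide), this is what the HTTPS connector added to server.xml in the step above can look like. It assumes the keystore from the previous steps is mounted at /usr/local/tomcat/conf/tomcatssl.jks inside the container (a hypothetical path), the port 20000 used in this guide, and a placeholder keystore password.

```xml
<!-- Added example connector for Tomcat 8.5/9 style TLS configuration.
     Place it inside the <Service name="Catalina"> element of server.xml,
     next to the existing HTTP connector. -->
<Connector port="20000"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
    <!-- Only allow TLS 1.2 and 1.3; older protocol versions are disabled. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <!-- Path to the JKS keystore generated with openssl + keytool.
             The path assumes a volume mount into the Tomcat conf directory.
             CHANGE_ME is a placeholder: use the password you chose when
             exporting the PKCS12 file, and keep server.xml readable only by
             the Tomcat user, since the password is stored in clear text. -->
        <Certificate certificateKeystoreFile="conf/tomcatssl.jks"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeystoreType="JKS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The `ports` entry in docker-compose.yml must publish the same port (for example `"20000:20000"`) and the `volumes` entry must mount both the edited server.xml and tomcatssl.jks at the paths referenced here.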