Tomcat by default listens on http port 8000. Follow these instructions to change Tomcat to listen on an https port.
Stop the Tomcat server.
<FlexDeploy Home>/StopFlexDeploy.sh
There are a few different ways that customers can get certificates.
Create a Java Key Store to hold your SSL Certificate. You will need to update location to JDK, alias, and give appropriate path for the keystore location. Make sure it is NOT in the apache-tomcat-flexdeploy folder. The apache-tomcat-flexdeploy folder will be cleaned up with each upgrade, so it is important not to place all supporting files in the flexdeploy home folder or another subfolder instead. This example uses /home/oracle for the location.
/u01/java/jdk8/bin/keytool -genkey -alias flexkeystore -keyalg RSA -keystore /u01/flexdeploy/keystore
Import your SSL certificate. You will need to adjust the JDK location, the keystore name, alias name, and the certificate file name.
When you are importing the SSL certificate, the certificate alias must be different than the keystore alias.
Otherwise you will see the error:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match
/u01/java/jdk8/bin/keytool -import -alias flexdeploy -file mycert.cer -keystore /u01/flexdeploy/keystore
To generate a self-signed certificate and import into the keystore, issue the following command, adjusting the paths and parameters as necessary.
/u01/java/jdk8/bin/keytool -genkeypair -alias flexdeploy -keyalg RSA -validity 365 -keysize 2048 -keystore /u01/flexdeploy/keystore
Edit <FlexDeploy Home>/apache-tomcat-flexdeploy/conf/server.xml. Modify the HTTP connector that is listening on port 80 as follows to listen on some port (not 443). Be sure to adjust keystore file path.
<Connector port="8443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1.2" connectionTimeout="20000" maxThreads="200" SSLEnabled="true" secure="true" maxHttpHeaderSize="16384" keystoreFile="/u01/flexdeploy/keystore" keystorePass="changeit" keyAlias="myalias" clientAuth="false" />
In case the certificate is shared in .pfx format the same can be converted to desired jks format using below command
keytool -importkeystore -srckeystore /u01/flexdeploy/flexdeploydev.pfx -srcstoretype pkcs12 -destkeystore /u01/flexdeploy/keystore -deststoretype JKS
Or, you can use it as is, although it might be more difficult to modify as needed later.
<Connector port="8443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1.2" connectionTimeout="20000" maxThreads="200" SSLEnabled="true" secure="true" maxHttpHeaderSize="16384" keystoreFile="/u01/flexdeploy/flexdeploy.pfx" keystorePass="changeit" keyAlias="myalias" clientAuth="false" />
On Unix, privileged ports (less than 1024) cannot be opened by a non-root user. The solution is to forward traffic from 443 to the port used above (8443). As root, update iptable rule to redirect the traffic from 443 to 8443.
iptables -t nat -I PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8443
Also saving iptables will ensure the setting stays after a unix server restart.
iptables save
To view the rule after:
iptables -L -t nat
You should see:
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443
in the output of the command
Start the Tomcat server.
<FlexDeploy Home>/StartFlexDeploy.sh
Test in browser.
https://<your.hostname>:<port>/flexdeploy
New to certificates and the keytool utility?
Reference the Tomcat documentation for this.