Summary: this page explains how to modify your Apache Tomcat application server to enable the use of the https protocol.
When installed "out of the box", the Apache Tomcat application server will be configured to use the "http" protocol on port 8080, as shown in the following extract from the CATALINA_HOME\conf\server.xml file:
If your organization requires the use of the "https" protocol on port 443 (or another port) when interacting with the CAST dashboards, then there are various steps that need to be completed with regard to the Apache Tomcat installation. You can find out more information about the changes that are required by following the official Apache Tomcat documentation here: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html.
CAST highly recommends the use of an SSL certificate issued by a trusted CA (Certificate Authority) when configuring Apache Tomcat for secure https access. You can use a self-signed SSL certificate, but this is not recommended, since unpredictable results may occur when using the CAST dashboards with this type of certificate.
Advanced security configuration options
If you have configured Apache Tomcat for secure https access, CAST highly recommends that you ALSO configure the following options to further secure your installation.
CAST recommends that you add the "secure" attribute to your SSL connector and set it to "true" - this attribute makes Apache Tomcat report requests received on that connector as having been made over a secure channel, such as https. To do so:
- Edit the CATALINA_HOME\conf\server.xml file with a text editor
- Find your existing SSL connector in the file
- For a JSSE SSL implementation, the connector will look something like this:
- For an APR SSL implementation, the connector will look something like this:
- You now need to add the secure="true" attribute to your SSL connector as follows:
- For a JSSE SSL implementation
- For an APR SSL implementation:
Following any changes you make, save the CATALINA_HOME\conf\server.xml file and then restart your application server so that the changes are taken into account.
CAST recommends that you add the "useHttpOnly" attribute to your context and set it to "true" - this attribute forces the HttpOnly flag to be set on session cookies, preventing client-side script from accessing the session ID. To do so:
- Edit the CATALINA_HOME\conf\context.xml file with a text editor
- You will find the <Context> element as shown below:
- Add the "useHttpOnly" attribute to the opening <Context> tag and set it to "true":
Following any changes you make, save the CATALINA_HOME\conf\context.xml file and then restart your application server so that the changes are taken into account.
- You can find out more information about the "useHttpOnly" attribute here: https://tomcat.apache.org/tomcat-8.0-doc/config/context.html.
- Adding the "useHttpOnly" attribute will activate it for ALL web applications running in Apache Tomcat.
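The following is an added example and is not code from the original page or from CAST: a small Python checker that embeds constructed "before" and "after" fragments of server.xml and context.xml (the connector uses the keystoreFile-style JSSE attributes; port numbers, keystore path and password are placeholders) and verifies both recommendations above, namely secure="true" on every connector that has SSLEnabled="true", and useHttpOnly="true" on the root Context element. Running it against the real files is a matter of reading CATALINA_HOME\conf\server.xml and CATALINA_HOME\conf\context.xml into strings instead of the samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real CAST or Tomcat file): one plain HTTP
# connector plus a JSSE SSL connector that still lacks the secure attribute.
SERVER_XML_BEFORE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" maxThreads="150"
               keystoreFile="conf/localhost-rsa.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Same file after the change recommended above: secure="true" on the SSL connector.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    'SSLEnabled="true" scheme="https"', 'SSLEnabled="true" scheme="https" secure="true"'
)

# Constructed sample context.xml before and after adding useHttpOnly="true".
CONTEXT_XML_BEFORE = """
<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""
CONTEXT_XML_AFTER = CONTEXT_XML_BEFORE.replace("<Context>", '<Context useHttpOnly="true">')


def _is_true(value):
    # Treat boolean attribute values case-insensitively ("true", "True", ...).
    return (value or "").strip().lower() == "true"


def ssl_connectors(server_xml):
    """Return the attribute dict of every Connector that has SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector") if _is_true(c.get("SSLEnabled"))]


def check_secure_attribute(server_xml):
    """One finding per SSL connector that is missing secure="true" (none found is also a finding)."""
    findings = []
    connectors = ssl_connectors(server_xml)
    if not connectors:
        findings.append("no SSL connector found: https is not configured")
    for attrs in connectors:
        if not _is_true(attrs.get("secure")):
            findings.append('connector on port %s lacks secure="true"' % attrs.get("port", "?"))
    return findings


def check_http_only(context_xml):
    """True when the root <Context> element carries useHttpOnly="true"."""
    root = ET.fromstring(context_xml)
    return root.tag == "Context" and _is_true(root.get("useHttpOnly"))


def audit(server_xml, context_xml):
    """Combine both checks into a list of findings; an empty list means both are set."""
    findings = check_secure_attribute(server_xml)
    if not check_http_only(context_xml):
        findings.append('<Context> lacks useHttpOnly="true": session cookies will not be HttpOnly')
    return findings


if __name__ == "__main__":
    for label, srv, ctx in (("before", SERVER_XML_BEFORE, CONTEXT_XML_BEFORE),
                            ("after", SERVER_XML_AFTER, CONTEXT_XML_AFTER)):
        print(label + ":", audit(srv, ctx) or ["OK"])
```

The check deliberately keys on SSLEnabled="true" rather than on the port number, so a connector moved to 443 (as the page allows) is still covered, and it reports a missing SSL connector as a finding rather than silently passing. Because Tomcat's XML is case-sensitive, the Context check requires the element name to be exactly "Context".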