Jamf Nation Community

That is the route I was going to take, but I am a little confused as to how to do that. We are running Tomcat/JSS on a Windows server, and most of the methods I have found are mentioning IPTables or assuming that Apache is running on the server as well.

Did the the new entry go before, or after the original entry? I just want to clarify.

We placed it after, just used a second connector tag.

This doesn't appear to be working any longer for 9.8.

@JoshStephens

I got this working in 9.8 by changing the TOMCAT7_USER and TOMCAT7_GROUP from tomcat7 to root in the /etc/init.d/jamf.tomcat7 script.

@mattbomarc1][~JoshStephens

Instead of changing the user for tomcat to root, I changed the authbind settings to tomcat can us privileged ports under 1023.

Change contents of file /etc/authbind/byuid/105 (mine is a manual jss/tomcat config) to

::/0,443
0.0.0.0/0,443

Make sure your /etc/default/tomcat7 has AUTHBIND=YES commented out! On a linux box with JSS installed using the installer this path will be different!

This is still working for us, we did not encounter any issues post-upgrade to 9.8. We did upgrade from Java 6 to 8 though in the process, so that might have had an impact in some way. The Server.xml though is the same as it was before.

We are still using the additional connector--my previous comment was due to my own trivial error that I fixed the same day (can't remember what it was exactly).

I just had to renew our wildcard certs and it was a pain so I thought I'd take a few minutes to document the process from start to finish in case it will help others. These steps use a Windows 2012 R2 server to complete the certificate renewal process.

1. Renewal initiated by SSL service, they request a CSR
2. Generate a CSR (I used a Windows Server 2012 R2 IIS Server Certificates screen (Create Certificate Request)
3. Copy CSR to file (end step of generating the CSR)
4. Paste file output into SSL service link provided
5. Download certificate generated by SSL service, ours takes about 5 minutes to process after submitting CSR to make the download available
6. Go back to the server that the CSR was generated on and complete Certificate Request (for Window, IIS Server Certificates screen, Complete Certificate Request)
7. Next in Windows, open MMC and add the Certificates Snap-In (Computer account when prompted, not user)
8. Go to Personal then Certificates, then right click on the new certificate, choose All Tasks then Export, Next, “Yes, export the private key,” keep defaults on Export File Format screen, check the box for a password and set it, then create a file on the last screen.
9. Go to a system with Java and open command prompt as admin, go to Java directory (currently c:Program Files (x86)Javajre8in)
10. Type in the following to convert the pfx to jks for use with Tomcat servers like Casper: keytool -importkeystore -srckeystore YourWildcardCert.pfx -srcstoretype pkcs12 -destkeystore YourWildcardCert.jks -deststoretype JKS
11. Casper can now accept the certificate, but the conf file will have to be edited to redirect 443 properly. The following line will need its keyalias value updated: <Connector URIEncoding="UTF-8" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" maxPostSize="-1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" executor="tomcatThreadPool" port="443" protocol="HTTP/1.1" redirectPort="8443" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:Program FilesJSSTomcatYourWildcardCert.jks" keystorePass="YOURKEYSTOREPASS" keyAlias="YOURKEYPASSALIAS,LOOK AT THE STANDARD 8443 CONNECTOR STRING GENERATED BY THE CASPER UPLOAD AND COPY/PASTE" />
12. Finally, bounce the Tomcat service and it should be working.

sorry Raymond, i have to go to attend another matter. Here is the original xml

+<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" executor="tomcatThreadPool" URIEncoding="UTF-8" secure="true" scheme="https" SSLEnabled="true" server="Apache Tomcat" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" maxPostSize="-1">

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="8009" redirectPort="443" protocol="AJP/1.3" URIEncoding="UTF-8"/>

<!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> -->