Changing SSL port from 8443 to 443

powellbc
Contributor II

We have had some complaints about the non-standard HTTPS port Tomcat uses. I know that to modify the port used I need to modify the server.xml file in the Tomcat directory. I am thinking I could change the port or try a redirect.

Has anyone attempted this? I am afraid client communications may be messed up if I change it.


jarednichols
Honored Contributor

Do a redirect for the web interface. You don't want to go changing the actual port that the client communicates on. It's also easier to roll back/change later than an endpoint configuration change like that.

powellbc
Contributor II

That is the route I was going to take, but I am a little confused as to how to do that. We are running Tomcat/JSS on a Windows server, and most of the methods I have found are mentioning IPTables or assuming that Apache is running on the server as well.

powellbc
Contributor II

Well, it looks like adding a second connector line to the server.xml did it. I just used the port as 443 and then specified the redirect port as 8443.

Ergo:

<Connector executor="tomcatThreadPool" port="443" protocol="HTTP/1.1" redirectPort="8443" scheme="https" secure="true" SSLEnabled="true" ><!--keystoreFile updated by JSS. Mon Aug 13 13:09:03 EDT 2012--><!--keystoreFile updated by JSS. Mon Mar 25 13:40:50 EDT 2013--></Connector>

I left out the file location and cipher info in this sample above.
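An added example, not code from the thread or from Jamf: a Python script that clones the existing SSLEnabled connector in server.xml onto port 443 with redirectPort 8443, the way the post above describes, so the keystore, cipher and executor settings stay identical between the two connectors. The sample server.xml and every attribute value in it are constructed placeholders.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed, trimmed server.xml in the shape a JSS install leaves behind;
# every attribute value here is a placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"/>
    <Connector executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="C:/Program Files/JSS/Tomcat/keystore.jks"
               keystorePass="changeit" keyAlias="tomcat">
      <!--keystoreFile updated by JSS-->
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def _parse(xml_text):
    # insert_comments=True keeps the <!--keystoreFile updated by JSS--> markers
    # that live inside the connector instead of silently dropping them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def tls_connectors(xml_text):
    """(port, redirectPort, keyAlias) for every SSLEnabled connector, in file order."""
    root = _parse(xml_text)
    return [(c.get("port"), c.get("redirectPort", ""), c.get("keyAlias", ""))
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def add_https_connector(xml_text, new_port="443", redirect_port="8443"):
    """Clone the existing TLS connector onto new_port; returns (xml, added)."""
    root = _parse(xml_text)
    for service in root.findall("Service"):
        connectors = [c for c in service.findall("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
        if not connectors:
            continue
        if any(c.get("port") == new_port for c in connectors):
            return ET.tostring(root, encoding="unicode"), False  # already present
        template = connectors[0]
        clone = copy.deepcopy(template)  # same keystore, ciphers and executor
        clone.set("port", new_port)
        clone.set("redirectPort", redirect_port)
        service.insert(list(service).index(template) + 1, clone)
        return ET.tostring(root, encoding="unicode"), True
    return xml_text, False
```

Running it twice is safe: the second call sees the 443 connector and returns the file unchanged.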

WUSLS
New Contributor

Did the new entry go before, or after the original entry? I just want to clarify.

powellbc
Contributor II

We placed it after, just used a second connector tag.

JoshStephens
New Contributor

This doesn't appear to be working any longer for 9.8.

mattbomarc1
New Contributor

@JoshStephens

I got this working in 9.8 by changing the TOMCAT7_USER and TOMCAT7_GROUP from tomcat7 to root in the /etc/init.d/jamf.tomcat7 script.

danielslijper
New Contributor

@mattbomarc1 @JoshStephens

Instead of changing the user for tomcat to root, I changed the authbind settings so tomcat can use privileged ports under 1023.

Change contents of file /etc/authbind/byuid/105 (mine is a manual jss/tomcat config) to

::/0,443
0.0.0.0/0,443

Make sure your /etc/default/tomcat7 has AUTHBIND=YES commented out! On a linux box with JSS installed using the installer this path will be different!

powellbc
Contributor II

This is still working for us, we did not encounter any issues post-upgrade to 9.8. We did upgrade from Java 6 to 8 though in the process, so that might have had an impact in some way. The Server.xml though is the same as it was before.

JoshStephens
New Contributor

We are still using the additional connector--my previous comment was due to my own trivial error that I fixed the same day (can't remember what it was exactly).

I just had to renew our wildcard certs and it was a pain so I thought I'd take a few minutes to document the process from start to finish in case it will help others. These steps use a Windows 2012 R2 server to complete the certificate renewal process.

  1. Renewal initiated by SSL service, they request a CSR
  2. Generate a CSR (I used a Windows Server 2012 R2 IIS Server Certificates screen (Create Certificate Request))
  3. Copy CSR to file (end step of generating the CSR)
  4. Paste file output into SSL service link provided
  5. Download certificate generated by SSL service, ours takes about 5 minutes to process after submitting CSR to make the download available
  6. Go back to the server that the CSR was generated on and complete Certificate Request (for Windows, IIS Server Certificates screen, Complete Certificate Request)
  7. Next in Windows, open MMC and add the Certificates Snap-In (Computer account when prompted, not user)
  8. Go to Personal then Certificates, then right click on the new certificate, choose All Tasks then Export, Next, “Yes, export the private key,” keep defaults on Export File Format screen, check the box for a password and set it, then create a file on the last screen.
  9. Go to a system with Java and open command prompt as admin, go to Java directory (currently c:\Program Files (x86)\Java\jre8\bin)
  10. Type in the following to convert the pfx to jks for use with Tomcat servers like Casper: keytool -importkeystore -srckeystore YourWildcardCert.pfx -srcstoretype pkcs12 -destkeystore YourWildcardCert.jks -deststoretype JKS
  11. Casper can now accept the certificate, but the conf file will have to be edited to redirect 443 properly. The following line will need its keyAlias value updated: <Connector URIEncoding="UTF-8" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" maxPostSize="-1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" executor="tomcatThreadPool" port="443" protocol="HTTP/1.1" redirectPort="8443" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:\Program Files\JSS\Tomcat\YourWildcardCert.jks" keystorePass="YOURKEYSTOREPASS" keyAlias="YOURKEYPASSALIAS,LOOK AT THE STANDARD 8443 CONNECTOR STRING GENERATED BY THE CASPER UPLOAD AND COPY/PASTE" />
  12. Finally, bounce the Tomcat service and it should be working.
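An added example (mine, not from the thread or from Jamf) for the check a practitioner wants after steps 10 and 11: it reads the alias names out of `keytool -list` output, confirms that the 443 connector's keyAlias names a private-key entry in the converted keystore, and flags the legacy protocols and RC4 ciphers that appear in the connector line above. Both sample inputs are constructed; the keystore alias, fingerprints and connector values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed `keytool -list -keystore YourWildcardCert.jks` output; alias lines
# have the form "<alias>, <date>, PrivateKeyEntry,". Fingerprints are fake.
KEYTOOL_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

wildcard, Mar 25, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
root-ca, Mar 25, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
"""

# Constructed 443 connector with a stale keyAlias and the legacy protocol and
# cipher lists from the thread; every value is a placeholder.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true"
  redirectPort="8443" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA"
  keystoreFile="C:/Program Files/JSS/Tomcat/YourWildcardCert.jks" keystorePass="x" keyAlias="tomcat"/>
</Service></Server>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "anon")


def parse_keytool_aliases(listing):
    """Map alias -> entry type (PrivateKeyEntry / trustedCertEntry)."""
    entries = {}
    for line in listing.splitlines():
        m = re.match(r"^(.+?),\s.*,\s*(PrivateKeyEntry|trustedCertEntry),?\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def audit_https_connector(xml_text, keystore_entries, port="443"):
    """Findings for the connector on `port` after a certificate swap."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("port") != port:
            continue
        alias = c.get("keyAlias", "")
        if keystore_entries.get(alias) != "PrivateKeyEntry":
            findings.append(f"keyAlias '{alias}' is not a private-key entry in the new keystore")
        for proto in c.get("sslEnabledProtocols", "").split(","):
            if proto.strip() in WEAK_PROTOCOLS:
                findings.append(f"weak protocol enabled: {proto.strip()}")
        for cipher in c.get("ciphers", "").split(","):
            if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"weak cipher enabled: {cipher.strip()}")
    return findings
```

An empty findings list means the alias matches the new keystore and only TLSv1.2 or later with non-RC4 suites is enabled; anything else should be fixed before the Tomcat restart in step 12.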

aandersen5
New Contributor

Sorry Raymond, I have to go to attend another matter. Here is the original XML

<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" executor="tomcatThreadPool" URIEncoding="UTF-8" secure="true" scheme="https" SSLEnabled="true" server="Apache Tomcat" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" maxPostSize="-1">

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="8009" redirectPort="443" protocol="AJP/1.3" URIEncoding="UTF-8"/>

<!-- An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html -->

<!-- You should set jvmRoute to support load-balancing via AJP ie : <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1"> -->