
SSL (https) configuration on tomcat


When setting up SSL encryption for use with iGrafx Platform, the primary question is usually whether there is a proxy between Tomcat and the end user, or whether Tomcat is contacted directly (which will usually not be possible on port 80 or 443, the standard HTTP and HTTPS ports).

If Tomcat is contacted directly and no proxy is used, the "HTTPS for Tomcat without proxy" setup can be used without any changes. Where an Apache proxy sits between iGrafx Platform's Tomcat and the end user, the customer has to decide whether only the communication between the end user and the Apache proxy is secured, or whether both connections are secured. The former is the much more frequent case, as the Apache proxy will often run on the same machine as Tomcat. See the reference section for a short guide on which proxy module to use with Apache, depending on the requirements (mod_proxy_http vs. mod_jk).

Once you've decided on a module, follow the instructions below for either mod_proxy_http or mod_jk/AJP.


HTTPS for Tomcat without proxy

See the following Tomcat documentation to configure HTTPS without proxy:


Here are some suggested, minimum configuration steps:

sudo apt-get install java
/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -genkey -alias tomcat -keyalg RSA

Fill out the questions. For testing, use igrafx as the password.


vim ~/ice/apache-tomcat-7.0.42/conf/server.xml


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>

Add those two parameters to the block:


Comment out:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

HTTPS for Apache proxy using mod_proxy_http and https on Tomcat (both servers communicate using SSL)

Follow the steps in Setting up SSL for Apache Tomcat before continuing to set up SSL on Apache.

openssl genrsa -out icedemo.key 2048

Option 1: Self signed

openssl req -new -key icedemo.key -out icedemo.csr
openssl x509 -req -days 365 -in icedemo.csr -signkey icedemo.key -out icedemo.crt

Option 2: Build a CA

For testing we could build our own CA infrastructure, more reading:

Configure Apache

sudo mkdir /etc/apache2/ssl
sudo cp ~/ssl/icedemo.crt /etc/apache2/ssl/
sudo cp ~/ssl/icedemo.key /etc/apache2/ssl/
sudo a2enmod ssl
sudo service apache2 restart
sudo vi /etc/apache2/sites-available/igrafxproxy.conf


<VirtualHost *:443>
    ServerName icedemo
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/icedemo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/icedemo.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
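A small lint for vhost files like the one above, as an added example that is not part of the iGrafx documentation: it reports the SSLProxy* settings that switch off Apache's checks of the Tomcat certificate and any section that is left unclosed. The function name audit_vhost and the SAMPLE text are assumptions made for this example.

```python
import re

# Values that switch off mod_ssl's checks of the backend (Tomcat) certificate.
WEAK = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
        "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def audit_vhost(conf_text):
    """Return sorted (line_number, message) findings for an Apache config snippet."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = re.fullmatch(r"</(\w+)>", line)
        opening = re.fullmatch(r"<(\w+)(\s[^>]*)?>", line)
        if closing:
            # Pop back to the matching opener; anything skipped was left open.
            while stack:
                name, opened_at = stack.pop()
                if name.lower() == closing.group(1).lower():
                    break
                findings.append((opened_at, f"<{name}> is never closed"))
            else:
                findings.append((lineno, f"</{closing.group(1)}> has no opening tag"))
        elif opening:
            stack.append((opening.group(1), lineno))
        else:
            directive, *args = line.split()
            if args and WEAK.get(directive.lower()) == args[0].lower():
                findings.append((lineno, f"{directive} {args[0]}: backend certificate check disabled"))
    findings += [(at, f"<{name}> is never closed") for name, at in stack]
    return sorted(findings)

# Constructed sample modelled on the vhost above, with </Proxy> left out on purpose.
SAMPLE = """\
<VirtualHost *:443>
    ServerName icedemo
    <Proxy *>
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://localhost:8443/
</VirtualHost>
"""

for lineno, message in audit_vhost(SAMPLE):
    print(f"line {lineno}: {message}")
```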


When deciding what module to use for proxying between Apache and Tomcat, this document might help.


