To configure SSL on the Tomcat server for the Command Center or the Web Console, you must create a certificate and then configure the SSL connector.
Perform this task on the following computers:
- For Command Center, perform this task on the Command Center computer.
- For Web Console, perform this task on the Web Console computer.
Before You Begin
- Create a certificate. For more information, see Create a Certificate.
Note
Self-signed certificates are automatically created and installed by the Commvault software. If you use a self-signed certificate, users will see a warning in the browser indicating that it is not safe to proceed.
- If you use a Custom Report Engine and you want to configure SSL on a port other than 443, you must add the customreportengineurl additional setting. For more information, see Configuring an Alternate Port for SSL for the Custom Report Engine.
- To support stronger encryption when establishing the SSL connection, add the -Djdk.tls.ephemeralDHKeySize=2048 setting to the startup options of the Tomcat service. This setting is enabled by default on Command Center and Web Console computers that are installed with Version 11 SP9 or a later service pack. To edit the Java startup options (also called system properties), open the Tomcat service GUI by double-clicking the GxTomcatInstance001.exe file in the software_installation_directory\ContentStore\Apache\bin folder, go to the Java tab, and then under Java Options, add the setting.
- The server.xml file requires escaping for certain characters as per the XML specification. For example, the & and < characters must be escaped as &amp; and &lt; respectively. For more information, see https://www.w3.org/TR/xml/.
Procedure
- Stop the Tomcat Server.
- Go to software_installation_path/Apache/Conf, and then back up the server.xml file that is part of the Apache configuration.
- Copy the generated keystore file to software_installation_path/Apache.
- For new installations of Version 11 SP9 or higher, in the server.xml file, modify the path to the generated keystore file and the keystore password values as follows:
<Certificate certificateKeystoreFile="software_installation_path/Apache/your_file" certificateKeystorePassword="password" certificateKeystoreType="JKS"/>
Where:
  - software_installation_path/Apache/your_file is the path to your keystore file. You can use the .jks keystore file and set certificateKeystoreType to JKS. You can also use the .pfx, .p12 or .p7b keystore files and set certificateKeystoreType to PKCS12.
  - password is the password that you used to create the keystore or certificate.
  For configuration on SP8 or earlier installations, refer to the corresponding service pack version documentation.
- In the server.xml file Connector element associated with port 443, keep the following up to date:
  - SSL protocols: Update the SSLHostConfig element protocols attribute (enable TLSv1.2+TLSv1.3 or a more recent version).
  - Ciphers: Update the SSLHostConfig element ciphers attribute according to your corporate security policy.
<SSLHostConfig certificateVerification="none" honorCipherOrder="true" protocols="TLSv1.2+TLSv1.3" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256">
- Start the Tomcat Server and access the resource on your server using HTTPS.
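As an added check before restarting Tomcat (example code written for this page, not part of the Commvault documentation or product), the following Python script parses a server.xml and reports legacy protocol names, weak cipher suite names, a Certificate element without a keystore path or password, and XML that is not well-formed, which is what an unescaped & or < in a password attribute produces. The sample server.xml is constructed, and its keystore path and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real Commvault file); the password contains an escaped '&'.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="none" honorCipherOrder="true"
                   protocols="TLSv1.2+TLSv1.3"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384">
      <Certificate certificateKeystoreFile="C:/Commvault/ContentStore/Apache/tomcat.jks"
                   certificateKeystorePassword="p&amp;ssword" certificateKeystoreType="JKS"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Protocol names that re-enable pre-TLS-1.2 versions ('all' is Tomcat's alias that includes TLSv1 and TLSv1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "all"}
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")

def audit_tls_connector(xml_text, port="443"):
    """Return a list of findings for the HTTPS Connector on `port`; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. an unescaped '&' or '<' inside an attribute value
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector on port {port}"]
    for conn in connectors:
        if conn.get("SSLEnabled", "").lower() != "true":
            findings.append("Connector is not SSLEnabled")
        for host in conn.iter("SSLHostConfig"):
            # Tomcat accepts '+' or ',' as separators in the protocols attribute; the default is 'all'.
            protos = {p.strip() for p in host.get("protocols", "all").replace("+", ",").split(",")}
            bad = sorted(protos & WEAK_PROTOCOLS)
            if bad:
                findings.append(f"legacy protocols enabled: {bad}")
            for cipher in host.get("ciphers", "").split(","):
                if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"weak cipher suite listed: {cipher.strip()}")
            if host.get("honorCipherOrder", "").lower() != "true":
                findings.append("honorCipherOrder is not true (client chooses the cipher)")
            for cert in host.iter("Certificate"):
                if not cert.get("certificateKeystoreFile") or not cert.get("certificateKeystorePassword"):
                    findings.append("Certificate element is missing keystore file or password")
    return findings
```

Run it against your edited server.xml before starting the Tomcat Server; a well-formedness finding means the file will not load at all, and the other findings point at the protocols, ciphers and Certificate attributes described in the steps above.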
What to Do Next
- For the Web Console, update the URL for the link to the Web Console.
- If your Web Console is not configured to allow only HTTPS connections (installations of Version 11 SP8 and older), add the forceHttps additional setting. For instructions on adding the additional setting from the CommCell Console, see Adding or Modifying Additional Settings from the CommCell Console.
Note
If the Web Server and Web Console computers are separated by a firewall, you must configure a port-forwarding gateway to open connections to the Web Server through the Web Console computer. For more information, see Configuring Access to the Web Server Using a Port-Forwarding Gateway.
Related Topics
- For instructions about stopping and restarting the Tomcat service, see:
- For a list of ciphers that are considered reasonably secure at this time, see Ciphers for the SSL Connector for Tomcat Server.