Configuring the SSL Certificate for Tomcat Server

To configure SSL on the Tomcat server for the Web Console or Compliance Search, you must create a certificate and then configure the SSL connector.

Before You Begin

  • Create a Certificate.

    Note: Self-signed certificates are automatically created and installed by the Commvault software. If you use a self-signed certificate, users will see a warning in the browser indicating that it is not safe to proceed.

  • If you use a Custom Report Engine and you want to configure SSL on a port other than 443, you must add the customreportengineurl additional setting. For more information, see Configuring an Alternate Port for SSL for the Custom Report Engine.
  • To support stronger encryption when establishing the SSL connection, add the Djdk.tls.ephemeralDHKeySize=2048 setting to the startup option of the Tomcat service. This setting is available by default on Web Console and Compliance Search computers that are installed with Version 11 SP9 or later service packs.

Where to Perform This Task

  • For Web Console, perform this task on the Web Console computer.
  • For Compliance Search, perform this task on the Compliance Search computer.


  1. Stop the Tomcat Server.
  2. Back up the server.xml that is part of the Apache configuration in the software_installation_path/Apache/Conf folder.
  3. Copy the generated keystore file to software_installation_path/Apache.
  4. For new installations of Version 11 SP9 or higher, in the server.xml file, modify the path to the generated keystore file and the keystore password values.

    <Certificate certificateKeystoreFile="software_installation_path/Apache/your_file" certificateKeystorePassword="Password" certificateKeystoreType="JKS"/> 


    • certificateKeystoreFile is the path to your keystore file. You can use the .jks keystore file and set the certificateKeystoreType to JKS. You can also use the .pfx or .p12 keystore files and set the certificateKeystoreType to PKCS12.
    • certificateKeystorePassword is the password that you used to create the keystore or certificate.

    For configuration on SP8 or earlier installations, refer to the corresponding service pack version documentation.

  5. Keep the SSL protocols up to date (it is recommended that you enable TLSv1.1 and higher) by modifying the sslEnabledProtocols attribute of the Connector element in the server.xml file as follows:

    <Connector port="443" sslEnabledProtocols="TLSv1.1,TLSv1.2">

  6. If you want all users to use a secured channel, on the Web Console computer add the forceHttps additional setting.

    Note: For new installations of Version 11 SP9 or higher, the forceHttps additional setting is enabled by default.

    For instructions on adding the additional setting from the CommCell Console, see Adding or Modifying Additional Settings from the CommCell Console.











    Note: If the Web Server and Web Console computers are separated by a firewall, you must configure third-party ports mapping to open connections to the Web Server through the Web Console computer. For more information, see Configuring Access to the Web Server Using TPPM.

  7. Update the URL for the link to the Web Console. For more information, see Linking to the Web Console from the CommCell Console.
  8. Start the Tomcat Server and access the resource on your server using HTTPS.

    For instructions on restarting the Tomcat service, see Restarting a Service.

What To Do Next

For Compliance Search, configure HTTPS for the Compliance Search Link from the Web Console.

Last modified: 10/7/2019 3:25:21 PM