How to use TLS 1.2 with Apache Tomcat

Problem Description

You need to configure TLS 1.2 both for the Apache Tomcat instance that hosts TAC and for the connection from TAC to its backend database.

Root Cause

TLS 1.0 and TLS 1.1 are no longer considered secure and have known vulnerabilities.

Solution

To specify the truststore, require TLS 1.2 on the connection from TAC to its backend database, and force TLS 1.2 for the Java application, set the following JVM parameters in the apache-tomcat/bin/setenv.sh file:

-Djavax.net.ssl.trustStore=<path to file>
-Djavax.net.ssl.trustStorePassword=<password>
-Dhttps.protocols=TLSv1.2

For browser connections to the TAC web application and all other non-database communication, add the following attribute (alongside the other SSL settings) to the HTTPS Connector in the apache-tomcat/conf/server.xml file:

SSLProtocol="TLSv1.2"

Your server.xml file should look similar to this:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>

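The two edits above are easy to get wrong or to drift over time, so here is an added example (not part of the original article, and not Talend's or Tomcat's own tooling): a POSIX shell script that audits a setenv.sh and a server.xml for the settings described, plus a probe function that uses openssl s_client to confirm a running listener rejects TLS 1.0 and 1.1 and accepts TLS 1.2. The file paths, the truststore password and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a Tomcat install for
# the TLS 1.2 settings described above. All file paths and sample values are
# constructed for the demo; point the functions at your real files.

# check_setenv FILE
# Prints "ok" when setenv.sh passes all three JVM properties the article
# requires, otherwise "missing:" followed by the absent ones.
check_setenv() {
    missing=""
    for prop in javax.net.ssl.trustStore= javax.net.ssl.trustStorePassword= https.protocols=TLSv1.2; do
        grep -q -- "-D$prop" "$1" || missing="$missing $prop"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# check_server_xml FILE
# Prints one line per SSL-enabled <Connector>: "ok" when it pins
# SSLProtocol="TLSv1.2", "weak" otherwise (e.g. SSLProtocol="all", or the
# attribute left out so the connector default applies).
check_server_xml() {
    # Flatten newlines so a Connector split across lines is one record.
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' | while read -r conn; do
        case "$conn" in
            *'SSLEnabled="true"'*)
                case "$conn" in
                    *'SSLProtocol="TLSv1.2"'*) echo ok ;;
                    *) echo weak ;;
                esac ;;
        esac
    done
}

# probe_tls HOST [PORT]
# Live check against a running Tomcat (needs network, so the offline demo
# below does not call it): TLS 1.0 and 1.1 handshakes should be rejected and
# TLS 1.2 accepted. A refused connection also reports "rejected", which is
# why TLS 1.2 is probed first.
probe_tls() {
    host="$1"; port="${2:-8443}"
    for v in tls1_2 tls1_1 tls1; do
        if openssl s_client -connect "$host:$port" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v accepted"
        else
            echo "$v rejected"
        fi
    done
}

# Constructed sample files for an offline run.
SAMPLE_DIR=$(mktemp -d)

# Truststore path and password below are placeholders.
cat > "$SAMPLE_DIR/setenv.sh" <<'EOF'
CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=/opt/tac/truststore.jks"
CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
CATALINA_OPTS="$CATALINA_OPTS -Dhttps.protocols=TLSv1.2"
export CATALINA_OPTS
EOF

# Hardened connector, as in the article (split across lines on purpose).
cat > "$SAMPLE_DIR/server.xml" <<'EOF'
<Server><Service>
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem"
    SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
</Service></Server>
EOF

# Same connector with the protocol left open, so older protocols stay enabled.
cat > "$SAMPLE_DIR/server-weak.xml" <<'EOF'
<Server><Service>
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/usr/local/ssl/server.crt" SSLCertificateKeyFile="/usr/local/ssl/server.pem"
    SSLProtocol="all"/>
</Service></Server>
EOF

echo "setenv.sh: $(check_setenv "$SAMPLE_DIR/setenv.sh")"
echo "server.xml: $(check_server_xml "$SAMPLE_DIR/server.xml")"
echo "server-weak.xml: $(check_server_xml "$SAMPLE_DIR/server-weak.xml")"
```

The check keys on the SSLProtocol attribute because the article's Connector uses the APR/native connector; a JSSE (NIO) connector pins versions with sslEnabledProtocols instead, so adapt the pattern if that is what your server.xml uses. Also note that -Dhttps.protocols governs the JDK's HttpsURLConnection clients; whether a JDBC driver honours it depends on the driver, so confirm the database side with the driver's own TLS settings as well.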

For more information, see the SSL/TLS Configuration HOW-TO page in the Apache Tomcat 8 documentation.

Version history: revision 3 of 3, last updated 04-17-2019 01:11 AM