Tomcat Server

In the Tomcat Server tab, you designate ports for the local Tomcat server components and optionally configure Tomcat to use HTTPS. You configure the Tomcat Server settings in either wizard mode or utility mode on the servers that host the Tomcat server components.

General Settings

In the General tab, you configure the following settings.

Tomcat Server Settings

To configure HTTP connections to your Tomcat server, provide the following:

Field: HTTP Connector port
Description: Enter the HTTP connector port that Tomcat will use on this server. If you clear the port value, the connector is no longer used.

Note: The HTTP port affects the URL that is used to log in to Application Repository. If you change this port, you will need to notify SBM Composer users.

Tomcat Advanced Settings

Use the Advanced Settings to override the maximum HTTP header size for SBM Tomcat requests and responses. Tomcat allocates two buffers of maxHttpHeaderSize bytes per request, which can cause out-of-memory problems when SBM Tomcat is handling heavy server traffic. If users are receiving HTTP 400 errors from Tomcat, consider increasing the maximum HTTP header size as appropriate.

For systems that are configured to use Windows Domain authentication with SSO, SBM Configurator automatically doubles the default maximum HTTP header size from 8192 bytes to 16384 bytes.

Use the Minimum and Maximum memory size fields to control Tomcat memory utilization on your current server. For example, you might increase the Maximum memory size setting for Tomcat in the event you are seeing out-of-memory errors in the tomcat.log file.

HTTPS / TLS Settings

The Tomcat Server HTTPS / TLS Settings sub-tab enables you to secure end-user connections to Tomcat.

If you want to enable HTTPS in a distributed server environment, you must run SBM Configurator on each Tomcat server and configure these settings.

If you enable SSO, you can secure connections from the browser into the SSO Security Server by selecting Use HTTPS for SSO login on the Security | Secure SSO sub-tab. For details, refer to Securing SSO.

General Settings

To configure HTTPS, you must specify a port in the HTTPS connector port field.

Field: HTTPS connector port
Description: Enter the HTTPS connector port that Tomcat will use on this server. If you clear the port value, the connector is no longer used.

Field: HTTPS client certificate port for Smart Card authentication
Description: Enter the HTTPS port that will be used for client certificate authentication, which is used for Smart Card authentication in SBM.

Note: The HTTPS port affects the URL that is used to log in to Application Repository. If you change this port, you will need to notify SBM Composer users.

To finish configuring HTTPS, you can import a new certificate from a well-known certificate authority (CA) or a self-signed certificate generated by your own CA. You can also manage the current configuration by selecting an existing certificate. If SSO is enabled, this creates a secure communication channel between the browser and the SSO Security Server.

The following certificate options are available:

  • Generate Sample Certificate

    Select this option to create a new certificate that is based on the sample CA certificate that is installed with SBM. For example, if you have not yet purchased a certificate from a well-known certificate authority (CA), select this option to secure Tomcat with a sample certificate.

    • In the Generate Certificate dialog box that appears, you can accept the default values to create a new sample certificate with a common name that matches the local server's hostname. By default, the sample certificate is signed by the CA, but you can import and use a different CA cert if necessary.
    • If you clear the Certificate authority check box, SBM Configurator generates a self-signed certificate. You can configure additional parameters, including the public key size, validity dates, and signature algorithm, as needed.
    • The newly generated certificate and the CA certificate that was used to sign it are placed in the local Tomcat keystore and truststore, respectively. If an existing certificate is found, SBM Configurator gives you the option to remove it from the keystore.
    • Once the certificate has been created, you can export the public key and import it into a third party keystore to establish a trust. To export the certificate, click View more details, select the Details tab, and click Copy to File. Complete the export wizard that appears to generate a DER-encoded certificate.
  • Import New Certificate

    Select this option to import a well-known or self-signed certificate (in PEM format, that is, base64-encoded DER). For example, if you have purchased a certificate from a well-known CA, select this option to have SBM Configurator import the certificate for you. This operation adds the new certificate to the Tomcat keystore.

    • SBM does not support using certificates that contain wildcards.
    • There are restrictions to note when you configure your server for Smart Card authentication. Specifically, if you replace the server certificate with a self-signed server certificate, you must create the self-signed certificate using the RSA algorithm. The security handshake fails when a self-signed DSA certificate is used with earlier Firefox browsers. This is not an issue for Internet Explorer browsers.
  • Export Current Certificate

    Launches the Export dialog box, from which you can export the certificate and optionally its private key, export the certificate together with its entire certificate chain, or export just the chain without the certificate. Note that the certificate path options are disabled if you are using a self-signed certificate.

  • Select Existing Certificate

    Select this option to select an existing certificate from the Windows keystore to secure Tomcat. For example, if you need to change the certificate that is currently installed, use this option to select an alternative certificate from the keystore. This operation replaces the current certificate (if one is installed) with the certificate that you select.

  • Change Keystore Password

    Select this option to change the default keystore password. Changing the default password updates the keystore and certificates with a password of your choice, which improves security.

    To update the default password:

    1. Click Change Keystore Password.
    2. A window appears and displays the current password.
    3. Enter a new password and click OK.
    4. Click Apply.
  • Manage Trusted Certificates

    Click Manage Trusted Certificates to launch the Certificates dialog box. This enables you to search for trusted certificates, as well as import, export, or remove trusted certificates from the truststore. In the Certificates dialog box, you can:
    • Import Certificates – Imports a trusted certificate into the truststore.
    • Export Certificates – Exports a trusted certificate.
    • Remove Certificates – Removes one or more selected certificates.
    • View Details – Select a certificate and click View Details to see more information.
    Use the search field to find a certificate in the truststore. You can search for certificates by using any of the details that are listed in the Certificates dialog box.

    To execute an external Web service call from SBM over SSL, the SBM certificate truststore must contain the external service's public certificate (if the certificate is not already present in the truststore). Therefore, you must import the service's public certificate into either the Windows truststore or the Tomcat truststore, depending on which SBM component performs the call.

    For example, if the external Web service call is invoked from a workflow transition, you must add the public certificate to the Windows truststore in the IIS tab on the IIS server. This ensures that SBM Application Engine calls are trusted by the external service. Similarly, you must add the public certificate to the Tomcat truststore to ensure that SBM Orchestration Engine calls are trusted by the external service: if you create an SBM orchestration that contains an external Web service call that is secured by SSL, the public certificate for that service must be added to the Tomcat truststore. The truststore may already contain some public certificates, but if you create your own certificates or use certificates that are newer than those in the truststore, the truststore must be updated before calls over HTTPS can complete successfully.

Advanced Settings

Under Advanced Settings, you can select the Java TLS provider for your Tomcat server. The following options are available:

  • Default Java Provider – Supports TLS 1.0, TLS 1.1, and TLS 1.2.
  • OpenJSSE Provider – Supports TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

Depending on the TLS protocols that you select, you can enable one of the following TLS cipher bundles:

  • Default – Selected by default. Compatible with TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.
  • Modern – Only compatible with TLS 1.2 and TLS 1.3.

Note the following:

  • If you select the OpenJSSE Provider, you can enable TLS 1.3 for Tomcat.
  • If you select TLS 1.2 or TLS 1.3, you can select the Modern cipher bundle that contains cipher suites that are compatible with TLS 1.3.
  • You must ensure that at least one TLS protocol is common between your IIS server and your Tomcat servers. This means if you enable TLS 1.2 for IIS, you must enable TLS 1.2 for Tomcat as well. If you enable TLS 1.3 for Tomcat, you must enable TLS 1.2 or earlier for IIS.
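The settings on this tab correspond to attributes of Tomcat's own connectors. The following server.xml fragment is an added example, not the file that SBM Configurator generates: the port numbers, keystore and truststore paths, the alias tomcat and the passwords are placeholders, and it assumes Tomcat 9 with the Default Java Provider (so TLS 1.2 only).

```xml
<!-- Illustrative Tomcat 9 server.xml connector fragment (added example, not the
     file SBM Configurator writes). Ports, paths, alias and passwords are
     placeholders; Default Java Provider assumed, so TLS 1.3 is not enabled. -->

<!-- HTTP Connector port. Removing this element is the equivalent of clearing
     the port value in the General tab: the HTTP connector is no longer used. -->
<Connector port="8085"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="16384"
           redirectPort="8243" />

<!-- HTTPS connector port. maxHttpHeaderSize="16384" is the doubled value that
     SBM Configurator applies for Windows Domain authentication with SSO. Tomcat
     allocates two buffers of this size per request, so raise it only as far as
     the 400 errors require. -->
<Connector port="8243"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxHttpHeaderSize="16384">
  <!-- TLS 1.2 is the protocol IIS and Tomcat must both have enabled. With the
       OpenJSSE Provider this could be protocols="TLSv1.2+TLSv1.3"; the Modern
       cipher bundle (suites not listed on this page) would go in a ciphers
       attribute and likewise needs TLS 1.2 or TLS 1.3. -->
  <SSLHostConfig protocols="TLSv1.2"
                 truststoreFile="${catalina.base}/conf/truststore.jks"
                 truststorePassword="CHANGE_ME">
    <!-- Server certificate from the Tomcat keystore; type="RSA" matches the
         requirement that a self-signed server certificate use RSA. -->
    <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.jks"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- HTTPS client certificate port for Smart Card authentication: the same
     server certificate, but the browser must present a client certificate that
     chains to a CA held in the truststore. -->
<Connector port="8343"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="${catalina.base}/conf/truststore.jks"
                 truststorePassword="CHANGE_ME">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.jks"
                 certificateKeystorePassword="CHANGE_ME"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

The truststoreFile referenced here is the Tomcat truststore into which an external Web service's public certificate must be imported before SBM Orchestration Engine can call that service over HTTPS.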