KB486843: HTTPS and HTTP/2 configuration changes for Tomcat 10.1.x


Mengya Peng

Software Engineer, Principal • MicroStrategy


This article details how to make HTTPS configuration changes for Tomcat 10.1.x.

Description

Starting in Strategy ONE (June 2024), Tomcat has been upgraded from 9 to 10.1.x. Some HTTPS configuration properties that were deprecated but still available in Tomcat 9 have been removed in Tomcat 10.1.x. You must replace them with their corresponding properties in Tomcat 10.1.x.
 

Solution

  1. Go to the Tomcat installation directory, and open the server configuration file, [$TOMCAT_HOME]\conf\server.xml.
  2. Locate and revise the configuration of any Connector that has scheme="https" to utilize properties supported in Tomcat 10.1.x, replacing those that have been deprecated or removed. The new configuration is equivalent to the previous one.

    This table only shows some property mappings between the previous release and the new one. For a detailed list, see Apache Tomcat 9 Configuration Reference (9.0.90) - The HTTP Connector.

    | Tomcat 9 XML Node | Tomcat 9 XML Attribute | Tomcat 10 XML Node | Tomcat 10 XML Attribute     |
    |-------------------|------------------------|--------------------|-----------------------------|
    | Connector         | clientAuth             | SSLHostConfig      | certificateVerification     |
    | Connector         | sslProtocol            | SSLHostConfig      | sslProtocol                 |
    | Connector         | keystorePass           | Certificate        | certificateKeystorePassword |
    | Connector         | keystoreFile           | Certificate        | certificateKeystoreFile     |
    | Connector         | keystoreType           | Certificate        | certificateKeystoreType     |
    | Connector         | keystoreProvider       | Certificate        | certificateKeystoreProvider |
    | UpgradeProtocol   | compression            | Connector          | compression                 |
    | UpgradeProtocol   | compressionMinSize     | Connector          | compressionMinSize          |

    Here is an example of the modification.

    Before:

    <Connector
        SSLEnabled="true"
        clientAuth="false"
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        sslProtocol="TLSv1.2"
        server="Strategy"
        scheme="https"
        secure="true"
        keystorePass="$PWD$"
        keystoreFile="$KEYSTORE_PATH$"
        compression="on"
        compressionMinSize="1024"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" compressionMinSize="1024"/>
    </Connector>

    After:

    <Connector
        SSLEnabled="true"
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        server="Strategy"
        scheme="https"
        secure="true"
        compression="on"
        compressionMinSize="1024"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <SSLHostConfig certificateVerification="none" sslProtocol="TLSv1.2">
            <Certificate certificateKeystorePassword="$PWD$" certificateKeystoreFile="$KEYSTORE_PATH$"/>
        </SSLHostConfig>
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>

    In the above example, the UpgradeProtocol node inherits the compression and compressionMinSize from the Connector for Tomcat 10.1.x. This means you can remove them from the UpgradeProtocol node. See Apache Tomcat 10 Configuration Reference (10.1.25) - The HTTP2 Upgrade Protocol for more properties inherited from Connector for HTTP/2 upgrade protocol.

    For more examples, see Apache Tomcat 10 (10.1.25) - SSL/TLS Configuration How-To.
  3. Restart Tomcat for the changes to take effect.
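
One way to check the result of step 2 before restarting, as an added example that is not part of the original article or of any Strategy or Tomcat tooling: this Python script parses a server.xml and lists every attribute from the mapping table that is still in its Tomcat 9 location on an https Connector, and flags a TLS-enabled Connector that has no nested Certificate element. The names `MOVED`, `audit_server_xml` and `SAMPLE_BEFORE` and the `<Server>`/`<Service>` skeleton are assumptions; the sample connector is constructed from the article's "Before" example.

```python
import xml.etree.ElementTree as ET

# (old node, old attribute) -> (new node, new attribute), copied from the article's table.
MOVED = {
    ("Connector", "clientAuth"): ("SSLHostConfig", "certificateVerification"),
    ("Connector", "sslProtocol"): ("SSLHostConfig", "sslProtocol"),
    ("Connector", "keystorePass"): ("Certificate", "certificateKeystorePassword"),
    ("Connector", "keystoreFile"): ("Certificate", "certificateKeystoreFile"),
    ("Connector", "keystoreType"): ("Certificate", "certificateKeystoreType"),
    ("Connector", "keystoreProvider"): ("Certificate", "certificateKeystoreProvider"),
    ("UpgradeProtocol", "compression"): ("Connector", "compression"),
    ("UpgradeProtocol", "compressionMinSize"): ("Connector", "compressionMinSize"),
}

def audit_server_xml(xml_text):
    """Return (port, node, attribute, new_node, new_attribute) for each leftover Tomcat 9 setting."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue  # the article only changes https connectors
        port = conn.get("port", "?")
        for node in [conn, *conn.findall("UpgradeProtocol")]:
            for attr in node.attrib:
                if (node.tag, attr) in MOVED:
                    findings.append((port, node.tag, attr, *MOVED[(node.tag, attr)]))
        # After migration the keystore settings live in SSLHostConfig/Certificate; flag a TLS connector without one.
        if conn.get("SSLEnabled") == "true" and conn.find("SSLHostConfig/Certificate") is None:
            findings.append((port, "Connector", None, "SSLHostConfig", "Certificate"))
    return findings

# Constructed sample: the article's "Before" connector inside a minimal server.xml skeleton.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector SSLEnabled="true" clientAuth="false" port="8443" sslProtocol="TLSv1.2"
             protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
             keystorePass="$PWD$" keystoreFile="$KEYSTORE_PATH$"
             compression="on" compressionMinSize="1024">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     compression="on" compressionMinSize="1024"/>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for port, node, attr, new_node, new_attr in audit_server_xml(SAMPLE_BEFORE):
        print(f"port {port}: {node} {attr or '(missing)'} -> {new_node} {new_attr}")
```

An empty result means none of the table's attributes remain in their old location; a finding with no attribute name marks a TLS-enabled Connector whose Certificate element is missing.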

Details

Knowledge Article

Published: June 21, 2024

Last Updated: October 23, 2024