SailPoint IIQ | Tomcat Server SSL port 443 configuration

 

Installing a Windows Domain Certificate in Apache Tomcat — Step-by-Step

Below is a cleaned, ordered article-style transcription of the screenshots you provided. Follow these steps to create a keystore, request a certificate from a Windows CA, import the CA response, export the certificate and key, and configure Tomcat to use the certificate.

---

Step1. Configure and install (prerequisites)

1. Install JavaSoft (Oracle) registry keys for AdoptOpenJDK JRE (if not already installed).

2. Download and install KeyStore Explorer from: https://keystore-explorer.org/.

3. In the Tomcat installation directory create a folder named certs and grant write permissions to the account that will run the key/certificate operations and Tomcat.

---

Step2. Create the keystore file (use KeyStore Explorer)

1. Open KeyStore Explorer.

2. File → New → PKCS #12 (create a new PKCS#12 keystore).

3. Tools → Generate Key Pair → choose RSA 2048.

4. Version → Version 3 (this should be the default).

5. Signature Algorithm → SHA-256 with RSA.

6. Validity Period — set e.g. 5 Years and apply (only applicable if you create a self-signed cert).

7. Click the Name (or Distinguished Name) button and set Common Name (CN) to the fully qualified domain name (FQDN) of the server; fill other DN fields as appropriate.

8. Click Add Extensions and add these extensions:

   • Extended Key Usage — TLS Web Server Authentication

   • Key Usage — Digital Signature and Key Encipherment

   • Subject Alternative Name — DNS Name: the server FQDN (and any additional SANs if required)

   • Subject Key Identifier — 160-bit Hash

9. Enter and confirm a key pair password (store securely).

10. Save the keystore in the Tomcat certs directory using a .pfx extension (use the same password you used for the key pair).

---

Step3. Create a Certificate Signing Request (CSR)

1. In KeyStore Explorer, right-click the key pair → Generate CSR.

2. Format: PKCS #10 (default).

3. Signature Algorithm: SHA-256 with RSA (default).

4. Select Add certificate extensions to request if it is not already selected (this will include the SANs and usages you set).

5. Specify an output filename with a .csr extension and save it to the certs folder.

---

Step4. Submit the CSR to your Windows Certificate Authority (CA)

Example CA web path shown in screenshots: https://dc01/certsrv (replace dc01 with your CA host).

1. Open the CA web enrollment page (e.g. https://dc01.corp.com/certsrv).

2. From the CA home page, click Request a certificate.

3. Click Advanced certificate request (link depends on CA configuration).

4. Paste the entire contents of your .csr file into the text box on the CA request page.

5. Choose Web Server as the certificate template (or the correct template for your environment), then Submit.

6. When the certificate is available choose Base 64 encoded and click Download certificate chain (or Download certificate).

7. Download the file, rename it to name-response.cer (or similar) and copy it into your Tomcat certs directory.

---

Step5. Import the CA response into the keystore (KeyStore Explorer)

1. In KeyStore Explorer, right-click the key pair → Import CA Reply → From File.

2. Select the downloaded response .cer file (the CA reply chain).

3. Import and save the keystore file (.pfx) again (this will attach the CA-signed certificate to your private key entry).

---

Step6. Export certificate chain and private key (to files Tomcat can use)

1) Export the certificate chain

1. Right-click the key pair → Export → Export Certificate Chain.

2. Export Length: Entire Chain.

3. Export Format: X.509.

4. Save the exported certificate as name.cer in the Tomcat certs directory.

2) Export the private key

1. Right-click the key pair → Export → Export Private Key → OpenSSL.

2. Uncheck the Encrypt checkbox (if you need an unencrypted PEM private key).

3. Select PEM checkbox if it is not already selected.

4. Save the private key as name.key in the Tomcat certs directory.

5. Restrict file permissions on the private key so only the Tomcat service account (or admin) can read it.

Security note: keep private keys secure. If you must keep them encrypted on disk, adjust Tomcat configuration accordingly.

---

Step7. Update Tomcat server.xml to use the certificate

1. Open PowerShell (or an elevated command prompt) as Administrator.

2. Set-Location (cd) to the Tomcat conf directory (e.g. C:\path\to\tomcat\conf).

3. Make a backup copy of server.xml (e.g. copy server.xml server.xml.bak).

4. Find the commented connector for SSL — e.g. the <Connector port="8443" ...> line for APR/native — copy and paste or uncomment the appropriate Connector block for APR/native or JSSE depending on your Tomcat build.

5. Modify the Connector attributes to point to the exported key and certificate files. For APR/native you typically set:

   • certificateKeyFile="certs/sailpoint.key"

   • certificateFile="certs/sailpoint.cer"

6. If there is a certificateChainFile attribute present, remove it (you exported the full chain into name.cer; configs vary—confirm your Tomcat connector type expects the fields you set).

7. Save server.xml.

8. Restart the Tomcat service to apply the changes.
   

   ---------------------------------------------------------------
   
   Troubleshoot Steps:
   
   

   Issue :
   SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException 
   Failed to initialize component [Connector["https-openssl-apr-443"]]
   org.apache.catalina.LifecycleException: The configured protocol [org.apache.coyote.http11.Http11AprProtocol] requires the APR/native library which is not available
   
   Resolution: 
   
   
   

   Enabling Tomcat Native with OpenSSL on Windows

   When running Apache Tomcat on Windows, enabling the Tomcat Native library improves performance and allows the use of OpenSSL for HTTPS connections. Below are the steps to install and configure it for Tomcat 9.0.109 (64-bit, Windows).

   ---

   Step 1: Download Tomcat Native (tcnative)

   Visit the official Apache Tomcat Native downloads page and download the pre-built 64-bit Windows binaries (ZIP).
   The package contains the required tcnative-1.dll.

   ---

   Step 2: Extract the DLL

   Unzip the downloaded archive.
   Inside the bin folder, locate tcnative-1.dll.
   Make sure you are using the 64-bit version since your OS is 64-bit.

   ---

   Step 3: Copy the DLL

   Copy tcnative-1.dll into one of the following directories:

   • C:\Apache\Tomcat\bin (recommended and safe)

   • C:\Windows\System32 (for system-wide access)

   ---

   Step 4: Install OpenSSL Runtime

   Tomcat Native requires OpenSSL.

   1. Download the latest Win64 OpenSSL Light installer from:
      https://slproweb.com/products/Win32OpenSSL.html

   2. Install it (default installation path is usually C:\Program Files\OpenSSL-Win64).

   3. During installation, if prompted, allow it to copy DLLs into the Windows system directory.

   ---

   Step 5: Add OpenSSL to PATH

   1. Open System Properties → Environment Variables.

   2. In the PATH variable, add:

      C:\Program Files\OpenSSL-Win64\bin
      

   3. Save and apply changes.

   ---

   Step 6: Restart Tomcat

   1. Stop the Tomcat service (if running).

   2. Start Tomcat again.

   If everything is configured correctly, the startup log will display messages similar to:

   org.apache.coyote.http11.Http11AprProtocol initialized with OpenSSL
   OpenSSL successfully initialized
   

   At this point, your HTTPS connector (for example, https-openssl-apr-443) should bind successfully.
   
   
   Happy Learning!!