Server.xml Changes for Tomcat 8.5

The server.xml file is included in the Jamf Pro installers. Starting with Jamf Pro 10.7.0, deprecated attributes of the HTTPS Connector element in the server.xml file have been removed and new attributes have been added to meet the requirements for Apache Tomcat 8.5.

If you had defined custom attributes in the HTTPS Connector element, the custom attributes will be preserved in the existing location when you upgrade to Jamf Pro 10.7.0 or later using the installers.

For more information about the HTTPS Connector element, see the following webpage: http://tomcat.apache.org/tomcat-8.5-doc/config/http.html

Change Details

SSLHostConfig Element

The SSLHostConfig element is nested within the Connector element and contains the following attributes:

  • sslProtocol

  • protocols

  • honorCipherOrder

  • certificateVerification

  • ciphers

In the new format, these attributes have been moved from the Connector element to the nested SSLHostConfig element. If they were present in the Connector element, they will be removed, and default values will be written in the new SSLHostConfig element.

Important: Any customizations made to the above attributes will be lost when upgrading to Jamf Pro 10.7.0 or later from an earlier version. Once on Jamf Pro 10.7.0 or later, subsequent upgrades will preserve customizations to the values of these attributes under the SSLHostConfig element.

Certificate Element

The Certificate element is nested within the SSLHostConfig element and contains the following attributes:
  • type

  • certificateKeystoreFile

  • certificateKeystorePassword

  • certificateKeystoreType

  • certificateKeyAlias

The type attribute is new; the other attributes listed above have been moved from the Connector element to the Certificate element. The deprecated attributes will be removed from the Connector element, and the new attributes, carrying the previously defined values, will be placed in the Certificate element. See the table below for a comparison of old and new attributes.

Keystore

The attribute names for the keystore attributes have changed as shown in the following table:

Jamf Pro 10.7.0 or later                                                          Jamf Pro 10.6.0 or earlier
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreFile        Server/Service/Connector/@keystoreFile
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystorePassword    Server/Service/Connector/@keystorePass
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreType        Server/Service/Connector/@keystoreType
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeyAlias            Server/Service/Connector/@keyAlias

If you upgrade to Jamf Pro 10.7.0 or later using the installers:
  • Custom keystoreFile and keystorePass attribute values will be migrated to the certificateKeystoreFile and certificateKeystorePassword attributes, respectively.

  • If the keystorePass attribute was not present, it will not be added/migrated to the new server.xml file.

Ciphers

The ciphers are now defined in the SSLHostConfig element. The existing ciphers list in the Connector element will be removed and a default list of recommended ciphers will be added to the SSLHostConfig ciphers attribute when you upgrade to Jamf Pro 10.7.0 using the installers.
Important: Upgrading to Jamf Pro 10.7.0 or later from an earlier version will not preserve any customizations to the ciphers list. You will need to restore any customizations after upgrading.

Comparison of Changes

The following table shows the changes to attribute names and locations:

Jamf Pro 10.7.0 or later                                                          Jamf Pro 10.6.0 or earlier
Server/Service/Connector/SSLHostConfig/@sslProtocol                                Server/Service/Connector/@sslProtocol
Server/Service/Connector/SSLHostConfig/@protocols                                  Server/Service/Connector/@sslEnabledProtocols
Server/Service/Connector/SSLHostConfig/@honorCipherOrder                           Server/Service/Connector/@honorCipherOrder
Server/Service/Connector/SSLHostConfig/@certificateVerification                    Server/Service/Connector/@clientAuth
Server/Service/Connector/SSLHostConfig/@ciphers                                    Server/Service/Connector/@ciphers
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreFile        Server/Service/Connector/@keystoreFile
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystorePassword    Server/Service/Connector/@keystorePass
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreType        Server/Service/Connector/@keystoreType
Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeyAlias            Server/Service/Connector/@keyAlias
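The following script is an added example illustrating the Keystore and Comparison tables above; it is not the Jamf Pro installer's code. It applies the table's attribute mapping to an old-style Connector with Python's standard ElementTree: keystore attributes are carried into the Certificate element with their values (an absent keystorePass stays absent), the SSLHostConfig attributes receive defaults, and any old value that differs from the default is reported so it can be restored by hand after the upgrade. The sample Connector is constructed, the cipher list in SSLHOSTCONFIG_DEFAULTS is a shortened stand-in for the full default list shown later on this page, and the clientAuth-to-certificateVerification value equivalence comes from the Tomcat documentation rather than from this page.

```python
"""Sketch of the server.xml Connector migration described on this page.

Added example, not the Jamf Pro installer's code. Uses only the standard library.
"""
import xml.etree.ElementTree as ET

# Connector attribute -> SSLHostConfig attribute (from the comparison table).
# Values are NOT carried over: the installer writes defaults instead.
SSLHOSTCONFIG_MAP = {
    "sslProtocol": "sslProtocol",
    "sslEnabledProtocols": "protocols",
    "honorCipherOrder": "honorCipherOrder",
    "clientAuth": "certificateVerification",
    "ciphers": "ciphers",
}

# Connector attribute -> Certificate attribute (from the Keystore table).
# Values ARE carried over; an attribute that was absent stays absent.
CERTIFICATE_MAP = {
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
    "keystoreType": "certificateKeystoreType",
    "keyAlias": "certificateKeyAlias",
}

# Defaults written into the new SSLHostConfig, taken from the 10.7.0 block on
# this page. The cipher list here is a constructed abbreviation of that block's
# list; substitute the full list when using this for real.
SSLHOSTCONFIG_DEFAULTS = {
    "sslProtocol": "TLS",
    "protocols": "TLSv1.2",
    "honorCipherOrder": "true",
    "certificateVerification": "none",
    "ciphers": ",".join([
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    ]),
}

# Tomcat's documented equivalence between old clientAuth values and new
# certificateVerification values (Tomcat docs, not this page); used only to
# decide whether a setting actually changed.
CLIENT_AUTH_EQUIV = {"false": "none", "true": "required", "want": "optional"}


def _normalize(new_attr, value):
    """Compare cipher lists as name sets so whitespace and order do not matter."""
    if new_attr == "ciphers":
        return sorted(c.strip() for c in value.split(",") if c.strip())
    return value.strip()


def migrate_connector(old_connector_xml):
    """Return (new Connector XML, dict of lost customizations old_attr -> value)."""
    conn = ET.fromstring(old_connector_xml)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")

    lost = {}
    host_cfg = ET.SubElement(conn, "SSLHostConfig")
    for old, new in SSLHOSTCONFIG_MAP.items():
        old_value = conn.attrib.pop(old, None)  # deprecated attribute removed
        if old_value is None:
            continue
        effective = old_value
        if old == "clientAuth":
            effective = CLIENT_AUTH_EQUIV.get(old_value.strip().lower(), old_value)
        if _normalize(new, effective) != _normalize(new, SSLHOSTCONFIG_DEFAULTS[new]):
            lost[old] = old_value  # customization the upgrade will not preserve
    for new, value in SSLHOSTCONFIG_DEFAULTS.items():
        host_cfg.set(new, value)

    cert = ET.SubElement(host_cfg, "Certificate", {"type": "RSA"})
    for old, new in CERTIFICATE_MAP.items():
        old_value = conn.attrib.pop(old, None)
        if old_value is not None:  # e.g. a missing keystorePass is not added
            cert.set(new, old_value)

    return ET.tostring(conn, encoding="unicode"), lost


# Constructed sample: an old-style Connector with a custom keystore path, a
# widened protocol list, a trimmed cipher list, and no keystorePass attribute.
OLD_CONNECTOR_XML = (
    '<Connector port="8443" SSLEnabled="true" scheme="https" secure="true" '
    'clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2" '
    'keystoreFile="/opt/tomcat/keystore" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, '
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" />'
)

if __name__ == "__main__":
    new_xml, lost = migrate_connector(OLD_CONNECTOR_XML)
    print(new_xml)
    for attr, value in lost.items():
        print(f"restore by hand after upgrade: {attr}={value!r}")
```

Running the script against the constructed sample moves keystoreFile into the Certificate element unchanged, leaves certificateKeystorePassword out because keystorePass was absent, and reports sslEnabledProtocols and ciphers as customizations that the default SSLHostConfig values will not preserve; clientAuth="false" is not reported because it is equivalent to the default certificateVerification="none".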

HTTPS Connector Element Comparison

HTTPS Connector Attributes—Jamf Pro 10.7.0 or Later

The following code block shows the default Connector element for Jamf Pro 10.7.0 or later:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
           This connector uses the NIO implementation that requires the JSSE
           style configuration. When using the APR/native implementation, the
           OpenSSL style configuration is required as described in the APR/native
           documentation -->
<Connector URIEncoding="UTF-8"
           server="Apache Tomcat"
           port="8443"
           executor="tomcatThreadPool"
           SSLEnabled="true"
           maxPostSize="-1"
           scheme="https"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           secure="true">
  <SSLHostConfig sslProtocol="TLS"
                 protocols="TLSv1.2"
                 honorCipherOrder="true"
                 certificateVerification="none"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                          TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                          TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                          TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" >
    <Certificate type="RSA"
                 certificateKeystoreFile="${catalina.home}/.keystore"
                 certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>

HTTPS Connector Attributes—Jamf Pro 10.6.0 or Earlier

The following code block shows the default Connector element for Jamf Pro 10.6.0 or earlier:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
           This connector uses the NIO implementation that requires the JSSE
           style configuration. When using the APR/native implementation, the
           OpenSSL style configuration is required as described in the APR/native
           documentation -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           URIEncoding="UTF-8"
           server="Apache"
           executor="tomcatThreadPool"
           maxPostSize="-1"
           scheme="https"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/opt/tomcat/keystore"
           keystorePass="changeit"
           ciphers="TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />