Server.xml Changes for Tomcat 8.5
The server.xml file is included in the Jamf Pro installers. Starting with Jamf Pro 10.7.0, deprecated attributes of the HTTPS Connector element in the server.xml file have been removed and new attributes have been added to meet the requirements of Apache Tomcat 8.5.

If you had defined custom attributes in the HTTPS Connector element, those custom attributes will be preserved in their existing location when you upgrade to Jamf Pro 10.7.0 or later using the installers.

For more information about the HTTPS Connector element, see the following webpage:
http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
Change Details
SSLHostConfig Element
The SSLHostConfig element is nested within the Connector element and contains the following attributes:
- sslProtocol
- protocols
- honorCipherOrder
- certificateVerification
- ciphers

These attributes have been moved from an attribute of the Connector element to a nested attribute of the SSLHostConfig element. If these attributes were present in the Connector element, they will be removed and default values will be added in the new SSLHostConfig element. Any customizations to the above attributes will be lost when upgrading to Jamf Pro 10.7.0 or later from an earlier version. Once on Jamf Pro 10.7.0 or later, subsequent upgrades will preserve the customizations to the values of these attributes under the SSLHostConfig element.
Certificate Element
The Certificate element is nested within the SSLHostConfig element and contains the following attributes:
- type
- certificateKeystoreFile
- certificateKeystorePassword
- certificateKeystoreType
- certificateKeyAlias

While the type attribute is new, the other attributes listed above have been moved from an attribute of the Connector element to an attribute of the Certificate element. Deprecated attributes will be removed from the Connector element, and the new attributes carrying the previously defined values will be located in the Certificate element. See the table below for a comparison of old and new attributes.
Keystore
The attribute names for the keystore attributes have changed as shown in the following table:
| Jamf Pro 10.7.0 or later | Jamf Pro 10.6.0 or earlier |
|---|---|
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreFile | Server/Service/Connector/@keystoreFile |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystorePassword | Server/Service/Connector/@keystorePass |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreType | Server/Service/Connector/@keystoreType |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeyAlias | Server/Service/Connector/@keyAlias |

- Custom keystoreFile and keystorePass attribute values will be migrated to the certificateKeystoreFile and certificateKeystorePassword attributes, respectively.
- If the keystorePass attribute was not present, it will not be added/migrated to the new server.xml file.
Ciphers
The ciphers attribute has been moved from the Connector element to the SSLHostConfig element. The existing ciphers list in the Connector element will be removed and a default list of recommended ciphers will be added to the SSLHostConfig ciphers attribute when you upgrade to Jamf Pro 10.7.0 using the installers. Upgrading to Jamf Pro 10.7.0 or later from an earlier version will not preserve any customizations to the ciphers list. You will need to restore any customizations after upgrading.
Comparison of Changes
The following table shows the changes to attribute names and locations:
| Jamf Pro 10.7.0 or later | Jamf Pro 10.6.0 or earlier |
|---|---|
| Server/Service/Connector/SSLHostConfig/@sslProtocol | Server/Service/Connector/@sslProtocol |
| Server/Service/Connector/SSLHostConfig/@protocols | Server/Service/Connector/@sslEnabledProtocols |
| Server/Service/Connector/SSLHostConfig/@honorCipherOrder | Server/Service/Connector/@honorCipherOrder |
| Server/Service/Connector/SSLHostConfig/@certificateVerification | Server/Service/Connector/@clientAuth |
| Server/Service/Connector/SSLHostConfig/@ciphers | Server/Service/Connector/@ciphers |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreFile | Server/Service/Connector/@keystoreFile |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystorePassword | Server/Service/Connector/@keystorePass |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeystoreType | Server/Service/Connector/@keystoreType |
| Server/Service/Connector/SSLHostConfig/Certificate/@certificateKeyAlias | Server/Service/Connector/@keyAlias |
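A post-upgrade check built on the mapping in the tables above, added here as an example and not Jamf's own tooling: it parses the pre-upgrade and post-upgrade server.xml, follows each old Connector attribute to its new location, and reports every customized value that is missing or different there. The function names and the two XML fragments are constructed for this example.

```python
# Added example, not Jamf's tooling; the two XML fragments at the bottom are constructed.
import xml.etree.ElementTree as ET
# old Connector attribute -> (path below Connector, new attribute), per the table above
ATTR_MAP = {
    "sslProtocol": ("SSLHostConfig", "sslProtocol"),
    "sslEnabledProtocols": ("SSLHostConfig", "protocols"),
    "honorCipherOrder": ("SSLHostConfig", "honorCipherOrder"),
    "clientAuth": ("SSLHostConfig", "certificateVerification"),
    "ciphers": ("SSLHostConfig", "ciphers"),
    "keystoreFile": ("SSLHostConfig/Certificate", "certificateKeystoreFile"),
    "keystorePass": ("SSLHostConfig/Certificate", "certificateKeystorePassword"),
    "keystoreType": ("SSLHostConfig/Certificate", "certificateKeystoreType"),
    "keyAlias": ("SSLHostConfig/Certificate", "certificateKeyAlias"),
}

def https_connector(xml_text):
    """Return the SSLEnabled Connector under Server/Service; raise if there is none."""
    conn = ET.fromstring(xml_text).find("Service/Connector[@SSLEnabled='true']")
    if conn is None:
        raise ValueError("no HTTPS Connector found")
    return conn

def compare_migration(old_xml, new_xml):
    """Return {old_attr: (old_value, new_value)} for each attribute set on the old Connector
    that is missing or changed at its new location. Cipher lists compare as trimmed sets;
    clientAuth has no 1:1 value, so it is flagged only if certificateVerification is absent."""
    old_conn, new_conn = https_connector(old_xml), https_connector(new_xml)
    drift = {}
    for old_attr, (path, new_attr) in ATTR_MAP.items():
        old_val = old_conn.get(old_attr)
        if old_val is None:
            continue  # not set before the upgrade, so nothing to preserve
        target = new_conn.find(path)
        new_val = target.get(new_attr) if target is not None else None
        if old_attr == "ciphers" and new_val is not None:
            same = {c.strip() for c in old_val.split(",")} == {c.strip() for c in new_val.split(",")}
        elif old_attr == "clientAuth":
            same = new_val is not None
        else:
            same = new_val == old_val
        if not same:
            drift[old_attr] = (old_val, new_val)
    return drift
# Before/after: keystore path survived; custom cipher list replaced by defaults, keystorePass dropped.
OLD_XML = """<Server><Service><Connector port="8443" SSLEnabled="true" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2" clientAuth="false" keystoreFile="/opt/tomcat/keystore"
  keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/></Service></Server>"""
NEW_XML = """<Server><Service><Connector port="8443" SSLEnabled="true"><SSLHostConfig sslProtocol="TLS"
  protocols="TLSv1.2" certificateVerification="none" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"><Certificate type="RSA"
  certificateKeystoreFile="/opt/tomcat/keystore"/></SSLHostConfig></Connector></Service></Server>"""
```

Run it over a backup of the pre-upgrade server.xml and the installed one; an empty result means every old-style customization was found at its new path.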
HTTPS Connector Element Comparison
HTTPS Connector Attributes—Jamf Pro 10.7.0 or Later
The following is an example of the HTTPS Connector element for Jamf Pro 10.7.0 or later:

```xml
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector URIEncoding="UTF-8"
           server="Apache Tomcat"
           port="8443"
           executor="tomcatThreadPool"
           SSLEnabled="true"
           maxPostSize="-1"
           scheme="https"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           secure="true">
    <SSLHostConfig sslProtocol="TLS"
                   protocols="TLSv1.2"
                   honorCipherOrder="true"
                   certificateVerification="none"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
        <Certificate type="RSA"
                     certificateKeystoreFile="${catalina.home}/.keystore"
                     certificateKeystorePassword="changeit" />
    </SSLHostConfig>
</Connector>
```
HTTPS Connector Attributes—Jamf Pro 10.6.0 or Earlier
The following is an example of the HTTPS Connector element for Jamf Pro 10.6.0 or earlier:

```xml
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true"
           URIEncoding="UTF-8"
           server="Apache"
           executor="tomcatThreadPool"
           maxPostSize="-1"
           scheme="https"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/opt/tomcat/keystore"
           keystorePass="changeit"
           ciphers="TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
```