Connect2id

Apache Tomcat tips

1. How to change the Apache Tomcat port?

Edit the tomcat/conf/server.xml configuration file.

The TCP port that the Servlet container binds to for plain HTTP requests is set in the port attribute of the Connector element:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

2. How to run Apache Tomcat on two different ports?

To make the Servlet container accept plain HTTP requests on an additional port, for example on port 8081, edit the tomcat/conf/server.xml configuration file and add a new Connector element:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000" />

Note that this causes Tomcat to create a separate thread pool for each Connector. On Tomcat 10.1, by default each pool has a minimum spare thread count of 25 and a max thread count of 200.

To modify the thread pool settings for the second Connector:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000"
           minSpareThreads="2"
           maxThreads="25" />

To make the two Connectors share a thread pool, add an Executor and reference it by name in the executor attribute of each Connector:

<Executor name="sharedHttpThreadPool"
          namePrefix="http-shared-exec-"
          minSpareThreads="10"
          maxThreads="200" />
<Connector port="8080" protocol="HTTP/1.1"
           executor="sharedHttpThreadPool"
           connectionTimeout="20000" />
<Connector port="8081" protocol="HTTP/1.1"
           executor="sharedHttpThreadPool"
           connectionTimeout="20000" />

3. How to set up HTTPS with a self-signed certificate?

This example is adapted from the Connect2id server Docker guide.

Generate a random 16 character password and save it to a file in the Tomcat configuration directory:

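export KEYSTORE_PASSWORD=$(openssl rand -base64 16)
echo "$KEYSTORE_PASSWORD" > tomcat/conf/keystore-password.txt
# Restrict the password file to its owner (assumes Tomcat runs as that user)
chmod 600 tomcat/conf/keystore-password.txt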

Create a Java keystore with a single RSA key pair and a self-signed certificate for it:

keytool -genkeypair \
    -alias tomcat \
    -keyalg RSA \
    -keysize 2048 \
    -validity 730 \
    -keystore /usr/local/tomcat/conf/keystore.jks \
    -storepass "$KEYSTORE_PASSWORD" \
    -keypass "$KEYSTORE_PASSWORD" \
    -dname "CN=localhost"

Edit the tomcat/conf/server.xml configuration file and add a new Connector element, making sure the paths to the keystore and password files are correctly set:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.3">
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="/path/to/tomcat/conf/keystore.jks"
            certificateKeystorePasswordFile="/path/to/tomcat/conf/keystore-password.txt"
            type="RSA" />
    </SSLHostConfig>
</Connector>
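
A quick way to review the Connector setup from tips 2 and 3 before restarting Tomcat is to parse server.xml and list what each Connector binds to and references. The script below is an added example, not part of the original page or of Tomcat; the function name audit_connectors, the finding messages and the sample document (which misspells the Executor name on port 8081 on purpose) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the page's shared-Executor and HTTPS snippets,
# with one deliberate mistake: port 8081 references an Executor that is not defined.
SAMPLE = """<Server><Service name="Catalina">
  <Executor name="sharedHttpThreadPool" namePrefix="http-shared-exec-"
            minSpareThreads="10" maxThreads="200" />
  <Connector port="8080" protocol="HTTP/1.1"
             executor="sharedHttpThreadPool" connectionTimeout="20000" />
  <Connector port="8081" protocol="HTTP/1.1"
             executor="sharedHttpPool" connectionTimeout="20000" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="/path/to/tomcat/conf/keystore.jks"
                   certificateKeystorePasswordFile="/path/to/tomcat/conf/keystore-password.txt"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return (connectors, findings) for a Tomcat server.xml document."""
    root = ET.fromstring(xml_text)
    executors = {e.get("name") for e in root.iter("Executor")}
    connectors, findings, seen_ports = [], [], set()
    for c in root.iter("Connector"):
        port = c.get("port")
        tls = c.get("SSLEnabled", "false").lower() == "true"
        pool = c.get("executor")  # None when the Connector has its own pool
        connectors.append({"port": port, "tls": tls, "executor": pool})
        if port in seen_ports:
            findings.append(f"port {port}: defined by more than one Connector")
        seen_ports.add(port)
        if pool and pool not in executors:
            findings.append(f"port {port}: executor '{pool}' is not defined")
        if tls:
            certs = c.findall("./SSLHostConfig/Certificate")
            if not certs:
                findings.append(f"port {port}: SSLEnabled but no Certificate")
            for cert in certs:  # the page keeps the password in a separate file
                if cert.get("certificateKeystorePassword"):
                    findings.append(f"port {port}: keystore password inline in server.xml")
    return connectors, findings


if __name__ == "__main__":
    for line in audit_connectors(SAMPLE)[1]:
        print(line)
```

To check a real installation, pass the contents of tomcat/conf/server.xml to audit_connectors instead of SAMPLE.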