Enabling SSL for the Tomcat manager application

  1. Modify the deployment descriptor of the Tomcat manager application.

    Using your favorite editor, open the deployment descriptor for the Tomcat manager application (the manager's own web.xml, not the server-wide conf/web.xml):

    $ vi ${tomcat_home}/webapps/manager/WEB-INF/web.xml
    

    Locate the <security-constraint> elements (near the bottom of the file):

    <!-- Define a Security Constraint on this Application -->
    <!-- NOTE:  None of these roles are present in the default users file -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>
          HTML Manager interface (for humans)
        </web-resource-name>
        <url-pattern>/html/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-gui</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>
          Text Manager interface (for scripts)
        </web-resource-name>
        <url-pattern>/text/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-script</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JMX Proxy interface</web-resource-name>
        <url-pattern>/jmxproxy/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-jmx</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Status interface</web-resource-name>
        <url-pattern>/status/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-gui</role-name>
         <role-name>manager-script</role-name>
         <role-name>manager-jmx</role-name>
         <role-name>manager-status</role-name>
      </auth-constraint>
    </security-constraint>
    
    

    The Tomcat 7 version of the manager deployment descriptor contains one <security-constraint> for each of the four manager interfaces (/html/*, /text/*, /jmxproxy/* and /status/*), each mapped to its own role, as described in the Manager Application section of the Tomcat Migration Guide.

    Add a <user-data-constraint> with a <transport-guarantee> of CONFIDENTIAL to each <security-constraint> whose interface must only be reachable over SSL. Tomcat enforces the guarantee before it authenticates: a plain HTTP request for a matching URL pattern is answered with a redirect to the SSL connector, on the port named by the HTTP connector's redirectPort attribute (8443 in the default server.xml), so no credentials are sent in the clear. Because the manager uses BASIC authentication, which only base64-encodes the password, protect all four interfaces rather than just the HTML one:

    <!-- Define a Security Constraint on this Application -->
    <!-- NOTE:  None of these roles are present in the default users file -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>
          HTML Manager interface (for humans)
        </web-resource-name>
        <url-pattern>/html/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-gui</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>
          Text Manager interface (for scripts)
        </web-resource-name>
        <url-pattern>/text/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-script</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JMX Proxy interface</web-resource-name>
        <url-pattern>/jmxproxy/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-jmx</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Status interface</web-resource-name>
        <url-pattern>/status/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager-gui</role-name>
         <role-name>manager-script</role-name>
         <role-name>manager-jmx</role-name>
         <role-name>manager-status</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    
    
  2. Restart Tomcat and verify SSL has been enabled for the Tomcat manager application.

    Restart Tomcat, then browse to http://localhost:8080/manager/html/. Tomcat should answer with a redirect (302 by default) whose Location header points at https://localhost:8443/manager/html/, and the browser should show the authentication prompt only once the address bar reads https://...:8443. If the prompt appears while the address bar still shows http://...:8080, the transport guarantee is not in effect and any password you type will cross the wire base64-encoded, not encrypted.

    (Screenshot: Tomcat manager authentication prompt)

    Troubleshooting

    • Check the XML syntax in web.xml to make sure it is well-formed and without error; Tomcat will refuse to deploy the manager if the descriptor does not parse.
    • Did you specify a <transport-guarantee> of CONFIDENTIAL inside a <user-data-constraint>, and did you add it to every <security-constraint> you want protected, not just the first?
    • Did you restart Tomcat after you made your changes to web.xml?
    • Is an SSL connector configured in server.xml on the port named by the HTTP connector's redirectPort attribute (8443 by default)? Without one, the redirect points at a port nothing is listening on and the browser reports a connection failure.
    • If TLS is terminated in front of Tomcat (a reverse proxy or load balancer), Tomcat sees plain HTTP and the redirect loops. Tell Tomcat the request is already secure: set secure="true" on the connector the proxy talks to (if that connector only ever receives proxied HTTPS traffic), or configure the RemoteIpValve with protocolHeader="X-Forwarded-Proto" so it trusts the proxy's header.
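    As an added check, not part of the page's procedure or of Tomcat itself: the following Python script audits a manager web.xml for the transport guarantee and can add the missing <user-data-constraint> elements. It handles both a Java EE namespaced descriptor (as shipped with Tomcat 7) and an un-namespaced one, since a naive tag match fails on the former. The embedded sample descriptor is constructed for the example, and the function names (audit_constraints, unprotected_patterns, require_confidential) are the example's own.

```python
"""Audit (and fix) a Tomcat manager web.xml: every <security-constraint>
should carry <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

Added example, not Tomcat code.  BEFORE is a constructed, shortened
Tomcat 7-style descriptor: /html/* has no user-data-constraint yet,
/text/* already has one.
"""
import xml.etree.ElementTree as ET

BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>
        HTML Manager interface (for humans)
      </web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface (for scripts)</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-script</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Local name of a possibly namespace-qualified tag: '{uri}foo' -> 'foo'."""
    return tag.rsplit('}', 1)[-1]


def _namespace(tag):
    """Namespace part of a qualified tag ('{uri}'), or '' if unqualified."""
    return tag[:tag.index('}') + 1] if tag.startswith('{') else ''


def audit_constraints(web_xml_text):
    """Return [(resource_name, [url_pattern, ...], transport_guarantee), ...],
    one entry per <security-constraint>; transport_guarantee is None when
    the constraint has no <user-data-constraint> at all."""
    root = ET.fromstring(web_xml_text)
    results = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        name, patterns, guarantee = None, [], None
        for el in sc.iter():  # namespace-agnostic walk of the constraint
            local, text = _local(el.tag), (el.text or '').strip()
            if local == 'web-resource-name':
                name = text
            elif local == 'url-pattern':
                patterns.append(text)
            elif local == 'transport-guarantee':
                guarantee = text
        results.append((name, patterns, guarantee))
    return results


def unprotected_patterns(web_xml_text):
    """URL patterns whose constraint does not demand CONFIDENTIAL.
    Tomcat also redirects for INTEGRAL, but the procedure asks for
    CONFIDENTIAL, so anything else (NONE, INTEGRAL, missing) is reported."""
    return [p for _, patterns, g in audit_constraints(web_xml_text)
            if g != 'CONFIDENTIAL' for p in patterns]


def require_confidential(web_xml_text):
    """Return the descriptor with a CONFIDENTIAL <user-data-constraint> on
    every <security-constraint>; a missing one is added, a weaker one
    (e.g. NONE) is upgraded in place."""
    root = ET.fromstring(web_xml_text)
    ns = _namespace(root.tag)
    if ns:
        # Serialize with the document's default namespace instead of ns0:
        ET.register_namespace('', ns[1:-1])
    for sc in root.iter(ns + 'security-constraint'):
        udc = sc.find(ns + 'user-data-constraint')
        if udc is None:
            # Schema order is web-resource-collection+, auth-constraint?,
            # user-data-constraint?, so appending keeps the descriptor valid.
            udc = ET.SubElement(sc, ns + 'user-data-constraint')
        tg = udc.find(ns + 'transport-guarantee')
        if tg is None:
            tg = ET.SubElement(udc, ns + 'transport-guarantee')
        tg.text = 'CONFIDENTIAL'
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    import sys
    # Usage: python audit_manager_webxml.py ${tomcat_home}/webapps/manager/WEB-INF/web.xml
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else BEFORE
    for name, patterns, guarantee in audit_constraints(text):
        print(f'{guarantee or "none":<12} {", ".join(patterns):<12} {name}')
    print('still reachable over plain HTTP:', unprotected_patterns(text) or 'nothing')
```

    Run it against the real descriptor before and after the edit; anything listed under "still reachable over plain HTTP" is an interface whose BASIC credentials would still travel unencrypted. The script only reports patterns that appear in some <security-constraint>, so it says nothing about paths the descriptor never constrains.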