For use in production environments, you should install a certificate from a trusted certificate authority.

The trusted certificate for the Web Admin Server can be installed during installation or manually imported into Tomcat after installation.

For information about configuring Apache Tomcat with SSL/TLS see, https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Choose from one of the following procedures to import the certificate into Tomcat:

Prerequisites

  • You must have a .pfx or .p12 file that contains:
    • the public certificate,
    • its private key,
    • and the intermediate certificates in the certificate path.
  • You must know the password for the certificate file. For information about exporting a server certificate from the Windows Certificate Store, see How do I Import and Export Server SSL Certificates?
  • Stop the MOVEit Automaton service using Windows Services. For more information, see Starting and Stopping.

Import an SSL/TLS Certificate into Tomcat for new installations, upgrades, and previously converted installations using PFX keystores

  1. Backup the current SSL/TLS certificate located in the Tomcat\certs directory.
  2. Select from the following options:
    1. If you know the credentials of the current SSL/TLS certificate
      1. Rename the certificate. For example, cert.pfx to cert-expired.pfx
      2. Save the new pfx certificate into the Tomcat\certs directory with the same name and password as the original certificate.
    2. If you do not know the credentials of the current SSL/TLS certificate
      1. Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password.

        The password cannot contain the < or > characters.

      2. Navigate to the Tomcat\conf directory.
      3. Backup the existing server.xml file before making any changes.
      4. Open the server.xml in a text editor as an administrator.
        Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
      5. Locate the connector tag for port 443 (or the port configured for Tomcat to listen on). Navigate to the Certificate tag: Connector > SSLHostConfig > Certificate.
      6. Locate the CertificateKeyStoreFile attribute in the Connector’s Certificate tag, and update its value to the name of the .pfx or .p12 in step i.
      7. Locate the CertificateKeyStorePasswordattribute in the same Certificate tag, and update its value to the password of the .pfx or .p12 in step i.
      8. Save the changes to the server.xml file.
  3. Restart MOVEit Automation Web Admin service using Windows services.
  4. To confirm that the correct updated certificate is in place, open Web Admin in a browser.

Import an SSL/TLS Certificate into Tomcat for upgrades using PEM certs and converting existing installs to use PFX certificates

  1. Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password. The password cannot contain the < or > characters.
  2. Navigate to the Tomcat\conf directory.
  3. Backup the existing server.xml file before making any changes. Create an additional copy of the server.xml file to edit. . Do not directly edit the server.xml in the Tomcat folder.
  4. Open the server.xml in a text editor as an administrator.
    Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
  5. Locate the connector tag for port 443, or whatever port is configured for Tomcat to listen on. Navigate to the Certificate tag: Connector > SSLHostConfig > Certificate. For example: 
     <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" maxThreads="150" compression="on" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript">
	<SSLHostConfig sslProtocol="TLSv1.2" honorCipherOrder="true" ciphers="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL">
		<Certificate certificateFile="${catalina.home}\certs\servercert.pem" certificateKeyFile="${catalina.home}\certs\serverkey.pem" certificateKeyPassword="keyPassword"/>
	</SSLHostConfig>
</Connector>
    1. Remove the following attributes and their values from the Certificate tag:
      • CertificateFile="${catalina.home}\certs\servercert.pem"
      • CertificateKeyFile= "${catalina.home}\certs\serverkey.pem"
      • CertificateKeyPassword="keyPassword"
    2. Add the following attributes, and their appropriate values:
      • certificateKeystoreFile="${catalina.home}\certs\your_new_pfx_file.pfx"
      • certificateKeystoreType="PKCS12"
      • certificateKeystorePassword="Your new PFX private key password"
      The result will look like this example:
      <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" maxThreads="150" compression="on" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript">
	<SSLHostConfig sslProtocol="TLSv1.2+TLSv1.3" honorCipherOrder="true" ciphers="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL">
		<Certificate certificateKeystoreFile="${catalina.home}\certs\servercert.pfx" certificateKeystorePassword="keystorePassword" certificateKeystoreType="PKCS12"/>
	</SSLHostConfig>
</Connector>
    3. Save the updated server.xml file to the Tomcat\conf directory. If prompted to overwrite the existing files, click Yes.
  6. Restart MOVEit Automation Web Admin using Windows services.
  7. To confirm that the correct updated certificate is in place, open Web Admin in a browser.

Troubleshooting

If the Web Admin service fails to start, it may be due to server.xml file permissions, which can be removed during the copy process. To resolve this, right-click the server.xml file, go to Properties > Security. Edit the permissions to add Full control permissions to Administrators and System. Start the Web Admin service.