Update the MOVEit Automation Web Admin SSL/TLS Certificate
- Last Updated: April 2, 2025
- MOVEit Automation
- Version 2024.1
- Version 2024
For use in production environments, you should install a certificate from a trusted certificate authority.
The trusted certificate for the Web Admin Server can be installed during installation or manually imported into Tomcat after installation.
For information about configuring Apache Tomcat with SSL/TLS, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
Choose one of the following procedures to import the certificate into Tomcat.
Prerequisites
You must have a .pfx or .p12 file that contains the public certificate, its private key, and the intermediate certificates in the Certificate path. You must know the file credentials. For information about exporting a server certificate from the Windows Certificate Store, see How do I Import and Export Server SSL Certificates?
Stop the MOVEit Automation service using Windows Services. For more information, see Starting and Stopping.
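The prerequisites above can be checked before the file is copied into Tomcat\certs. The following PowerShell is an added example, not part of the Progress documentation; the function name Test-WebAdminPfx and its output property names are illustrative, and the file name in the usage comment is a placeholder.

```powershell
# Added example: pre-flight check of the .pfx/.p12 described in the prerequisites.
function Test-WebAdminPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    # A wrong password throws here, so a clean import confirms the file credentials.
    $certs.Import((Resolve-Path -LiteralPath $PfxPath).Path, $plain, $flags)

    $leaf  = @($certs | Where-Object HasPrivateKey)               # server certificate(s)
    $other = @($certs | Where-Object { -not $_.HasPrivateKey })   # intermediates / root
    $now   = Get-Date
    foreach ($c in $leaf) {
        [pscustomobject]@{
            Subject         = $c.Subject
            Thumbprint      = $c.Thumbprint
            NotAfter        = $c.NotAfter
            CurrentlyValid  = ($c.NotBefore -le $now) -and ($now -le $c.NotAfter)
            SelfSigned      = $c.Subject -eq $c.Issuer
            # The certificate that issued the server certificate should be in the file.
            IssuerInFile    = [bool]($other | Where-Object { $_.Subject -eq $c.Issuer })
            # The procedures below state the password cannot contain < or >.
            PasswordCharsOk = $plain -notmatch '[<>]'
        }
    }
    if (-not $leaf) { Write-Warning "No certificate with a private key found in $PfxPath" }
    foreach ($c in $certs) { $c.Reset() }   # release the temporarily imported key material
}

# Usage (placeholder file name):
# Test-WebAdminPfx -PfxPath .\your_new_pfx_file.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

Record the Thumbprint value; it is what the browser should show for the Web Admin certificate after the service restarts.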
Import an SSL/TLS Certificate into the Tomcat service on a new install (2024.1 and later)
- Back up the current SSL/TLS certificate located in the Tomcat\certs directory.
- Select from the following options:
  - If you know the credentials of the current SSL/TLS certificate:
    - Rename the certificate. For example, cert.pfx to cert-expired.pfx.
    - Save the new pfx certificate into the Tomcat\certs directory with the same name and password as the original certificate.
  - If you do not know the credentials of the current SSL/TLS certificate:
    - Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password. The password cannot contain the < or > characters.
    - Navigate to the Tomcat\conf directory.
    - Back up the existing server.xml file before making any changes.
    - Open the server.xml in a text editor as an administrator.
      Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
    - Locate the connector tag for port 443, or whatever port is configured for Tomcat to listen on.
    - Locate the keystoreFile attribute. Update the file name to that of the .pfx or .p12 in step 1.
    - Locate the keystorePass attribute and enter the password of the .pfx or .p12 in step 1.
    - Save the changes to the server.xml file.
- Restart MOVEit Automation Web Admin service using Windows services.
- To confirm that the correct updated certificate is in place, open Web Admin in a browser.
Import an SSL/TLS Certificate into the Tomcat service after an upgrade to 2024.1 and later
- Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password. The password cannot contain the < or > characters.
- Navigate to the Tomcat\conf directory.
- Back up the existing server.xml file before making any changes. Create an additional copy of the server.xml file to edit. Do not directly edit the server.xml in the Tomcat folder.
- Open the server.xml in a text editor as an administrator.
  Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
- Locate the connector tag for port 443, or whatever port is configured for Tomcat to listen on. For example:
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1.2" SSLHonorCipherOrder="true"
               SSLCipherSuite="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL"
               SSLCertificateFile="${catalina.home}\certs\servercert.pem"
               SSLCertificateKeyFile="${catalina.home}\certs\serverkey.pem"
               SSLPassword="RGKV7EQ6"
               maxThreads="150" compression="on" compressionMinSize="1024"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript"/>
- Remove the following four attributes and their values from the server.xml file:
  - SSLCertificateFile="${catalina.home}\certs\servercert.pem"
  - SSLCertificateKeyFile="${catalina.home}\certs\serverkey.pem"
  - SSLPassword="XXXXXX"
  - (not present in all configurations) SSLCertificateChainFile="${catalina.home}\certs\serverkey.pem"
- Add the following attributes, and their appropriate values:
  - keystoreFile="${catalina.home}\certs\your_new_pfx_file.pfx"
  - keystoreType="PKCS12"
  - keystorePass="Your new PFX private key password"
  The result will look like this example:
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1.2" SSLHonorCipherOrder="true"
               SSLCipherSuite="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL"
               keystoreFile="${catalina.home}\certs\progresscert.pfx"
               keystoreType="PKCS12"
               keystorePass="test123"
               maxThreads="150" compression="on" compressionMinSize="1024"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript"/>
- Save the updated server.xml file to the Tomcat\conf directory. If prompted to overwrite the existing files, click Yes.
- Restart MOVEit Automation Web Admin service using Windows services.
- To confirm that the correct updated certificate is in place, open Web Admin in a browser.
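The attribute changes in the upgrade procedure can be checked on the edited copy of server.xml before it is saved over the file in Tomcat\conf. This PowerShell is an added example, not part of the Progress documentation; the function name Test-WebAdminConnector, the C:\Tomcat path and the sample XML are constructed for illustration.

```powershell
# Added example: lint an edited server.xml copy against the attribute lists above.
function Test-WebAdminConnector {
    param(
        [Parameter(Mandatory)] [string] $ServerXmlPath,
        [Parameter(Mandatory)] [string] $TomcatHome   # directory Tomcat uses for ${catalina.home}
    )
    # Parsing fails on malformed XML, for example an unescaped '<' inside keystorePass.
    $doc = [xml](Get-Content -LiteralPath $ServerXmlPath -Raw)
    $legacy   = 'SSLCertificateFile', 'SSLCertificateKeyFile', 'SSLPassword', 'SSLCertificateChainFile'
    $required = 'keystoreFile', 'keystoreType', 'keystorePass'

    foreach ($c in $doc.SelectNodes('//Connector[@SSLEnabled="true"]')) {
        $ks = $c.GetAttribute('keystoreFile').Replace('${catalina.home}', $TomcatHome)
        [pscustomobject]@{
            Port            = $c.GetAttribute('port')
            LegacyStillSet  = @($legacy   | Where-Object { $c.HasAttribute($_) })
            MissingRequired = @($required | Where-Object { -not $c.HasAttribute($_) })
            KeystoreTypeOk  = $c.GetAttribute('keystoreType') -eq 'PKCS12'
            KeystoreExists  = [bool]$ks -and (Test-Path -LiteralPath $ks -PathType Leaf)
            PasswordCharsOk = $c.GetAttribute('keystorePass') -notmatch '[<>]'
        }
    }
}

# Constructed sample: an edit that added the keystore attributes but left one
# of the old PEM attributes in place.
$sample = Join-Path $env:TEMP 'server-edited.xml'
@'
<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             SSLCertificateFile="${catalina.home}\certs\servercert.pem"
             keystoreFile="${catalina.home}\certs\your_new_pfx_file.pfx"
             keystoreType="PKCS12" keystorePass="placeholder-password"/>
</Service></Server>
'@ | Set-Content -LiteralPath $sample
Test-WebAdminConnector -ServerXmlPath $sample -TomcatHome 'C:\Tomcat'   # placeholder path
```

A connector is ready to deploy when LegacyStillSet and MissingRequired are both empty and the three boolean properties are True.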
Troubleshooting
If the Web Admin service fails to start, it may be due to server.xml file
permissions, which can be removed during the copy process. To resolve this, right-click the
server.xml file, go to . Edit the permissions to add Full control permissions
to Administrators and System. Start the Web Admin service.