I need to configure SSL to access APEX applications using HTTPS. I am deploying them on Tomcat, but I get a 500 internal server error when accessing applications deployed on Tomcat with SSL.
Using:
https://tomcatserver.domain/abc? -- gives 500 internal server error.
http://tomcatserver.domain/abc? -- works fine.
https://tomcatserver.domain? -- only Tomcat without the deployed application works fine.
I have:
APEX 23.1
ORDS 20.2.1
Tomcat: 9.0.46
My applications are already running on http without any problem using tomcat and ords.
To configure SSL, I first configured SSL in Tomcat (by editing server.xml). That went well, and I can access the URL of the Tomcat application server using HTTPS.
I added the following to server.xml:
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    maxHttpHeaderSize="8192"
    maxThreads="200" minSpareThreads="10"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    acceptorThreadCount="2"
    compression="on"
    URIEncoding="UTF-8"
>
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="somepath\qwas.pfx"
            certificateKeystorePassword="******"
            certificateKeystoreType="PKCS12"
        />
    </SSLHostConfig>
</Connector>
Now I add the following to web.xml in C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\web.xml and also in C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\abc\WEB-INF\web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
But the deployed application still gives me a 500 internal server error when accessed using HTTPS.
I get a 500 internal server error.
What am I missing here?
Looking at the documentation for SSL setup for the current latest version of Tomcat 9 (9.0.86), the server.xml file does not use a nested SSLHostConfig element for configuring SSL; all the information is specified as attributes of the Connector.
What I would recommend is downloading the zip version of Tomcat instead of the executable (so you don't overwrite your current setup) and looking at the sample server.xml to use as a reference. For my APEX installation, I do not modify the web.xml at all and just use what comes with the default Tomcat setup.
As Jeff had suggested upgrading ORDS in the comments (which I agree with), I would also recommend upgrading your version of Tomcat. Tomcat 9.0.46 was released almost 3 years ago and there have been multiple CVEs that have been patched since then.
If you want to ensure that all of your applications are only accessed using HTTPS, you can configure Tomcat to only be open on one port that uses HTTPS, or you can configure APEX to force HTTPS within the instance settings.
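To check the HTTPS-only goal from the last paragraph against real files, the following added example (not part of the answer above, and not Tomcat or ORDS code) audits a server.xml for plaintext listeners and a web.xml for CONFIDENTIAL constraints. The function names are hypothetical and the XML samples are constructed to resemble the question's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the question's files (not the poster's real config).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol">
    <SSLHostConfig><Certificate certificateKeystoreType="PKCS12"
        certificateKeystoreFile="conf/example.pfx"/></SSLHostConfig>
  </Connector>
</Service></Server>"""

CONSTRAINT = """<security-constraint>
  <web-resource-collection><web-resource-name>%s</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint>"""
WEB_XML = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">'
           + CONSTRAINT % "HTTPSOnly" + CONSTRAINT % "Entire Application" + "</web-app>")


def texts(node, name):
    """Text of descendants called `name`, in any (or no) XML namespace."""
    return [(e.text or "").strip() for e in node.findall(".//{*}" + name)]


def audit_connectors(server_xml):
    """Return (tls_ports, plaintext_ports, plaintext_ports_without_tls_redirect)."""
    conns = [c for c in ET.fromstring(server_xml).iter("Connector")
             if not c.get("protocol", "").upper().startswith("AJP")]
    tls = [c.get("port") for c in conns if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in conns if c.get("port") not in tls]
    # Flag plaintext listeners with no explicit redirectPort pointing at a TLS port.
    no_redirect = [c.get("port") for c in plain if c.get("redirectPort") not in tls]
    return tls, [c.get("port") for c in plain], no_redirect


def confidential_patterns(web_xml):
    """URL patterns under a CONFIDENTIAL transport-guarantee (duplicates kept)."""
    found = []
    for sc in ET.fromstring(web_xml).findall(".//{*}security-constraint"):
        if "CONFIDENTIAL" in texts(sc, "transport-guarantee"):
            found += texts(sc, "url-pattern")
    return found


if __name__ == "__main__":
    print(audit_connectors(SERVER_XML))
    print(confidential_patterns(WEB_XML))
```

A pattern that appears more than once in the second result, as `/*` does here, means the same constraint was declared twice and one copy can be dropped.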