Versions Compared

Old Version 6

changes.mady.by.user Xavier Haurie

Saved on

compared with

New Version 7

changes.mady.by.user Xavier Haurie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tomcat should accept requests on port 8009, but only from localhost, and redirect to the SSL port 6443. Port 8009 and 6443 should not be reachable from outside the localhost, which is a change from the non-SSO Shrine installation where clients connect to port 6443. 

Configure port 6443 – set your own keystore a connector to listen to https requests on port 6443:

    <Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
               honorCipherOrder="true" ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,
               TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
            <Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"
                         certificateKeystorePassword="changeit<changeit>"
                         certificateKeyAlias="[your-certificate-alias, e.g *.domain-name]" />
        </SSLHostConfig>
    </Connector>

...