Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber.
This article describes an example way to set up HTTPS in Tomcat without using an external server like Apache. The following steps are for Liferay DXP 7.3, though minor changes could be made to apply them to other versions of Liferay DXP; the primary change is the contents of Tomcat's server.xml <Connector> configurations.
- DXP 7.3
- Apache Tomcat 9.x
1. Open a terminal to the tomcat folder of the Liferay DXP 7.3 bundle. Example: /home/user/Liferay/Bundles/liferay-dxp-7.3.10-ga1/tomcat-9.0.37
2. Within that terminal use the following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
3. Fill out the requested information and provide new passwords as required. An example of the questions that will be asked:
What is your first and last name?
[Unknown]: joe bloggs
What is the name of your organizational unit?
[Unknown]: liferay
What is the name of your organization?
[Unknown]: liferay inc
What is the name of your City or Locality?
[Unknown]: Chicago
What is the name of your State or Province?
[Unknown]: IL
What is the two-letter country code for this unit?
[Unknown]: us
Is CN=joe bloggs, OU=liferay, O=liferay inc, L=Chicago, ST=IL, C=us correct?
4. Export the certificate from the keystore with the following command, run from the same terminal as in step 3:
keytool -export -alias tomcat -keypass changeit -file server.crt -keystore keystore
5. Import the certificate into the JDK's cacerts file. The terminal being used should still be opened to the Liferay bundle’s Tomcat folder, but the target of the command is the JDK's cacerts file. An example:
keytool -import -alias tomcat -file server.crt -keypass changeit -keystore "/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts"
NOTE - If this process has been completed previously, the JVM may be expecting the previously used password, which may be “changeit”.
6. Next, update Tomcat’s server.xml file (/tomcat-9.0.37/conf/server.xml) with the following. As noted above, the following is for the version of Tomcat bundled with Liferay DXP 7.3; older versions of Tomcat may require different Connector settings.
6A. Remove the following <Connector>:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
6B. Add the following and update the keystoreFile and keystorePass values as needed:
scheme="https" secure="true" SSLEnabled="true"
7. Within the Liferay DXP 7.3 bundle’s portal-ext.properties file, add the following property, which tells DXP to use HTTPS:
8. Access the bundle at https://localhost:8443. It may be necessary to accept browser security notifications and warnings, as self-signed certificates are not trusted by most modern browsers.
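A quick check for the HTTPS Connector from step 6B, added here as an example (it is not part of Liferay's article): it parses server.xml and reports missing HTTPS attributes or a keystore password left at "changeit". The function name, the sample XML, the keystore path and the placeholder password are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute values the article's HTTPS <Connector> sets in step 6B.
REQUIRED = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}

def audit_https_connector(server_xml, port="8443"):
    """Return findings for the <Connector> on `port`; an empty list means it passed."""
    root = ET.fromstring(server_xml)
    conn = next((c for c in root.iter("Connector") if c.get("port") == port), None)
    if conn is None:
        return [f"no <Connector> on port {port}"]
    findings = []
    for attr, want in REQUIRED.items():
        got = conn.get(attr)
        if got is None or got.lower() != want:
            findings.append(f'{attr} should be "{want}", found {got!r}')
    if not conn.get("keystoreFile"):
        findings.append("keystoreFile is not set")
    password = conn.get("keystorePass")
    if not password:
        findings.append("keystorePass is not set")
    elif password == "changeit":
        findings.append('keystorePass is the widely known default "changeit"')
    return findings

# Constructed sample: keystore path and password are placeholders, not real values.
SAMPLE_OK = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/path/to/tomcat-9.0.37/keystore"
             keystorePass="EXAMPLE-PLACEHOLDER-PASSWORD"/>
</Service></Server>"""

# Constructed sample with two problems: SSLEnabled omitted, default password kept.
SAMPLE_WEAK = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true"
             keystoreFile="/path/to/tomcat-9.0.37/keystore"
             keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(name, audit_https_connector(xml) or "passed")
```

To check a real installation, pass the text of conf/server.xml to audit_https_connector in place of the samples.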
To set the entire site to use HTTPS, set this in portal-ext.properties:
To set only the login page to be HTTPS, set this in portal-ext.properties:
Within an SSL production environment, if you receive a "Certificate Error" that defines your SSL certificate as not a "Trusted Root", you may need to obtain a digital signature from a certificate authority provider.