
Not able to redirect http to https

Please look into my server.xml; I am not able to redirect port 8019 to https (port 443). I tried various examples on the web but I still cannot get it working. Could anyone help me with what is wrong with my server.xml?

<Connector port="8019" protocol="HTTP/1.1"
           connectionTimeout="100000"
           redirectPort="443" />

<Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="C:\zenfortecertificate\3_zensar_com.pfx" keystorePass="[my password]" keystoreType="PKCS12"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"/>

<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />

<Engine name="Catalina" defaultHost="zenforte-stg.zensar.com">
  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    [...]
  </Host>
  <Host name="zenforte-stg.zensar.com"  appBase="zen_webapps"
        unpackWARs="true" autoDeploy="true"/>
</Engine>

There are a few problems with your server.xml. Some of them have to do with your actual question, others are just things you might want to think about.

First, you have two <Connector> elements on the same port (8019):

<Connector port="8019" protocol="HTTP/1.1" connectionTimeout="100000" redirectPort="443" />

and

<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />

So the first thing to do is to pick a connector and remove the other one. If you want to use the AJP protocol with your reverse-proxy or load balancer, then keep the AJP one. Otherwise, use the HTTP one.

The key to redirecting HTTP -> HTTPS is the redirectPort in your non-secure <Connector> (on port 8019, whichever of AJP/HTTP you choose). But the redirect doesn't happen unless your application asks for it. In order to do that, you need this in your application's WEB-INF/web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

This tells the container (Tomcat) that the application expects "confidential" communication and it will automatically redirect any non-confidential (i.e. insecure) requests to the confidential (i.e. encrypted) protocol on the other port (https/443).

Some other considerations:

  1. Your connectionTimeout of 100 seconds is a long time. You probably want that to be much lower, otherwise clients can tie up your server without accomplishing any work.
  2. Your <Connector> contains all of your secure configuration. Modern Tomcats use a <SSLHostConfig> for all that configuration. This suggests an old configuration with a new server or, worse, an old server. You should try to upgrade to the latest server and use the latest configuration style. The newer configuration style gives you greater control over the configuration and makes it clearer what is happening. (For example, if you want to use RSA + ECDSA, the configuration is more explicit using <SSLHostConfig> + <Certificate> than just specifying the keystore and hoping for the best.)
  3. If you aren't using the "localhost" <Host> in your configuration, remove it. Even better, if you don't have any other <Host>s defined, just allow the "localhost" one to cover everything. This makes your configuration less customized from the default, and therefore you have fewer changes to maintain from the stock server.xml.
  4. Specifying disableUploadTimeout="true" doesn't have any effect unless you also specify connectionUploadTimeout.
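As an added illustration (not part of the answer above or of the asker's file), here are the two connectors rewritten in the <SSLHostConfig> + <Certificate> style the answer recommends for Tomcat 8.5/9: a single non-secure connector on 8019 whose redirectPort points at the HTTPS connector, and the TLS settings moved out of the connector attributes. The port, keystore path and password placeholder are the asker's; the 20-second connectionTimeout, the thread count and the reduced cipher list are assumptions chosen for the example.

```xml
<!-- Added example: one plain-HTTP connector, redirecting to 443 when a
     CONFIDENTIAL transport-guarantee is hit (the AJP duplicate is dropped). -->
<Connector port="8019" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector in the SSLHostConfig style; TLS settings live in the
     nested elements rather than as connector attributes. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true">
  <!-- certificateVerification="none" is the modern spelling of clientAuth="false" -->
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="none"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    <!-- type="RSA" makes explicit which key the PKCS12 keystore holds;
         a second <Certificate type="EC"> could sit beside it for ECDSA. -->
    <Certificate certificateKeystoreFile="C:\zenfortecertificate\3_zensar_com.pfx"
                 certificateKeystorePassword="[my password]"
                 certificateKeystoreType="PKCS12"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

The redirect still only fires for requests matched by a <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the application's web.xml, so a quick way to confirm the wiring is to request a covered URL over port 8019 and check that the response is a 302 whose Location header starts with https://.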
