This page last changed on May 12, 2008 by twong.

This document describes how to configure Confluence to use HTTPS (HTTP over SSL/TLS) so that user logins and page data are encrypted in transit.

Data sent between the browser and Confluence over plain HTTP, including passwords and session cookies, may be intercepted by an attacker on the network path. To secure user logins, you can enable access via HTTPS and require its use for the pages where passwords are sent. Where the page content itself is sensitive, all pages can be required to be accessed over HTTPS.

Enabling SSL access differs between application servers, but specifying which pages require protection is generic (it is done in the web application's web.xml). This document is specific to Tomcat, the default application server shipped with Confluence.

Adding Secure User Logins

Adding HTTPS requires an SSL certificate and its private key, stored in a Java keystore. If you already have a certificate prepared, skip to the 'Modify the <INSTALL>/conf/server.xml File' section.

Creating A New SSL Certificate

On Windows, perform the following at the command prompt:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

Or on other platforms, perform the following at the command prompt:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

keytool asks for the certificate's distinguished name and for two passwords. Answer the first question ('What is your first and last name?') with the host name users will type into the browser (for example confluence.example.com); otherwise browsers will reject the certificate as not matching the site. It then asks for a keystore password and a key password: Tomcat's default keystore password is 'changeit', but whatever you choose, enter the same value for both, because Tomcat opens the key with the keystore password unless configured otherwise. Note down the password, as it will be used in the next step. The command writes a self-signed certificate to the .keystore file in the home directory of the user running it; use keytool's -keystore option to put it elsewhere, and -validity to set its lifetime in days (the default is 90).

Modify the <INSTALL>/conf/server.xml File

Open <INSTALL>/conf/server.xml and locate the <Service> element that contains the existing HTTP connector. Uncomment the HTTPS connector if one is already present, otherwise insert one of the following just after the closing </Engine> tag (still inside <Service>):

  1. For users of Confluence 2.2 or later:
    Open conf/server.xml, uncomment the lines:
    <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />

    Or for users of Confluence 2.1.x or earlier, add or uncomment the following lines:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true" URIEncoding="UTF-8">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystorePass="<MY_CERTIFICATE_PASSWORD>" />
    </Connector>
  2. Change <MY_CERTIFICATE_PASSWORD> to the keystore password you entered when you generated the certificate. The value is an XML attribute, so escape any &, < or " in the password (as &amp;, &lt; and &quot;). server.xml now contains a secret: make sure the file is readable only by the account that runs Tomcat.

If you have a Certificate Prepared

If you have just created a new keystore, or your existing one is in the default location, skip to the 'Testing SSL' section. By default, Tomcat looks for the keystore at C:\Documents and Settings\<CURRENT_USER>\.keystore on Windows or ~/.keystore on Unix, in the home directory of the account that runs Tomcat. This is not necessarily the account that ran keytool (for example when Tomcat runs as a Windows service or as a dedicated Unix user), so an explicit path is safer. If your keystore is not in the default location, update your <INSTALL>/conf/server.xml file as outlined below so that Tomcat can find it. A self-signed certificate is adequate for testing, but browsers will warn about it on every visit; for production you should have the certificate signed by a Certificate Authority, as described in the Tomcat documentation.

  1. For users of Confluence 2.2 or later:
    Open conf/server.xml, add the keystoreFile="<MY_CERTIFICATE_LOCATION>" parameter to the Connector tag as shown below:
    <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" keystoreFile="<MY_CERTIFICATE_LOCATION>" />

    Or for users of Confluence 2.1.x or earlier, change the <Factory> tag to the following:

    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="<MY_CERTIFICATE_LOCATION>" keystorePass="<MY_CERTIFICATE_PASSWORD>" />
  2. Change <MY_CERTIFICATE_LOCATION> to the full path of the keystore file (the .keystore file written by keytool, or the keystore holding your CA-signed certificate).

Testing SSL

Restart Tomcat and access your instance on https://<MY_BASE_URL>:8443/. With a self-signed certificate the browser will warn that the certificate is not trusted; accept it for testing only. Once HTTPS works, set Confluence's Base URL (Administration, General Configuration) to the https:// address, so that links Confluence generates, for example in notification e-mails, use HTTPS.

For more detailed information on setting up SSL with Tomcat (including additional configuration options), have a look at Tomcat 4 SSL Howto or Tomcat 5.5 SSL Howto.

Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080) still work. In most situations you want these URLs to keep working, but with some of them redirected to their HTTPS equivalent.

If you have changed the SSL connector's port from the preconfigured value of 8443, you must also update the redirectPort attribute of the standard HTTP connector (the one on port 8080) to the new SSL port. Tomcat uses this attribute to decide where to send a request that arrives over HTTP but is required to be secure.
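The server.xml edits above are easy to get subtly wrong: an HTTPS connector without secure="true", a keystorePass left at (or defaulting to) Tomcat's "changeit", or an HTTP connector whose redirectPort points at the wrong port. The following script is an added example, not code from this page or from Atlassian: it parses a server.xml and reports those mistakes, handling both the Confluence 2.2 (Tomcat 5.5) connector layout and the older nested <Factory> layout, and it shows how to quote a password containing XML special characters. The server.xml it checks is constructed for the example, and its keystore path and password are placeholders.

```python
"""Sanity-check the Tomcat connectors in a Confluence server.xml.

Added example, not code from the page or from Atlassian.  The sample
server.xml is constructed for the example; the keystore path and the
password in it are placeholders, not a real secret.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: one HTTP connector with a wrong redirectPort, and the
# HTTPS connector from this document still using Tomcat's default password.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" acceptCount="100"
               redirectPort="8444" URIEncoding="UTF-8" />
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
               keystorePass="changeit" keystoreFile="/opt/confluence/.keystore" />
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def keystore_pass_attr(password):
    """Quote a keystore password as an XML attribute value (name="value").

    quoteattr escapes &, <, > and quotes, so a password containing them
    neither breaks server.xml nor silently becomes a different password.
    """
    return quoteattr(password)


def connector_settings(conn):
    """Merge a Connector's attributes with those of a nested <Factory>
    (the Tomcat 4 layout used by Confluence 2.1.x and earlier)."""
    settings = dict(conn.attrib)
    factory = conn.find("Factory")
    if factory is not None:
        settings.update(factory.attrib)
    return settings


def check_connectors(server_xml):
    """Return a list of findings; an empty list means the connectors are
    consistent with the configuration this document describes."""
    root = ET.fromstring(server_xml)
    findings = []
    https_ports = set()
    http_connectors = []
    for conn in root.iter("Connector"):
        s = connector_settings(conn)
        port = s.get("port", "?")
        if s.get("scheme") == "https":
            https_ports.add(port)
            if s.get("secure") != "true":
                findings.append(f'HTTPS connector {port}: secure must be "true"')
            # Tomcat 5.5 uses sslProtocol; the Tomcat 4 <Factory> uses protocol.
            if s.get("sslProtocol") is None and s.get("protocol") != "TLS":
                findings.append(f"HTTPS connector {port}: no SSL protocol configured")
            # Tomcat falls back to "changeit" when keystorePass is absent.
            if s.get("keystorePass", "changeit") == "changeit":
                findings.append(f"HTTPS connector {port}: keystorePass is the default 'changeit'")
        else:
            http_connectors.append(s)
    if not https_ports:
        findings.append('no HTTPS connector (scheme="https") found')
    for s in http_connectors:
        redirect = s.get("redirectPort")
        if redirect not in https_ports:
            findings.append(
                f"HTTP connector {s.get('port', '?')}: redirectPort={redirect!r} "
                f"is not an HTTPS connector port {sorted(https_ports)}")
    return findings


if __name__ == "__main__":
    for finding in check_connectors(SAMPLE_SERVER_XML) or ["OK"]:
        print(finding)
    print("keystorePass=" + keystore_pass_attr('p&ss"word'))
```

Run it against your own file with `check_connectors(open("conf/server.xml").read())`; it reports two findings for the constructed sample (the default password and the 8444/8443 mismatch) and nothing once both are corrected.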

Securing only the login page protects the password, but after login the session cookie is sent with every request, so anything still served over HTTP can be used to hijack the session. If security is a concern, we recommend using SSL encryption site wide, for the reasons listed here: CONF-4116. To do this:

Edit the confluence/WEB-INF/web.xml file and add the following declaration at the end, just before the closing </web-app> tag:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted URLs</web-resource-name>
    <url-pattern>*.action</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Once this change is made, restart Confluence and access http://localhost:8080. You should be redirected to https://localhost:8443/login.action (this only works if the HTTP connector's redirectPort matches the SSL port, as described above). Note that the *.action pattern covers only action URLs: page views under /display/, attachment downloads under /download/ and static resources are still served over plain HTTP, and the session cookie travels with them. For genuinely site-wide encryption, use the url-pattern /* instead of *.action.
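To see exactly which URLs a given security-constraint forces onto HTTPS, the following script is an added example, not code from this page or from Atlassian: it reads the CONFIDENTIAL url-patterns out of a web.xml and applies the servlet url-pattern rules (exact path, "/prefix/*", "*.extension", "/*") to a handful of request paths, listing those that would still be served over plain HTTP. The web.xml fragment and the request paths are constructed for the example; paths are relative to the Confluence context root.

```python
"""Show what a web.xml transport-guarantee actually covers.

Added example, not code from the page or from Atlassian.  The web.xml
and the request paths below are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample carrying exactly the constraint this document adds.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>Confluence</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted URLs</web-resource-name>
      <url-pattern>*.action</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed request paths typical of a Confluence instance.
SAMPLE_PATHS = [
    "/login.action",
    "/dashboard.action",
    "/display/DEMO/Home",
    "/download/attachments/1234/budget.xls",
    "/images/icons/add_12.gif",
]


def _local(tag):
    """Strip an XML namespace: '{uri}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml):
    """Return the url-patterns of every security-constraint whose
    transport-guarantee is CONFIDENTIAL (the URLs Tomcat forces onto HTTPS)."""
    root = ET.fromstring(web_xml)
    patterns = []
    for node in root.iter():
        if _local(node.tag) != "security-constraint":
            continue
        guarantees = [g.text.strip() for g in node.iter()
                      if _local(g.tag) == "transport-guarantee" and g.text]
        if "CONFIDENTIAL" not in guarantees:
            continue
        patterns.extend(p.text.strip() for p in node.iter()
                        if _local(p.tag) == "url-pattern" and p.text)
    return patterns


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching as applied to security constraints."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):                      # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                          # exact mapping


def is_confidential(patterns, path):
    """True if any CONFIDENTIAL pattern matches the request path."""
    return any(pattern_matches(p, path) for p in patterns)


def unprotected_paths(web_xml, paths):
    """Return the paths that this web.xml still allows over plain HTTP."""
    patterns = confidential_patterns(web_xml)
    return [p for p in paths if not is_confidential(patterns, p)]


if __name__ == "__main__":
    for path in unprotected_paths(SAMPLE_WEB_XML, SAMPLE_PATHS):
        print("still plain HTTP:", path)
```

With the *.action constraint the sample reports the /display/, /download/ and /images/ paths as unprotected; replacing the pattern with /* leaves nothing on plain HTTP.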

Document generated by Confluence on Jun 24, 2008 18:01