We Keep Coding

How to enable h3 in Tomcat?

How to configure/enable http3 in tomcat? Any documented steps would help. I checked tomcat official documentation but nothing could be found. Here is my current connector tag from server.xml -
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" keystoreFile="mykeystorejks"
keystorePass="****" server="Unknown"
sslEnabledProtocols="TLSv1.2"
ciphers="!aNULL,!eNULL,!EXPORT,!DES,!MD5,!PSK,!RC4,!3DES,!CBC3,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
/>

Apache Tomcat does not support HTTP/3.
If you really need HTTP/3 support then you would need to place Tomcat behind a reverse proxy that does support HTTP/3 and then proxy the requests to Tomcat over one of the supported protocols (AJP, HTTP/1.1, HTTP/2).

Configuring Tomcat to use Windows Certificate Store for SSL

I've deployed a number of SSL configurations, including both Tomcat (cacerts + keytool) and IIS (Windows Certificate Store + netsh http sslcert) so I'm familiar with these procedures.
Has anyone come up with a way to point Tomcat's SSL connector to a Windows Store (i.e. configuration, extension, plugin, etc.)? Just looking to centralize management of SSL deployments to one store, vs. having multiple stores.

According to the answer on "SSL enabling in Tomcat Windows server" you can specify keystore type as "Windows-My" in configuration of connector in server.xml, it worked for me on Tomcat 8.0.22 as well
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<alias of the cert>"
keystoreFile=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<alias of the cert>"
keystoreFile=""
keystorePass=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />
keystoreFile and keystorePass has to be set to empty string. see my comment at bz.apache.org "BUG 56021"
If not set they will default to values that causes trouble.
keyAlias should be either the friendly name (if it has one) or the common name of the certificate.

It seems not possible. From tomcat 8 documentation https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores.
Windows Store would require an specific connector similar to the 'WINDOWS-MY' of JSSE.
There is no reference in documentation to any plugin or connector to Windows Certificate Store.

While Dmitry's solution works on Tomcat 8.0, from Tomcat 8.5 onward there is a small caveat: you need to explicitly set JSSE as SSLImplementation. Hence the configuration becomes (considering also the new structure introduced in Tomcat 8.5):
<Connector port="8443"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
scheme="https" secure="true" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreType="Windows-MY"
certificateKeystoreFile=""
certificateKeyAlias="tomcat" />
</SSLHostConfig>
</Connector>
Alternatively, one can also set useOpenSSL="false" on the AprLifecycleListener.

JASIG CAS certificate

We have some problems with SSO (single sign on) authentication. We use JASIG CAS and our implmentation is not working. It is allert "You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS." But we added the sertificate to Tomcat server.xml
our settings in server.xml
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keyAlias="myalias"
keystoreFile="C:\Program Files\Java\jdk1.8.0_65\bin\ssoServer.jks"
keystorePass="12345678" />

If you did add the cert, then why are you going over localhost and 8080?

Change localhost with port to domain name

My webapp is built using JAVA(Backend) + JavaScript(FrontEnd) and I'm using Tomcat 8.0 as server.
Currently the URL to the webapp is "localhost:8083/myapp/index.jsp" and I have been trying to change it to a domain name in the hosts file (Under win/sys32/drivers/etc/..) and server.xml (under Tomcat) but unfortunately I wasn't able to achieve that. Any tips please?

I think you can just give a new port attribute value, do not add address attribute and should Tomcat be bind to all addresses. If you want to serve just one hostname give address="192.168.1.2" attribute.
<Connector port="80" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
connectionTimeout="60000" redirectPort="443"
acceptCount="1000" acceptorThreadCount="2" maxConnections="10000" maxThreads="400"
compression="on" compressionMinSize="2048"
compressableMimeType="application/json, text/json, application/xml, text/xml"
/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
connectionTimeout="60000"
acceptCount="1000" acceptorThreadCount="2" maxConnections="10000" maxThreads="400"
keystoreFile="./keystore.jks" keystorePass="mypwd" keyAlias="tomcat"
SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
compression="on" compressionMinSize="2048"
compressableMimeType="application/json, text/json, application/xml, text/xml"
/>

secure AJP connector not rendering

We have a hybris server behind an apache web server that are linked with ajp connectors. This is working perfectly however for some reason after updating to hybris 5.3 (and tomcat 7) the secure ajp connector is not rendering.
In the hybris tomcat config folder we have this in the server.xml:
${tomcat.connectors.ajp.plain}
which renders on ant clean all to this in the platform server.xml
<Connector protocol="AJP/1.3" port="8009" proxyPort="80" redirectPort="443" />
this works for non secure connections however we need to also render the secure connector:
<Connector protocol="AJP/1.3" port="8010" proxyPort="443" scheme="https" secure="true" />
I could just hard code this into the server.xml but that doesn't seem like the best way to do it. and I can't find where ${tomcat.connectors.ajp.plain} is actually rendered. Is there a similar property somewhere that will render the secure connector using the ports defined in the local.properties?

I'm afraid you have to declare it manually in your server.xml template in the configuration directory.
In actual fact, I prefer to do this for both AJP connectors as the templated one injected by the variable you mention is not very well configured and I have seen significant performance issues as a result. For example the number of threads is not specified and it is not associated with an executor. This means that when under large load, the number of active threads can grow to a silly number and cause the whole thing to fall over.
In fact, below is a snippet of the config/tomcat/conf/server.xml I use, which I have developed over 7 years of working exclusively on Hybris. Not only does it have sensible configurations, it also uses the more performant non-blocking IO protocols.
Hope this helps.
<Executor name="hybrisExecutor"
namePrefix="hybrisHTTP"
maxThreads="${tomcat.maxthreads}"
minSpareThreads="${tomcat.minsparethreads}"
maxIdleTime="${tomcat.maxidletime}"/>
<Connector port="${tomcat.http.port}"
maxHttpHeaderSize="8192"
maxThreads="${tomcat.maxthreads}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="20000"
URIEncoding="UTF-8"
disableUploadTimeout="true" />
<Connector port="${tomcat.ssl.port}"
maxHttpHeaderSize="8192"
maxThreads="${tomcat.maxthreads}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="${catalina.home}/lib/keystore"
keystorePass="123456" />
<!--
We explicitly declare the AJP connectors as we want to separate HTTP and SSL traffic and the default connector setting Hybris provides is not good enough.
-->
<Connector protocol="org.apache.coyote.ajp.AjpNioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="120000"
maxThreads="${tomcat.maxthreads}"
port="${tomcat.ajp.port}"
proxyPort="${proxy.http.port}"
redirectPort="${proxy.ssl.port}"
URIEncoding="UTF-8"
useIPVHosts="${tomcat.ajp.useipv}" />
<Connector protocol="org.apache.coyote.ajp.AjpNioProtocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="120000"
maxThreads="${tomcat.maxthreads}"
port="${tomcat.ajp.secureport}"
proxyPort="${proxy.ssl.port}"
redirectPort="${proxy.http.port}"
scheme="https"
secure="true"
URIEncoding="UTF-8"
useIPVHosts="${tomcat.ajp.useipv}" />
The variables are just properties you declare in local.properties. They are substituted at build time by the ant deploy task when it builds the actual server.xml in the platform tomcat directory.

I think you should try with:
<Connector
protocol="AJP/1.3"
port="8010"
connectionTimeout="20000"
scheme="https"
SSLEnabled="true"
secure="true"
maxThreads="200"
proxyPort="443"/>