Securing SailPoint Deployed on Tomcat Server

Secure Sockets Layer (SSL) is a protocol that secures communication between a client and a server with the help of certificates. When Apache Tomcat is the server on which SailPoint is deployed, the data being handled is sensitive in nature. With a self-signed certificate, we can secure SailPoint IdentityIQ hosted on a Tomcat server without the need for a certificate authority (CA).

1. Creation of the Self-Signed Certificate

Step 1: Open up the command prompt

Step 2: Make sure Java is installed and type the following command:

keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/keystore/file/keystore_name

Step 3: Enter the password. The default password for Tomcat is "changeit".

Step 4: Enter all the details for the keystore, i.e. name, name of OU, name of organization, city, state, country.

Step 5: Press Enter if you want the key to use the same password as the keystore. The keystore will then be generated in the specified location.

2. Configuring the Tomcat Server

Step 1: Navigate to CATALINA_HOME

Step 2: Navigate into the conf directory.

Step 3: Open the server.xml file.

Step 4: Comment out the default connector:

<Connector port="8080" protocol="HTTP/1.1"
redirectPort="8443" />





Step 5: Add the following connector to the file:

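<!-- HTTPS connector: keystoreFile is the keystore created in section 1; replace the keystorePass placeholder with its password -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/keystore/file/keystore_name" keystorePass="your_keystore_password" />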

Step 6: Save the file and start the Tomcat server.

Step 7: Check the Tomcat server URL.


Note: The browser will warn that the site is not secure. This is because the self-signed certificate has not been signed by a CA. You can add an exception in the browser and proceed.
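To confirm the result of the steps above, the following added example (not part of the original post) audits the active connectors in a server.xml: it flags a plaintext connector that was not commented out, a keystoreFile that points at a directory, the default keystore password, and an invalid protocol value. The function name audit_connectors and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml where the steps were only partly applied.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="/path/to/keystore/file/" keystorePass="changeit" />
</Service></Server>"""

# Any other protocol value is loaded by Tomcat as a Java class name.
KNOWN_PROTOCOLS = ("HTTP/1.1", "AJP/1.3")


def audit_connectors(server_xml):
    """Return a list of findings for the active <Connector> elements."""
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are ignored.
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    if not any(c.get("SSLEnabled", "").lower() == "true" for c in connectors):
        findings.append('no connector has SSLEnabled="true"')
    for c in connectors:
        port = c.get("port", "?")
        protocol = c.get("protocol", "HTTP/1.1")
        # Heuristic: class names never contain "/", so "HTTPS/1.1" is a typo.
        if protocol not in KNOWN_PROTOCOLS and "/" in protocol:
            findings.append(f"port {port}: protocol {protocol!r} is not a Tomcat protocol name")
        if protocol.startswith("AJP"):
            continue  # AJP connectors are outside the scope of this check
        if c.get("SSLEnabled", "").lower() != "true":
            findings.append(f"port {port}: plaintext HTTP connector is still active")
            continue
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f"port {port}: scheme/secure not set for HTTPS")
        keystore = c.get("keystoreFile", "")
        if not keystore or keystore.endswith(("/", "\\")):
            findings.append(f"port {port}: keystoreFile must name the keystore file")
        # Tomcat falls back to "changeit" when keystorePass is absent.
        if c.get("keystorePass", "changeit") == "changeit":
            findings.append(f"port {port}: keystorePass is the default 'changeit'")
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

An empty list means the active connectors pass all of these checks.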

The following is a detailed demo of the steps above:

Mohit Kayla
