When your web application moves beyond hobby status, the first hardening step is wrapping every byte in TLS. Tomcat makes the process painless once you understand where the moving parts live. In this guide you will create (or import) a certificate, wire it into Tomcat’s connector, and verify that the padlock appears in every browser.
Why HTTPS on Tomcat Matters
Plain HTTP exposes cookies, credentials, and payloads to anyone on the wire. Search engines penalize insecure sites, browsers now flag non-TLS pages as “Not Secure”, and compliance frameworks such as PCI-DSS simply forbid clear-text traffic. Turning on HTTPS:
Encrypts data in transit
Proves server identity to clients
Unlocks HTTP/2 and modern protocols
Keeps Google and your security team happy
Prerequisites and Environment
Before touching configuration files ensure:
Tomcat 9.x or 10.x is installed and starts cleanly on port 8080
JAVA_HOME points to JDK 8+ (keytool comes with the JDK)
OpenSSL 1.1+ if you prefer generating private keys externally
Server DNS name (e.g. app.ankurm.com) resolves to the VM or container
When you deploy a Java web application on Apache Tomcat and place it behind a reverse proxy or a load balancer (like Nginx, Apache httpd, or an AWS Elastic Load Balancer), a common challenge arises: Tomcat no longer sees the original client’s IP address. Instead, methods like request.getRemoteAddr() return the IP address of the load balancer itself.
This can be a significant problem for features that rely on the client’s IP, such as:
Security and rate-limiting
Geolocation-based services
Audit logging and analytics
User session tracking
Fortunately, Tomcat provides a clean, built-in solution to this problem: the RemoteIpValve. This post will guide you through understanding the problem and implementing the fix in your server.xml file.
As a developer, I’m always looking for ways to streamline my workflow, especially when it comes to deploying applications. If you’re working with Maven and Tomcat, the Tomcat Maven Plugin is an absolute game-changer. It allows you to deploy, start, stop, and even redeploy your web applications directly from your Maven build, eliminating the need for manual server interactions. In this post, we’ll dive deep into using this powerful plugin, complete with practical examples to get you up and running quickly.
Let’s get started!
What is the Tomcat Maven Plugin?
The Tomcat Maven Plugin is a Maven plugin that provides goals for running and deploying web applications to an embedded or standalone Tomcat server. It simplifies the development and testing cycle by allowing you to manage your application’s lifecycle within your Maven project.