Upgrade Tomcat 8 to Tomcat 9 with HTTPS TLS
The upgrade from Tomcat 8 to Tomcat 9 is part of the upgrade to Abiquo 5.2.x, and it affects environments that use HTTPS TLS between the Tomcat servers. (See Configure Abiquo Tomcat with HTTPS for Remote RS.)
As part of the upgrade when using HTTPS TLS between Tomcat servers:
The Catalina connector for HTTPS will be lost on upgrade
The new secretRequired option is not present
The AJP connector on Tomcat 9 won't allow external connections by default.
During the upgrade from Java 8 to Java 11, the default keystore folder location changes, for example:
OLD: keystoreFile="/usr/java/default/jre/lib/security/cacerts"
NEW: keystoreFile="/usr/java/default/lib/security/cacerts"
Before you start the upgrade, do these steps.
On each Tomcat server, from the /opt/abiquo/tomcat/conf folder, back up the server.xml files. For example, for the API server:
# cd /opt/abiquo/tomcat/conf
# cp server.xml ~/server.api.backup.xml
You will need to restore these files after the upgrade.
Before you restart the Tomcat servers, do these steps.
Restore the server.xml files from their backups
Edit the server.xml files and add the new secretRequired="false" option to the HTTPS connector
<Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8009"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks"
               keystorePass="changeit"
               keyAlias="myremoters.bcn.abiquo.com"
               clientAuth="false"
               secretRequired="false"
               sslProtocol="TLS"/>
If you have a separate API and UI server, on the API server, edit the server.xml file and allow the AJP connector to listen everywhere, not just on localhost, by setting address="0.0.0.0". Also add secretRequired="false".
<Connector port="8010"
           protocol="AJP/1.3"
           enableLookups="false"
           tomcatAuthentication="false"
           connectionTimeout="20000"
           secretRequired="false"
           address="0.0.0.0" />
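The following check is an added example, not part of the Abiquo documentation. It audits a restored server.xml against the steps above before Tomcat is restarted. The function name audit_server_xml and the sample XML are constructed for illustration, and the AJP defaults it assumes (secretRequired defaults to true, the connector binds to loopback when address is unset) are those of the Tomcat 9 AJP connector.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real system): a server.xml restored from a
# Tomcat 8 backup and not yet edited for Tomcat 9 / Java 11.
SAMPLE = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8009"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/usr/java/default/jre/lib/security/cacerts"
             clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8010" protocol="AJP/1.3" enableLookups="false"
             tomcatAuthentication="false" connectionTimeout="20000"/>
</Service></Server>"""

def audit_server_xml(xml_text, separate_ui_server=True):
    """Return (port, finding) tuples for the connectors in a server.xml."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        findings.append((None, "HTTPS connector missing: restore it from the backup"))
    for c in https:
        port = c.get("port")
        if "/jre/lib/security/" in c.get("keystoreFile", ""):
            findings.append((port, "keystoreFile still uses the Java 8 jre/ path"))
        if c.get("secretRequired") is None:
            findings.append((port, "secretRequired not set on HTTPS connector"))
    for c in connectors:
        if not c.get("protocol", "").upper().startswith("AJP"):
            continue
        port, address = c.get("port"), c.get("address")
        # Assumed Tomcat 9 default: secretRequired is true when not specified.
        needs_secret = c.get("secretRequired", "true").lower() == "true"
        if needs_secret and not c.get("secret"):
            findings.append((port, "AJP secretRequired defaults to true and no secret is set"))
        if separate_ui_server and address is None:
            findings.append((port, "AJP listens on loopback only; UI server cannot connect"))
        if address in ("0.0.0.0", "::") and not needs_secret:
            findings.append((port, "AJP open on all interfaces without a secret: "
                                   "firewall this port to the UI server"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE):
        print(f"port {port}: {finding}")
```

With the connectors configured exactly as shown above, the only remaining finding is the last one: the AJP port accepts connections from any host without a shared secret, so network access to it should be limited to the UI server.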
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved