theforeman · ehelms · Apr 23, 2026
diff --git a/src/roles/candlepin/tasks/certs.yml b/src/roles/candlepin/tasks/certs.yml
@@ -46,6 +46,26 @@
   notify:
     - Restart candlepin
 
+- name: Create the podman secret for Tomcat certificate
+  containers.podman.podman_secret:
+    state: present
+    name: candlepin-tomcat-cert
+    path: "{{ candlepin_tomcat_certificate }}"
+    labels:
+      app: tomcat
+  notify:
+    - Restart candlepin
+
+- name: Create the podman secret for Tomcat key
+  containers.podman.podman_secret:
+    state: present
+    name: candlepin-tomcat-key
+    path: "{{ candlepin_tomcat_key }}"
+    labels:
+      app: tomcat
+  notify:
+    - Restart candlepin
+
 - name: Create the podman secret for Tomcat keystore
   containers.podman.podman_secret:
     state: present

diff --git a/src/roles/candlepin/tasks/main.yml b/src/roles/candlepin/tasks/main.yml
@@ -76,6 +76,8 @@
     secrets:
       - 'candlepin-ca-cert,target=/etc/candlepin/certs/candlepin-ca.crt,mode=0440,type=mount'
       - 'candlepin-ca-key,target=/etc/candlepin/certs/candlepin-ca.key,mode=0440,type=mount'
+      - 'candlepin-tomcat-cert,target=/etc/candlepin/certs/tomcat.crt,mode=0440,type=mount'
+      - 'candlepin-tomcat-key,target=/etc/candlepin/certs/tomcat.key,mode=0440,type=mount'
       - 'candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440,type=mount'
       - 'candlepin-tomcat-truststore,target=/etc/candlepin/certs/truststore,mode=0440,type=mount'
       - 'candlepin-candlepin-conf,target=/etc/candlepin/candlepin.conf,mode=0440,type=mount'

diff --git a/src/roles/candlepin/templates/server.xml.j2 b/src/roles/candlepin/templates/server.xml.j2
@@ -20,8 +20,8 @@
  -->
 <Server port="8005" shutdown="SHUTDOWN">
 
-  <!--APR library loader. Documentation at /docs/apr.html -->
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!--OpenSSL library loader using FFM. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" />
   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
   <!-- JMX Support for the Tomcat server. Documentation at /docs/non-existent.html -->
@@ -62,24 +62,21 @@
          APR (HTTP/AJP) Connector: /docs/apr.html
          Define a non-SSL HTTP/1.1 Connector on port 8080
     -->
-    <!-- Define a SSL HTTP/1.1 Connector on port <%= $ssl_port %>
-         This connector uses the JSSE configuration, when using APR, the
-         connector should be using the OpenSSL style configuration
-         described in the APR documentation -->
+    <!-- Define a SSL HTTP/1.1 Connector using OpenSSL via FFM -->
 
     <Connector port="{{ candlepin_ssl_port }}"
                address="{{ candlepin_hostname }}"
-               protocol="HTTP/1.1"
+               protocol="org.apache.coyote.http11.Http11NioProtocol"
                SSLEnabled="true"
-               maxThreads="150" scheme="https" secure="true"
-               clientAuth="want"
-               sslProtocol="{{ candlepin_tls_versions | join(',') }}"
-               sslEnabledProtocols="{{ candlepin_tls_versions | join(',') }}"
-               keystoreFile="/etc/candlepin/certs/keystore"
-               keystorePass="{{ candlepin_keystore_password }}"
-               keystoreType="PKCS12"
-               ciphers="{{ candlepin_ciphers | join(',\n                   ') }}"
-    />
+               maxThreads="150" scheme="https" secure="true">
+        <SSLHostConfig certificateVerification="optional"
+                       protocols="{{ candlepin_tls_versions | join(',') }}"
+                       caCertificateFile="/etc/candlepin/certs/candlepin-ca.crt"
+                       ciphers="{{ candlepin_ciphers | join(':') }}">
+            <Certificate certificateFile="/etc/candlepin/certs/tomcat.crt"
+                         certificateKeyFile="/etc/candlepin/certs/tomcat.key" />
+        </SSLHostConfig>
+    </Connector>
 
 
     <!-- An Engine represents the entry point (within Catalina) that processes

diff --git a/src/roles/candlepin/templates/tomcat.conf b/src/roles/candlepin/templates/tomcat.conf
@@ -19,7 +19,7 @@ TOMCAT_CFG_LOADED="1"
 TOMCATS_BASE="/var/lib/tomcats/"
 
 # Where your java installation lives
-JAVA_HOME="/usr/lib/jvm/jre-17"
+JAVA_HOME="/usr/lib/jvm/jre-25"
 
 # Where your tomcat installation lives
 CATALINA_HOME="/usr/share/tomcat"
@@ -28,7 +28,7 @@ CATALINA_HOME="/usr/share/tomcat"
 CATALINA_TMPDIR="/var/cache/tomcat/temp"
 
 # You can pass some parameters to java here if you wish to
-JAVA_OPTS="-Xms1024m -Xmx4096m -Dcom.redhat.fips=false"
+JAVA_OPTS="-Xms1024m -Xmx4096m -Dcom.redhat.fips=false --enable-native-access=ALL-UNNAMED"
 
 # You can change your tomcat locale here