<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="TOMCATHOME/conf/tomcat.p12"
    keystorePass="keypassword"
    keystoreType="PKCS12"
    clientAuth="false"
    sslProtocol="TLS"/>

• Zertifikat: /usr/syno/etc/certificate/system/default/*.pem (4 Files)

openssl pkcs12 -export \
    -in "/usr/syno/etc/certificate/system/default/cert.pem" \
    -inkey "/usr/syno/etc/certificate/system/default/privkey.pem" \
    -certfile "/usr/syno/etc/certificate/system/default/fullchain.pem" \
    -out tomcat.p12 \
    -name tomcat \
    -passout pass:keypassword

• Berechtigungen setzen: chown http, chmod 640 (tomcat.p12)
• Router: Port weiterleiten: 443 → 8443
• Sicherheit → Firewall → Regeln bearbeiten
• Port 8443 freigeben

<Host name="localhost" ...
deployIgnore="@eaDir|.synology|#recycle|.git|.gitignore">

2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
2localhost.org.apache.juli.FileHandler.encoding = UTF-8
2localhost.org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter

# %1$tX = Datum und Uhrzeit, X = F,T,...
# %2$s = Source Class Name
# %3$s = Source Method Name
# %$4s = Log-Level
# %5$s = Message
# %6$s = Exception
java.util.logging.SimpleFormatter.format = %1$tF %1$tT [%4$s] %3$s:\n%5$s %6$s\n

<role rolename="rolename"/>

<user username="username" password="password" roles="rolename,..."/>

• User-Login für Servlets
• File: www/project/WEB-INF/web.xml

<security-role>
    <role-name>rolename</role-name>
    <!-- weitere verwendete Rollen -->
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- pattern: /index.html, /page/*, *.ext -->
    </web-resource-collection>
    <!-- weitere Web-Resourcen (url-pattern) -->
    <auth-constraint>
        <role-name>rolename</role-name>
        <!-- weitere Zugriffs-Rollen -->
    </auth-constraint>
</security-constraint>
<!-- weitere security-constraints -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Secure Area</realm-name>
</login-config>