
Deploying H2 Docker versions quickly with TLS / SSL


This post adds to my previous post: Deploying H2 Docker versions quickly


In addition to configuring the basic Docker Images and Containers, it's also possible to deploy them with a TLS / SSL certificate and access the instances via HTTPS.


For this, a valid certificate is required inside a .jks keystore. I'm using a self-signed certificate, but a certificate from a commercial CA is even better! The certificate must be issued for the name of the machine that runs Docker and that users access via their browser; in my case this is "mne-docker". The password for the keystore and the password for the private key must be the same, as this is a Tomcat limitation. In my case it's super secret: "Password123456".


I have the following directory structure on my host operating system:


  • /home/ts/docker/
    • certificates
      • mne-docker.jks
    • twx.8.2.x.h2
      • Dockerfile
      • settings
        • platform-settings.json
        • <license_file>
      • storage
      • Thingworx.war


The Recipe File


In the Recipe File I make sure that a new Connector on port 8443 is created, replacing the old one on port 8080.

I do this with a simple sed replacement, which also introduces options for content compression.

I'm only replacing the first line of the XML node, as it holds all the attributes I need to change.


Changes to the original version I posted are in green


# Base image and metadata
FROM tomcat:latest
LABEL version="8.2.0"
LABEL database="H2"
# Directories for the certificate, platform settings, storage and backups
RUN mkdir -p /cert
RUN mkdir -p /ThingworxPlatform
RUN mkdir -p /ThingworxStorage
RUN mkdir -p /ThingworxBackupStorage
# JVM options (note: -d64 is only accepted by Java 8 and older JVMs; newer ones reject it)
ENV JAVA_OPTS="-server -d64 -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Duser.timezone=GMT -XX:+UseNUMA -XX:+UseG1GC -Djava.library.path=/usr/local/tomcat/webapps/Thingworx/WEB-INF/extensions"
# Replace the plain HTTP Connector on 8080 with a TLS Connector on 8443 (keystore from /cert) and enable content compression
RUN sed -i 's/<Connector port="8080" protocol="HTTP\/1.1"/<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" enableLookups="false" keystoreFile="\/cert\/mne-docker.jks" keystorePass="Password123456" ciphers="TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" compression="on" compressableMimeType="text\/html,text\/xml,text\/plain,text\/css,text\/javascript,application\/javascript,application\/json"/g' /usr/local/tomcat/conf/server.xml
# Deploy the platform and expose the settings, storage and certificate directories as volumes
COPY Thingworx.war /usr/local/tomcat/webapps
VOLUME ["/ThingworxPlatform", "/ThingworxStorage", "/cert"]


Note that I also map the /cert directory to the outside as a volume, so all of my Containers can access the same certificate. I mount it read-only.
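To check that the Connector replacement really lands before baking it into an image, here is an added shell example (not from the original post) that applies the same sed substitution to a constructed server.xml and verifies that one HTTPS Connector on 8443 is present and no HTTP Connector on 8080 remains. KEYSTORE_FILE and KEYSTORE_PASS are assumed variable names, their defaults are the placeholder values from the post, and the long cipher list is left out.

```shell
# Added example, not from the original post: apply the Recipe File's Connector
# replacement to a copy of server.xml and verify it. KEYSTORE_FILE/KEYSTORE_PASS
# are assumed variable names defaulting to the post's placeholder values; the
# long cipher list from the post is left out here. Needs GNU sed (sed -i).
# Constructed sample: the stock Tomcat HTTP Connector as shipped in server.xml.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
}

# Same substitution as the Dockerfile's RUN sed step: only the opening line of
# the Connector node is rewritten; the attributes on the following lines stay.
# A password written into a RUN line is kept in the image's layer metadata and
# shows up in "docker history", so treat the built image itself as sensitive.
rewrite_connector() {
    ks_file="${KEYSTORE_FILE:-/cert/mne-docker.jks}"
    ks_pass="${KEYSTORE_PASS:-Password123456}"
    sed -i "s|<Connector port=\"8080\" protocol=\"HTTP/1.1\"|<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\" maxThreads=\"150\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLS\" enableLookups=\"false\" keystoreFile=\"$ks_file\" keystorePass=\"$ks_pass\" compression=\"on\" compressableMimeType=\"text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json\"|" "$1"
}

# Check the result: exactly one TLS Connector on 8443 and no HTTP Connector on
# 8080 left behind (a leftover would silently keep plain HTTP reachable).
check_connector() {
    tls=$(grep -c '<Connector port="8443" .*SSLEnabled="true"' "$1" || true)
    plain=$(grep -c '<Connector port="8080"' "$1" || true)
    [ "$tls" -eq 1 ] && [ "$plain" -eq 0 ]
}

# Stand-alone run on the constructed file (point it at a real server.xml instead).
demo() {
    tmp=$(mktemp)
    write_sample_server_xml "$tmp"
    rewrite_connector "$tmp"
    check_connector "$tmp" && echo "OK: only the HTTPS Connector on 8443 remains" || echo "FAIL: replacement did not apply cleanly"
    rm -f "$tmp"
}
demo
```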





sudo docker build -t twx.8.2.x.h2 .

sudo docker run -d --name=twx.8.2.x.h2 -p 88:8443 -v /home/ts/docker/twx.8.2.x.h2/storage:/ThingworxStorage -v /home/ts/docker/twx.8.2.x.h2/settings:/ThingworxPlatform -v /home/ts/docker/certificates:/cert:ro twx.8.2.x.h2


Mapping the host port only to 8443 ensures that only HTTPS connections are accepted.

The :ro suffix in the volume mapping mounts the certificate directory read-only inside the container.


What next


Go ahead! Only secure stuff is kind of secure 😉

For more information on how to import the certificate into the Windows Certificate Manager so browsers recognize it, see also the "Trusting the Root CA" chapter in Trust & Encryption - Hands On.