Understand the Tomcat shutdown string change in Confluence Data Center 9.2.9+

Summary

This article explains the change to the Tomcat shutdown string in the Confluence Data Center 9.2.9+ server.xml file and how it affects your instance.

Starting Confluence Data Center 9.2.9, the Tomcat server.xml file includes a non-default, complex shutdown string such as C0MP13X5HUTD0WN instead of the traditional SHUTDOWN value. This change is a security hardening measure to reduce the risk of unauthorized shutdown commands being sent to the Tomcat shutdown port.

Solution

If you notice that the shutdown attribute in your server.xml file has changed from the default value to a complex string, you can safely keep this configuration or adjust it to meet your operational and security requirements.

Identify the shutdown configuration in server.xml

1. Locate your Confluence installation directory on the application node.

2. Go to the Tomcat configuration directory, typically the conf subdirectory under the installation directory.

3. Open the server.xml file in a text editor.

4. Find the <Server> element that defines the shutdown port and string, for example:

Understand the shutdown string behavior

The shutdown string is used when sending a shutdown command to the Tomcat shutdown port. Tomcat will only stop when:

• The shutdown port value matches the configured port on the <Server> element.

• The shutdown command string sent to that port matches the configured shutdown attribute exactly.

A complex, non-default shutdown string such as C0MP13X5HUTD0WN is valid and works as long as any shutdown scripts or tools you use send the same string. Using a complex string is considered a good security practice because it makes random or unauthorized shutdown attempts less likely to succeed.

Keep or change the shutdown string

You can choose one of the following approaches based on your operational needs.

Option 1: Keep the complex shutdown string

1. If you are comfortable with the complex shutdown string (for example, C0MP13X5HUTD0WN) and your shutdown scripts are updated to use it, you can leave the configuration as it is.

2. Ensure that any automation, scripts, or operational procedures that stop Confluence via the Tomcat shutdown port use the exact same string defined in the shutdown attribute.

3. No changes are required to Confluence startup. The shutdown string does not affect how Confluence starts.

Option 2: Change the shutdown string

1. Open server.xml in a text editor.

2. Locate the <Server> element, for example: <Server port='8000' shutdown='C0MP13X5HUTD0WN'>

3. Update the shutdown attribute to your preferred value. For example, to restore the traditional value: <Server port='8000' shutdown='SHUTDOWN'>

4. Save the file.

5. Restart Confluence.

Changing the shutdown string back to SHUTDOWN, or to any other non-empty value, does not affect the startup process. Confluence should start and run normally, as long as the server.xml file remains valid.

Operational considerations

• Always keep the shutdown string non-empty.

• Use the same shutdown string consistently across:

  • The server.xml configuration.

  • Any scripts or tools that call the Tomcat shutdown port.

• When upgrading Confluence, compare your existing server.xml with the one from the new version and decide whether to keep the bundled shutdown string, use your existing one, or adopt a new complex value that fits your security standards.

• If you maintain internal documentation or runbooks, record the chosen shutdown string so that your operations team can manage Confluence shutdowns consistently.