Jira Data Center 11.0.x and Tomcat 10.1 SSL Configuration Guide

Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira Data Center 11.0.x ships with Apache Tomcat 10.1. Customers terminating SSL directly on Tomcat must adapt configurations to use the newer SSLHostConfig model for TLS/SSL settings.

  • Tomcat 10.1 introduces a distinct SSLHostConfig block for TLS settings; prior in-line Connector attributes may be ignored or cause misconfiguration.

  • Sites terminating SSL on Tomcat must refactor server.xml to avoid startup warnings, TLS handshake failures, or loss of secure access.

  • Connector protocol and APR/Native deprecations may affect existing AJP/HTTP configurations and cipher compatibility.

  • If these settings are not enabled, then Jira startup will fail with below error:

24-Jan-2026 11:10:16.346 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector["https-jsse-nio-7010"]] org.apache.catalina.LifecycleException: Protocol handler start failed at org.apache.catalina.connector.Connector.startInternal(Connector.java:1115) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) at org.apache.catalina.core.StandardService.startInternal(StandardService.java:423) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:868) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) at org.apache.catalina.startup.Catalina.start(Catalina.java:758) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) at java.base/java.lang.reflect.Method.invoke(Method.java:580) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:342) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473) Caused by: java.lang.IllegalArgumentException: No SSLHostConfig element was found with the hostName [_default_] to match the defaultSSLHostConfigName for the connector [https-jsse-nio-7010] at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:84) at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224) at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1431) at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1514) at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:644) at org.apache.catalina.connector.Connector.startInternal(Connector.java:1112) ... 10 more

Solution

TLS material (keystores, certs, ciphers, protocols) now resides inside SSLHostConfig nested under Connector.

  • Backup <JIRA_installation_directory>/conf/server.xmland keystore files.

  • Confirm Java 21 environment per Jira 11 platform uplift and validate supported cipher/protocol policies.

  • Edit Connector and add SSLHostConfig (placeholder)

    • Add or update the HTTPS Connector to use NIO/NIO2, enable SSL, and nest SSLHostConfig with Certificate. Replace paths, passwords, and port with your environment values.

Jira Data Center 11.0.x and Tomcat 10.1 server.xml configuration

<!-- Placeholder example (JSSE, NIO) --> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"> <SSLHostConfig honorCipherOrder="true" protocols="TLSv1.2,TLSv1.3"> <Certificate certificateKeystoreFile="/path/to/keystore.p12" certificateKeystorePassword="REPLACE_WITH_SECURE_VALUE" certificateKeystoreType="PKCS12" type="RSA" /> </SSLHostConfig> </Connector> <!-- Optional: OpenSSL-backed JSSE implementation --> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" scheme="https" secure="true" SSLEnabled="true" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"> <SSLHostConfig> <Certificate certificateFile="/path/to/server.crt" certificateKeyFile="/path/to/server.key" certificateChainFile="/path/to/chain.pem" type="RSA" /> </SSLHostConfig> </Connector>

References

Updated on February 20, 2026
Platform
Data Center only
App
Jira Software Data Center (11.0 and later)
On this pageSummarySolution

Still need help?

The Atlassian Community is here for you.
Ask the Community