After the connector refactoring the JIoEndpoint that allowed to specify arbitrary ServerSocketFactory is no longer available.
However the AJP connector is almost ready to accept SSL connections if you allow some changes to Tomcat's codebase: the AbstractAjpProtocol class just lacks an implementation of the addSslHostConfig and findSslHostConfigs or better it has implementations that don't store or return anything with a very explicit comment:
SSL is not supported in AJP
If you change them as in AbstractHttp11Protocol, you'll be able to configure an AJP connector the same way you configure a HTTP/1.1 connector:
<Connector SSLEnabled="true" port="8009" protocol="AJP/1.3">
<SSLHostConfig ...>
<Certificate ... />
</SSLHostConfig>
</Connector>
Regarding the certificate storage you can implement your own KeyStoreSpi and security provider and use:
<Certificate certificateKeystoreProvider="your_provider"
certificateKeystoreType="your_type"
... />
Thank you. I had contacted tomcat users group also. The answer I got was also in similar directions
The answer from the tomcat-users group was not as detailed as yours. So your answer helped me. However, my final requirement is to read the certificate from a custom key store for AJP SSL also. Our Keystore already implements java.security.KeyStoreSpi. However I am not quite clear which classes in tomcat I should focus on making use of it. Do you have any guidelines?
You must create, test and register a custom security
Provider(cf. Oracle's documentation) which will provide only your custom keystore type. Once that is done you just need to providecertificateKeystoreTypein the<Certificate>element and Tomcat should use it.