Securing Traffic Between a Load Balancer and XTAM

Although some people consider securing the internal traffic inside XTAM server farm an unnecessary overkill, others may consider it a potential security vulnerability.

Regardless of either position, the XTAM solution does provide a rather straightforward process to secure the traffic between a load balancer and your XTAM web container(s).




Before you begin, please consider the following:

  • This applies to deployments where one or more XTAM nodes are configured behind a load balancer (as shown in the graphic above) or it could be used to secure external traffic to an XTAM server without the use of a load balancer.
  • This requires that you have possession of a SSL certificate from a trusted CA. One is required if it is configured for wildcards, however multiple may be necessary if the URL is explicitly defined.
  • If your security certificates are packaged in a format different than PFX, please contact support for additional assistance.
  • If your XTAM instance was deployed prior to April 2, 2018, please contact support for additional assistance.
  • If you are unsure if this is necessary for your deployment, please consult with your security or IT department.


  1. A deployed XTAM instance that is accessible from a load balancer, not configured to use localhost. Your XTAM instance should be using a URL like

  3. Your Load Balancer (Microsoft IIS or Apache HTTPD Server) is configured to pass external traffic to XTAM server using re-write rules to HTTP port 8080.

  5. Trusted SSL certificate file in PFX format and its associated password for your domain name like in item 1 above. In our example, that certificate would be for or *

Note: If you are using Apache, then the pfx file will need to be converted from individual certificate and private key files.

Configuring your XTAM Web Container(s) to accept HTTPS Traffic

  1. Login to the server that is hosting your XTAM server.

  3. Open a command window and navigate to $XTAM_HOME. This is the installation folder for XTAM.

  5. Next, we will need to encrypt your SSL certificate password by using the command below. This will generate your encrypted certificate password that will be used in a later step.
    1. For Windows, substitute your SSL certificate password with {PASSWORD} and issue this command:

      bin\PamDirectory Encrypt {PASSWORD}

    3. For Unix, substitute your SSL certificate password with {PASSWORD} and issue this command:

      bin/ Encrypt {PASSWORD}

  7. Open the file {XTAM_HOME}/web/conf/server.xml. Locate this line in the file:

    <!-- Define an AJP 1.3 Connector on port 8009 -->


    Immediately before that line, paste the following text:

               keystoreFile="PATH_TO_CERTIFICATE.pfx" keystorePass="ENCRYPTED_OR_CLEAR_PASSWORD"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true" proxyPort="443"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"/>

  9. In the above pasted text, replace


    keystoreFile=”PATH_TO_CERTIFICATE.pfx” with your SSL certificate location

    keystorePass=”ENCRYPTED_OR_CLEAR_PASSWORD” with your encrypted password from step 3, that includes everything in the output except Ok:


  10. Save and close this server.xml file.


  12. Restart the PamManagement (Windows) or pammanager (Linux) service.


  14. When the service is running again (takes ~ 60 seconds), check the XTAM server availability to server SSL traffic from the load balancer server using a URL similar to this:


  16. Re-write your load balancer rules referenced in Pre-requisite #2 to access the downstream XTAM server using the HTTPS protocol. When finished, restart IIS or Apache.


  18. Test XTAM accessibility from all available locations, internally and optionally externally, to ensure communication and functionality is working as it was previously.


  20. (Optional) You may now disable the connector on port 8080 also configured in the server.xml file. The disabled connector will look like this:

            <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000" secure="true"
                   redirectPort="8443" />

  22. Restart the PamManagement (Windows) or pammanager (Linux) service.