diff --git a/docker/Dockerfile.soda b/docker/Dockerfile.soda
index 155b29c90275758a3f61ebbd3b3067759a729f26..305e9df2464ed88351bcebf05513ab0bc27842fa 100644
--- a/docker/Dockerfile.soda
+++ b/docker/Dockerfile.soda
@@ -41,7 +41,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
  && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
 
 # change webapps-dir and preconfigure port 8080 (no SSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/
 
diff --git a/docker/Dockerfile.soda.temurin-jammy b/docker/Dockerfile.soda.temurin-jammy
index 893dd8469d58ac05587f27e5fa338b8445dabf83..709444e3e87029aa68b15c750cc75c3653800ef8 100644
--- a/docker/Dockerfile.soda.temurin-jammy
+++ b/docker/Dockerfile.soda.temurin-jammy
@@ -37,7 +37,7 @@ RUN echo "${INST_DIR}/lib" > /etc/ld.so.conf.d/ast.conf && ldconfig \
  && echo "fits_path_surveys=/srv/surveys" > $WEBAPP_DIR/WEB-INF/classes/cutout.properties
 
 # pre-configure port 8080 (no TSL)
-COPY deps/server.xml deps/server-connector.xml ${CATALINA_BASE}/conf/
+COPY deps/server.xml deps/server-connector.xml* ${CATALINA_BASE}/conf/
 COPY deps/soda.logging.properties ${CATALINA_BASE}/conf/
 COPY deps/setenv.sh ${CATALINA_BASE}/bin/
 
diff --git a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks b/docker/deps/server-connector.xml-8443
similarity index 83%
rename from docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
rename to docker/deps/server-connector.xml-8443
index 02ca4500189bcdf839f61eb03958e8284c4c9205..4ad63d46aff0ad5c714705420d6d9017f1ec7cdc 100644
--- a/docker/example-security/iamtoken/server-connector-8443.xml-self-signed-keystore-jks
+++ b/docker/deps/server-connector.xml-8443
@@ -4,7 +4,7 @@
         <SSLHostConfig>
             <Certificate certificateKeyAlias="tomcat"
                          certificateKeystoreFile="/etc/pki/tls/keystore.jks"
-                         certificateKeystorePassword="tomcatskassl"
+                         certificateKeystorePasswordFile="/etc/pki/tls/keystore.pwd"
                          type="RSA" />
         </SSLHostConfig>
    </Connector>
diff --git a/docker/start-soda.sh.soda b/docker/start-soda.sh.soda
index 90da39c6e8c2ad7644b08c2ae7e679db48774255..5f722c9d76869f6a18a1a181f952180ec71da333 100755
--- a/docker/start-soda.sh.soda
+++ b/docker/start-soda.sh.soda
@@ -8,13 +8,26 @@ whoami
 env
 
 
-## configure SODA
+# configure SODA
 
 mkdir -p $CATALINA_BASE/conf/Catalina/localhost
 cp $WEBAPP_DIR/META-INF/context.xml $CATALINA_BASE/conf/Catalina/localhost/$ACCESS_CONTEXT_ROOT.xml
 
+# configure TLS
 
-## Security
+if [ -f /etc/pki/tls/keystore.jks ] && [ -f /etc/pki/tls/keystore.pwd ];
+then
+   cp $CATALINA_BASE/conf/server-connector.xml-8443 $CATALINA_BASE/conf/server-connector.xml
+fi
+
+case $KEYSTORE_ALIAS in
+   *)
+      echo $KEYSTORE_ALIAS
+      sed -i "s/tomcat/$KEYSTORE_ALIAS/" $CATALINA_BASE/conf/server-connector.xml
+      ;;
+esac
+
+# env SECURITY (deprecated)
 
 case $SECURITY in
    iamtoken)
@@ -23,12 +36,8 @@ case $SECURITY in
       cp /etc/pki/tls/iamtoken.properties $WEBAPP_DIR/WEB-INF/classes/
       rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*0.11*.jar
       ;;
-   tls)
-      cp /etc/pki/tls/server-connector.xml $CATALINA_BASE/conf
-      rm -f $WEBAPP_DIR/WEB-INF/lib/jjwt-*.jar
-      ;;
    *)
-      echo "Security not configured, runs open."
+      echo "SECURITY not configured."
       ;;
 esac