Can the Tomcat shutdown port for CEM be changed to use a secure port? If it doesn't support encryption, can this port be shut down or the connection blocked for this port?

The Tomcat shutdown port cannot be configured to use SSL, but can be shut down/disabled by changing the port number to -1 in the Tomcat's server.xml file.

Example:

<Server port="8005" shutdown="CASHUTDOWN"> becomes <Server port="-1" shutdown="CASHUTDOWN">