Monday, July 3, 2017

tomcat6 - SSL configuration , Tomcat with Apache and mod_jk




I am looking to configure SSL with tomcat 6 and apache web server, using the tomcat connector mod_jk. I am pretty new to this, so please bear with me.



I have SSL certificate purchased and configured in tomcat using keystore file. It is perfectly working if access tomcat directly via https. Now i need apache in front of tomcat, my question is, do i need to provide certificate both in tomcat and apache or just the tomcat? Isn't apache supposed to just pass on the request to tomcat (using JkExtractSSL) and let it handle ssl authentication (verification of certificate)?



If certificate paths need to be configured in both apache and tomcat, then i have cert.p7b and certreq.csr files, which are surely not apache compatible, can you please tell how can i do that?



I have the following configuration so far:



httpd.conf:




    LoadModule ssl_module modules/mod_ssl.so
    LoadModule jk_module modules/mod_jk.so
    JkWorkersFile /usr/local/apache2/conf/workers.properties
    JkShmFile     logs/mod_jk.shm
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkMount  /mywebapp/* worker1
    JkExtractSSL On

    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT

    

       DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

       Alias /mywebap "/var/lib/tomcat6/webapps/mywebapp"

       
         Options Indexes FollowSymLinks
         AllowOverride NONE
         Order allow,deny
         Allow from all
       

      
         AllowOverride None
         Deny from all

      

    
    Include conf/extra/httpd-ssl.conf


httpd-ssl-conf:



    


       DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLOptions +StdEnvVars +ExportCertData

        Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"
        
           Options Indexes FollowSymLinks
           AllowOverride None

           Order allow,deny
           Allow from all
        

        JkMount /mywebapp/* worker1

        
           AllowOverride None
           Deny from all


Important to mention here is there is no SSLCertificateFile and SSLCertificateKeyFile configured in httpd-ssl.conf, as i am not sure, if it is needed in both tomcat and apache web server. I have it already configured in tomcat using keystore file.


Answer



SSL is used to encrypted communications between a client and your web
service. If you are putting Apache in front of Tomcat, then you need
to configure Apache with the SSL certificate...and you don't need it
at all for Tomcat, because Apache is handling all of the client
communication.





If certificate paths need to be configured in both apache and
tomcat, then i have cert.p7b and certreq.csr files, which are surely
not apache compatible, can you please tell how can i do that?




The .csr file is your certificate request and is not important.



This

question
has links that will help you convert your .p7b file into a
PEM-encoded certificate for use with Apache.



You can also export the PEM-encoded certificate from your keystore
using the -exportcert command:



keytool -exportcert -alias  | openssl x509 -inform der



The JkExtractSSL directive tells Apache to pass some SSL related
information to Tomcat. According to this document, that includes
the following environment variables:




  • SSL_CIPHER

  • SSL_CIPHER_USEKEYSIZE

  • SSL_SESSION_ID

  • SSL_CLIENT_CERT_CHAIN_n



-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...