Monday, July 3, 2017

tomcat6 - SSL configuration , Tomcat with Apache and mod_jk




I am looking to configure SSL with tomcat 6 and apache web server, using the tomcat connector mod_jk. I am pretty new to this, so please bear with me.



I have an SSL certificate purchased and configured in Tomcat using a keystore file. It works perfectly if I access Tomcat directly via HTTPS. Now I need Apache in front of Tomcat; my question is, do I need to provide the certificate in both Tomcat and Apache, or just in Tomcat? Isn't Apache supposed to just pass on the request to Tomcat (using JkExtractSSL) and let it handle the SSL authentication (verification of the certificate)?



If certificate paths need to be configured in both Apache and Tomcat, then I have cert.p7b and certreq.csr files, which are surely not Apache compatible; can you please tell me how I can do that?



I have the following configuration so far:



httpd.conf:




    LoadModule ssl_module modules/mod_ssl.so
    LoadModule jk_module modules/mod_jk.so
    JkWorkersFile /usr/local/apache2/conf/workers.properties
    JkShmFile logs/mod_jk.shm
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkMount /mywebapp/* worker1
    JkExtractSSL On

    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT

    # Note: with DocumentRoot inside the webapp, any URL not matched by JkMount is served
    # by Apache as a static file, JSP source included, and Options Indexes lists directories.
    DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

    # The original read "Alias /mywebap" (typo); the path is the same as the JkMount prefix
    Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"

    # The <Directory> container tags were lost when the post was extracted and are restored here
    <Directory "/var/lib/tomcat6/webapps/mywebapp">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # The container that denied everything presumably protected WEB-INF; its path is assumed
    <Directory "/var/lib/tomcat6/webapps/mywebapp/WEB-INF">
        AllowOverride None
        Deny from all
    </Directory>

    Include conf/extra/httpd-ssl.conf


httpd-ssl.conf:

    # The <VirtualHost> and <Directory> container tags were lost when the post was extracted.
    # The vhost address below is the stock httpd-ssl.conf default and is assumed.
    <VirtualHost _default_:443>

    DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

    SSLEngine on
    # Stock Apache 2.2 default string: it still admits LOW and 40-bit export-grade suites
    # and SSLv2 ciphers (only EXP56 is excluded). Replace it before this goes live.
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # +ExportCertData is what lets JkExtractSSL forward the client certificate to Tomcat
    SSLOptions +StdEnvVars +ExportCertData

    Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"

    <Directory "/var/lib/tomcat6/webapps/mywebapp">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    JkMount /mywebapp/* worker1

    # Path of this container assumed (the original only shows its two directives)
    <Directory "/var/lib/tomcat6/webapps/mywebapp/WEB-INF">
        AllowOverride None
        Deny from all
    </Directory>

    </VirtualHost>





Important to mention here is that there are no SSLCertificateFile and SSLCertificateKeyFile configured in httpd-ssl.conf, as I am not sure if they are needed in both Tomcat and the Apache web server. I already have them configured in Tomcat using the keystore file.


Answer



SSL is used to encrypt communications between a client and your web service. If you are putting Apache in front of Tomcat, then you need to configure Apache with the SSL certificate... and you don't need it at all for Tomcat, because Apache is handling all of the client communication.





If certificate paths need to be configured in both Apache and Tomcat, then I have cert.p7b and certreq.csr files, which are surely not Apache compatible; can you please tell me how I can do that?




The .csr file is your certificate request and is not important.



This question has links that will help you convert your .p7b file into a PEM-encoded certificate for use with Apache.



You can also export the PEM-encoded certificate from your keystore using the -exportcert command:

    # <keystore> and <alias> are placeholders for your keystore file and the key entry's alias;
    # without -keystore, keytool reads ~/.keystore rather than Tomcat's keystore
    keytool -exportcert -keystore <keystore> -alias <alias> | openssl x509 -inform der



The JkExtractSSL directive tells Apache to pass some SSL related
information to Tomcat. According to this document, that includes
the following environment variables:




  • SSL_CIPHER

  • SSL_CIPHER_USEKEYSIZE

  • SSL_SESSION_ID

  • SSL_CLIENT_CERT_CHAIN_n
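
The conversion the answer points to, plus the check that goes with it, as an added example that is not part of the original question or answer. A .p7b bundle carries certificates only, and keytool's -exportcert likewise yields only the certificate, so Apache still needs the private key out of the Tomcat keystore; the script below goes through PKCS#12 for that, then verifies that the certificate and key it produced actually belong together, and finally emits the mod_ssl directives the asker's httpd-ssl.conf is missing. The file names, the alias "tomcat", the password "changeit", the demo self-signed certificate and the output paths are all placeholders invented for this script; the only real inputs are the openssl and keytool commands themselves.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Converts what the asker
# already has, a cert.p7b bundle or the Tomcat JKS keystore, into the PEM files Apache's
# mod_ssl needs, and checks that certificate and private key belong together before
# httpd is restarted. File names, the alias "tomcat", the password "changeit" and the
# demo self-signed certificate are placeholders invented for this script.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the purchased certificate: a locally generated self-signed key and cert,
# wrapped as DER PKCS#7, which is what a CA-issued cert.p7b looks like on disk.
make_demo_p7b() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo.example" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
    openssl crl2pkcs7 -nocrl -certfile "$WORK/demo.crt" -outform DER -out "$WORK/cert.p7b"
}

# .p7b -> PEM. A .p7b holds certificates only (leaf plus, usually, the intermediates),
# never the private key. -print_certs writes every certificate in the bundle; the
# subject/issuer text lines it adds are ignored by mod_ssl.
p7b_to_pem() {   # $1 p7b file  $2 PEM output
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# JKS -> PEM key and cert. keytool cannot export a private key, so go through PKCS#12.
# Older keytool versions encrypt the bundle with RC2-40, which OpenSSL 3 only reads with
# -legacy, hence the second attempt.
jks_to_pem() {   # $1 keystore  $2 alias  $3 password  $4 output dir
    keytool -importkeystore -srckeystore "$1" -srcstorepass "$3" -srcalias "$2" \
        -destkeystore "$4/tomcat.p12" -deststoretype PKCS12 -deststorepass "$3" \
        -noprompt >/dev/null 2>&1
    for extra in "" "-legacy"; do
        if openssl pkcs12 $extra -in "$4/tomcat.p12" -passin "pass:$3" -nocerts -nodes \
                -out "$4/apache.key" 2>/dev/null &&
           openssl pkcs12 $extra -in "$4/tomcat.p12" -passin "pass:$3" -nokeys -clcerts \
                -out "$4/apache.crt" 2>/dev/null; then
            break
        fi
    done
    # mod_ssl reads the key as root at startup; nobody else needs it
    [ -s "$4/apache.key" ] && [ -s "$4/apache.crt" ] && chmod 600 "$4/apache.key"
}

# The check to run before editing httpd-ssl.conf: the certificate Apache serves must have
# been issued for the key it loads, otherwise mod_ssl refuses to start. Compare the public
# key inside the certificate with the one derived from the private key.
cert_matches_key() {   # $1 cert PEM  $2 key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The directives missing from the asker's httpd-ssl.conf, filled in with the converted
# files. Apache terminates TLS here; Tomcat only ever sees AJP, plus whatever
# JkExtractSSL forwards.
apache_ssl_fragment() {   # $1 cert  $2 key  $3 chain file (may equal $1)
    cat <<EOF
SSLEngine on
SSLCertificateFile      $1
SSLCertificateKeyFile   $2
SSLCertificateChainFile $3
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!RC4:!MD5
SSLOptions +StdEnvVars +ExportCertData
JkMount /mywebapp/* worker1
JkExtractSSL On
EOF
}

demo() {
    make_demo_p7b
    p7b_to_pem "$WORK/cert.p7b" "$WORK/chain.pem"
    cert_matches_key "$WORK/chain.pem" "$WORK/demo.key" && echo "certificate and key match"
    apache_ssl_fragment "$WORK/chain.pem" "$WORK/demo.key" "$WORK/chain.pem"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh convert.sh demo` to see the whole flow on the self-signed stand-in; for the real keystore, call `jks_to_pem /path/to/tomcat.keystore <alias> <password> /etc/apache2/ssl` and then `cert_matches_key` on the two files it wrote. If the purchased certificate came with intermediates, they end up in the same PEM file that `p7b_to_pem` writes, which is why the fragment points SSLCertificateChainFile at it; the private key, on the other hand, is never in the .p7b and must come from the keystore.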


