I am looking to configure SSL with Tomcat 6 and the Apache web server, using the Tomcat connector mod_jk. I am pretty new to this, so please bear with me.
I have an SSL certificate purchased and configured in Tomcat using a keystore file. It works perfectly if I access Tomcat directly via HTTPS. Now I need Apache in front of Tomcat. My question is: do I need to provide the certificate in both Tomcat and Apache, or just in Tomcat? Isn't Apache supposed to just pass the request on to Tomcat (using JkExtractSSL) and let it handle SSL authentication (verification of the certificate)?
If certificate paths need to be configured in both Apache and Tomcat, then I have cert.p7b and certreq.csr files, which are surely not Apache compatible. Can you please tell me how I can do that?
I have the following configuration so far:
httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /usr/local/apache2/conf/workers.properties
JkShmFile logs/mod_jk.shm
JkLogFile logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /mywebapp/* worker1
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"
Alias /mywebap "/var/lib/tomcat6/webapps/mywebapp"
Options Indexes FollowSymLinks
AllowOverride NONE
Order allow,deny
Allow from all
AllowOverride None
Deny from all
Include conf/extra/httpd-ssl.conf
httpd-ssl.conf:
DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +StdEnvVars +ExportCertData
Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
JkMount /mywebapp/* worker1
AllowOverride None
Deny from all
It is important to mention that there is no SSLCertificateFile or SSLCertificateKeyFile configured in httpd-ssl.conf, as I am not sure whether it is needed in both Tomcat and the Apache web server. I already have it configured in Tomcat using the keystore file.
Answer
SSL is used to encrypt communications between a client and your web
service. If you are putting Apache in front of Tomcat, then you need
to configure Apache with the SSL certificate...and you don't need it
at all for Tomcat, because Apache is handling all of the client
communication.
> If certificate paths need to be configured in both apache and
> tomcat, then I have cert.p7b and certreq.csr files, which are surely
> not apache compatible, can you please tell how can I do that?
The .csr file is your certificate request and is not important.
This question has links that will help you convert your .p7b file into a
PEM-encoded certificate for use with Apache.
You can also export the PEM-encoded certificate from your keystore
using the -exportcert command:
keytool -exportcert -alias | openssl x509 -inform der
The JkExtractSSL directive tells Apache to pass some SSL related
information to Tomcat. According to this document, that includes
the following environment variables:
SSL_CIPHER
SSL_CIPHER_USEKEYSIZE
SSL_SESSION_ID
SSL_CLIENT_CERT_CHAIN_n
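The .p7b to PEM conversion mentioned in the answer, as an added example that is not part of the original post: it converts the bundle for SSLCertificateFile and checks that the private key intended for SSLCertificateKeyFile belongs to the converted certificate. The function names and file names (server-chain.pem, server.key) are assumptions, and the private key is assumed to be available as a PEM file already.

```shell
#!/bin/sh
# Added example: function names and file names are assumptions.

# Convert a PKCS#7 bundle (.p7b) into PEM certificates that Apache's
# SSLCertificateFile can read. CAs ship .p7b either as PEM text or as
# raw DER, so detect the encoding instead of guessing.
p7b_to_pem() {
    src=$1; dst=$2
    if grep -q -e '-----BEGIN' "$src"; then form=PEM; else form=DER; fi
    # -print_certs also emits subject=/issuer= lines; keep only the certs.
    openssl pkcs7 -inform "$form" -in "$src" -print_certs 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$dst"
    # Succeed only if at least one certificate was written.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dst"
}

# Check that a private key belongs to the first certificate in a PEM file
# by comparing the public key derived from each. A mismatch here is what
# makes Apache refuse to start with a key/certificate error.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Direct use: sh p7b2pem.sh cert.p7b server.key
if [ "$#" -eq 2 ]; then
    p7b_to_pem "$1" server-chain.pem || { echo "no certificates in $1" >&2; exit 1; }
    key_matches_cert "$2" server-chain.pem || { echo "$2 does not match" >&2; exit 1; }
    echo "server-chain.pem is ready and matches $2"
fi
```

The key check reads only the first certificate in the file, so if the bundle lists a CA certificate before the server certificate, reorder the PEM output before running it.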