TomcatExpert

Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Sockets Layer (SSL) certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware’s commercial version, tc Server), SSL encryption and certificate authentication are terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certificate to authenticate with Tomcat


Configure Tomcat / tc Server to use SSL

  • Generate a JKS formatted keystore containing a self-signed certificate for use by Tomcat. keytool will prompt for the keystore password; that password is the keystorePass value used in the next step:

keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/tomcat.keystore

  • Configure Tomcat for secure SSL communications by modifying the server.xml file. It is important that the keystoreFile, keyAlias, and keystorePass attributes refer to the keystore, alias, and password respectively that were specified when running the command in the previous step:

<Connector SSLEnabled="true"
           acceptCount="100"
           connectionTimeout="20000"
           executor="tomcatThreadPool"
           keyAlias="tomcat"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="changeme"
           maxKeepAliveRequests="15"
           port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="8443"
           scheme="https"
           secure="true"/>

If you are using tc Server, you can streamline the previous steps by creating a new tc Server instance utilizing the bio-ssl template. This includes the required configuration in server.xml and a pre-generated tcserver.keystore file.

tcruntime-instance.sh create myNewInstance -t bio-ssl


Configure Tomcat / tc Server to Validate Client Certificates

  • Create a certificate authority (CA) key and self-signed CA certificate with OpenSSL. Every client certificate that Tomcat accepts will be signed by this CA, so keep ca.key off the web servers. (The 1024-bit key size shown dates from the original article; 2048 bits is the current minimum for RSA.)

openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

  • Generate a JKS formatted certificate authority file (the truststore) from ca.crt:

keytool -import -keystore cacerts.jks -storepass changeme -alias my_ca -file ca.crt

  • Modify the server.xml by adding the necessary attributes to configure client certificate authentication. The truststoreFile attribute points to the CA truststore for client certificates created in the last step, and clientAuth needs to be set to true. Tomcat uses the keystorePass value as the truststore password unless truststorePass is set, which is why the -storepass above matches keystorePass:

<Connector SSLEnabled="true"
           clientAuth="true"
           truststoreFile="${catalina.base}/conf/cacerts.jks"
           acceptCount="100"
           connectionTimeout="20000"
           executor="tomcatThreadPool"
           keyAlias="tomcat"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="changeme"
           maxKeepAliveRequests="15"
           port="${bio-ssl.https.port}"
           protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="${bio-ssl.https.port}"
           scheme="https"
           secure="true"/>

  • You can test this configuration by accessing your Tomcat / tc Server instance from a browser. You should be denied access, because your browser does not present the required client certificate and the SSL handshake fails.


Configure Apache Web Server / vFabric Web Server (http://www.vmware.com/products/application-platform/vfabric-web-server/overview.html)

  • Create a client certificate and key, signed by the same ca.crt that was created above:

openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config <path to your openssl.cnf>
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

  • Concatenate the client key and certificate files into a new file. The result contains the private key, so restrict its permissions to the user httpd runs as:

cat client.crt client.key > client.crtkey
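The CA and client-certificate steps above are easy to get subtly wrong (a certificate signed by the wrong CA, a key that does not match its certificate, a concatenated file with the wrong pieces), and Tomcat only reports such mistakes as a failed handshake. The script below is an added example, not code from the original tutorial: it builds the same CA and client certificate with OpenSSL and then runs the checks a practitioner would want before copying the files onto the servers. It assumes openssl is on PATH, treats keytool as optional, and uses constructed subject names ("Example Internal CA", "apache-web-server-01") and a temporary working directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): create the CA and client
# certificate the tutorial describes, then verify them before use.
# Assumptions: openssl on PATH; keytool optional; files written under WORKDIR.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# CA key plus self-signed CA certificate in one step (equivalent to the
# tutorial's genrsa + req + x509 -signkey sequence). Subject is constructed.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Client key and CSR, then a certificate signed by the CA. Subject is constructed;
# in practice use a name that identifies the web server instance.
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=apache-web-server-01" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -in "$WORKDIR/client.csr" -out "$WORKDIR/client.crt" 2>/dev/null
}

# Check 1: the client certificate chains to the CA that Tomcat's truststore holds.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Check 2: the private key and the certificate carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build the file SSLProxyMachineCertificateFile expects (certificate followed by
# key), lock it down, and confirm it holds exactly one of each.
make_crtkey() {
    cat "$WORKDIR/client.crt" "$WORKDIR/client.key" > "$WORKDIR/client.crtkey"
    chmod 600 "$WORKDIR/client.crtkey"
    certs=$(grep -c 'BEGIN CERTIFICATE' "$WORKDIR/client.crtkey")
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$WORKDIR/client.crtkey")
    [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ]
}

# Import the CA certificate into the JKS truststore Tomcat reads.
# Skipped when keytool is not installed on this machine.
make_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; JKS import skipped"; return 0; }
    keytool -importcert -noprompt -keystore "$WORKDIR/cacerts.jks" -storepass changeme \
        -alias my_ca -file "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Run every step and report each check; non-zero exit means something is wrong.
build_and_check() {
    make_ca && make_client_cert && make_crtkey && make_truststore
    if verify_chain; then echo "client.crt chains to ca.crt: OK"; else echo "chain check FAILED"; return 1; fi
    if key_matches_cert; then echo "client.key matches client.crt: OK"; else echo "key/cert mismatch"; return 1; fi
    echo "files written to $WORKDIR"
}

build_and_check
```

Set WORKDIR to a directory of your choosing to keep the output; ca.crt is what goes into cacerts.jks on the Tomcat side and client.crtkey is what SSLProxyMachineCertificateFile points at on the web server side. If a key is rotated later, rerunning the two checks catches a certificate that was re-issued against the wrong key before httpd starts failing handshakes.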
  • Configure Web Server to use mod_proxy_http. Ensure you replace each instance of “myApp” with the path to your application. mod_proxy, mod_proxy_balancer and mod_ssl must also be loaded for the directives below to work.

LoadModule proxy_http_module /opt/vfabric-web-server/httpd-2.2/modules/mod_proxy_http.so

<Proxy balancer://lbalancer>
   BalancerMember https://default:8443 route=node1 loadfactor=50
   ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass /myApp balancer://lbalancer/myApp
ProxyPassReverse /myApp https://default:8443/myApp

<Location /balancer-manager>
   SetHandler balancer-manager
   Allow from all
</Location>

Note that "Allow from all" makes the balancer-manager page, which can change member routing at runtime, reachable by every client; in production restrict it to administrative addresses or remove the Location block.
  • Configure mod_ssl to use the generated client certificate / key file when authenticating to tc Server. This directive points to the concatenated file from above; the path may be absolute or relative to ServerRoot:

SSLProxyMachineCertificateFile "ssl/client.crtkey"

  • Configure mod_ssl to use SSL for the proxy engine:

SSLProxyEngine on

This enables SSL toward Tomcat, but on its own httpd does not validate Tomcat's certificate (SSLProxyVerify defaults to none). If the web server should also authenticate Tomcat, set SSLProxyVerify require and point SSLProxyCACertificateFile at the CA that issued Tomcat's certificate (or at Tomcat's self-signed certificate itself).

  • You can test the complete configuration by pointing your browser at your application on the web server (e.g. https://<web server host>:<port>/myApp). Because your web server is configured with the appropriate client certificate, you will see your application.
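The two mod_ssl directives above make httpd present a client certificate, but a configuration that stops there still accepts any certificate Tomcat presents. The script below is an added example, not part of the original tutorial: it audits an httpd configuration file for the proxy SSL directives, reporting the two the tutorial sets and the two (SSLProxyVerify, SSLProxyCACertificateFile) that make httpd verify Tomcat in turn. The two configuration files it checks are constructed inline, one mirroring the tutorial as written and one hardened; the "ssl/tomcat-ca.crt" path in the hardened sample is a placeholder. Include directives are not followed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the mod_ssl proxy
# directives in an httpd configuration. Assumption: a single plain config
# file; Include directives are not followed.
set -eu

# Constructed sample 1: the tutorial's proxy settings as given.
TUTORIAL_CONF=$(mktemp)
cat > "$TUTORIAL_CONF" <<'EOF'
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPass /myApp balancer://lbalancer/myApp
SSLProxyMachineCertificateFile "ssl/client.crtkey"
SSLProxyEngine on
EOF

# Constructed sample 2: the same settings plus verification of Tomcat's
# certificate against a CA file (path is a placeholder).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyPass /myApp balancer://lbalancer/myApp
SSLProxyEngine on
SSLProxyMachineCertificateFile "ssl/client.crtkey"
SSLProxyVerify require
SSLProxyCACertificateFile "ssl/tomcat-ca.crt"
EOF

# Print the first value of a directive (case-insensitive, quotes stripped),
# or nothing when the directive is absent or only appears in a comment.
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}' | tr -d '"'
}

# One line per finding on stdout; exit 1 if anything is missing or weak.
audit_proxy_ssl() {
    conf=$1
    rc=0
    [ "$(directive_value "$conf" SSLProxyEngine | tr 'A-Z' 'a-z')" = "on" ] \
        || { echo "MISSING: SSLProxyEngine on (httpd will not speak SSL to Tomcat)"; rc=1; }
    [ -n "$(directive_value "$conf" SSLProxyMachineCertificateFile)" ] \
        || { echo "MISSING: SSLProxyMachineCertificateFile (no client certificate for Tomcat)"; rc=1; }
    [ "$(directive_value "$conf" SSLProxyVerify | tr 'A-Z' 'a-z')" = "require" ] \
        || { echo "WEAK: SSLProxyVerify is not 'require' (Tomcat's certificate is not validated)"; rc=1; }
    [ -n "$(directive_value "$conf" SSLProxyCACertificateFile)" ] \
        || { echo "MISSING: SSLProxyCACertificateFile (no CA to validate Tomcat against)"; rc=1; }
    return $rc
}

# Number of findings for a config file.
finding_count() {
    audit_proxy_ssl "$1" | wc -l | tr -d ' '
}

# Usage: audit both samples and summarise.
for f in "$TUTORIAL_CONF" "$HARDENED_CONF"; do
    echo "== $f: $(finding_count "$f") finding(s)"
    audit_proxy_ssl "$f" || true
done
```

Run it against your real httpd.conf by calling audit_proxy_ssl with the path; the tutorial sample yields two findings (SSLProxyVerify and SSLProxyCACertificateFile) and the hardened sample none. The audit only reads the file, so it is safe to add to a configuration review or a pre-deployment check.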

Jonathan Fullam has over 12 years of experience with software development with a heavy focus on enterprise Java based applications and open source frameworks. Currently employed by SpringSource, a division of VMware, Jonathan advises enterprises on building scalable architectures using modern technologies and tools. With a passion for public speaking, he most recently presented Test Driven Development at the 2011 Java Server Side Symposium. Jonathan received his education from The College of New Jersey where he obtained a B.S. in computer science.

Comments

Apache httpd binaries not available on apache site

I was wondering by seeing no reason for making httpd 64 bit binaries not available on Apache site. Clever enough though quoted "the compiled binaries are provided by volunteers"? looks like major fund flow from Microsoft to Apache foundation started this politics? Now people are depending on other contributors, which eventually a good reason to adopt iis on enterprise world?

How would this scale? What if

How would this scale? What if I have multiple Apache servers and multiple Tomcat servers with a load balancer between them? How would you manage all the server/client certificates?
