TomcatExpert

Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Socket Layer, or SSL, certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware's commercial version, tc Server), the SSL encryption and certificate authentication are terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certificate to authenticate with Tomcat


Configure Tomcat / tc Server to use SSL

  • Generate a JKS formatted keystore containing a self-signed certificate for use by Tomcat
keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/tomcat.keystore
  • Configure Tomcat for secure SSL communications by modifying the server.xml file. It is important that the keystoreFile, keyAlias, and keystorePass attributes refer to the keystore, alias, and password, respectively, that were specified when running the command in the previous step.
<Connector SSLEnabled="true"
           acceptCount="100"
           connectionTimeout="20000"
           executor="tomcatThreadPool"
           keyAlias="tomcat"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="changeme"
           maxKeepAliveRequests="15"
           port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="8443"
           scheme="https"
           secure="true"/>

If you are using tc Server, you can streamline the previous steps by creating a new tc Server instance utilizing the bio-ssl template. This includes the required configurations in server.xml and a pre-generated tcserver.keystore file.

tcruntime-instance.sh create myNewInstance -t bio-ssl


Configure Tomcat / tc Server to Validate Client Certificates

  • Generate a certificate authority (CA) key and a self-signed CA certificate with OpenSSL. This CA will sign the client certificates that Tomcat accepts.
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  • Generate a JKS formatted certificate authority (truststore) file containing ca.crt
keytool -import -keystore cacerts.jks -storepass changeme -alias my_ca -file ca.crt
  • Modify the server.xml by adding the attributes needed for client certificate authentication. The truststoreFile attribute points to the CA truststore for client certificates created in the last step, and clientAuth needs to be set to true so that connections without a certificate signed by that CA are rejected.
<Connector SSLEnabled="true"
           clientAuth="true"
           truststoreFile="${catalina.base}/conf/cacerts.jks"
           acceptCount="100"
           connectionTimeout="20000"
           executor="tomcatThreadPool"
           keyAlias="tomcat"
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="changeme"
           maxKeepAliveRequests="15"
           port="${bio-ssl.https.port}"
           protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="${bio-ssl.https.port}"
           scheme="https"
           secure="true"/>
  • You can test this configuration by accessing your Tomcat / tc Server instance from a browser. You should be denied access as your browser does not have the required client certificate configured.


Configure Apache Web Server / vFabric Web Server (http://www.vmware.com/products/application-platform/vfabric-web-server/overview.html)

  • Create a client certificate and key, signed by the same ca.crt and ca.key that were created above.
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config <your openssl.cnf>
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
  • Concatenate the client certificate and key files into a new file.
cat client.crt client.key > client.crtkey
  • Configure Web Server to use mod_proxy_http. Ensure you replace every instance of "myApp" with the path to your application.
LoadModule proxy_http_module /opt/vfabric-web-server/httpd-2.2/modules/mod_proxy_http.so

<Proxy balancer://lbalancer>
   BalancerMember https://default:8443 route=node1 loadfactor=50
   ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass /myApp balancer://lbalancer/myApp
ProxyPassReverse /myApp https://default:8443/myApp

<Location /balancer-manager>
   SetHandler balancer-manager
   Allow from all
</Location>
  • Configure mod_ssl to use the generated client certificate / key file when authenticating to tc Server. This directive points to the concatenated file from above.
SSLProxyMachineCertificateFile "ssl/client.crtkey"
  • Configure mod_ssl to use SSL for the proxy engine.
SSLProxyEngine on
  • You can test the complete configuration by pointing your browser at your web server (i.e. https://:/myApp). Because your web server is configured with the appropriate client certificate, you will see your application.
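As an added example (not code from the article, Tomcat or httpd), the following Python check reads a server.xml and an httpd proxy fragment like the ones in the "Validate Client Certificates" and "Configure Apache Web Server" steps above and reports whether the two halves actually enforce what those steps intend: a connector that requires a CA-signed client certificate, a proxy that speaks TLS to it and presents a client certificate, and matching ports. The sample XML and httpd text are constructed from the article's snippets and the function names are my own; the attribute and directive names are the real Tomcat and mod_ssl ones.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's client-auth connector, trimmed to the attributes
# this check reads (tc Server's ${bio-ssl.https.port} placeholder would need resolving).
SERVER_XML = """<Server><Service>
  <Connector SSLEnabled="true" clientAuth="true"
             truststoreFile="${catalina.base}/conf/cacerts.jks"
             keystoreFile="${catalina.base}/conf/tomcat.keystore"
             keystorePass="changeme" port="8443" scheme="https" secure="true"/>
</Service></Server>"""

# Constructed sample: the proxy and mod_ssl directives from the tutorial's httpd config.
HTTPD_CONF = """<Proxy balancer://lbalancer>
   BalancerMember https://default:8443 route=node1 loadfactor=50
</Proxy>
SSLProxyMachineCertificateFile "ssl/client.crtkey"
SSLProxyEngine on
"""

def audit_tomcat(xml_text):
    """Findings per SSL connector: does it really require a CA-signed client cert?"""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled") != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        port = c.get("port")
        if c.get("clientAuth") != "true":  # unset, "false" or "want" still admits anyone
            findings.append(f"port {port}: clientAuth is {c.get('clientAuth') or 'unset'}")
        if not c.get("truststoreFile"):  # no CA to validate presented client certs against
            findings.append(f"port {port}: no truststoreFile")
        if c.get("keystorePass") == "changeme":
            findings.append(f"port {port}: keystorePass is the tutorial default")
    return findings

def audit_httpd(conf_text):
    """Findings for the proxy side: TLS to the backend, and a client cert to present."""
    findings = []
    directives = dict(re.findall(r"^\s*(SSLProxy\w+)\s+(\S+)", conf_text, re.M))
    if directives.get("SSLProxyEngine", "").lower() != "on":
        findings.append("SSLProxyEngine is not on: httpd will not speak TLS to Tomcat")
    if "SSLProxyMachineCertificateFile" not in directives:
        findings.append("no SSLProxyMachineCertificateFile: nothing to present to Tomcat")
    for url in re.findall(r"^\s*BalancerMember\s+(\S+)", conf_text, re.M):
        if not url.startswith("https://"):
            findings.append(f"BalancerMember {url} is plain http: backend traffic in clear text")
    return findings

def backend_ports_match(xml_text, conf_text):
    """True when every https BalancerMember targets a port an SSL connector listens on."""
    ssl_ports = {c.get("port") for c in ET.fromstring(xml_text).iter("Connector")
                 if c.get("SSLEnabled") == "true"}
    member_ports = re.findall(r"^\s*BalancerMember\s+https://[^:/\s]+:(\d+)", conf_text, re.M)
    return bool(member_ports) and all(p in ssl_ports for p in member_ports)
```

Running audit_tomcat against the first, SSL-only connector from the tutorial reports the missing clientAuth and truststoreFile, which is exactly the difference between "encrypted" and "restricted to known clients".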

Jonathan Fullam has over 12 years of experience with software development with a heavy focus on enterprise Java based applications and open source frameworks. Currently employed by SpringSource, a division of VMware, Jonathan advises enterprises on building scalable architectures using modern technologies and tools. With a passion for public speaking, he most recently presented Test Driven Development at the 2011 Java Server Side Symposium. Jonathan received his education from The College of New Jersey where he obtained a B.S. in computer science.

Comments

Apache httpd binaries not available on Apache site

I was wondering by seeing no reason for making httpd 64 bit binaries not available on Apache site. Clever enough though quoted "the compiled binaries are provided by volunteers"? looks like major fund flow from Microsoft to Apache foundation started this politics? Now people are depending on other contributors, which eventually a good reason to adopt iis on enterprise world?
