TomcatExpert

Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Socket Layer, or SSL, certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware’s commercial version, tc Server), the SSL encryption and certificate authentication is terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certifica te to authenticate with Tomcat

 

Configure Tomcat / tc Server to use SSL

  • Generate a JKS formatted keystore containing a self-signed certificate for use by Tomcat

 

keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/tomcat.keystore
  • Configure Tomcat for secure SSL communications by modifying the server.xml file. It is important that the keystoreFile, keyAlias, and keystorePass refer to the keystore, alias, and password respectively that were specified by running the command in the previous step
< Connector SSLEnabled="true"
  		   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="8443"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="8443"
                   scheme="https"
                   secure="true"/>

If you are using tc Server, you can streamline the previous steps by creating a new tc Server instance utilizing the bio-ssl template. This includes the required configurations in server.xml and a pre-generated tcserver.keystore file.

tcruntime-instance.sh  create myNewInstance -t bio-ssl

 

Configure Tomcat / tc Server to Validate Client Certificates

openssl genrsa -out ca.key 1024 
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  • Generate a JKS formatted certificate authority file
keytool -import -keystore cacerts.jks -storepass changeme -alias my_ca &ndash;file ca.crt
  • Modify the server.xml by adding the necessary attributes to configure client certificate authentication. The truststoreFile attribute points to the CA for client certificates created in the last step and clientAuth needs to be set to true.
< Connector SSLEnabled="true"
                   clientAuth="true"
                   truststoreFile="${catalina.base}/conf/cacerts.jks"
                   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="${bio-ssl.https.port}"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="${bio-ssl.https.port}"
                   scheme="https"
                   secure="true"/>
  • You can test this configuration by accessing your Tomcat / tc Server instance from a browser. You should be denied access as your browser does not have the required client certificate configured.

 

Configure Apache Web Server / vFabric Web Server (http://www.vmware.com/products/application-platform/vfabric-web-server/overview.html)

  • Create a client certificate and key. Use the same ca.crt as was create above.
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config <your openssl.cnf="">
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr &ndash;out client.crt
</your>
  • Concatenate the client key and certificate files into a new file.
cat client.crt client.key > client.crtkey
  • Configure Web Server to use mod_proxy_http. Ensure you replace instance of “myApp” with the path to your application.
LoadModule proxy_http_module /opt/vfabric-web-server/httpd-2.2/modules/mod_proxy_http.so
 
 
<proxy balancer:="" lbalancer="">
   BalancerMember https://default:8443 route=node1 loadfactor=50 
   ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
</proxy>
 
ProxyPass /myApp balancer://lbalancer/myApp
ProxyPassReverse /myApp https://default:8443/myApp
 
<location balancer-manager="">
   SetHandler balancer-manager
   Allow from all
</location>
  • Configure mod_ssl to use the generated client certificate / key file when authenticating to tc Server. This directive points to the concatenated file from above.
SSLProxyMachineCertificateFile "ssl/client.crtkey"
  • Configure mod_ssl to use SSL for the proxy engine.
SSLProxyEngine on
  • You can test the complete configuration by accessing your application by pointing your browser to you web server (ie. https://:/myApp. ). Because your web server is configured with the appropriate client certificate, you will see your application.

Jonathan Fullam has over 12 years of experience with software development with a heavy focus on enterprise Java based applications and open source frameworks. Currently employed by SpringSource, a division of VMware, Jonathan advises enterprises on building scalable architectures using modern technologies and tools.  With a passion for public speaking, he most recently presented Test Driven Developement at the 2011 Java Server Side Symposium.  Jonathan received his education from The College of New Jersey where he obtained a B.S. in computer science.

Comments

Apache httpd binaries not avaialable on apache site

I was wondering by seeing no reason for making httpd 64 bit binaries not available on Apache site.Clever enough though quoted "the compiled binaries are provided by volunteers"? looks like major fund flow from Microsoft to Apache foundation started this politics ?. Now people are depending on other contributors, which eventually a good reason to adopt iis on enterprise world ?

Below you will understand

Below you will understand what is important, the idea provides one of the links with an exciting site: Save The Marriage System

Below you will understand

Below you will understand what is important, the idea provides one of the links with an exciting site: Ways To Get Your Ex Back

You possess lifted an

You possess lifted an essential offspring..Blesss for using..I would want to study better latest transactions from this blog..preserve posting.. Survive In Bed

Within this webpage, you'll

Within this webpage, you'll see the page, you need to understand this data. dental implants

I invite you to the page

I invite you to the page where see how much we have in common. How To Give A Hand Job

Below you will understand

Below you will understand what is important, the idea provides one of the links with an exciting site: How to Turn a Guy On

sl786982

I think that everything has been described in systematic manner so that reader could get maximum information and learn many things. . PrintingVIP.com

sl786982

You ought to basically

You ought to basically fantastic not to mention solid advice, which means notice: The Bonding Code Review

sl786982

Very interesting blog. A lot of blogs I see these days don't really provide anything that I'm interested in, but I'm most definitely interested in this one. Just thought that I would post and let you known michael spencer gilroy

sl786982

sl786982

I don’t suppose many of websites give this kind of information. Apprendre la photo

sl786982

sl786982

I read your blogs regularly. Your humoristic way is amusing, continue the good work! feldco

sl786982

sl786982

I really appreciate this wonderful post that you have provided for us. I assure this would be beneficial for most of the people. feldco videos

sl786982

sl786982

Awesome post, exactly what i was searching for and i am anticipating perusing your different posts soon...!! feldco indeed

sl786982

sl786982

I would be supportive on all your articles and blogs as a result of they are simply up to the mark. feldco on twitter

sl786982

sl786982

I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. Feldco facebook page

sl786982

sl786982

I am overwhelmed by your post with such a nice topic. Usually I visit your blogs and get updated through the information you include but today’s blog would be the most appreciable. Well done! title classic boxing gloves

sl786982

sl786982

I experience considerable difficulties my considerations on substance, yet I truly felt I ought to here. Your article is truly awesome. I like the way you composed this data. amazon nutribullet

sl786982

sl786982

You are very brave focuses in this article. I would have never thought to be any of these on the off chance that I didn't go over this. Much appreciated!. sjohn lewis coffee maker

sl786982

sl786982

I feel equally divided between the two. I sometimes feel like Pawel, a citzen without a country. ikea duvet sets

sl786982

sl786982

Superb way of explaining, and great blog to get wonderful information. Lose 10 Pounds In A Month

sl786982

sl786982

Fascinating point for an online journal. I have been looking the Internet for no particular reason and happened upon your site. Impressive post. Much appreciated a ton for sharing your insight!
https://www.mulebar.com/fr/shop/equipement-sportif/

sl786982

sl786982

Wonderful blog post. This is absolute magic from you! I have never seen a more wonderful post than this one. You've really made my day today with this. I hope you keep this up http://www.fivephasesfarm.com/

sl786982

sl786982

I have as of late begun a web journal, the data you give on this website has helped me incredibly. A debt of gratitude is in order for the greater part of your time and work. writing services

sl786982

asidyah

Your once-in-a-lifetime event deserves a photographer who’s a perfect fit. Our list of the most accomplished wedding photographers in Washington, DC makes it easy to find the right match. craigslist flagging service

sl786982

sl786982

I have perused your web journal it is extremely useful for me. I need to express profound gratitude to you. I have bookmark your site for future redesigns. Fermin Ellerbe

sl786982

mosto

Jasa penyewaan mobil di malang berlokasi di daerah perkotaan dan biasa melayani para wisatawan yang datang ke malang batu yang membutuhkan transportasi wisata di kota dingin tersebut. Tempat penyewaan mobil di di malang batu bisa di booking secara online dengan kesepakatan. Biasanya pihak penyedia rental akan meminta uang DP dengan cara ditransfer sebagai tanda jadi kesepakatan antara penyedia rental mobil di malang terpercaya dan pihak yang akan menyewa. Tempat sewa mobil di malang terpercaya sewa mobil di malang.
Tempat sewa mobil di surabaya yang lokasinya berdekatan dengan stasiun atau bandara juanda sangat banyak. Anda bisa booking mudah dengan menghubungi kontak telpon kantor penyewaan mobil di kota surabaya tersebut. Anda bisa meminta pihak rental menjemput anda ke lokasi anda sampai dan nanti juga bisa meminta antar ke lokasi terakhir ketika masa sewa mobil sudah berakhir. Paket ini disebut paket sewa mobil surabaya free antar jemput. Lokasi sewa mobil surabaya yang bertarif murah sewa mobil di surabaya kota.
Ada 2 wahana yang bisa kelilingi ketika berkunjung ke wisata jatim park 2 yaitu museum satwa dan batu secret zoo. Kedua wahana tersebut merupakan kebun binatang modern yang dikemas dengan elegan dan sangat bersih. Cocok untuk wisata edukasi keluarga yang ingin mengetahui lebih dalam tentang satwa-satwa di dunia yang sudah mulai langka. Ada banyak macam replika satwa yang terpampang di museum satwa dan batu secret zoo dan juga ada keterangan yang bisa anda baca untuk mengetahui jenis-jenis satwa tersebut.

This article is an appealing

This article is an appealing wealth of informative data that is interesting and well-written. I commend your hard work on this and thank you for this information. You’ve got what it takes to get attention.
cow hides

sl786982

I think this is a better than regular content. You create this information amazing and hair in. You provide perusers a ton to consider and I welcome that type of writing http://www.actua-net.com/

sl786982

sl786982

I feel truly rich to have seen your page and envision such a mix of all the in like way overwhelming conditions looking. check

sl786982

Good website! I truly love

Good website! I truly love how it is easy on my eyes it is. I am wondering how I might be notified whenever a new post has been made. I have subscribed to your RSS which may do the trick? Have a great day!
Hitting Drills

I have read a few of the

I have read a few of the articles on your website now, and I really like your style of blogging. I added it to my favorites blog site list and will be checking back soon. Please check out my site as well and let me know what you think.
new futura condo

This is a brilliant blog! I'm

This is a brilliant blog! I'm very happy with the comments!..
cdl new futura new futura top new futura showflat

Excellent .. Amazing .. I’ll

Excellent .. Amazing .. I’ll bookmark your blog and take the feeds also…I’m happy to find so many useful info here in the post, we need work out more techniques in this regard, thanks for sharing.
SEO Salt Lake City

Thanks for posting this info.

Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts.
Motor Yacht Charter

Thanks for posting this info.

Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts.
learn here

This type of message always

This type of message always inspiring and I prefer to read quality content, so happy to find good place to many here in the post, the writing is just great, thanks for the post.
look at here

Thanks for the blog loaded

Thanks for the blog loaded with so many information. Stopping by your blog helped me to get what I was looking for.
Tambopata tours

This was a really great

This was a really great contest and hopefully I can attend the next one. It was alot of fun and I really enjoyed myself..
best brain supplements 2017

DANi

Nice post. I was checking constantly this blog and I am impressed! Extremely helpful information specially the last part I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck.
הדפסה על חולצות

Your blog provided us with

Your blog provided us with valuable information to work with. Each & every tips of your post are awesome. Thanks a lot for sharing. Keep blogging..
proplex

Excellent .. Amazing .. I’ll

Excellent .. Amazing .. I’ll bookmark your blog and take the feeds also…I’m happy to find so many useful info here in the post, we need work out more techniques in this regard, thanks for sharing.
Lelio Vieira Carneiro Junior

I found your this post while

I found your this post while searching for information about blog-related research ... It's a good post .. keep posting and updating information.
Sheraton Mactan Residences

Excellent .. Amazing .. I’ll

Excellent .. Amazing .. I’ll bookmark your blog and take the feeds also…I’m happy to find so many useful info here in the post, we need work out more techniques in this regard, thanks for sharing.
read the article

Excellent .. Amazing .. I’ll

Excellent .. Amazing .. I’ll bookmark your blog and take the feeds also…I’m happy to find so many useful info here in the post, we need work out more techniques in this regard, thanks for sharing.
go here

thanks for j sharing with

thanks for j sharing with that awesome articles thanks u a lot
rasoio elettrico | regolabarba | ferro da stiro con caldaia | Friggitrice ad Aria | scopa a vapore | ripetitore wifi | ripetitore wifi amplificatore wifi piastra a vapore | miglior aspirapolvere | skateboard elettrico | passeggino leggero | miglior smartphone | tablet per bambini -èjkk

How would this scale? What if

How would this scale? What if I have multiple Apache servers and multiple Tomcat servers with a load balancer between them? How would you manage all the server/client certificates?

http://celebrities.wiki/celebrity/kirsty-graham

This was really what I was hunting down, and I am lively to came here ! http://celebrities.wiki/celebrity/kirsty-graham

Lord of the Ocean

This is genuinely an astounding scrutinized for me. I have bookmarked it and I am countering looking articles. Keep doing radiant You have made a magnificent showing up. Lord of the Ocean

sl786982

My friend mentioned to me your blog, so I thought I’d read it for myself. Very interesting insights, will be back for more! pulsa elektrik

sl786982

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.