TomcatExpert

Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Socket Layer, or SSL, certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware’s commercial version, tc Server), the SSL encryption and certificate authentication is terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certifica te to authenticate with Tomcat

 

Configure Tomcat / tc Server to use SSL

  • Generate a JKS formatted keystore containing a self-signed certificate for use by Tomcat

 

keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/tomcat.keystore
  • Configure Tomcat for secure SSL communications by modifying the server.xml file. It is important that the keystoreFile, keyAlias, and keystorePass refer to the keystore, alias, and password respectively that were specified by running the command in the previous step
< Connector SSLEnabled="true"
  		   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="8443"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="8443"
                   scheme="https"
                   secure="true"/>

If you are using tc Server, you can streamline the previous steps by creating a new tc Server instance utilizing the bio-ssl template. This includes the required configurations in server.xml and a pre-generated tcserver.keystore file.

tcruntime-instance.sh  create myNewInstance -t bio-ssl

 

Configure Tomcat / tc Server to Validate Client Certificates

openssl genrsa -out ca.key 1024 
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  • Generate a JKS formatted certificate authority file
keytool -import -keystore cacerts.jks -storepass changeme -alias my_ca &ndash;file ca.crt
  • Modify the server.xml by adding the necessary attributes to configure client certificate authentication. The truststoreFile attribute points to the CA for client certificates created in the last step and clientAuth needs to be set to true.
< Connector SSLEnabled="true"
                   clientAuth="true"
                   truststoreFile="${catalina.base}/conf/cacerts.jks"
                   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="${bio-ssl.https.port}"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="${bio-ssl.https.port}"
                   scheme="https"
                   secure="true"/>
  • You can test this configuration by accessing your Tomcat / tc Server instance from a browser. You should be denied access as your browser does not have the required client certificate configured.

 

Configure Apache Web Server / vFabric Web Server (http://www.vmware.com/products/application-platform/vfabric-web-server/overview.html)

  • Create a client certificate and key. Use the same ca.crt as was create above.
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config <your openssl.cnf="">
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr &ndash;out client.crt
</your>
  • Concatenate the client key and certificate files into a new file.
cat client.crt client.key > client.crtkey
  • Configure Web Server to use mod_proxy_http. Ensure you replace instance of “myApp” with the path to your application.
LoadModule proxy_http_module /opt/vfabric-web-server/httpd-2.2/modules/mod_proxy_http.so
 
 
<proxy balancer:="" lbalancer="">
   BalancerMember https://default:8443 route=node1 loadfactor=50 
   ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
</proxy>
 
ProxyPass /myApp balancer://lbalancer/myApp
ProxyPassReverse /myApp https://default:8443/myApp
 
<location balancer-manager="">
   SetHandler balancer-manager
   Allow from all
</location>
  • Configure mod_ssl to use the generated client certificate / key file when authenticating to tc Server. This directive points to the concatenated file from above.
SSLProxyMachineCertificateFile "ssl/client.crtkey"
  • Configure mod_ssl to use SSL for the proxy engine.
SSLProxyEngine on
  • You can test the complete configuration by accessing your application by pointing your browser to you web server (ie. https://:/myApp. ). Because your web server is configured with the appropriate client certificate, you will see your application.

Jonathan Fullam has over 12 years of experience with software development with a heavy focus on enterprise Java based applications and open source frameworks. Currently employed by SpringSource, a division of VMware, Jonathan advises enterprises on building scalable architectures using modern technologies and tools.  With a passion for public speaking, he most recently presented Test Driven Developement at the 2011 Java Server Side Symposium.  Jonathan received his education from The College of New Jersey where he obtained a B.S. in computer science.

Comments

Apache httpd binaries not avaialable on apache site

I was wondering by seeing no reason for making httpd 64 bit binaries not available on Apache site.Clever enough though quoted "the compiled binaries are provided by volunteers"? looks like major fund flow from Microsoft to Apache foundation started this politics ?. Now people are depending on other contributors, which eventually a good reason to adopt iis on enterprise world ?

How would this scale? What if

How would this scale? What if I have multiple Apache servers and multiple Tomcat servers with a load balancer between them? How would you manage all the server/client certificates?

pengobatan alami tanpa efek samping

obat herbal gagal ginjal Untuk Menyembuhkan Penyakit Gagal Ginjal.
obat herbal kanker prostat telah mendapat berbagai kesaksian kesembuhan dari para pasien penyakit kanker prostat.
obat herbal miom yang secara alami mampu mengobati penyakit miom tanpa efek operasi.
obat herbal jantung koroner sanggup menormalkan kandungan kolesterol total dan kolesterol baik serta mampu menaikkan kolesterol HDL.

If your anorak is a actual

If your anorak is a actual cheap Moncler aphotic adumbration of amber that is about black, accept a atramentous shirt to abrasion beneath it, or even a aphotic gray. About any blush will go able-bodied with a aphotic amber anorak because it is so abutting to black. Accept the colors depending on what division it is. For example, abrasion a red shirt with your aphotic amber anorak to reflect the colors of the alteration leaves and the accepted feel of the season. If you are accessory a actual academic occasion, abrasion a brittle white shirt. A average amber anorak is a little harder to alike with. Abrasion a shirt beneath it that is either a altered adumbration of brown, white or a aloof color.It is a bargain cheap Moncler jackets aperture that offers the best prices for coats and jackets. Moncler jackets are fabricated from high-quality and abiding abstracts that accomplish anniversary section athletic abundant to bear the algid weather. When cutting a Moncler Jacket, the physique will absolutely feel balmy and adequate because of its autogenous material. It is absolutely a aces investment back you can accumulate these items until the next winter season. To dress up a Moncler down jacket, abrasion it with some simple, well-fitting trousers in a aloof color, like black, amber or khaki. If you're accomplishing something actual casual, like traveling to the abundance or to a actual accidental dinner, you can abrasion the Moncler jackets with nice jeans. However, you should alone abrasion them with jeans to places or contest area jackets at http://www.mohanan.co.uk are not required.

http://www.rfshoeoutlets.co.uk

You have shared an

You have shared an informative post as concerned to me because I have been searching for a better way to enable SSL communication and client certificate authentication between Apache Web Server and Apache Tomcat. I found that it is working! buckyballs for sale

MKTi Agencia de publicidad y Marketing Digital

I like to recommend exclusively fine plus efficient information and facts, hence notice it:
agencia de marketing

GAME HACK

cheats for hay day it's really nice and meanful. it's really cool blog. Linking is very useful thing.you have really helped lots of people who visit blog and provide them usefull information. clash of clans triche gratuit

Game Hack

cheats for hay day it's really nice and meanful. it's really cool blog. Linking is very useful thing.you have really helped lots of people who visit blog and provide them usefull information. clash of clans triche gratuit

It's really nice and meanful.

It's really nice and meanful. it's really cool blog. Linking is very useful thing.you have really helped lots of people who visit blog and provide them usefull information.The salvation diet review

vine flowers Really

vine flowers Really appreciate this wonderful post that you have provided for us.Great site and a great topic as well i really get amazed to read this. Its really good. paid for youtube views

Barbecued Hot Chicken Strips | Magic Skillet

It is very good, but look at the information at this address.
oven baked chicken recipes

David

Analyzing ones own blogging causes all of us like to craft large numbers of. Used to do an important which is relatively shocked through. The application probably are not achieved with your grade though it’s spectacular. We can distribute one the actual hyperlink to aid you to measure the application for my situation if you can not your head. details

amir

Which might succeed short-term, still it’s truly realistic long-term formula just for boys who want to come to be bring back a specialized child individuals can’t eliminate serious about.
Simple Profits Review

amir

From check on your blog, you've gotten previously had a relatively good feel by means of making.
Million Dollar Months Review

Davisd

This may be a really good hints mainly that will the ones novices at blogosphere, shorter together with complete information… Kudos meant for posting ours. Extremely important look over report. read more

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.