TomcatExpert

Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Socket Layer, or SSL, certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware’s commercial version, tc Server), the SSL encryption and certificate authentication is terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certifica te to authenticate with Tomcat

 

Configure Tomcat / tc Server to use SSL

  • Generate a JKS formatted keystore containing a self-signed certificate for use by Tomcat

 

keytool -genkey -alias tomcat -keyalg RSA -keystore $CATALINA_BASE/conf/tomcat.keystore
  • Configure Tomcat for secure SSL communications by modifying the server.xml file. It is important that the keystoreFile, keyAlias, and keystorePass refer to the keystore, alias, and password respectively that were specified by running the command in the previous step
< Connector SSLEnabled="true"
  		   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="8443"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="8443"
                   scheme="https"
                   secure="true"/>

If you are using tc Server, you can streamline the previous steps by creating a new tc Server instance utilizing the bio-ssl template. This includes the required configurations in server.xml and a pre-generated tcserver.keystore file.

tcruntime-instance.sh  create myNewInstance -t bio-ssl

 

Configure Tomcat / tc Server to Validate Client Certificates

openssl genrsa -out ca.key 1024 
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
  • Generate a JKS formatted certificate authority file
keytool -import -keystore cacerts.jks -storepass changeme -alias my_ca &ndash;file ca.crt
  • Modify the server.xml by adding the necessary attributes to configure client certificate authentication. The truststoreFile attribute points to the CA for client certificates created in the last step and clientAuth needs to be set to true.
< Connector SSLEnabled="true"
                   clientAuth="true"
                   truststoreFile="${catalina.base}/conf/cacerts.jks"
                   acceptCount="100"
                   connectionTimeout="20000"
                   executor="tomcatThreadPool"
                   keyAlias="tomcat"
                   keystoreFile="${catalina.base}/conf/tomcat.keystore"
                   keystorePass="changeme"
                   maxKeepAliveRequests="15"
                   port="${bio-ssl.https.port}"
                   protocol="org.apache.coyote.http11.Http11Protocol"
                   redirectPort="${bio-ssl.https.port}"
                   scheme="https"
                   secure="true"/>
  • You can test this configuration by accessing your Tomcat / tc Server instance from a browser. You should be denied access as your browser does not have the required client certificate configured.

 

Configure Apache Web Server / vFabric Web Server (http://www.vmware.com/products/application-platform/vfabric-web-server/overview.html)

  • Create a client certificate and key. Use the same ca.crt as was create above.
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -config <your openssl.cnf="">
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr &ndash;out client.crt
</your>
  • Concatenate the client key and certificate files into a new file.
cat client.crt client.key > client.crtkey
  • Configure Web Server to use mod_proxy_http. Ensure you replace instance of “myApp” with the path to your application.
LoadModule proxy_http_module /opt/vfabric-web-server/httpd-2.2/modules/mod_proxy_http.so
 
 
<proxy balancer:="" lbalancer="">
   BalancerMember https://default:8443 route=node1 loadfactor=50 
   ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
</proxy>
 
ProxyPass /myApp balancer://lbalancer/myApp
ProxyPassReverse /myApp https://default:8443/myApp
 
<location balancer-manager="">
   SetHandler balancer-manager
   Allow from all
</location>
  • Configure mod_ssl to use the generated client certificate / key file when authenticating to tc Server. This directive points to the concatenated file from above.
SSLProxyMachineCertificateFile "ssl/client.crtkey"
  • Configure mod_ssl to use SSL for the proxy engine.
SSLProxyEngine on
  • You can test the complete configuration by accessing your application by pointing your browser to you web server (ie. https://:/myApp. ). Because your web server is configured with the appropriate client certificate, you will see your application.

Jonathan Fullam has over 12 years of experience with software development with a heavy focus on enterprise Java based applications and open source frameworks. Currently employed by SpringSource, a division of VMware, Jonathan advises enterprises on building scalable architectures using modern technologies and tools.  With a passion for public speaking, he most recently presented Test Driven Developement at the 2011 Java Server Side Symposium.  Jonathan received his education from The College of New Jersey where he obtained a B.S. in computer science.

Comments

Apache httpd binaries not avaialable on apache site

I was wondering by seeing no reason for making httpd 64 bit binaries not available on Apache site.Clever enough though quoted "the compiled binaries are provided by volunteers"? looks like major fund flow from Microsoft to Apache foundation started this politics ?. Now people are depending on other contributors, which eventually a good reason to adopt iis on enterprise world ?

How would this scale? What if

How would this scale? What if I have multiple Apache servers and multiple Tomcat servers with a load balancer between them? How would you manage all the server/client certificates?

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.