
Thursday, May 15, 2014

SSL configuration on Apache web server and Tomcat application server

Below are the common steps you need to follow to configure SSL (TLS) on any application server or web server:


  1. A certificate (.crt) is required; the server presents it to the browser (client) whenever a client requests a connection to that server.
  2. Configure the certificate on your web/app server, together with the private key if it is not bundled with the certificate. Keep the private key readable only by the account the server runs as: anyone who obtains it can impersonate the server. **Not explaining SSL itself in this post, as a lot of good articles are already available.**
  3. Enable the https protocol on your app/web server on a specific port.

Configuring SSL on Tomcat 6 :-

  1. Tomcat stores the certificate and its private key in a keystore, which can be created with the Java keytool command.
  2. First create a keystore; by default this also generates a self-signed certificate inside it, which can later be replaced (keytool -import) by a certificate purchased from a certificate authority (CA). Browsers warn on a self-signed certificate, so use a CA-issued one for anything public.
               keytool -genkey -alias domain -keyalg RSA -keysize 2048
     On Windows the keystore is created by default as the hidden file .keystore in the user's profile folder, i.e. C:\Documents and Settings\<user name>\.keystore
  3. After you enter the passwords and the required information, you can export the certificate using the following command :-
               keytool -export -alias domain -file domain.crt
  4. Enable SSL in Tomcat by adding or uncommenting the following Connector element in conf/server.xml (keystoreFile points at the keystore created in step 2):
               <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                          maxThreads="150" scheme="https" secure="true"
                          clientAuth="false" sslProtocol="TLS"
                          keystoreFile="C:\Documents and Settings\user\.keystore"
                          keystorePass="*****" />
     The keystore password sits in clear text in server.xml, so restrict read access to that file to the account Tomcat runs as.

    
    5.   To force all requests onto SSL, add the following to the application's web.xml. Tomcat answers a plain-http request for a CONFIDENTIAL resource with a redirect to the redirectPort of the HTTP connector, so make sure that connector's redirectPort="8443" matches the SSL connector from step 4:
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Entire Application</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
          </security-constraint>
  
    6. Restart Tomcat and All done!! You should be able to access your Tomcat app server over https on port 8443.
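To check that the Tomcat side actually ended up the way the steps above intend, here is an added example in Python (not code from the original post). It parses a server.xml and a web.xml and reports the things a reviewer looks for after this setup: the SSL connector has scheme/secure/keystoreFile set and is not using the keytool default password, the plain HTTP connector's redirectPort names the SSL connector, the AJP connector (used by mod_jk later on this page) is bound to the loopback address, and web.xml carries a CONFIDENTIAL transport-guarantee for /*. The two XML documents are constructed inline for the example; the element and attribute names are Tomcat's own.

```python
"""Audit the Tomcat-side settings from the steps above.

Added example (not code from the original post): it parses a server.xml and a
web.xml and reports the misconfigurations that would undo the HTTPS setup.
The XML documents at the bottom are constructed for the example.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag):
    """Strip an XML namespace: '{http://java.sun.com/xml/ns/javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(xml_text):
    """Return a list of findings (empty list = clean) for the Connector elements in server.xml."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    https_ports = {c.get("port") for c in connectors
                   if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for c in connectors:
        port = c.get("port")
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            # mod_jk talks to this port; only the local Apache should be able to reach it, otherwise
            # the HTTPS-only constraint in web.xml is bypassed by talking to Tomcat directly
            if c.get("address") not in LOOPBACK:
                findings.append(f'AJP connector {port}: not bound to loopback, set address="127.0.0.1"')
        elif port in https_ports:
            for attr, want in (("scheme", "https"), ("secure", "true")):
                if c.get(attr, "").lower() != want:
                    findings.append(f'HTTPS connector {port}: {attr} should be "{want}"')
            if not c.get("keystoreFile"):
                findings.append(f"HTTPS connector {port}: keystoreFile missing")
            # Tomcat falls back to "changeit" when keystorePass is absent, so both cases are flagged
            if c.get("keystorePass", "") in ("", "changeit"):
                findings.append(f'HTTPS connector {port}: keystorePass unset or the keytool default "changeit"')
        else:
            # plain HTTP: a CONFIDENTIAL constraint redirects here, so it must name the TLS connector
            if c.get("redirectPort") not in https_ports:
                findings.append(f"HTTP connector {port}: redirectPort does not name an SSLEnabled connector")
    return findings


def audit_web_xml(xml_text):
    """Check that some security-constraint forces CONFIDENTIAL transport for the whole app (/*)."""
    root = ET.fromstring(xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return []
    return ["web.xml: no security-constraint with transport-guarantee CONFIDENTIAL for /*"]


# Constructed inputs: the connectors as they come out of the steps above, and a hardened variant.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
             scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
             keystoreFile="C:/Documents and Settings/user/.keystore" keystorePass="changeit" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = (WEAK_SERVER_XML
                       .replace('keystorePass="changeit"', 'keystorePass="use-a-real-secret"')
                       .replace('protocol="AJP/1.3"', 'protocol="AJP/1.3" address="127.0.0.1"'))

WEB_XML_FORCED_HTTPS = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

WEB_XML_PLAIN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"></web-app>'

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "server.xml:", audit_server_xml(text) or "OK")
    for label, text in (("forced-https", WEB_XML_FORCED_HTTPS), ("plain", WEB_XML_PLAIN)):
        print(label, "web.xml:", audit_web_xml(text) or "OK")
```

Run it against your real conf/server.xml and WEB-INF/web.xml by reading those files instead of the constructed strings. The AJP loopback check matters once Apache is put in front of Tomcat: with the AJP port reachable from the network, the "only the web server's ports are open" assumption made later on this page no longer holds.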


Configuring SSL on Apache 2


  1. Install OpenSSL and create a self-signed certificate using the command below :-
               openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt
     -nodes writes the private key unencrypted so that Apache can start without a passphrase prompt; make domain.key readable only by the account Apache runs as. As with Tomcat, browsers warn on a self-signed certificate, so use a CA-issued one for anything public.
  2. The above command creates two files: i) domain.key (the private key) and ii) domain.crt (the certificate).
  3. Copy these two files into the apache\conf folder.
  4. Edit httpd.conf and add/enable the following entries. SSLEngine on belongs inside a VirtualHost for port 443; set at top level it would apply to every Listen port, including plain port 80. The certificate and key file names must match the files created in step 1:
           LoadModule ssl_module modules/mod_ssl.so

           Listen 443
           <VirtualHost _default_:443>
               ServerName localhost
               SSLEngine on
               SSLCertificateFile conf/domain.crt
               SSLCertificateKeyFile conf/domain.key
               # forward the application to Tomcat over AJP; this needs mod_jk, set up in the next section
               JkMount /<app context path>/* ajp13
           </VirtualHost>

       5. Restart Apache and All done!!

Integrating Apache with tomcat :-


Ideally only the web server's ports are open to the outside and direct access to the application server is blocked (firewall ports 8080 and 8009, and bind the AJP connector to 127.0.0.1). With the configuration above we then also need to route every request for the web applications deployed on Tomcat through the web server; otherwise a client that can still reach Tomcat directly bypasses the SSL configuration on Apache.

1. Download the mod_jk module for Apache/Tomcat integration. I downloaded the following for use with Apache 2 on Windows (tomcat-connectors-1.2.39-windows-x86_64-httpd-2.4.x).

2. Extract the downloaded archive and copy the file mod_jk.so to the modules folder of Apache 2.

3. Create a workers.properties file inside the conf folder of Apache 2 (the file name must match the JkWorkersFile directive added to httpd.conf in step 4).


workers.properties
# Define 1 real worker named ajp13
worker.list=ajp13

# Set properties for worker named ajp13 to use ajp13 protocol,
# and run on port 8009
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
# cachesize / cache_timeout are the old names of connection_pool_size / connection_pool_timeout
# (renamed in mod_jk 1.2.16); the old names are still accepted
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.socket_timeout=300

Note:- Make sure the AJP/1.3 connector on port 8009 is enabled in tomcat/conf/server.xml, and bind it to the loopback address (address="127.0.0.1" on that Connector) so that only the local Apache can reach it.

4. Make the following changes in httpd.conf (the JkWorkersFile path must match the file created in step 3):

LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties

JkMount /<app context path>/* ajp13

5. Restart the server and All done!!

Load Balancer

Apache web server can be used to configure load balancing as well. For testing it, I installed two Tomcat instances and deployed the same web application on both instances.

Modifications are needed in the following files to configure the load balancer:

1. workers.properties file
2. httpd.conf file

workers.properties file


worker.list=loadbalancer

worker.tcruntime8280.port=8009
worker.tcruntime8280.host=localhost
worker.tcruntime8280.type=ajp13
worker.tcruntime8280.lbfactor=1

worker.tcruntime8380.port=8008
worker.tcruntime8380.host=localhost
worker.tcruntime8380.type=ajp13
worker.tcruntime8380.lbfactor=1

worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tcruntime8280,tcruntime8380

By default the lb worker uses sticky sessions (sticky_session=1), which requires each Tomcat's jvmRoute (the jvmRoute attribute of the <Engine> element in that instance's server.xml) to equal its worker name here, e.g. jvmRoute="tcruntime8280"; without that, requests belonging to one session can land on the other instance.

httpd.conf file

JkMount /<app context path>/* loadbalancer
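The single-worker file from the mod_jk section and the load-balancer file above follow the same worker.<name>.<property> layout, and the usual mistakes (a balanced_workers entry that is never defined, two members pointing at the same Tomcat, a zero lbfactor, a worker.list entry without properties) only show up as a mod_jk startup error or as silent misrouting. Here is an added example in Python (not code from the original post or from mod_jk) that parses a workers.properties file and lints it for those mistakes; the three property files it is run against are constructed inline, two of them being the listings on this page.

```python
"""Parse and sanity-check a mod_jk workers.properties.

Added example (not from the original post): the property files at the bottom are
constructed for it; the first two are the listings shown on this page.
"""
VALID_TYPES = {"ajp13", "ajp14", "lb", "status"}


def parse_workers(text):
    """Return (worker_list, workers): the names in worker.list and a name -> {property: value} map."""
    worker_list, workers = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            worker_list = [w.strip() for w in value.split(",") if w.strip()]
            continue
        parts = key.split(".")
        if len(parts) != 3 or parts[0] != "worker":
            continue  # global settings such as worker.maintain are not per-worker properties
        workers.setdefault(parts[1], {})[parts[2]] = value
    return worker_list, workers


def lint_workers(text):
    """Return a list of problems (empty = consistent) that would make mod_jk fail or misroute."""
    worker_list, workers = parse_workers(text)
    problems = []
    if not worker_list:
        problems.append("worker.list is missing or empty, so httpd has nothing to JkMount")
    for name in worker_list:
        if name not in workers:
            problems.append(f"worker.list names '{name}' but no worker.{name}.* properties exist")
    endpoints = {}  # (host, port) -> worker name, to catch two members on the same Tomcat
    for name, props in workers.items():
        wtype = props.get("type", "")
        if wtype not in VALID_TYPES:
            problems.append(f"{name}: type '{wtype}' is not one of {sorted(VALID_TYPES)}")
        elif wtype.startswith("ajp"):
            host, port = props.get("host"), props.get("port", "")
            if not host or not port.isdigit():
                problems.append(f"{name}: ajp worker needs a host and a numeric port")
            elif (host, port) in endpoints:
                # the balancer would count one Tomcat twice and keep sending traffic to it when it dies
                problems.append(f"{name}: same host:port as worker '{endpoints[(host, port)]}'")
            else:
                endpoints[(host, port)] = name
            lbfactor = props.get("lbfactor", "1")
            if not (lbfactor.isdigit() and int(lbfactor) > 0):
                problems.append(f"{name}: lbfactor must be a positive integer, got '{lbfactor}'")
        elif wtype == "lb":
            members = [m.strip() for m in props.get("balanced_workers", "").split(",") if m.strip()]
            if not members:
                problems.append(f"{name}: lb worker has no balanced_workers")
            for member in members:
                if member not in workers:
                    problems.append(f"{name}: balanced_workers names undefined worker '{member}'")
                elif not workers[member].get("type", "").startswith("ajp"):
                    problems.append(f"{name}: member '{member}' is not an ajp worker")
    return problems


# Constructed inputs. SINGLE_WORKER and PAGE_LB_WORKERS are the two listings on this page;
# BROKEN_WORKERS has an undefined member, two members on one port, and a zero lbfactor.
SINGLE_WORKER = """# Define 1 real worker named ajp13
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.socket_keepalive=1
"""

PAGE_LB_WORKERS = """worker.list=loadbalancer
worker.tcruntime8280.port=8009
worker.tcruntime8280.host=localhost
worker.tcruntime8280.type=ajp13
worker.tcruntime8280.lbfactor=1
worker.tcruntime8380.port=8008
worker.tcruntime8380.host=localhost
worker.tcruntime8380.type=ajp13
worker.tcruntime8380.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tcruntime8280,tcruntime8380
"""

BROKEN_WORKERS = """worker.list=loadbalancer
worker.tcruntime8280.port=8009
worker.tcruntime8280.host=localhost
worker.tcruntime8280.type=ajp13
worker.tcruntime8380.port=8009
worker.tcruntime8380.host=localhost
worker.tcruntime8380.type=ajp13
worker.tcruntime8380.lbfactor=0
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tcruntime8280,tcruntime8480
"""

if __name__ == "__main__":
    for label, text in (("single", SINGLE_WORKER), ("page lb", PAGE_LB_WORKERS), ("broken", BROKEN_WORKERS)):
        print(label + ":", lint_workers(text) or "OK")
```

The linter reads only workers.properties, so it cannot check the sticky-session requirement mentioned above (each member's name must equal the jvmRoute of its Tomcat); that needs the two server.xml files as well.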
