Thursday, May 15, 2014

SSL configuration on Apache web server and Tomcat application server

Below are some common steps that you need to follow for configuring SSL on any app server or web server 

  1. A certificate (.crt) is required, which will be presented to a browser (client) whenever he will request access from that server.
  2. Configure the certificate on your web/app server, and key also if not included in the certificate itself. **Not explaining about SSL in this post as lot of good articles are already available ** .
  3. Enable your app/web server to support https protocol with a specific port.

Configuring SSL on Tomcat 6 :-

  1. Tomcat stores the certificate in a keystore, which can be created using simple java keytool commands.
  2. First you need to create a keystore, and by default it will create a self - signed certificate(.crt) also, which cab be replaced by any (.crt) if you purchase from authorised site.                                   keytool -genkey -alias domain -keyalg RSA-keysize 2048                                                            the default location of the cert created in windows system is C:\Document and Settings\ user name\
  3. After you enter all the passwords and required information you can export the cert using following command :-                                                                                                                              keytool -export -alias domain -file domain.crt
  4. You need to enable ssl in tomcat by adding/uncommenting following line of code in server.xml
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\Documents and Settings\user\.keystore"

    5.   To force all the request to redirect to ssl add following to the web.xml
          < security-constraint >
          < web-resource-collection >
          < web-resource-name >Entire Application< /web-resource-name >
          < url-pattern>/*
          < /web-resource-collection >
          < user-data-constraint >
          < transport-guarantee >CONFIDENTIAL< /transport-guarantee >
          < /user-data-constraint >
          < /security-constraint >
    6. Restart and All done!! You should be able to access your tomcat app server using https at port 8443

Configuring SSL on Apache 2

  1. Install openssl to create the self-signed certificate using the below command :-                                  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt
  2.  The above command will create two files i) domain.key and ii) domain.crt.
  3. Copy these two files in apache\conf folder.
  4. Edit the httpd.conf file and add/enable following entries
           LoadModule ssl_module modules/

         Listen 443
         ServerName localhost
         SSLEngine on
         SSLCertificateFile conf/apachecert.crt
         SSLCertificateKeyFile conf/apachekey.key
JkMount / < app context path >  /* ajp13

       5. Restart and All done!!

Integrating Apache with tomcat :-

Ideally we keep the ports of only web server open so block direct access to app server, and with above configuration we also would need to redirect all request to web applications deployed on tomcat through web server

1. Download mod_jk module for apache tomcat integration. I downloaded the following for using with Apache 2 and windows OS ( tomcat-connectors-1.2.39-windows-x86_64-httpd-2.4.x).

2. Extract the downloaded file and copy the file to the modules folder of apache2.

3. Create a file inside the conf folder of apache2.
# Define 1 real worker named ajp13

# Set properties for worker named ajp13 to use ajp13 protocol,
# and run on port 8009

Note:- Make sure ajp13 connector is enabled in tomcat/conf/server.xml file.

4. Make the following changes in httpd.conf

LoadModule jk_module modules/
JkWorkersFile conf/

JkMount / < app context path > /* ajp13

5. Restart the server and All done!!.

Load Balancer

Apache web server can be used to configure load balancing as well. For testing it I installed two tomcat instances, and deployed same web application on both the instances.

Modification needed in the following files for configuring load balancer

1. worker.properites file
2. httpd.conf file file





 httpd.con file

JkMount / < app context path > /* loadbalancer

No comments:

Post a Comment