Below are the common steps you need to follow to configure SSL on any app server or web server:
- A certificate (.crt) is required; the server presents it to the browser (client) whenever the client requests access.
- Configure the certificate on your web/app server, along with the private key if it is not bundled with the certificate. **I am not explaining SSL itself in this post, as a lot of good articles are already available.**
- Enable HTTPS on your app/web server on a specific port.
Configuring SSL on Tomcat 6 :-
1. Tomcat stores the certificate in a keystore, which can be created with the Java keytool command.
2. First create a keystore. By default this also creates a self-signed certificate (.crt), which can be replaced by a certificate (.crt) purchased from an authorised CA: keytool -genkey -alias domain -keyalg RSA -keysize 2048 On a Windows system the keystore (.keystore) is created by default in C:\Documents and Settings\<user name>\
3. After you enter all the passwords and the required information, export the certificate using the following command: keytool -export -alias domain -file domain.crt
4. Enable SSL in Tomcat by adding/uncommenting the HTTPS Connector in server.xml (the keystore password is shown masked here):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Documents and Settings\user\.keystore"
           keystorePass="*****" />
5. To force all requests to redirect to SSL, add the following to web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
6. Restart, and all done! You should be able to access your Tomcat app server over https on port 8443.
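Before restarting, it is worth checking that the two files edited above actually say what you think they say. The script below is an added example and is not part of the original post or of Tomcat itself: it parses a server.xml and a web.xml (constructed sample documents embedded inline, using the same attributes and elements as the steps above) and reports whether the HTTPS Connector is marked secure, whether the plain HTTP and AJP connectors redirect to it, and whether the CONFIDENTIAL transport-guarantee really covers /*.

```python
"""Audit the Tomcat-side TLS configuration from steps 4 and 5.

Added example, not from the original post: parses a server.xml and a
web.xml (constructed samples below) and reports the checks a reviewer
makes before the restart in step 6.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml, same attributes as the Connector in step 4.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="C:\\Documents and Settings\\user\\.keystore"
               keystorePass="changeit"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample web.xml carrying the security-constraint from step 5.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name) so web.xml lookups work."""
    return tag.rsplit("}", 1)[-1]


def check_ssl_connector(server_xml: str) -> list:
    """Return the problems found with the HTTPS connector(s); [] means clean."""
    problems = []
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ['no Connector has SSLEnabled="true"']
    for c in ssl_connectors:
        port = c.get("port", "?")
        if c.get("scheme") != "https":
            problems.append(f'connector {port}: scheme should be "https"')
        if c.get("secure", "").lower() != "true":
            problems.append(f'connector {port}: secure should be "true"')
        if not c.get("keystoreFile"):
            problems.append(f"connector {port}: keystoreFile is not set")
    # Non-SSL connectors must know where a CONFIDENTIAL request is redirected.
    ssl_ports = {c.get("port") for c in ssl_connectors}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "").lower() == "true":
            continue
        if c.get("redirectPort") not in ssl_ports:
            problems.append(f"connector {c.get('port')}: redirectPort does not "
                            f"point at an SSL connector {sorted(ssl_ports)}")
    return problems


def forces_https(web_xml: str) -> bool:
    """True if a security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


if __name__ == "__main__":
    print("server.xml problems:", check_ssl_connector(SERVER_XML) or "none")
    print("web.xml forces HTTPS:", forces_https(WEB_XML))
```

Run it against your own files by reading them in place of the constructed samples; an empty problem list plus a True from forces_https is the state you want before step 6.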
Configuring SSL on Apache 2
1. Install openssl and create the self-signed certificate using the command below: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt
2. The above command creates two files: i) domain.key (the private key) and ii) domain.crt (the certificate).
3. Copy these two files into the apache\conf folder.
4. Edit httpd.conf and add/enable the following entries (the certificate and key file names must match the two files copied in the previous step):
LoadModule ssl_module modules/mod_ssl.so
Listen 443
ServerName localhost
SSLEngine on
SSLCertificateFile conf/domain.crt
SSLCertificateKeyFile conf/domain.key
JkMount /<app context path>/* ajp13
5. Restart, and all done!
Integrating Apache with Tomcat :-
Ideally only the web server's ports are kept open and direct access to the app server is blocked, so with the above configuration we also need to route all requests for the web applications deployed on Tomcat through the web server.
1. Download the mod_jk module for Apache-Tomcat integration. I downloaded the following for use with Apache 2 on Windows (tomcat-connectors-1.2.39-windows-x86_64-httpd-2.4.x).
2. Extract the downloaded file and copy mod_jk.so to the modules folder of Apache 2.
3. Create a workers.properties file inside the conf folder of Apache 2 (the name must match the JkWorkersFile directive in httpd.conf).
workers.properties
# Define 1 real worker named ajp13
worker.list=ajp13
# Set properties for worker named ajp13 to use ajp13 protocol,
# and run on port 8009
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.socket_timeout=300
Note:- Make sure the AJP 1.3 connector (port 8009) is enabled in tomcat/conf/server.xml.
4. Make the following changes in httpd.conf
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkMount /<app context path>/* ajp13
5. Restart the server, and all done!
Load Balancer
The Apache web server can also be used to configure load balancing. For testing it I installed two Tomcat instances and deployed the same web application on both instances.
The following files need to be modified to configure the load balancer (each Tomcat instance must listen on its own AJP port; below they are 8009 and 8008):
1. workers.properties file
2. httpd.conf file
workers.properties file
worker.list=loadbalancer
worker.tcruntime8280.port=8009
worker.tcruntime8280.host=localhost
worker.tcruntime8280.type=ajp13
worker.tcruntime8280.lbfactor=1
worker.tcruntime8380.port=8008
worker.tcruntime8380.host=localhost
worker.tcruntime8380.type=ajp13
worker.tcruntime8380.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tcruntime8280,tcruntime8380
httpd.conf file
JkMount /<app context path>/* loadbalancer
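A mistake in workers.properties (a worker named in worker.list but never defined, an lb member that is not an ajp13 worker, or two workers pointing at the same host and port) is not caught until mod_jk fails at request time. The script below is an added example and is not part of the original post or of mod_jk: it parses the workers.properties format used in both the integration section and the load balancer section (key=value lines, # comments; a constructed copy of the load balancer file above is embedded inline) and reports those inconsistencies before you restart Apache.

```python
"""Validate a mod_jk workers.properties file before restarting Apache.

Added example, not from the original post: parses the workers.properties
format and checks that every worker in worker.list is defined, that an lb
worker balances only defined ajp13 workers, that every ajp13 worker has a
host and a numeric port, and that no two workers share a host:port.
"""

# Constructed sample, equivalent to the load balancer file in the post.
WORKERS_PROPERTIES = """
# Apache mounts only the load balancer
worker.list=loadbalancer

worker.tcruntime8280.port=8009
worker.tcruntime8280.host=localhost
worker.tcruntime8280.type=ajp13
worker.tcruntime8280.lbfactor=1

worker.tcruntime8380.port=8008
worker.tcruntime8380.host=localhost
worker.tcruntime8380.type=ajp13
worker.tcruntime8380.lbfactor=1

worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=tcruntime8280,tcruntime8380
"""


def parse_workers(text: str) -> dict:
    """Return {worker_name: {property: value}}.

    Global keys such as worker.list and worker.maintain are stored under the
    empty name "" so they never collide with a real worker.
    """
    workers = {"": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key.startswith("worker."):
            continue
        parts = key.split(".", 2)  # worker.<name>.<property>
        if len(parts) == 2:        # worker.list, worker.maintain, ...
            workers[""][parts[1]] = value
        else:
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers


def _csv(value: str) -> list:
    """Split a comma separated property value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_workers(workers: dict) -> list:
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    mounted = _csv(workers[""].get("list", ""))
    if not mounted:
        problems.append("worker.list is missing or empty")
    for name in mounted:
        if name not in workers:
            problems.append(f"worker.list names '{name}' but worker.{name}.* is not defined")

    seen_endpoints = {}  # (host, port) -> worker name, to catch duplicates
    for name, props in workers.items():
        if name == "":
            continue
        wtype = props.get("type")
        if wtype == "ajp13":
            host, port = props.get("host"), props.get("port", "")
            if not host:
                problems.append(f"worker.{name}.host is missing")
            if not port.isdigit():
                problems.append(f"worker.{name}.port must be numeric")
            endpoint = (host, port)
            if endpoint in seen_endpoints:
                problems.append(f"'{name}' and '{seen_endpoints[endpoint]}' use the "
                                f"same host:port {host}:{port}")
            seen_endpoints[endpoint] = name
        elif wtype == "lb":
            members = _csv(props.get("balanced_workers", ""))
            if not members:
                problems.append(f"worker.{name}.balanced_workers is empty")
            for member in members:
                if workers.get(member, {}).get("type") != "ajp13":
                    problems.append(f"lb worker '{name}' balances '{member}', "
                                    f"which is not a defined ajp13 worker")
                if member in mounted:
                    # mod_jk documents that balanced workers should not also be in worker.list
                    problems.append(f"'{member}' is both balanced by '{name}' and listed in worker.list")
        else:
            problems.append(f"worker.{name}.type is '{wtype}'; this check only understands ajp13 and lb")
    return problems


if __name__ == "__main__":
    report = validate_workers(parse_workers(WORKERS_PROPERTIES))
    for line in report or ["workers.properties is consistent"]:
        print(line)
```

The duplicate host:port check is the one that matters most for the two-instance setup above: if the second Tomcat is left on the default AJP port 8009, both balanced workers point at the same instance and the "load balancer" quietly sends everything to one server.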