Apache mod_SSL and Tomcat using mod_jk

2001-03-27 Thread Charlie Ren

Hello,
I am new to Apache and am using mod_ssl Apache server connected with Tomcat
via the mod_jk module - I get the following warning when starting Apache
after I start tomcat "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3
API, this module might crash under EAPI! (Please recompile it with -DEAPI)". I
am trying to get Apache and Tomcat to use SSL. I don't have a certificate
configured and get the following error "localhost:443 should be SSL-aware
but has no certificate configured [Hint: SSLCertificateFile]". Can someone
point me to the exact directions on how to configure a certificate and also
will this module - mod_jk work with the version of Apache I am using -
Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and Tomcat 3.2.1? I have
configured this via the documentation in Tomcat. Any ideas or suggestion on
where to go from here would be much appreciated.

Thanks in advance,

Charlie



AW: Apache mod_SSL and Tomcat using mod_jk

2001-01-16 Thread Markus Schaepper
#
SSLOptions +FakeBasicAuth

#
# List the ciphers that the client is permitted to negotiate. See the source
# for a definitive list. For example:
#
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

#
# These two can be used per-directory to require or ban ciphers. Note that (at
# least in the current version) Apache-SSL will not attempt to renegotiate if a
# cipher is banned (or not required).
#
#SSLRequireCipher
#SSLBanCipher

#
#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#
# Custom logging
#
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#
# from here on, text by MS
#

<VirtualHost www.prot-gemeinde.ch:80>

    ServerName  www.prot-gemeinde.ch
    ServerAdmin [EMAIL PROTECTED]

    ErrorLog    logs/prot-gemeinde_error.log
    CustomLog   logs/prot-gemeinde_access.log common

    DocumentRoot D:/WebSpace/ApacheSSL/tomcat/webapps/Prototyp
    DirectoryIndex Formular.htm

    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/Prototyp">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Forward JSPs and servlets to Tomcat over ajp13
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13

    ScriptAlias /cgi-bin/ "D:/WebSpace/Prototyp/Version10/cgi-bin/"
    <Directory "D:/WebSpace/Prototyp/Version10/cgi-bin">
        AllowOverride None
        Options None
    </Directory>

</VirtualHost>

#------------------------------------------------------------------
<VirtualHost www.snakeoil.dom:443>
#------------------------------------------------------------------
    SSLOptions +StdEnvVars +ExportCertData
    SSLEngine on
    ServerName  www.snakeoil.dom
    ServerAdmin [EMAIL PROTECTED]

    ErrorLog    logs/snake_error.log
    CustomLog   logs/snake_access.log common

    DocumentRoot D:/WebSpace/ApacheSSL/tomcat/webapps/securesite
    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/securesite">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Forward JSPs and servlets to Tomcat over ajp13
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13

    # Keep the web application's WEB-INF directory from being served by Apache
    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/securesite/WEB-INF">
        Options none
        Deny from all
    </Directory>

</VirtualHost>



-----Original Message-----
From:    Pete Ehli [SMTP:[EMAIL PROTECTED]]
Sent:    Tuesday, 16 January 2001 08:34
To:      [EMAIL PROTECTED]
Subject: Apache mod_SSL and Tomcat using mod_jk

Hello I am new to Apache and am using mod_ssl Apache server connected with
Tomcat via the mod_jk module - I get the following warning when starting
Apache after I start tomcat "Loaded DSO modules/mod_jk.dll uses plain
Apache 1.3 API, this module might crash under EAPI! (Please recompile it
with -DEAPI)". I am trying to get Apache and Tomcat to use SSL. I don't have
a certificate configured and get the following error "localhost:443 should
be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]".
Can someone point me to the exact directions on how to configure a
certificate and also will this module mod_jk work with the version of
Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and
Tomcat 3.2.1? I have configured this via the documentation in Tomcat. Any
ideas or suggestion on where to go from here would be much appreciated
- Pete - [EMAIL PROTECTED]




RE: Apache mod_SSL and Tomcat using mod_jk

2001-01-16 Thread Coetmeur, Alain


-----Original Message-----
From: Pete Ehli [mailto:[EMAIL PROTECTED]]
Date: Tuesday, 16 January 2001 08:34
To: [EMAIL PROTECTED]
Subject: Apache mod_SSL and Tomcat using mod_jk


> Hello I am new to Apache and am using mod_ssl Apache server
> connected with Tomcat via the mod_jk module -

I've just done that ... (absolute beginner)

> I get the following
> warning when starting Apache after I start tomcat
> "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API,
> this module might crash under EAPI! (Please recompile it with -DEAPI)

same for me... it seems to work anyway...

note that I had to install JSSE 102 from sun java site...
I've put it into the JRE 1.3 as documented (jar in lib/ext)
and changed the security provider list in some properties file
as documented...

For tomcat servlet/jsp to be able to call-back HTTPS as a client
I had to add a -D... that sets the implementor of URL...
documented in JSSE also...
I also had to set the keystore of jsse

extract from tomcat.bat:
:runServer
rem Running Tomcat in this window
if "%2" == "-security" goto runSecure
rem The java command below is a single line in tomcat.bat
%_RUNJAVA% %TOMCAT_OPTS% -Dtomcat.home="%TOMCAT_HOME%" -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/conf/ssl/cacerts" -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol org.apache.tomcat.startup.Tomcat %2 %3 %4 %5 %6 %7 %8 %9
goto cleanup

> I am trying to get Apache and Tomcat to use SSL.
> I don't have a certificate configured and get the following error
> "localhost:443 should be SSL-aware but has no certificate configured
> [Hint: SSLCertificateFile]" Can someone point me to the exact directions
> on how to configure a certificate and also will this module

I had to use the snakeoil certificates and keys as documented...
all is configured in a virtual host on port 443...

the last problem is that the snakeoil certificate
has a /CN= different from my host DNS name
(sure, it is a dummy certificate),
and thus the HTTPS URL connector refuses to trust
an HTTPS server whose certificate CN is different from
its DNS name...

I've found examples of config files on the web...
note that the ifdefined SSL does not work with the apache/mod_ssl
found on mod_ssl.org... I have used the IfModule mod_ssl.c

I've put parts of the config files at the end...

> mod_jk work with the version of Apache I am using -
> Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip
> and Tomcat 3.2.1 I have configured this via the documentation
> in Tomcat. Any ideas or suggestion on where to go from here
> would be much appreciated

if someone can explain to me how to generate
a good server certificate with openssl or
keytool...  8)



--
here is the SSL config included at the end of the
httpd.conf in apache

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##

LoadModule ssl_module modules/ApacheModuleSSL.dll

<IfModule mod_ssl.c>

Listen 8000
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones 
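
Added example, not part of the original messages: one way to produce a self-signed server certificate whose CN matches the host name (the mismatch described above for the snakeoil certificate) and to check the pair before pointing SSLCertificateFile at it. The host name www.example.test, the output directory and the key parameters are assumptions, and it uses a current OpenSSL command line rather than the 0.9.6 build discussed in the thread.

```shell
#!/bin/sh
# Added example. Host name, directory layout and key parameters are assumptions.

# make_server_cert HOST DIR
# Writes DIR/server.key and a self-signed DIR/server.crt whose CN and
# subjectAltName are both HOST, so name checks against HOST succeed.
make_server_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"   # unencrypted key: readable by the server account only
}

# cert_matches_host CERT HOST
# Succeeds only when CERT is valid for HOST. openssl prints "does match" or
# "does NOT match", so the printed text is what gets tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert CERT KEY
# Succeeds only when KEY is the private key for CERT (same public key), i.e.
# the pair can be given to SSLCertificateFile / SSLCertificateKeyFile together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo with a constructed host name; replace it with the server's DNS name.
demo_dir=$(mktemp -d)
make_server_cert www.example.test "$demo_dir" || echo "openssl req failed"
for name in www.example.test localhost; do
    if cert_matches_host "$demo_dir/server.crt" "$name"; then
        echo "$name: certificate matches"
    else
        echo "$name: certificate does NOT match (a verifying client refuses it)"
    fi
done
key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key" && echo "key pair OK"

# Then, inside the port 443 <VirtualHost> (paths are assumptions):
#   SSLEngine on
#   SSLCertificateFile    conf/ssl.crt/server.crt
#   SSLCertificateKeyFile conf/ssl.key/server.key
```

A client such as the JSSE HTTPS URL handler still has to trust the issuer, so a self-signed certificate must also be imported into the trust store named by -Djavax.net.ssl.trustStore.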

RE: Apache mod_SSL and Tomcat using mod_jk

2001-01-16 Thread GOMEZ Henri

>> Hello I am new to Apache and am using mod_ssl Apache server
>> connected with Tomcat via the mod_jk module -
> I've just done that ... (absolute beginner)

>> I get the following
>> warning when starting Apache after I start tomcat
>> "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API,
>> this module might crash under EAPI! (Please recompile it with -DEAPI)

The module has been compiled on a Standard Apache and
you want it to run on an EAPI Apache (ie using mod_ssl).

If you're using a Linux Redhat or compatible take a look
at my RPM at: ftp://ftp.falsehope.com/home/gomez/tomcat/
or at http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/rpms/


Apache mod_SSL and Tomcat using mod_jk

2001-01-15 Thread Pete Ehli



Hello I am new to Apache and am using mod_ssl
Apache server connected with Tomcat via the mod_jk module - I get the following
warning when starting Apache after I start tomcat "Loaded DSO modules/mod_jk.dll
uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile
it with -DEAPI)". I am trying to get Apache and Tomcat to use SSL. I don't
have a certificate configured and get the following error "localhost:443
should be SSL-aware but has no certificate configured [Hint:
SSLCertificateFile]". Can someone point me to the exact directions on how to
configure a certificate and also will this module mod_jk work with the version
of Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip
and Tomcat 3.2.1? I have configured this via the documentation in Tomcat. Any
ideas or suggestion on where to go from here would be much
appreciated
- Pete - [EMAIL PROTECTED]