---------- Forwarded message ----------
From: Stephen Francis <[EMAIL PROTECTED]>
Date: 3 Apr 2008 19:53
Subject: Solution for hosting multiple secure, certified domains at one
Tomcat instance
To: [EMAIL PROTECTED]

Is this worth posting in your FAQ? The solution works, but the technical
language might need checking!

We wanted to host webapps at multiple domains on the same physical server,
using the same Tomcat instance.

We can use the Virtual Host config in Tomcat's server.xml to set this up if
we don't need to worry about SSL certificates, but we do.

The problem is that the "SSL Handshake" (which requires the right
certificate) happens at the IP level, before the domain name is available to
the web server, so Tomcat receives a network request to make a secure
connection *at an IP address* (not a domain name), and it must choose a
keypair and certificate to use to make this secure connection, before it
knows which domain name is involved.

BUT browsers test that the certificate is correct by matching the
certificate's Common Name (CN) field against the domain name. So if you want
to host multiple, secure, certified, domains from the same webserver, you
have a problem.
Our Solution

   1. You need as many fixed IP addresses as you want different domains,
   all pointing at the same server.
   2. Each different domain name needs to have its DNS settings pointing
   to one of the different IP addresses above, so there's a neat one-to-one
   mapping (we use zoneedit.com to control our DNS settings). Thus when
   you browse to a page in the domain, your browser is given the appropriate IP
   address from the DNS server.
   3. You then need to map the different IP addresses to different ports
   for Tomcat to listen on - we use Linux iptables - rules in the 'nat' table
   can match incoming packets by destination port (=443, the default browser
   port for https traffic) and destination address = the IP address you set up
   for the domain. The Action of each iptables rule redirects the target port -
   to 8443, 8444, etc. The first is the standard Tomcat port for https, since
   it is not allowed to use ports < 1024 unless run as the root user. We were
   already using iptables port redirect for this reason, so this was not a
   major change for us.
   4. You then need to amend ${CATALINA_HOME}/conf/server.xml to register
   connectors for each port, referencing the different certificates you have
   through different keystore files. (Note: I tried for a while to have one
   keystore file with all the certificates in, under different aliases. Tomcat
   did not like this, giving "Couldn't retrieve key" or similar... possibly a
   bug in Tomcat?).

<Connector port="8443" scheme="https" secure="true" compression="on"
keyAlias="tomcat" keystoreFile="/path/to/first/domain/cert/keystore.kdb"
keystorePass="password" connectionTimeout="20000" sslProtocol="TLS"
maxSpareThreads="2" maxThreads="150" noCompressionUserAgents="gozilla,
traviata" minSpareThreads="1" clientAuth="false"
compressableMimeTypes="text/html,text/xml" />

<Connector port="8444" scheme="https" secure="true" compression="on"
keyAlias="tomcat" keystoreFile="/path/to/second/domain/cert/keystore.kdb"
keystorePass="password" connectionTimeout="20000" sslProtocol="TLS"
maxSpareThreads="2" maxThreads="150" noCompressionUserAgents="gozilla,
traviata" minSpareThreads="1" clientAuth="false"
compressableMimeTypes="text/html,text/xml" />
etc...



-- 
Thanks,
Stephen Francis

Technical Director,
Lucidium Information Systems Ltd
M: 07904 586175
