---------- Forwarded message ----------
From: Stephen Francis <[EMAIL PROTECTED]>
Date: 3 Apr 2008 19:53
Subject: Solution for hosting multiple secure, certified domains at one Tomcat instance
To: [EMAIL PROTECTED]
Is this worth posting in your FAQ? The solution works, but the technical language might need checking!

We wanted to host webapps at multiple domains on the same physical server, using the same Tomcat instance. We can use the Virtual Host config in Tomcat's server.xml to set this up if we don't need to worry about SSL certificates, but we do.

The problem is that the "SSL Handshake" (which requires the right certificate) happens at the IP level, before the domain name is available to the web server, so Tomcat receives a network request to make a secure connection *at an IP address* (not a domain name), and it must choose a keypair and certificate to use to make this secure connection before it knows which domain name is involved. BUT browsers test that the certificate is correct by matching the certificate's Common Name (CN) field against the domain name. So if you want to host multiple secure, certified domains from the same webserver, you have a problem.

Our Solution

1. You need as many fixed IP addresses as you want different domains, all pointing at the same server.

2. Each different domain name needs to have its DNS settings pointing to one of the different IP addresses above, so there's a neat one-to-one mapping (we use zoneedit.com to control our DNS settings). Thus when you browse to a page in the domain, your browser is given the appropriate IP address from the DNS server.

3. You then need to map the different IP addresses to different ports for Tomcat to listen on. We use Linux iptables: rules in the 'nat' table can match incoming packets by destination port (443, the default browser port for https traffic) and destination address (the IP address you set up for the domain). The Action of each iptables rule redirects the target port to 8443, 8444, etc. The first is the standard Tomcat port for https, since it is not allowed to use ones < 1024 unless run as root user. We were already using iptables port redirect for this reason, so this was not a major change for us.

4. You then need to amend ${CATALINA_HOME}/conf/server.xml to register connectors for each port, referencing the different certificates you have through different keystore files. (Note: I tried for a while to have one keystore file with all the certificates in, under different aliases. Tomcat did not like this, giving "Couldn't retrieve key" or similar... possibly a bug in Tomcat?)

    <Connector port="8443" scheme="https" secure="true" compression="on"
               keyAlias="tomcat" keystoreFile="/path/to/first/domain/cert/keystore.kdb"
               keystorePass="password" connectionTimeout="20000" sslProtocol="TLS"
               maxSpareThreads="2" maxThreads="150" noCompressionUserAgents="gozilla, traviata"
               minSpareThreads="1" clientAuth="false" compressableMimeTypes="text/html,text/xml" />

    <Connector port="8444" scheme="https" secure="true" compression="on"
               keyAlias="tomcat" keystoreFile="/path/to/second/domain/cert/keystore.kdb"
               keystorePass="password" connectionTimeout="20000" sslProtocol="TLS"
               maxSpareThreads="2" maxThreads="150" noCompressionUserAgents="gozilla, traviata"
               minSpareThreads="1" clientAuth="false" compressableMimeTypes="text/html,text/xml" />

    etc...

--
Thanks,
Stephen Francis
Technical Director, Lucidium Information Systems Ltd
M: 07904 586175
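As an added example (not part of Stephen's mail), a small Python script that checks the one-to-one domain/IP/port/keystore mapping the four steps rely on (a shared IP, port or keystore would make two domains present the same certificate), generates the matching iptables REDIRECT rules and Connector stanzas, and traces which keystore a connection to a given destination IP ends up on. The domains, IP addresses and keystore paths are constructed sample values, and the keystore password in the generated XML is a placeholder.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SecureHost:
    domain: str    # name the browser will check against the certificate CN
    ip: str        # fixed IP address the domain's DNS record points at
    port: int      # unprivileged port the Tomcat connector listens on
    keystore: str  # keystore holding that one domain's keypair and certificate

# Constructed sample mapping (documentation IPs and example domains, not real hosts)
HOSTS = [
    SecureHost("first.example", "192.0.2.10", 8443, "/path/to/first/domain/cert/keystore.kdb"),
    SecureHost("second.example", "192.0.2.11", 8444, "/path/to/second/domain/cert/keystore.kdb"),
]

def validate(hosts: List[SecureHost]) -> List[str]:
    """Return problems with the mapping; an empty list means it is strictly one-to-one."""
    problems = []
    for field in ("domain", "ip", "port", "keystore"):
        owner = {}
        for h in hosts:
            value = getattr(h, field)
            if value in owner:  # two domains would be served with the same certificate
                problems.append(f"{field} {value!r} shared by {owner[value]} and {h.domain}")
            owner.setdefault(value, h.domain)
    problems += [f"{h.domain}: port {h.port} is below 1024 and needs root" for h in hosts if h.port < 1024]
    return problems

def iptables_rules(hosts: List[SecureHost]) -> List[str]:
    """nat-table rules: match destination IP plus dport 443, redirect to that domain's Tomcat port."""
    return [f"iptables -t nat -A PREROUTING -p tcp -d {h.ip} --dport 443 -j REDIRECT --to-ports {h.port}"
            for h in hosts]

def connector_xml(h: SecureHost) -> str:
    """server.xml Connector for one domain; the password is a placeholder to fill in, not a value."""
    return (f'<Connector port="{h.port}" scheme="https" secure="true" sslProtocol="TLS" '
            f'clientAuth="false" keyAlias="tomcat" keystoreFile="{h.keystore}" '
            f'keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />')

def keystore_for(hosts: List[SecureHost], dst_ip: str, dst_port: int = 443) -> Optional[str]:
    """Trace one incoming connection through the rules: which keystore will Tomcat pick?"""
    if dst_port != 443:
        return None  # the nat rules only match https traffic arriving on 443
    for h in hosts:
        if h.ip == dst_ip:
            return h.keystore
    return None

if __name__ == "__main__":
    print("\n".join(validate(HOSTS) or ["mapping OK"]))
    print("\n".join(iptables_rules(HOSTS)))
    print("\n".join(connector_xml(h) for h in HOSTS))
```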