I'll include in the source the attached document about Tomcat, SSL and mod_jk.
Regards

Title: Tomcat and SSL
Tomcat and SSL
By Gomez Henri <[EMAIL PROTECTED]>
Table of Contents
- Tomcat and SSL
- Building tomcat with SSL support
- Tomcat with Apache and mod_jk
- SSL via apache
- SSL direct
- Credits
Tomcat and SSL
Tomcat can use SSL directly (via an HTTP connector that supports SSL) or behind an SSL-enabled Apache (Apache-SSL or Apache with mod_ssl) through the mod_jk connector.
Building tomcat with SSL support
If you want to rebuild Tomcat with SSL, be careful with your CLASSPATH. I used to clear the CLASSPATH env var to avoid jar conflicts. A common source of conflict is XML parsers (xerces & jaxp): Tomcat needs a recent XML parser such as the Apache Group's xerces 1.1.2 or Sun's jaxp 1.0.1.
At build time (via ant), Tomcat checks for certain libraries and then includes more or fewer options accordingly. SSL support is one such case: if the JSSE 1.0.2 jars are in your CLASSPATH, Tomcat is built with SSL support (SSLSocketFactory) and uses the JSSE jars (jcert.jar, jsse.jar, jnet.jar). This software CANNOT BE INCLUDED with Tomcat. You have to go to the JSSE home page and download the domestic (US/Canada) or global archive from there, then copy the three jars into Tomcat's runtime classpath lib directory ($TOMCAT_HOME/lib).
Tomcat with Apache and mod_jk
If you use Apache with SSL (Apache-SSL or Apache with mod_ssl), the Apache connector mod_jk can forward some SSL information to Tomcat if the JkExtractSSL directive is present in your httpd.conf.
The information forwarded is:
| Variable | Meaning |
| --- | --- |
| HTTPS | Apache redirected to Tomcat from an SSL area |
| SSL_SESSION_ID | SSL session ID |
| SSL_CIPHER | SSL cipher used |
| SSL_CLIENT_CERT | SSL certificate of the client |
Since Apache-SSL and Apache-mod_ssl use different environment variable names, you can adapt the SSL variable names via the following JK directives:
- JkExtractSSL
- JkHTTPSIndicator
- JkSESSIONIndicator
- JkCIPHERIndicator
- JkCERTSIndicator
Here is an example of the directives to include in httpd.conf for use with mod_ssl:
# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for the SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for the client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT
Warning: even though mod_jk supports both ajp12 (the old protocol from ApacheJServ) and ajp13, only ajp13 can forward SSL information to Tomcat.
SSL via apache
mod_jk seems to support Apache's VirtualHost directive. This is especially useful when using Apache with mod_ssl in front of Tomcat.
This configuration easily secures your webapps via Apache's SSL support. Just take care to set these JK directives outside any VirtualHost section:
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel warn
The JK forwarding directives can then be set inside the virtual hosts:
<VirtualHost _default_:443>
SSLEngine on
# Cipher list as given in this document; note that '+' only reorders existing suites, so LOW and 40-bit export-grade suites remain enabled
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# other SSL stuff
Alias /alesia "/var/tomcat/webapps/alesia"
<Directory "/var/tomcat/webapps/alesia">
</Directory>
JkMount /alesia/servlet/* ajp13
JkMount /alesia/*.jsp ajp13
<Location "/alesia/WEB-INF/">
AllowOverride None
Deny from all
</Location>
</VirtualHost>
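The two structural rules above (JK global directives outside any VirtualHost, and WEB-INF denied for every webapp Apache exposes through Alias) can be checked mechanically. The following Python script is an added example, not part of this document or of mod_jk; the two httpd.conf samples inside it are constructed for the check.

```python
"""Lint an httpd.conf that fronts Tomcat with mod_jk (added example, not from
the original document): the global JK directives must sit outside <VirtualHost>,
and each webapp exposed through Alias needs its WEB-INF denied, as the text's
sample vhost does."""
import re

GLOBAL_JK = {"JkWorkersFile", "JkLogFile", "JkLogLevel"}


def check_httpd_conf(text):
    # Returns a list of problems; an empty list means the config passes.
    problems, aliases, denied, in_vhost, location = [], [], set(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_loc = re.match(r'<Location\s+"?([^"\s>]+)"?\s*>', line, re.I)
        m_alias = re.match(r"Alias\s+(\S+)\s+\S", line, re.I)
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost = True
        elif re.match(r"</VirtualHost>", line, re.I):
            in_vhost = False
        elif m_loc:
            location = m_loc.group(1).rstrip("/")
        elif re.match(r"</Location>", line, re.I):
            location = None
        elif location and re.match(r"Deny\s+from\s+all", line, re.I):
            denied.add(location)
        elif m_alias:
            aliases.append(m_alias.group(1).rstrip("/"))
        elif line.split()[0] in GLOBAL_JK and in_vhost:
            problems.append(line.split()[0] + " must be set outside <VirtualHost>")
    # Apache serves the Alias'd tree itself, so WEB-INF (web.xml, classes) must be blocked.
    for prefix in aliases:
        if prefix + "/WEB-INF" not in denied:
            problems.append(prefix + "/WEB-INF is not denied from all")
    return problems


# Constructed samples: the layout the document recommends, then a broken one.
GOOD_CONF = """JkLogFile /var/log/httpd/mod_jk.log
<VirtualHost _default_:443>
Alias /alesia "/var/tomcat/webapps/alesia"
JkMount /alesia/*.jsp ajp13
<Location "/alesia/WEB-INF/">
Deny from all
</Location>
</VirtualHost>"""
BAD_CONF = """<VirtualHost _default_:443>
JkLogFile /var/log/httpd/mod_jk.log
Alias /alesia "/var/tomcat/webapps/alesia"
JkMount /alesia/*.jsp ajp13
</VirtualHost>"""
```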
SSL direct
If you want Tomcat to serve HTTP over SSL itself, you need to create an SSL certificate. For more information about SSL and certificates, I suggest you take a look at OpenSSL (the open-source SSL implementation) and mod_ssl (SSL support for Apache).
Verify tomcat server.xml configuration file
To use the HTTP-with-SSL connector in Tomcat, verify that it is activated in server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port" value="8443"/>
<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
</Connector>
Generate a SSL certificate (RSA) for tomcat
I succeeded (at least) with my IBM JDK 1.3 after:
- The JSSE jars MUST BE IN BOTH CLASSPATH and $JAVA_HOME/jre/lib/ext (Java > 1.2).
- From the server.xml doc: You _need_ to set up a server certificate if you want this to work, and you need JSSE.
- Add the JSSE jars to CLASSPATH.
- Edit $JAVA_HOME/jre/lib/security/java.security and add:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
- Do: keytool -genkey -alias tomcat -keyalg RSA
RSA is essential to work with Netscape and IIS. Use "changeit" as the password (or add the keypass attribute). You don't need to sign the certificate. You can set the keystore and keypass parameters if you want to change the default (user.home/.keystore with changeit).
- I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext and then add them to CLASSPATH:
export CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH
export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH
export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH
You can also copy the three jars into $TOMCAT_HOME/lib/ so they are automatically added to the CLASSPATH at Tomcat startup (tomcat.sh).
Importing SSL certificates
It's possible to import certificates generated with OpenSSL. Here are the steps needed to generate such certificates with OpenSSL:
- To generate a new request and a new key:
openssl req -new -out REQ.pem -keyout KEY.pem
- To generate a self-signed X.509 certificate from a certificate request using a supplied key, writing the output certificate to the file CERT.pem:
openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
- Verify that the signature on a certificate request is correct:
openssl req -verify -in REQ.pem
- Verify that the signature was made using a specified public key:
openssl req -verify -in REQ.pem -key KEY.pem
- Print the contents of a certificate request:
openssl req -text -in REQ.pem
- To import the CERT into the keystore, just run:
keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
Credits
This document was created by Gomez Henri. Thanks to [EMAIL PROTECTED] for import info. Feel free to contact me for more updates.
Copyright ©1999-2000 The Apache Software Foundation