[Previous patch with this title was for the wrong file. Correct patch follows. --cp]

        HTML cleanup & typo fixes in tomcat-ssl-howto.html

[salt:tarball/jakarta-tomcat-3.2.1/doc] pepper% diff -u tomcat-ssl-howto.html tomcat-ssl-howto.html.patch
--- tomcat-ssl-howto.html       Tue Dec 12 16:36:22 2000
+++ tomcat-ssl-howto.html.patch Tue Jan 30 12:05:20 2001
@@ -1,3 +1,4 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
     <!-- $Id  $ -->
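Review bot: HTML 4.01 Transitional is the right DTD for this file, since the `<font>` elements and `width=` table attributes are kept further down, but once a DOCTYPE is declared the page will be run through a validator, and the unquoted attribute values in the unchanged section anchors (`<h2><a name=s2>Tomcat and SSL</a></h2>` and the others like it) are worth quoting in the same cleanup pass.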
@@ -45,41 +46,61 @@
     </td>
   </tr>
 </table>
+
 <h1>Tomcat and SSL</h1>
+
 <p>By Gomez Henri <tt>&lt;<a 
href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>&gt;</tt></p>
+
 <h2>Table of Contents</h2>
+
 <ul>
   <li><a href="#s2">Tomcat and SSL</a></li>
   <li><a href="#s3">Building tomcat with SSL support</a></li>
   <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
-  <li><a href="#s5">SSL via apache</a></li>
-  <li><a href="#s6">SSL direct</a></li>
+  <li><a href="#s5">SSL via Apache</a></li>
+  <li><a href="#s6">Direct SSL</a></li>
   <li><a href="#s7">Credits</a></li>
 </ul>
+
 <hr>
+
 <h2><a name=s2>Tomcat and SSL</a></h2>
-<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via 
-  an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or 
apache-mod_ssl) 
+
+<p>Tomcat can use SSL directly (via an HTTP connector supporting SSL) or via 
+  an SSL-capable Apache (<a
+  href="http://www.apachessl.org">Apache-SSL</a> or <a
+  href="http://www.modssl.org">apache+mod_ssl</a>) 
   with the mod_jk connector.</p>
+
 <hr>
+
 <h2><a name=s3>Building tomcat with SSL support</a></h2>
-<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH. 
-  I used to clear the CLASSPATH env var to avoid conflict in jar. A common case 
-  of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser 
-  like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
-<p>At build time, (via ant), tomcat will check for some libs and will then included 
-  more or less options. It's the case of SSL support. If you have the JSSE 1.0.2 
-  jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat 
-  will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T 
-  BE INCLUDED in tomcat. You'll have to go to <a 
href="http://java.sun.com/products/jsse/%20">jsse 
-  home page </a>and download from there the domestic (US/Canada) or global archive. 
-  Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
+
+<p>If you want to rebuild tomcat with SSL, be careful of your
+  CLASSPATH. I used to clear the CLASSPATH environment variable to avoid
+  conflict in jar. A common cause of conflict is XML parsers (xerces
+  &amp; jaxp). Tomcat needs a recent XML parser like the Apache Group's
+  xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
+<p>At build time, (via ant), tomcat will check for some libs and will
+  then include various options, possibly including SSL support. If you
+  have the JSSE 1.0.2 jars in your CLASSPATH, tomcat will be built with
+  SSL (SSLSocketFactory). Tomcat will use the JSSE jars (jcert.jar,
+  jsse.jar, jnet.jar). This software COULDN'T BE INCLUDED in tomcat.
+  You'll have to go to the <a
+  href="http://java.sun.com/products/jsse/">jsse home page</a> and
+  download the domestic (US/Canada) or global archive from there. Then
+  copy the 3 jars into tomcat's runtime classpath lib
+  ($TOMCAT_HOME/lib).</p>
+
 <hr>
+
 <h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
-<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector 
-  mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL 
-  directive is present in your httpd.conf. </p>
-<p>Informations are :</p>
+
+<p>If you use Apache with SSL (Apache-SSL or apache+mod_ssl) and the 
+  JkExtractSSL directive in httpd.conf, the apache connector 
+  mod_jk will be able to pass some SSL information to tomcat.</p>
+<p>This information is:</p>
+
 <table width="75%" border="1">
   <tr> 
     <td>HTTPS</td>
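Review bot: Capitalisation of the product name is now mixed inside single paragraphs: `rebuild tomcat with SSL` and `tomcat will check for some libs` sit next to `Tomcat needs a recent XML parser` and `Tomcat will use the JSSE jars`, and `the apache connector mod_jk` survives after the hunk standardises on `Apache` in the headings and links; pick one form for the whole file. Smaller points in the same lines: `At build time, (via ant), tomcat` keeps a stray comma before the parenthesis, `to avoid conflict in jar` reads better as `to avoid jar conflicts`, and several of the added lines (the `<p>Tomcat can use SSL directly` line and the `<p>If you use Apache with SSL` line among them) carry trailing whitespace.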
@@ -98,8 +119,10 @@
     <td>SSL Certificate of client</td>
   </tr>
 </table>
-<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt 
-  SSL vars via the following JK vars </p>
+
+<p>Since Apache-SSL and apache+mod_ssl use different environment variables, you 
+  can set SSL variables from the following JK variables</p>
+
 <ul>
   <li>JkExtractSSL</li>
   <li>JkHTTPSIndicator</li>
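Review bot: `you can set SSL variables from the following JK variables` inverts what these directives do and drops the colon that introduces the list: the Jk*Indicator directives tell mod_jk which Apache environment variable names to read, so something like `you can tell mod_jk which environment variable names to read with the following directives:` is clearer. The stray colon in the unchanged list item `<li>JkCERTSIndicator: </li>` is a typo this cleanup could take as well.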
@@ -107,153 +130,182 @@
   <li>JkCIPHERIndicator</li>
   <li>JkCERTSIndicator: </li>
 </ul>
-<p>here is an example of directive to include in httpd.conf for use with mod_ssl 
-</p>
-<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL 
-  information to Tomact (default is On)<br>
-  JkExtractSSL On <br>
-  # What is the indicator for SSL (default is HTTPS)<br>
-  JkHTTPSIndicator HTTPS <br>
-  # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
-  JkSESSIONIndicator SSL_SESSION_ID <br>
-  # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
-  JkCIPHERIndicator SSL_CIPHER <br>
-  # What is the indicator for the client SSL certificated (default is 
SSL_CLIENT_CERT) 
-  <br>
-  JkCERTSIndicator SSL_CLIENT_CERT </font></p>
-<p>When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions 
-  +StdEnvVars +ExportCertData" in the httpd.conf file.<br>
-  Otherwise mod_ssl will not produce the neccessary environment variables for 
+
+<p>here is an example of directives to include in httpd.conf for use with
+  mod_ssl:</p>
+
+<pre># Should mod_jk send SSL information to Tomcat (default is On)
+JkExtractSSL On
+# What is the indicator for SSL (default is HTTPS)
+JkHTTPSIndicator HTTPS
+# What is the indicator for SSL session (default is SSL_SESSION_ID)
+JkSESSIONIndicator SSL_SESSION_ID
+# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
+JkCIPHERIndicator SSL_CIPHER
+# What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
+JkCERTSIndicator SSL_CLIENT_CERT
+</pre>
+
+<p>When using mod_jk with Apache &amp; mod_ssl it is essential to specify 
+  "SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file.<br>
+  Otherwise mod_ssl will not produce the necessary environment variables for 
   mod_jk. (Tilo Christ &lt;[EMAIL PROTECTED]&gt;)</p>
-<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and 
-  ajp13, only ajp13 could forward SSL informations to tomcat.</p>
+<p>Warning: Even if mod_jk supports both ajp12 (the old version from
+  Apache JServ) and ajp13, only ajp13 can forward SSL information to
+  tomcat.</p>
+
 <hr>
-<h2><a name=s5>SSL via apache</a></h2>
-<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy 
-  usefull when using an apache-mod_ssl with tomcat.<br>
+
+<h2><a name=s5>SSL via Apache</a></h2>
+
+<p>mod_jk seems to support the VirtualHost directive of Apache. It's especially 
+  useful when using apache+mod_ssl with tomcat.<br>
   This config will easily secure your webapps via Apache SSL support. Just take 
-  care of setting these jk vars outside VirtualHost directives :</p>
-<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile 
/etc/httpd/conf/workers.properties<br>
-  JkLogFile /var/log/httpd/mod_jk.log <br>
-  JkLogLevel warn</font> </p>
-<p>The jk redirect stuff could be set in virtual hosts : <virtualhost 
_default_:443></p>
-<p><font face="Courier New, Courier, mono" size="-1">&lt;VirtualHost 
_default_:443&gt;<br>
-  SSLEngine on <br>
-  SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
-  <br>
-  <br>
-  </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
-  </font><font face="Courier New, Courier, mono" size="-1"><br>
-  Alias /alesia "/var/tomcat/webapps/alesia" <directory "/var/tomcat/webapps/alesia"> 
-  <br>
-  &lt;Directory "/var/tomcat/webapps/alesia"&gt;</directory><br>
-  <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </directory> 
-  <br>
-  &lt;/Directory> <br>
-  <br>
-  JkMount /alesia/servlet/* ajp13 <br>
-  JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
-  </location><br>
-  &lt;Location "/alesia/WEB-INF/"><br>
-  AllowOverride None<br>
-  Deny from all<br>
-  &lt;/Location> </font></p>
-<p><font face="Courier New, Courier, mono" 
size="-1">&lt;/VirtualHost></font><virtualhost _default_:443></virtualhost></p>
+  care of setting these JK variables outside VirtualHost directives:</p>
+
+<pre>JkWorkersFile /etc/httpd/conf/workers.properties
+JkLogFile /var/log/httpd/mod_jk.log
+JkLogLevel warn
+</pre>
+
+<p>The JK redirect stuff could be set in virtual hosts: &lt;virtualhost
+  _default_:443&gt;</p>
+
+<pre>&lt;VirtualHost _default_:443&gt;
+SSLEngine on
+SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
+# other SSL stuff
+Alias /alesia "/var/tomcat/webapps/alesia"
+
+&lt;Directory "/var/tomcat/webapps/alesia"&gt; 
+  &lt;Directory "/var/tomcat/webapps/alesia"&gt;&lt;/Directory&gt;
+  &lt;Directory "/var/tomcat/webapps/alesia"&gt;Options Indexes FollowSymLinks 
+&lt;/Directory&gt;
+&lt;/Directory&gt;
+
+JkMount /alesia/servlet/* ajp13
+JkMount /alesia/*.jsp ajp13
+
+&lt;Location "/alesia/WEB-INF/"&gt;
+&lt;/Location&gt;
+
+&lt;Location "/alesia/WEB-INF/"&gt;
+  AllowOverride None
+  Deny from all
+&lt;/Location&gt;
+
+&lt;/VirtualHost&gt;
+<!--
+
+&lt;virtualhost _default_:443&gt;&lt;/virtualhost&gt;
+-->
+</pre>
+
 <hr>
-<h2><a name=s6>SSL direct</a></h2>
-<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For 
-  more informations about SSL and certificates, I suggest you could take a look 
-  at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation) 
-  and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
-<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration 
file</font></a></h3>
+
+<h2><a name=s6>Direct SSL</a></h2>
+
+<p>If you want tomcat to serve HTTP/SSL (https) directly, you need to 
+  create a SSL certificate. For more information about SSL and 
+  certificates, I suggest you could take a look at <a 
+  href="http://www.openssl.org">OpenSSL</a> (Open Source SSL
+  implementation) and <a href="http://www.modssl.org">mod_ssl</a> (SSL
+  support for Apache)</p>
+
+<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration
+  file</font></a></h3>
+
 <blockquote> 
   <p> To use the HTTP with SSL connector in tomcat, verify that it is activated 
     in server.xml</p>
-  <p><font face="Courier New, Courier, mono" size="-1">&lt;Connector 
className="org.apache.tomcat.service.PoolTcpConnector"&gt;<br>
-    &lt;Parameter name="handler" 
value="org.apache.tomcat.service.http.HttpConnectionHandler"/&gt;<br>
-    &lt;Parameter name="port" value="8443"/&gt;<br>
-    &lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" 
-    /&gt;<br>
-    &lt;Parameter name="keystore" value="/var/tomcat/conf/keystore" /&gt;</font><font 
face="Courier New, Courier, mono" size="-1"> 
-    <br>
-    &lt;Parameter name="keypass" value="changeit"/&gt;<br>
-    &lt;Parameter name="clientAuth" value="true"/&gt; <br>
-    &lt;/Connector&gt; </font></p>
-  <p>In this example we indicate the keystore is file 
<b>/var/tomcat/conf/keystore</b>. 
-    The keystore password is <b>changeit</b> and we want client to authentificate.</p>
-  <blockquote>&nbsp;</blockquote>
+
+<pre>&lt;Connector className="org.apache.tomcat.service.PoolTcpConnector"&gt;
+&lt;Parameter name="handler" 
+value="org.apache.tomcat.service.http.HttpConnectionHandler"/&gt;
+&lt;Parameter name="port" value="8443"/&gt;
+&lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/&gt;
+&lt;Parameter name="keystore" value="/var/tomcat/conf/keystore" /&gt;
+&lt;Parameter name="keypass" value="changeit"/&gt;
+&lt;Parameter name="clientAuth" value="true"/&gt;
+&lt;/Connector&gt;
+</pre>
+
+<p>In this example we indicate the keystore is file
+  <strong>/var/tomcat/conf/keystore</strong>. 
+    The keystore password is <strong>changeit</strong> and we want
+    clients to authentificate.</p>
 </blockquote>
+
 <h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
+
 <blockquote>
-  <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
+  <p>I succeed (at least) with my IBM JDK 1.3 after:</p>
 </blockquote>
+
 <ul>
-  <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext 
-    (JAVA &gt; 1.2)<br>
-    </b><br>
+  <li>jsse jars <strong>MUST BE IN BOTH CLASSPATH</strong> and
+    <strong>$JAVA_HOME/jre/lib/ext 
+    (JAVA &gt; 1.2)</strong>
   </li>
-  <li> from server.xml doc.You _need_ to set up a server certificate if you want 
-    this to work, and you need JSSE. <br>
-    <br>
+  <li>from server.xml doc.You _need_ to set up a server certificate if you want 
+    this to work, and you need JSSE.
     <ul>
-      <li> Add JSSE jars to CLASSPATH </li>
-      <li> Edit $JAVA_HOME/jre/lib/security/java.security Add: 
security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
-      <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey 
-        -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape 
-        and IIS. Use "changeit" as password. ( or add keypass attribute ) You 
+      <li>Add JSSE jars to CLASSPATH</li>
+      <li>Edit $JAVA_HOME/jre/lib/security/java.security<br>
+       Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
+      <li>Do: <code>keytool -genkey -alias tomcat -keyalg RSA</code><br>
+       RSA is essential to work with Netscape 
+        and IIS. Use "changeit" as password (or add keypass attribute). You 
         don't need to sign the certificate. You can set parameter keystore and 
-        keypass if you want to change the default ( user.home/.keystore with changeit 
-        )<br>
-        <br>
-      </li>
+        keypass if you want to change the default
+        ($HOME/.keystore with changeit)</li>
     </ul>
   </li>
-  <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in 
$JAVA_HOME/jre/lib/ext 
-    and then add them to CLASSPATH export <br>
-    <br>
-    <font size="-1" face="Courier New, Courier, 
mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH 
-    export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export 
CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
+  <li>I suggest you install jcert.jar, jnet.jar and jsse.jar in
+    $JAVA_HOME/jre/lib/ext 
+    and then add them to your CLASSPATH export <br>
     <br>
-    You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically 
-    added to CLASSPATH at tomcat startup (tomcat.sh).</li>
+
+<pre>CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH 
+export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH
+export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH
+</pre>
+
+    You could also copy the 3 jars into $TOMCAT_HOME/lib/ so they are 
+    under the existing CLASSPATH at tomcat startup (tomcat.sh).</li>
 </ul>
-<p>&nbsp; </p>
+
 <h3><a name=s63>Importing SSL certificates</a></h3>
-<p>It's possible to import certificates generated with <a 
href="http://www.openssl.org">OpenSSL</a>. 
-  Here are the steps needed to generate such certs with OpenSSL : </p>
+
+<p>It's possible to import certificates generated with <a
+  href="http://www.openssl.org">OpenSSL</a>. Here are the steps needed 
+  to generate such certs with OpenSSL:</p>
+
 <ul>
-  <li>To generate a new request and a new key <br>
-    <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem 
-keyout KEY.pem</font> </pre>
-  </li>
+  <li>To generate a new request and a new key<br>
+       <code>openssl req -new -out REQ.pem -keyout KEY.pem</code></li>
   <li>To generate a self signed x509 certificate from a certificate request using 
-    a supplied key, and we want to see the text form of the output certificate 
-    (which we will put in the file selfSign.pem 
-    <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509 -in 
-      REQ.pem -key KEY.pem -out CERT.pem</font> </p>
-  </li>
-  <li>Verify that the signature is correct on a certificate request. 
-    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in 
-      REQ.pem</font> </p>
-  </li>
-  <li>Verify that the signature was made using a specified public key 
-    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in 
-      REQ.pem -key KEY.pem</font> </p>
-  </li>
-  <li>Print the contents of a certificate request 
-    <p><font face="Courier New, Courier, mono" size="-1">openssl req -text -in 
-      REQ.pem</font> </p>
-  </li>
-  <li>To import the CERT in keystore, you just do next : 
-    <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v 
-trustcacerts 
-      -alias tomcat -file</font> <font size="-1" face="Courier New, Courier, 
mono">CERT.pem</font> 
-    </p>
-  </li>
+    a supplied key, and see the text form of the output certificate 
+    (which we will put into the file selfSign.pem<br>
+       <code>openssl req -x509 -in REQ.pem -key KEY.pem -out
+       CERT.pem</code></li>
+  <li>Verify that the signature is correct on a certificate request.<br>
+       <code>openssl req -verify -in REQ.pem</code></li>
+  <li>Verify that the signature was made using a specified public key<br>
+       <code>openssl req -verify -in REQ.pem -key KEY.pem</code></li>
+  <li>Print the contents of a certificate request<br>
+       <code>openssl req -text -in REQ.pem</code></li>
+  <li>To import the CERT in keystore, just:<br>
+       <code>keytool -import -v -trustcacerts -alias tomcat -file
+       CERT.pem</code></li>
 </ul>
+
 <hr>
+
 <h2><a name=s7>Credits</a></h2>
+
 <p>This document was created by <a href="mailto:[EMAIL PROTECTED]">Gomez Henri</a>. 
   Thanks to [EMAIL PROTECTED] for import info. Feel free to contact me for more 
   updates.</p>
+
 <table width="100%" border="0" cellpadding="10" cellspacing="0">
   <tr> 
     <td> 
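Review bot: The rewritten VirtualHost example promotes editor garbage from the old `<font>` markup into what now reads as real configuration: the `<pre>` block opens `&lt;Directory "/var/tomcat/webapps/alesia"&gt;` and then contains two more `Directory` sections for the same path, and an empty `&lt;Location "/alesia/WEB-INF/"&gt;&lt;/Location&gt;` precedes the real one. Apache does not allow `<Directory>` sections to nest, so a reader who copies the block gets a config that fails to load; collapse it to a single `<Directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks</Directory>` and a single `<Location "/alesia/WEB-INF/">` block, and drop the commented-out `&lt;virtualhost _default_:443&gt;&lt;/virtualhost&gt;` at the end of the `<pre>` instead of preserving it in a comment. On the same block: `Deny from all` on WEB-INF is the security-relevant line, and because `<Location "/alesia/WEB-INF/">` is a URL prefix match, a request for `/alesia/WEB-INF` without the trailing slash is not covered; `<Location "/alesia/WEB-INF">` matches both forms. The `SSLCipherSuite` line is carried over unchanged, but it admits `+LOW`, `+EXP`, `+SSLv2` and `+eNULL` (no encryption at all), which is a poor example in a document about forwarding `SSL_CIPHER` to Tomcat as a trust indicator; the howto should leave those out. Typos the patch title promises to fix remain in the new text: `cipher suit` (suite) and `client SSL certificated` (certificate) in the `<pre>` comments, `here is an example` opening a sentence in lower case, `doc.You _need_` missing a space, and `authentificate` (authenticate). In the CLASSPATH item, `export` is left dangling at the end of `add them to your CLASSPATH export <br>` while the first `<pre>` line `CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH` is the one that lost it; move `export` into the block (the `<br>` before the `<pre>` is then redundant), and `so they are under the existing CLASSPATH at tomcat startup` is a step back from the original `automatically added to CLASSPATH`. `($HOME/.keystore with changeit)` replaces `user.home`, which is the Java property name keytool actually consults; the two coincide on Unix, but `user.home` is the accurate one. In the OpenSSL list, the parenthesis in `(which we will put into the file selfSign.pem` is never closed and names `selfSign.pem` while the command writes `CERT.pem`; make them agree. Finally, `keytool -import -v -trustcacerts -alias tomcat -file CERT.pem` imports only the certificate, and the `KEY.pem` generated in the first step is never imported anywhere, so a sentence on how the private key is meant to reach the keystore (or on what this import is actually for) would keep the section from over-promising.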
@@ -265,6 +317,7 @@
     </td>
   </tr>
 </table>
+
 </body>
 </html>
