[Previous patch with this title was for the wrong file. Correct patch follows. --cp] HTML cleanup & typo fixes in tomcat-ssl-howto.html [salt:tarball/jakarta-tomcat-3.2.1/doc] pepper% diff -u tomcat-ssl-howto.html tomcat-ssl-howto.html.patch --- tomcat-ssl-howto.html Tue Dec 12 16:36:22 2000 +++ tomcat-ssl-howto.html.patch Tue Jan 30 12:05:20 2001 @@ -1,3 +1,4 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <!-- $Id $ --> 
@@ -45,41 +46,61 @@ </td> </tr> </table> + <h1>Tomcat and SSL</h1> + <p>By Gomez Henri <tt><<a href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>></tt></p> + <h2>Table of Contents</h2> + <ul> <li><a href="#s2">Tomcat and SSL</a></li> <li><a href="#s3">Building tomcat with SSL support</a></li> <li><a href="#s4">Tomcat with Apache and mod_jk</a></li> - <li><a href="#s5">SSL via apache</a></li> - <li><a href="#s6">SSL direct</a></li> + <li><a href="#s5">SSL via Apache</a></li> + <li><a href="#s6">Direct SSL</a></li> <li><a href="#s7">Credits</a></li> </ul> + <hr> + <h2><a name=s2>Tomcat and SSL</a></h2> -<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via - an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or apache-mod_ssl) + +<p>Tomcat can use SSL directly (via an HTTP connector supporting SSL) or via + an SSL-capable Apache (<a + href="http://www.apachessl.org">Apache-SSL</a> or <a + href="http://www.modssl.org">apache+mod_ssl</a>) with the mod_jk connector.</p> + <hr> + <h2><a name=s3>Building tomcat with SSL support</a></h2> -<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH. - I used to clear the CLASSPATH env var to avoid conflict in jar. A common case - of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser - like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p> -<p>At build time, (via ant), tomcat will check for some libs and will then included - more or less options. It's the case of SSL support. If you have the JSSE 1.0.2 - jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat - will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T - BE INCLUDED in tomcat. You'll have to go to <a href="http://java.sun.com/products/jsse/%20">jsse - home page </a>and download from there the domestic (US/Canada) or global archive. 
- Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p> + +<p>If you want to rebuild tomcat with SSL, be careful of your + CLASSPATH. I used to clear the CLASSPATH environment variable to avoid + conflict in jar. A common cause of conflict is XML parsers (xerces + & jaxp). Tomcat needs a recent XML parser like the Apache Group's + xerces 1.1.2 or Sun's jaxp 1.0.1.</p> +<p>At build time, (via ant), tomcat will check for some libs and will + then include various options, possibly including SSL support. If you + have the JSSE 1.0.2 jars in your CLASSPATH, tomcat will be built with + SSL (SSLSocketFactory). Tomcat will use the JSSE jars (jcert.jar, + jsse.jar, jnet.jar). This software COULDN'T BE INCLUDED in tomcat. + You'll have to go to the <a + href="http://java.sun.com/products/jsse/">jsse home page</a> and + download the domestic (US/Canada) or global archive from there. Then + copy the 3 jars into tomcat's runtime classpath lib + ($TOMCAT_HOME/lib).</p> + <hr> + <h2><a name=s4>Tomcat with Apache and mod_jk</a></h2> -<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector - mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL - directive is present in your httpd.conf. </p> -<p>Informations are :</p> + +<p>If you use Apache with SSL (Apache-SSL or apache+mod_ssl) and the + JkExtractSSL directive in httpd.conf, the apache connector + mod_jk will be able to pass some SSL information to tomcat.</p> +<p>This information is:</p> + <table width="75%" border="1"> <tr> <td>HTTPS</td> @@ -98,8 +119,10 @@ <td>SSL Certificate of client</td> </tr> </table> -<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt - SSL vars via the following JK vars </p> + +<p>Since Apache-SSL and apache+mod_ssl use different environment variables, you + can set SSL variables from the following JK variables</p> + <ul> <li>JkExtractSSL</li> <li>JkHTTPSIndicator</li> 
@@ -107,153 +130,182 @@ <li>JkCIPHERIndicator</li> <li>JkCERTSIndicator: </li> </ul> -<p>here is an example of directive to include in httpd.conf for use with mod_ssl -</p> -<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL - information to Tomact (default is On)<br> - JkExtractSSL On <br> - # What is the indicator for SSL (default is HTTPS)<br> - JkHTTPSIndicator HTTPS <br> - # What is the indicator for SSL session (default is SSL_SESSION_ID) <br> - JkSESSIONIndicator SSL_SESSION_ID <br> - # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br> - JkCIPHERIndicator SSL_CIPHER <br> - # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) - <br> - JkCERTSIndicator SSL_CLIENT_CERT </font></p> -<p>When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions - +StdEnvVars +ExportCertData" in the httpd.conf file.<br> - Otherwise mod_ssl will not produce the neccessary environment variables for + +<p>here is an example of directives to include in httpd.conf for use with + mod_ssl:</p> + +<pre># Should mod_jk send SSL information to Tomcat (default is On) +JkExtractSSL On +# What is the indicator for SSL (default is HTTPS) +JkHTTPSIndicator HTTPS +# What is the indicator for SSL session (default is SSL_SESSION_ID) +JkSESSIONIndicator SSL_SESSION_ID +# What is the indicator for client SSL cipher suit (default is SSL_CIPHER) +JkCIPHERIndicator SSL_CIPHER +# What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) +JkCERTSIndicator SSL_CLIENT_CERT +</pre> + +<p>When using mod_jk with Apache & mod_ssl it is essential to specify + "SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file.<br> + Otherwise mod_ssl will not produce the necessary environment variables for mod_jk. 
(Tilo Christ <[EMAIL PROTECTED]>)</p> -<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and - ajp13, only ajp13 could forward SSL informations to tomcat.</p> +<p>Warning: Even if mod_jk supports both ajp12 (the old version from + Apache JServ) and ajp13, only ajp13 can forward SSL information to + tomcat.</p> + <hr> -<h2><a name=s5>SSL via apache</a></h2> -<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy - usefull when using an apache-mod_ssl with tomcat.<br> + +<h2><a name=s5>SSL via Apache</a></h2> + +<p>mod_jk seems to support the VirtualHost directive of Apache. It's especially + useful when using apache+mod_ssl with tomcat.<br> This config will easily secure your webapps via Apache SSL support. Just take - care of setting these jk vars outside VirtualHost directives :</p> -<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile /etc/httpd/conf/workers.properties<br> - JkLogFile /var/log/httpd/mod_jk.log <br> - JkLogLevel warn</font> </p> -<p>The jk redirect stuff could be set in virtual hosts : <virtualhost _default_:443></p> -<p><font face="Courier New, Courier, mono" size="-1"><VirtualHost _default_:443><br> - SSLEngine on <br> - SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - <br> - <br> - </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br> - </font><font face="Courier New, Courier, mono" size="-1"><br> - Alias /alesia "/var/tomcat/webapps/alesia" <directory "/var/tomcat/webapps/alesia"> - <br> - <Directory "/var/tomcat/webapps/alesia"></directory><br> - <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </directory> - <br> - </Directory> <br> - <br> - JkMount /alesia/servlet/* ajp13 <br> - JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br> - </location><br> - <Location "/alesia/WEB-INF/"><br> - AllowOverride None<br> - Deny from all<br> - </Location> </font></p> -<p><font face="Courier New, Courier, 
mono" size="-1"></VirtualHost></font><virtualhost _default_:443></virtualhost></p> + care of setting these JK variables outside VirtualHost directives:</p> + +<pre>JkWorkersFile /etc/httpd/conf/workers.properties +JkLogFile /var/log/httpd/mod_jk.log +JkLogLevel warn +</pre> + +<p>The JK redirect stuff could be set in virtual hosts: <virtualhost + _default_:443></p> + +<pre><VirtualHost _default_:443> +SSLEngine on +SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +# other SSL stuff +Alias /alesia "/var/tomcat/webapps/alesia" + +<Directory "/var/tomcat/webapps/alesia"> + <Directory "/var/tomcat/webapps/alesia"></Directory> + <Directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks +</Directory> +</Directory> + +JkMount /alesia/servlet/* ajp13 +JkMount /alesia/*.jsp ajp13 + +<Location "/alesia/WEB-INF/"> +</Location> + +<Location "/alesia/WEB-INF/"> + AllowOverride None + Deny from all +</Location> + +</VirtualHost> +<!-- + +<virtualhost _default_:443></virtualhost> +--> +</pre> + <hr> -<h2><a name=s6>SSL direct</a></h2> -<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For - more informations about SSL and certificates, I suggest you could take a look - at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation) - and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p> -<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration file</font></a></h3> + +<h2><a name=s6>Direct SSL</a></h2> + +<p>If you want tomcat to serve HTTP/SSL (https) directly, you need to + create a SSL certificate. 
For more information about SSL and + certificates, I suggest you could take a look at <a + href="http://www.openssl.org">OpenSSL</a> (Open Source SSL + implementation) and <a href="http://www.modssl.org">mod_ssl</a> (SSL + support for Apache)</p> + +<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration + file</font></a></h3> + <blockquote> <p> To use the HTTP with SSL connector in tomcat, verify that it is activated in server.xml</p> - <p><font face="Courier New, Courier, mono" size="-1"><Connector className="org.apache.tomcat.service.PoolTcpConnector"><br> - <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/><br> - <Parameter name="port" value="8443"/><br> - <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" - /><br> - <Parameter name="keystore" value="/var/tomcat/conf/keystore" /></font><font face="Courier New, Courier, mono" size="-1"> - <br> - <Parameter name="keypass" value="changeit"/><br> - <Parameter name="clientAuth" value="true"/> <br> - </Connector> </font></p> - <p>In this example we indicate the keystore is file <b>/var/tomcat/conf/keystore</b>. - The keystore password is <b>changeit</b> and we want client to authentificate.</p> - <blockquote> </blockquote> + +<pre><Connector className="org.apache.tomcat.service.PoolTcpConnector"> +<Parameter name="handler" +value="org.apache.tomcat.service.http.HttpConnectionHandler"/> +<Parameter name="port" value="8443"/> +<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/> +<Parameter name="keystore" value="/var/tomcat/conf/keystore" /> +<Parameter name="keypass" value="changeit"/> +<Parameter name="clientAuth" value="true"/> +</Connector> +</pre> + +<p>In this example we indicate the keystore is file + <strong>/var/tomcat/conf/keystore</strong>. 
+ The keystore password is <strong>changeit</strong> and we want + clients to authentificate.</p> </blockquote> + <h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3> + <blockquote> - <p>I succeed (at least) with my IBM JDK 1.3 after : </p> + <p>I succeed (at least) with my IBM JDK 1.3 after:</p> </blockquote> + <ul> - <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext - (JAVA > 1.2)<br> - </b><br> + <li>jsse jars <strong>MUST BE IN BOTH CLASSPATH</strong> and + <strong>$JAVA_HOME/jre/lib/ext + (JAVA > 1.2)</strong> </li> - <li> from server.xml doc.You _need_ to set up a server certificate if you want - this to work, and you need JSSE. <br> - <br> + <li>from server.xml doc.You _need_ to set up a server certificate if you want + this to work, and you need JSSE. <ul> - <li> Add JSSE jars to CLASSPATH </li> - <li> Edit $JAVA_HOME/jre/lib/security/java.security Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li> - <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey - -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape - and IIS. Use "changeit" as password. ( or add keypass attribute ) You + <li>Add JSSE jars to CLASSPATH</li> + <li>Edit $JAVA_HOME/jre/lib/security/java.security<br> + Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li> + <li>Do: <code>keytool -genkey -alias tomcat -keyalg RSA</code><br> + RSA is essential to work with Netscape + and IIS. Use "changeit" as password (or add keypass attribute). You don't need to sign the certificate. 
You can set parameter keystore and - keypass if you want to change the default ( user.home/.keystore with changeit - )<br> - <br> - </li> + keypass if you want to change the default + ($HOME/.keystore with changeit)</li> </ul> </li> - <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext - and then add them to CLASSPATH export <br> - <br> - <font size="-1" face="Courier New, Courier, mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH - export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br> + <li>I suggest you install jcert.jar, jnet.jar and jsse.jar in + $JAVA_HOME/jre/lib/ext + and then add them to your CLASSPATH export <br> <br> - You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically - added to CLASSPATH at tomcat startup (tomcat.sh).</li> + +<pre>CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH +export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH +export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH +</pre> + + You could also copy the 3 jars into $TOMCAT_HOME/lib/ so they are + under the existing CLASSPATH at tomcat startup (tomcat.sh).</li> </ul> -<p> </p> + <h3><a name=s63>Importing SSL certificates</a></h3> -<p>It's possible to import certificates generated with <a href="http://www.openssl.org">OpenSSL</a>. - Here are the steps needed to generate such certs with OpenSSL : </p> + +<p>It's possible to import certificates generated with <a + href="http://www.openssl.org">OpenSSL</a>. 
Here are the steps needed + to generate such certs with OpenSSL:</p> + <ul> - <li>To generate a new request and a new key <br> - <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem -keyout KEY.pem</font> </pre> - </li> + <li>To generate a new request and a new key<br> + <code>openssl req -new -out REQ.pem -keyout KEY.pem</code></li> <li>To generate a self signed x509 certificate from a certificate request using - a supplied key, and we want to see the text form of the output certificate - (which we will put in the file selfSign.pem - <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509 -in - REQ.pem -key KEY.pem -out CERT.pem</font> </p> - </li> - <li>Verify that the signature is correct on a certificate request. - <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in - REQ.pem</font> </p> - </li> - <li>Verify that the signature was made using a specified public key - <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in - REQ.pem -key KEY.pem</font> </p> - </li> - <li>Print the contents of a certificate request - <p><font face="Courier New, Courier, mono" size="-1">openssl req -text -in - REQ.pem</font> </p> - </li> - <li>To import the CERT in keystore, you just do next : - <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v -trustcacerts - -alias tomcat -file</font> <font size="-1" face="Courier New, Courier, mono">CERT.pem</font> - </p> - </li> + a supplied key, and see the text form of the output certificate + (which we will put into the file selfSign.pem<br> + <code>openssl req -x509 -in REQ.pem -key KEY.pem -out + CERT.pem</code></li> + <li>Verify that the signature is correct on a certificate request.<br> + <code>openssl req -verify -in REQ.pem</code></li> + <li>Verify that the signature was made using a specified public key<br> + <code>openssl req -verify -in REQ.pem -key KEY.pem</code></li> + <li>Print the contents of a certificate request<br> + 
<code>openssl req -text -in REQ.pem</code></li> + <li>To import the CERT in keystore, just:<br> + <code>keytool -import -v -trustcacerts -alias tomcat -file + CERT.pem</code></li> </ul> + <hr> + <h2><a name=s7>Credits</a></h2> + <p>This document was created by <a href="mailto:[EMAIL PROTECTED]">Gomez Henri</a>. Thanks to [EMAIL PROTECTED] for import info. Feel free to contact me for more updates.</p> + <table width="100%" border="0" cellpadding="10" cellspacing="0"> <tr> <td> @@ -265,6 +317,7 @@ </td> </tr> </table> + </body> </html> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
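Review bot: in the rewritten "Building tomcat with SSL support" paragraph of hunk @@ -45,41 +46,61 @@, `to avoid conflict in jar` is still ungrammatical and the spelling of the product name flips within the same paragraph (`rebuild tomcat`, `Tomcat needs`, `tomcat will check`); suggest `to avoid conflicts between jars` and one capitalisation throughout. The new author line `<p>By Gomez Henri <tt><<a href="mailto:...">` puts the e-mail address in literal angle brackets; if those are not written as `&lt;` and `&gt;` entities in the file, the browser will read the inner `<` as the start of a tag and drop the address, which is the same class of breakage this cleanup is meant to remove.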
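Review bot: the rewritten sentence in hunk @@ -98,8 +119,10 @@, `you can set SSL variables from the following JK variables`, ends without punctuation before the list it introduces; end it with a colon. It also states the relationship backwards: as the comments in the following httpd.conf example show (`# What is the indicator for SSL (default is HTTPS)`), the Jk*Indicator directives tell mod_jk which Apache environment variable to read for each SSL attribute, so `tell mod_jk which environment variables to read, using the following JK directives:` would describe the list accurately.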
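Review bot: the new `<VirtualHost _default_:443>` `<pre>` block in hunk @@ -107,153 +130,182 @@ carries over the corrupted nesting from the removed `<font>` version instead of fixing it: `<Directory "/var/tomcat/webapps/alesia">` is opened three times (two of them nested inside the first), an empty `<Location "/alesia/WEB-INF/">` `</Location>` pair precedes the real one, and a commented-out `<virtualhost _default_:443></virtualhost>` is appended at the end, so a reader who copies this into httpd.conf gets a configuration Apache will reject. It should collapse to one `<Directory "/var/tomcat/webapps/alesia">` block containing `Options Indexes FollowSymLinks` and one `<Location "/alesia/WEB-INF/">` block with `AllowOverride None` and `Deny from all`. The lowercase `<virtualhost>`, `<directory>` and `<location>` tags in the removed lines are exactly what an HTML editor makes of unescaped Apache container directives, so inside these `<pre>` blocks (and the `<Connector>`/`<Parameter>` block in the server.xml section) the angle brackets should be written as `&lt;` and `&gt;`, or the next editing pass will mangle them again. Since the block is presented as a recommended configuration, the `SSLCipherSuite` line also deserves a trim or at least a comment: `+LOW:+SSLv2:+EXP:+eNULL` explicitly admits SSLv2, export-grade and null-encryption ciphers, so a client can negotiate a connection to the "secured" webapps with no encryption at all; a how-to should not recommend `eNULL`. Smaller leftovers this cleanup could pick up in the same hunk: `cipher suit` and `certificated` in the JkCIPHERIndicator/JkCERTSIndicator comments, `authentificate`, `doc.You` (missing space), the lowercase sentence start `here is an example`, the `<font size="+1">` that survives inside the `s61` heading after every other `<font>` tag was removed, and the unbalanced parenthesis in `(which we will put into the file selfSign.pem`, which also names selfSign.pem while the command on the next line writes `CERT.pem`.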