By Gomez Henri <hgomez@slib.fr>
Tomcat can use SSL directly (via an HTTP connector supporting SSL) or through an SSL-enabled Apache (Apache-SSL or apache-mod_ssl) with the mod_jk connector.
If you want to rebuild Tomcat with SSL, be careful with your CLASSPATH. I used to clear the CLASSPATH env var to avoid jar conflicts. A common case of conflict is the XML parsers (xerces & jaxp): Tomcat needs a recent XML parser such as Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.
At build time (via ant), Tomcat checks for some libraries and then includes more or fewer options accordingly. This is the case for SSL support: if the JSSE 1.0.2 jars are in your CLASSPATH, Tomcat is built with SSL support (SSLSocketFactory) and uses the JSSE jars (jcert.jar, jsse.jar, jnet.jar). This software CANNOT BE INCLUDED in Tomcat. You have to go to the JSSE home page and download the domestic (US/Canada) or global archive from there, then copy the 3 jars into Tomcat's runtime classpath lib ($TOMCAT_HOME/lib).
If you use Apache with SSL (apache-ssl or apache-mod_ssl), the Apache connector mod_jk is able to forward some SSL information to Tomcat if the JkExtractSSL directive is present in your httpd.conf.
The information forwarded is:
HTTPS           | Apache redirected to Tomcat from an SSL area
SSL_SESSION_ID  | SSL session ID
SSL_CIPHER      | SSL cipher used
SSL_CLIENT_CERT | SSL certificate of the client
Since apache-ssl and apache-mod_ssl use different env vars, you can adapt the SSL vars via the following JK directives. Here is an example of the directives to include in httpd.conf for use with mod_ssl:
# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT
When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file. Otherwise mod_ssl will not produce the necessary environment variables for mod_jk. (Tilo Christ <tilo.christ@med.siemens.de>)
Warning: even though mod_jk supports both ajp12 (the old version from ApacheJServ) and ajp13, only ajp13 can forward SSL information to Tomcat.
mod_jk seems to support Apache's VirtualHost directive. This is especially useful when using apache-mod_ssl with Tomcat.
This config easily secures your webapps via Apache SSL support. Just take care to set these jk vars outside VirtualHost directives:
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel warn
The jk redirect directives can be set inside virtual hosts:
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# other SSL stuff
Alias /alesia "/var/tomcat/webapps/alesia"
<Directory "/var/tomcat/webapps/alesia">
</Directory>
JkMount /alesia/servlet/* ajp13
JkMount /alesia/*.jsp ajp13
<Location "/alesia/WEB-INF/">
AllowOverride None
Deny from all
</Location>
</VirtualHost>
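As an added example (not from the original HOWTO), the following Python checks an httpd.conf fragment for the three mod_jk/mod_ssl pitfalls described above: an SSL virtual host forwarding to Tomcat without "SSLOptions +StdEnvVars +ExportCertData", a JkMount on the ajp12 worker, and the global-only Jk directives placed inside a VirtualHost. The sample configuration and the check_jk_ssl function are constructed for this example.

```python
import re

# Constructed httpd.conf fragment (not from the original page): the first SSL vhost
# follows the HOWTO; the second lacks SSLOptions, nests JkLogLevel and uses ajp12.
SAMPLE_CONF = """\
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogLevel warn
<VirtualHost _default_:443>
SSLEngine on
SSLOptions +StdEnvVars +ExportCertData
JkMount /alesia/servlet/* ajp13
</VirtualHost>
<VirtualHost 10.0.0.2:443>
SSLEngine on
JkLogLevel debug
JkMount /shop/*.jsp ajp12
</VirtualHost>
"""
GLOBAL_ONLY = {"jkworkersfile", "jklogfile", "jkloglevel"}  # must stay outside vhosts
NEEDED_OPTS = {"+stdenvvars", "+exportcertdata"}  # else mod_ssl exports no SSL vars


def check_jk_ssl(conf):
    findings, vhost, state = [], None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:  # start collecting facts about this vhost
            vhost, state = m.group(1), {"ssl": False, "opts": [], "workers": []}
        elif line.lower() == "</virtualhost>" and vhost is not None:
            if state["ssl"] and state["workers"]:  # SSL vhost forwarding to Tomcat
                if not NEEDED_OPTS <= set(state["opts"]):
                    findings.append(f"{vhost}: SSLOptions +StdEnvVars +ExportCertData missing")
                for w in state["workers"]:
                    if w != "ajp13":  # only ajp13 forwards SSL information
                        findings.append(f"{vhost}: JkMount worker {w} cannot forward SSL info")
            vhost = None
        elif vhost is not None:  # directive inside a vhost (case-insensitive)
            key, _, val = line.lower().partition(" ")
            if key == "sslengine" and val.strip() == "on":
                state["ssl"] = True
            elif key == "ssloptions":
                state["opts"] += val.split()
            elif key == "jkmount":
                state["workers"].append(val.split()[-1])
            elif key in GLOBAL_ONLY:
                findings.append(f"{vhost}: {line.split()[0]} must be set outside <VirtualHost>")
    return findings
```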
If you want Tomcat to run HTTP over SSL, you need to create an SSL certificate. For more information about SSL and certificates, I suggest you take a look at OpenSSL (open source SSL implementation) and mod_ssl (SSL support for Apache).
To use the HTTP-with-SSL connector in Tomcat, verify that it is activated in server.xml:
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
    <Parameter name="keystore" value="/var/tomcat/conf/keystore" />
    <Parameter name="keypass" value="changeit"/>
    <Parameter name="clientAuth" value="true"/>
</Connector>
In this example we indicate that the keystore is the file /var/tomcat/conf/keystore. The keystore password is changeit and we want clients to authenticate themselves (clientAuth).
I succeeded (at least) with my IBM JDK 1.3 after:
It is possible to import certificates generated with OpenSSL. Here are the steps needed to generate such certs with OpenSSL:
# generate a new private key and a certificate request
openssl req -new -out REQ.pem -keyout KEY.pem
# produce a self-signed certificate from the request
openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
# verify the request signature, optionally against the key
openssl req -verify -in REQ.pem
openssl req -verify -in REQ.pem -key KEY.pem
# display the request in text form
openssl req -text -in REQ.pem
# import the certificate into the Java keystore under the alias tomcat
keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
This document was created by Gomez Henri. Thanks to hgopal@cmcltd.com for the import info. Feel free to contact me for more updates.
Copyright ©1999-2000 The Apache Software Foundation