Sunday, September 9, 2012

SSL Offloading with mod_jk part 2


Document  Version 1.0
Keywords:
SSL Offloading, SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, multiple SSL certificates one ip


In part 1, we created a sample web application TestWebSec20 and could successfully access the servlet "HalloNormal".
Now we will try to access the "HalloSec" servlet. The "HalloSec" servlet is declared to be accessed via the URL pattern "/secure/HalloSec", so we put the following URL into the browser's address bar:

http://localhost:8080/TestWebSec20/HalloSec


We get an error like "..can not connect to localhost...". When we have a look at Tomcat's log, we see that Tomcat logged a fatal error at startup (which we ignored in part 1):

java.io.FileNotFoundException: /home/xx/.keystore (No such file or directory)


This is because Tomcat detected that a resource is protected with HTTPS, so it tries to load the SSL keystore (the keystore is needed by JAAS) from the user's home directory (on Linux). But for a default Tomcat installation there is no keystore file available yet.

Create and configure keystore for Tomcat

Creating keystore

In the standard JDK package there is "keytool" under JAVA_HOME/bin/. This keytool can be used to create a keystore for Tomcat/JAAS. Run the following command:

keytool -genkey -alias localhost -keyalg RSA -keystore /opt/local_keystore/localhost_keystore
  

Now a keystore file named "localhost_keystore" has been created (with the password "test1234"; we will need this password to configure Tomcat SSL).
Here, instead of the default ".keystore" location, we used a custom keystore location and keystore name. Now we need to configure Tomcat's SSL connector in server.xml:


...
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/local_keystore/localhost_keystore" keystorePass="test1234"/>
...
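As an added example (not from the original post), a small Python check over a server.xml that catches the two problems this part runs into: an SSL connector whose keystore file does not exist (or whose keystoreFile is not set at all, so Tomcat falls back to ~/.keystore), and a keystore password left at the well-known default or stored in clear text in the config. The server.xml below is constructed; the port 8443 connector copies the configuration above.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml. The 8443 connector is the configuration from
# this post; the 9443 connector omits keystoreFile, so Tomcat would fall back
# to ~/.keystore and fail at startup with the FileNotFoundException shown above.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/local_keystore/localhost_keystore"
               keystorePass="test1234"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Tomcat's fallback when keystoreFile is not configured.
DEFAULT_KEYSTORE = os.path.join(os.path.expanduser("~"), ".keystore")


def check_ssl_connectors(server_xml, path_exists=os.path.exists):
    """Return {port: [findings]} for every SSLEnabled connector.

    path_exists is injectable so a server.xml copied from another host
    can be checked without touching the local filesystem.
    """
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        keystore = conn.get("keystoreFile")
        if keystore is None:
            keystore = DEFAULT_KEYSTORE
            findings.append("keystoreFile not set; Tomcat will use " + keystore)
        if not path_exists(keystore):
            findings.append("keystore missing: " + keystore)
        password = conn.get("keystorePass")
        if password == "changeit":
            findings.append("keystorePass is the default 'changeit'")
        if password is not None:
            findings.append("keystorePass is clear text in server.xml; restrict file permissions")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in check_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```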


Start Tomcat and try accessing the secured servlet again:



Browser is redirected to HTTPS, and we need to confirm the SSL certificate:

Click the left side area of the browser's address bar to show the certificate. It is the certificate we just created! Successful!!

