By Gomez Henri <firstname.lastname@example.org>
Tomcat can use SSL directly (via an HTTP connector supporting SSL) or via an SSL-capable Apache (Apache-SSL or apache+mod_ssl) with the mod_jk connector.
If you want to rebuild tomcat with SSL, be careful of your CLASSPATH. I used to clear the CLASSPATH environment variable to avoid conflict in jar. A common cause of conflict is XML parsers (xerces & jaxp). Tomcat needs a recent XML parser like the Apache Group's xerces 1.1.2 or Sun's jaxp 1.0.1.
At build time, (via ant), tomcat will check for some libs and will then include various options, possibly including SSL support. If you have the JSSE 1.0.2 jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). Tomcat will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar). This software COULDN'T BE INCLUDED in tomcat. You'll have to go to the jsse home page and download the domestic (US/Canada) or global archive from there. Then copy the 3 jars into tomcat's runtime classpath lib ($TOMCAT_HOME/lib).
If you use Apache with SSL (Apache-SSL or apache+mod_ssl) and the JkExtractSSL directive in httpd.conf, the apache connector mod_jk will be able to pass some SSL information to tomcat.
This information is:
|HTTPS||apache redirect to tomcat from an SSL area|
|SSL_SESSION_ID||SSL session ID|
|SSL_CIPHER||SSL CIPHER used|
|SSL_CLIENT_CERT||SSL Certificate of client|
Since Apache-SSL and apache+mod_ssl use different environment variables, you can set SSL variables from the following JK variables
here is an example of directives to include in httpd.conf for use with mod_ssl:
# Should mod_jk send SSL information to Tomcat (default is On) JkExtractSSL On # What is the indicator for SSL (default is HTTPS) JkHTTPSIndicator HTTPS # What is the indicator for SSL session (default is SSL_SESSION_ID) JkSESSIONIndicator SSL_SESSION_ID # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) JkCIPHERIndicator SSL_CIPHER # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) JkCERTSIndicator SSL_CLIENT_CERT
When using mod_jk with Apache & mod_ssl it is essential to specify
"SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file.
Otherwise mod_ssl will not produce the necessary environment variables for mod_jk. (Tilo Christ <email@example.com>)
Warning: Even if mod_jk supports both ajp12 (the old version from Apache JServ) and ajp13, only ajp13 can forward SSL information to tomcat.
mod_jk seems to support the VirtualHost directive of Apache. It's especially
useful when using apache+mod_ssl with tomcat.
This config will easily secure your webapps via Apache SSL support. Just take care of setting these JK variables outside VirtualHost directives:
JkWorkersFile /etc/httpd/conf/workers.properties JkLogFile /var/log/httpd/mod_jk.log JkLogLevel warn
The JK redirect stuff could be set in virtual hosts: <virtualhost _default_:443>
<VirtualHost _default_:443> SSLEngine on SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # other SSL stuff Alias /alesia "/var/tomcat/webapps/alesia" <Directory "/var/tomcat/webapps/alesia"> <Directory "/var/tomcat/webapps/alesia"></Directory> <Directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </Directory> </Directory> JkMount /alesia/servlet/* ajp13 JkMount /alesia/*.jsp ajp13 <Location "/alesia/WEB-INF/"> </Location> <Location "/alesia/WEB-INF/"> AllowOverride None Deny from all </Location> </VirtualHost>
If you want tomcat to serve HTTP/SSL (https) directly, you need to create a SSL certificate. For more information about SSL and certificates, I suggest you could take a look at OpenSSL (Open Source SSL implementation) and mod_ssl (SSL support for Apache)
To use the HTTP with SSL connector in tomcat, verify that it is activated in server.xml<Connector className="org.apache.tomcat.service.PoolTcpConnector"> <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/> <Parameter name="port" value="8443"/> <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/> <Parameter name="keystore" value="/var/tomcat/conf/keystore" /> <Parameter name="keypass" value="changeit"/> <Parameter name="clientAuth" value="true"/> </Connector>
In this example we indicate the keystore is file /var/tomcat/conf/keystore. The keystore password is changeit and we want clients to authentificate.
I succeed (at least) with my IBM JDK 1.3 after:
keytool -genkey -alias tomcat -keyalg RSA
CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATHYou could also copy the 3 jars into $TOMCAT_HOME/lib/ so they are under the existing CLASSPATH at tomcat startup (tomcat.sh).
It's possible to import certificates generated with OpenSSL. Here are the steps needed to generate such certs with OpenSSL:
openssl req -new -out REQ.pem -keyout KEY.pem
openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem
openssl req -verify -in REQ.pem
openssl req -verify -in REQ.pem -key KEY.pem
openssl req -text -in REQ.pem
keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
This document was created by Gomez Henri. Thanks to firstname.lastname@example.org for import info. Feel free to contact me for more updates.