
SSL (https) configuration on tomcat

Introduction

When setting up SSL encryption for use with iGrafx Platform, the first question is whether there is a proxy between Tomcat and the end user, or whether Tomcat is contacted directly (which will usually not be possible on ports 80 or 443, the standard HTTP and HTTPS ports).

If Tomcat is contacted directly and no proxy is used, the HTTPS for Tomcat without proxy setup can be used without any changes. In the case where an Apache proxy sits between iGrafx Platform's Tomcat and the end user, the customer has to decide whether only the communication between the end user and the Apache proxy is secured, or whether both connections are secured. The former is by far the more frequent case, as the Apache proxy will often run on the same machine as Tomcat. See the reference section for a short guide on which proxy module to use with Apache, depending on the requirements (mod_proxy_http vs. mod_jk).

Once you've decided on a module, follow the instructions below for either mod_proxy_http or mod_jk/AJP.

Details

HTTPS for Tomcat without proxy

See the following Tomcat documentation to configure HTTPS without proxy:

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Here are some suggested, minimum configuration steps:

sudo apt-get install openjdk-7-jdk
/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -genkey -alias tomcat -keyalg RSA

Fill out the questions. For testing, use igrafx as the password.

vim ~/ice/apache-tomcat-7.0.42/conf/server.xml

Locate:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>

Add these two attributes to the Connector element:

keystoreFile="/home/igrafx/.keystore" keystorePass="igrafx"

Comment out:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
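The following script is an added example (not part of the original article and not iGrafx code) that checks a server.xml for the state the steps above leave it in: the 8443 Connector carries the keystore attributes and the TLS flags, and the AprLifecycleListener with SSLEngine="on" is really commented out rather than still active. The embedded server.xml is a constructed sample mirroring the edited file; the keystore path and the test password igrafx come from the text above.

```python
"""Check a Tomcat server.xml for the HTTPS-without-proxy settings described above.
Added example; the sample XML below is constructed, not a real deployment file."""
import xml.etree.ElementTree as ET

# Constructed sample: the 8443 connector with keystoreFile/keystorePass added,
# and the APR listener commented out as the guide instructs.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/igrafx/.keystore" keystorePass="igrafx" />
  </Service>
</Server>
"""

REQUIRED_TLS_ATTRS = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}
KEYSTORE_ATTRS = ("keystoreFile", "keystorePass")
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def audit_server_xml(xml_text, port="8443"):
    """Return a list of findings; an empty list means the connector looks consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # A commented-out listener is not an element at all, so any Listener that
    # survives parsing with SSLEngine="on" means APR/OpenSSL is still selected
    # and the JSSE keystore attributes on the connector will be ignored.
    for listener in root.iter("Listener"):
        if (listener.get("className") == APR_LISTENER
                and listener.get("SSLEngine", "").lower() == "on"):
            findings.append("AprLifecycleListener with SSLEngine=on is still active; comment it out")

    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return findings + [f"no Connector on port {port}"]

    for conn in connectors:
        for attr, expected in REQUIRED_TLS_ATTRS.items():
            if conn.get(attr, "").lower() != expected:
                findings.append(f"Connector {port}: {attr} should be {expected!r}")
        for attr in KEYSTORE_ATTRS:
            if not conn.get(attr):
                findings.append(f"Connector {port}: missing {attr}")
        # The guide's test password is fine for a lab, not for a real keystore.
        if conn.get("keystorePass") == "igrafx":
            findings.append(f"Connector {port}: keystorePass is the test password; change it before production")
    return findings


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
```

Run it against a real file with audit_server_xml(open("conf/server.xml").read()). Because comments vanish during XML parsing, the listener check is the reliable way to confirm the comment-out step took effect.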

HTTPS for Apache proxy using mod_proxy_http and https on Tomcat (both servers communicate using SSL)

Follow the steps in Setting up SSL for Apache Tomcat before continuing to set up SSL on Apache.

openssl genrsa -out icedemo.key 1024

(1024 bits is the size the original guide used; current practice is a minimum of 2048 bits for RSA keys.)

Option 1: Self signed

openssl req -new -key icedemo.key -out icedemo.csr
openssl x509 -req -days 365 -in icedemo.csr -signkey icedemo.key -out icedemo.crt

Option 2: Build a CA

For testing we could build our own CA infrastructure; further reading:

https://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

Configure Apache

sudo mkdir /etc/apache2/ssl
sudo cp ~/ssl/icedemo.crt /etc/apache2/ssl/
sudo cp ~/ssl/icedemo.key /etc/apache2/ssl/
sudo a2enmod ssl
sudo service apache2 restart
sudo vi /etc/apache2/sites-available/igrafxproxy.conf

Add:

<VirtualHost *:443>
    ServerName icedemo
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/icedemo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/icedemo.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
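The VirtualHost above turns off verification of Tomcat's certificate (SSLProxyVerify none and the three SSLProxyCheckPeer* off lines), which is what makes a self-signed backend certificate work but also means Apache will accept any certificate on port 8443. The script below is an added example, not from the article or iGrafx: it parses the directives of a VirtualHost, reports the settings that weaken the proxy, and carries a hardened variant beside the original that verifies the backend against a trust file. The two configs are constructed from the directives above; the trust-file path /etc/apache2/ssl/tomcat-backend.crt is a placeholder.

```python
"""Audit an Apache reverse-proxy VirtualHost for backend TLS verification.
Added example; both sample configs are constructed from the article's directives."""
import re

# Constructed: the article's VirtualHost as written. Backend verification is
# switched off, which is tolerable only while Tomcat runs a self-signed test cert.
SAMPLE_VHOST = """
<VirtualHost *:443>
    ServerName icedemo
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/icedemo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/icedemo.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
"""

# Constructed hardened variant: Apache verifies Tomcat's certificate against a
# trust file (placeholder path) instead of disabling the checks.
HARDENED_VHOST = SAMPLE_VHOST.replace(
    "    SSLProxyVerify none\n"
    "    SSLProxyCheckPeerCN off\n"
    "    SSLProxyCheckPeerName off\n"
    "    SSLProxyCheckPeerExpire off\n",
    "    SSLProxyVerify require\n"
    "    SSLProxyCACertificateFile /etc/apache2/ssl/tomcat-backend.crt\n",
)

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.+?)\s*$")


def parse_directives(text):
    """Map lower-cased directive names to (original name, value); the last one wins.
    Section tags such as <Proxy *> and # comments are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if not line.strip() or line.lstrip().startswith("<"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives[m.group(1).lower()] = (m.group(1), m.group(2))
    return directives


def _value(directives, name, default=""):
    return directives.get(name.lower(), (name, default))[1]


def audit_proxy_vhost(text):
    """Return findings that weaken the proxy; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    if _value(d, "ProxyRequests").lower() != "off":
        findings.append("ProxyRequests must be Off; otherwise the host is also an open forward proxy")
    if "https://" not in _value(d, "ProxyPass").lower():
        return findings  # plain-HTTP backend: the SSLProxy* directives do not apply
    if _value(d, "SSLProxyEngine").lower() != "on":
        findings.append("ProxyPass targets https:// but SSLProxyEngine is not On")
    if _value(d, "SSLProxyVerify", "none").lower() != "require":
        findings.append("SSLProxyVerify is not 'require': Tomcat's certificate is never verified")
    elif "sslproxycacertificatefile" not in d and "sslproxycacertificatepath" not in d:
        findings.append("SSLProxyVerify require needs SSLProxyCACertificateFile (or Path) for the backend cert")
    # Apache enables these checks by default; the article's config turns them off.
    for name in ("SSLProxyCheckPeerCN", "SSLProxyCheckPeerName", "SSLProxyCheckPeerExpire"):
        if _value(d, name, "on").lower() == "off":
            findings.append(f"{name} off: the backend certificate's identity/validity is not checked")
    return findings


if __name__ == "__main__":
    for label, cfg in (("article config", SAMPLE_VHOST), ("hardened config", HARDENED_VHOST)):
        print(label, audit_proxy_vhost(cfg) or "no findings")
```

For the hardened variant to work with the Tomcat keystore from the first section, the trust file must contain Tomcat's own self-signed certificate (a self-signed certificate is its own trust anchor), and the "first and last name" answered during keytool -genkey must match the host used in ProxyPass, since SSLProxyCheckPeerCN and SSLProxyCheckPeerName compare it against that name.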


See Also

WinHttp Error 12175