SSL configuration, Tomcat with Apache and mod_jk

Tags: apache-2.2, mod-jk, tomcat6

I am looking to configure SSL with tomcat 6 and apache web server, using the tomcat connector mod_jk. I am pretty new to this, so please bear with me.

I have an SSL certificate purchased and configured in Tomcat using a keystore file. It works perfectly if I access Tomcat directly via HTTPS. Now I need Apache in front of Tomcat. My question is: do I need to provide the certificate in both Tomcat and Apache, or just in Tomcat? Isn't Apache supposed to just pass the request on to Tomcat (using JkExtractSSL) and let it handle SSL authentication (verification of the certificate)?

If certificate paths need to be configured in both Apache and Tomcat, then I have cert.p7b and certreq.csr files, which are surely not Apache-compatible. Can you please tell me how I can do that?

I have the following configuration so far:

httpd.conf:

    LoadModule ssl_module modules/mod_ssl.so
    LoadModule jk_module modules/mod_jk.so
    JkWorkersFile /usr/local/apache2/conf/workers.properties
    JkShmFile     logs/mod_jk.shm
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkMount  /mywebapp/* worker1
    JkExtractSSL On
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    JkCERTSIndicator SSL_CLIENT_CERT

    <VirtualHost _default_:80>

       DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

       Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"
       <Directory "/var/lib/tomcat6/webapps/mywebapp">
         Options Indexes FollowSymLinks
         AllowOverride NONE
         Order allow,deny
         Allow from all
       </Directory>

      <Location "/mywebapp/WEB-INF/">
         AllowOverride None
         Deny from all
      </Location>

    </VirtualHost>
    Include conf/extra/httpd-ssl.conf

httpd-ssl.conf:

    <VirtualHost _default_:443>

       DocumentRoot "/var/lib/tomcat6/webapps/mywebapp"

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLOptions +StdEnvVars +ExportCertData

        Alias /mywebapp "/var/lib/tomcat6/webapps/mywebapp"
        <Directory "/var/lib/tomcat6/webapps/mywebapp">
           Options Indexes FollowSymLinks
           AllowOverride None
           Order allow,deny
           Allow from all
        </Directory>

        JkMount /mywebapp/* worker1

        <Location "/mywebapp/WEB-INF/">
           AllowOverride None
           Deny from all
        </Location>
     </VirtualHost>

Important to mention here: there are no SSLCertificateFile and SSLCertificateKeyFile directives configured in httpd-ssl.conf, as I am not sure whether they are needed in both Tomcat and the Apache web server. I already have the certificate configured in Tomcat using a keystore file.

Best Answer

SSL is used to encrypt communications between a client and your web service. If you are putting Apache in front of Tomcat, then you need to configure Apache with the SSL certificate, and you don't need it at all for Tomcat, because Apache is handling all of the client communication.

> If certificate paths need to be configured in both Apache and Tomcat, then I have cert.p7b and certreq.csr files, which are surely not Apache-compatible. Can you please tell me how I can do that?

The .csr file is your certificate request and is not important.

This question has links that will help you convert your .p7b file into a PEM-encoded certificate for use with Apache.

You can also export the PEM-encoded certificate from your keystore using the -exportcert command:

    keytool -exportcert -keystore <keystore> -alias <alias> | openssl x509 -inform der

The JkExtractSSL directive tells Apache to pass some SSL related information to Tomcat. According to this document, that includes the following environment variables:

  • SSL_CIPHER
  • SSL_CIPHER_USEKEYSIZE
  • SSL_SESSION_ID
  • SSL_CLIENT_CERT_CHAIN_n