I am trying to evaluate an infrastructure for a customer on my local win32 machine. The infrastructure should be based on a J2EE webapp running on a Tomcat (6.0.20+), behind a secure Apache httpd (httpd-2.2.16/openssl-0.9.8) which only forwards those requests which are authorized (with a client certificate).

My approach was to solve the connection between Tomcat and Apache with mod_jk and the corresponding ajp13 protocol. The Tomcat (ajp13) is running on port 8099; I configured the workers.properties and my mod_jk.conf (and included it in httpd.conf). The connection works successfully. The httpd is running on port 80, the Tomcat runs its HTTP port under 8084. When sending an HTTP request to http://localhost/my-webapp-context, Tomcat answers and shows my webapp.
So far there are the following configuration files:
mod_jk.conf
LoadModule jk_module modules/mod_jk.so
#LoadModule ssl_module modules/mod_ssl.so
JkWorkersFile conf/workers.properties
JkShmFile logs/httpd/mod_jk.shm
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Every request is handed to the "balancer" worker from workers.properties
JkMount /* balancer
workers.properties
# Workers httpd instantiates and that JkMount may reference
# (mod_jk also accepts worker.list more than once; the lists are merged)
worker.list=jk-status,jk-manager,balancer
worker.jk-status.type=status
worker.jk-status.read_only=true
worker.jk-manager.type=status
# Load balancer in front of the two AJP nodes
worker.balancer.type=lb
worker.balancer.error_escalation_time=0
worker.balancer.max_reply_timeouts=10
worker.balancer.balance_workers=node1,node2
# Node definitions; both inherit the settings of worker.template
worker.node1.reference=worker.template
worker.node1.host=localhost
worker.node1.port=8109
worker.node1.activation=A
worker.node2.reference=worker.template
worker.node2.host=localhost
worker.node2.port=8099
worker.node2.activation=A
# Shared ajp13 settings (socket/ping/reply timeouts in milliseconds,
# connection_pool_timeout in seconds)
worker.template.type=ajp13
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3
As described, this works like a charm; now I have read several SSL tutorials. I already created a server.key (without private key because this seems to fail on the win32 platform) and a server.cer which is certified by our local certification authority. When it comes to the point of enabling mod_ssl I get several errors. I tried the following configuration:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile conf/server.cer
SSLCertificateKeyFile conf/server.key
</VirtualHost>
With this configuration I get the following error (where the CN is my computer name in the LAN; this is also the value I provided while generating the certificate). Apache refuses to start up with this configuration and shows me the listed error.

Update

Now I finally got Apache running with SSL and client certificates:
mod_jk_ssl.conf
LoadModule jk_module modules/mod_jk.so
LoadModule ssl_module modules/mod_ssl.so
JkWorkersFile conf/workers.properties
JkShmFile logs/httpd/mod_jk.shm
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
Listen 443
<VirtualHost *:443>
JkMount /* balancer
SSLEngine On
SSLCertificateFile conf/web.crt
SSLCertificateKeyFile conf/web.key
SSLCACertificateFile conf/exampleCA.crt
SSLVerifyClient require
SSLVerifyDepth 2
# Only evaluated when httpd is started with -DSSL
<IfDefine SSL>
SSLRequireSSL
# Continuation line needs the trailing backslash, otherwise httpd parses the second line as a directive
SSLRequire %{SSL_CLIENT_S_DN_O} eq "certification-authority" and \
           %{SSL_CLIENT_S_DN_OU} in {"BALVI"}
</IfDefine>
</VirtualHost>
Best Answer
Captain Obvious here. Did you give the my-computer-name exactly as it is, including the domain name? If not, re-create the key one more time.
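The two checks the updated vhost in the question relies on (SSLVerifyClient require against SSLCACertificateFile, then the SSLRequire test on the client DN) and the accepted answer's point about the server CN can be exercised offline with the openssl CLI. The script below is an added example and not part of the original post or of any Apache/Tomcat configuration; the CA name exampleCA, the client names alice, bob and mallory, and the host name myhost.example.lan are assumptions for illustration. It builds a throw-away CA plus a rogue CA, issues a server certificate and three client certificates, and then reproduces what mod_ssl would decide for each client.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away CA, a server
# certificate and three client certificates with the openssl CLI, then run the
# same checks the posted <VirtualHost *:443> relies on:
#   SSLVerifyClient require -> the client chain must verify against exampleCA.crt
#   SSLRequire ...          -> O must equal "certification-authority", OU must be BALVI
# CA name, client names and the host name below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
EXPECTED_HOST="myhost.example.lan"   # assumed FQDN of the httpd box (the accepted answer's point)

ca() {  # self-signed CA: $1 = file stem, $2 = subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue() {  # CA-signed leaf: $1 = file stem, $2 = subject, $3 = issuing CA stem
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" \
        -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

make_certs() {
    ca exampleCA "/O=certification-authority/CN=exampleCA"   # the CA httpd trusts
    ca rogueCA   "/O=certification-authority/CN=rogueCA"     # not in SSLCACertificateFile
    issue web     "/O=certification-authority/OU=servers/CN=$EXPECTED_HOST" exampleCA
    issue alice   "/O=certification-authority/OU=BALVI/CN=alice"   exampleCA  # should pass
    issue bob     "/O=certification-authority/OU=sales/CN=bob"     exampleCA  # chain ok, OU wrong
    issue mallory "/O=certification-authority/OU=BALVI/CN=mallory" rogueCA    # DN ok, chain wrong
}

dn_field() {  # $1 = cert, $2 = attribute; the value mod_ssl exposes as SSL_CLIENT_S_DN_<attr>
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n "s/^ *$2=//p" | head -n 1
}

verify_chain() {  # SSLVerifyClient require with SSLCACertificateFile conf/exampleCA.crt
    openssl verify -CAfile "$WORK/exampleCA.crt" "$1" >/dev/null 2>&1
}

policy_ok() {  # SSLRequire %{SSL_CLIENT_S_DN_O} eq "certification-authority" and %{SSL_CLIENT_S_DN_OU} in {"BALVI"}
    [ "$(dn_field "$1" O)" = "certification-authority" ] || return 1
    case "$(dn_field "$1" OU)" in
        BALVI) return 0 ;;   # add more patterns here to mirror a larger {...} set
        *)     return 1 ;;
    esac
}

accept_client() {  # both gates must pass, in the order httpd applies them
    if verify_chain "$1" && policy_ok "$1"; then return 0; fi
    return 1
}

server_cn_ok() {  # the accepted answer: the CN of web.crt must be the full host name
    [ "$(dn_field "$WORK/web.crt" CN)" = "$EXPECTED_HOST" ]
}

make_certs
for c in alice bob mallory; do
    if accept_client "$WORK/$c.crt"; then echo "$c.crt: accepted"; else echo "$c.crt: rejected"; fi
done
if server_cn_ok; then echo "web.crt CN matches $EXPECTED_HOST"; fi
```

bob's certificate shows why the two directives are not interchangeable: it verifies against the trusted CA, so SSLVerifyClient alone would let it through, and only the SSLRequire clause on OU rejects it; mallory's certificate has a matching DN but is rejected before the DN is even looked at. To check a real client certificate, point `verify_chain` at the CA file actually configured in SSLCACertificateFile and run the same two functions on the .crt.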