Friday, May 29, 2015

Configuring Apache and Tomcat with SSL/TLS, Launch HTTPS Website

With a secure web server, clients can connect knowing both that the server is who it claims to be and that the session is encrypted, so their data is protected in transit (TLS says nothing about what the server does with the data once it has arrived).
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the protocols that cryptographically secure traffic between a web browser and a web server. The name "SSL" survives in module and directive names such as mod_ssl and SSLEngine, although the protocol versions actually negotiated are TLS. In most cases only the server end is authenticated, which means the client has a guarantee that the server is who it claims to be, but not vice versa: the server learns nothing about the client's identity unless client certificates are required.
This article shows how to launch a web server with SSL, using Apache httpd and Tomcat as the examples.

Creating a Certificate


The first step is certificate creation. To get a certificate signed by a CA such as Verisign, you first need to create a key pair and a certificate signing request (CSR):
$ openssl req -new -newkey rsa:4096 -keyout key.pem -out csr.pem
The command generates a private key (key.pem; openssl prompts for a passphrase and encrypts the key with it) and a certificate request (csr.pem, PEM format, containing the public key and the requested subject name, signed with the private key), but not a certificate. Only the CSR goes to the CA. The private key never leaves your server: anyone who obtains key.pem can impersonate your site for as long as the certificate is valid.

Note

You can protect the private key with a passphrase or leave it unencrypted. The major disadvantage of a passphrase is that it must be typed every time the web server starts up, so the server cannot start unattended or automatically on boot, for example after a power cut. Depending on your setup, this may or may not matter. To remove the passphrase, use this command (it asks for the current passphrase once):
openssl rsa -in key.pem -out server.key
The resulting server.key is an unencrypted private key. Restrict it to mode 0600, owned by root: Apache reads it as root at start-up before dropping privileges, and anyone else who can read the file holds the server's identity.

Note

PEM is not itself a certificate but a text container. An ASN.1 structure (an X.509 certificate, a CSR, or a private key) is encoded with DER (Distinguished Encoding Rules), then Base64-encoded, wrapped at 64 columns and placed between plain-text anchor lines that name the contents: BEGIN/END ENCRYPTED PRIVATE KEY for a passphrase-protected key, BEGIN/END CERTIFICATE REQUEST for the CSR, and BEGIN/END CERTIFICATE for the certificate. The same objects can also be stored as raw binary DER (usually .der or .cer files); the anchor lines are how you tell which is which.
The next stage is to send the csr.pem file to the CA. The CA signs your CSR and returns the certificate; save it as server.crt. Most CAs also return one or more intermediate CA certificates. Keep them: the server has to send them together with its own certificate, or clients cannot build a chain to a trusted root.
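As an added example (not code from the original post), the key-pair and CSR step above done non-interactively, together with the checks worth running before the CSR goes to the CA: that the CSR's signature verifies, that the public key inside it belongs to your private key, and that each .pem file is what its anchor line says. The subject, the passphrase "changeit" and the file names are placeholders; BITS defaults to the post's 4096.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key + CSR creation
# and the checks to run before sending the CSR to the CA.
# Assumptions: subject, passphrase "changeit" and file names are placeholders;
# BITS defaults to 4096 as in the post (export BITS=2048 for a quicker run).
set -eu

# make_key_and_csr <key.pem> <csr.pem> <subject> <passphrase>
# The post's `openssl req -new -newkey rsa:4096 ...`, with -subj and -passout so
# nothing is prompted for. The private key is written encrypted under <passphrase>.
make_key_and_csr() {
  openssl req -new -newkey "rsa:${BITS:-4096}" -keyout "$1" -out "$2" \
    -subj "$3" -passout "pass:$4" >/dev/null 2>&1
}

# strip_passphrase <key.pem> <server.key> <passphrase>
# The post's `openssl rsa -in key.pem -out server.key`. The output is a plaintext
# key, so it is created with 0600 permissions from the start (umask in a subshell).
strip_passphrase() {
  ( umask 077; openssl rsa -in "$1" -passin "pass:$3" -out "$2" >/dev/null 2>&1 )
}

# csr_matches_key <csr.pem> <server.key>
# 1) verify the CSR's self-signature (a corrupted or hand-edited CSR fails here);
# 2) check that the public key inside the CSR is the one derived from the private
#    key, so the certificate the CA returns will actually be usable with it.
# Prints "match" or "mismatch"; non-zero exit on any failure.
csr_matches_key() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || { echo "bad-csr"; return 1; }
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$csr_pub" = "$key_pub" ]; then
    echo "match"
  else
    echo "mismatch"
    return 1
  fi
}

# csr_subject <csr.pem>: the distinguished name the CA will put in the certificate.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# pem_label <file>: the label from the first PEM anchor line, e.g. "CERTIFICATE
# REQUEST" or "ENCRYPTED PRIVATE KEY"; tells you what a .pem holds before you
# upload it somewhere.
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Usage (placeholder subject):
#   make_key_and_csr key.pem csr.pem "/C=US/O=Example Ltd/CN=www.example.com" changeit
#   strip_passphrase key.pem server.key changeit
#   csr_matches_key csr.pem server.key && csr_subject csr.pem
```

The public-key comparison is the check that catches the most common deployment mistake, a CSR generated from one key and a server configured with another; the CA cannot detect that for you.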

Configuring Apache 2 with SSL


1. Make sure mod_ssl is installed in Apache, i.e. check that this file exists:
/etc/httpd/modules/mod_ssl.so

2. If it is missing and the OS is CentOS, install it with:
# yum install mod_ssl

3. Upload your private key server.key and certificate server.crt to the Linux server, for example to:
/etc/httpd/certs/server.crt
/etc/httpd/certs/server.key
Keep server.key readable by root only (mode 0600); the certificate is public and can stay world-readable.

4. Edit /etc/httpd/conf.d/ssl.conf and change the certificate and key paths.
Default settings:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Change it to:
SSLCertificateFile /etc/httpd/certs/server.crt
SSLCertificateKeyFile /etc/httpd/certs/server.key

5. Check the configuration (apachectl configtest), restart Apache, and visit the site at https://www.yourdomain.com/. If the key and certificate do not belong together, mod_ssl reports the error at start-up instead of serving a broken site; if the key still has a passphrase, Apache prompts for it at every start.

Note

If the Apache server is not dedicated to one domain/website, configure a <VirtualHost> for each website and specify each website's certificate and key inside its own <VirtualHost>. A sample for www.gtdreport.com is listed below.
<VirtualHost 173.255.218.15:443>
    DocumentRoot /var/www/gtd
    ServerName www.gtdreport.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/server.key
    ErrorLog logs/gtdreport-error_log
    CustomLog logs/gtdreport-access_log combined
</VirtualHost>
Two things the sample leaves at mod_ssl's defaults are worth setting explicitly. SSLProtocol should keep SSLv2 and SSLv3 disabled (SSLv3 has been broken since POODLE in October 2014). If the CA issued intermediate certificates, point SSLCertificateChainFile at them, or, on Apache 2.4.8 and later, append them to the file named by SSLCertificateFile; without the chain, browsers that do not already have the intermediate cached show a trust warning. Serving several HTTPS sites on one IP address relies on SNI, which current browsers and Apache 2.2.12 or later support; the sample binds to a fixed address, which is what older deployments needed.
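As an added example, not part of the original post: the checks to run on the uploaded server.crt and server.key before restarting Apache (steps 3 to 5 above), plus a probe of the live site afterwards. Paths are passed as arguments; the post's are /etc/httpd/certs/server.crt and /etc/httpd/certs/server.key. The host names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-restart checks on the certificate
# and key, and a post-restart probe of what the server actually presents.
# Assumptions: file paths are arguments; host names in comments are placeholders.
set -eu

# cert_matches_key <server.crt> <server.key>
# mod_ssl refuses to start when the certificate's public key is not the one
# belonging to the private key; compare both as SubjectPublicKeyInfo PEM.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$crt_pub" = "$key_pub" ]; then
    echo "match"
  else
    echo "mismatch"
    return 1
  fi
}

# cert_valid_for_days <server.crt> [days]
# Succeeds only if the certificate is still valid <days> (default 30) from now;
# run it from cron so renewal happens before browsers start failing.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# cert_dns_names <server.crt>
# Prints the subject CN and every subjectAltName DNS entry, one per line.
# The ServerName of the <VirtualHost> must be among them or clients will warn.
cert_dns_names() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# probe_site <host> [port]
# After the restart: connect with SNI (what browsers do) and print the leaf
# certificate the server really sent. Needs network, so the self-check below
# does not exercise it. Usage: probe_site www.example.com
probe_site() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Usage (the post's paths):
#   cert_matches_key /etc/httpd/certs/server.crt /etc/httpd/certs/server.key
#   cert_valid_for_days /etc/httpd/certs/server.crt 30 || echo "renew soon"
#   cert_dns_names /etc/httpd/certs/server.crt
```

If probe_site shows a different subject from cert_dns_names, the request reached another <VirtualHost> (wrong address binding, or SNI not honoured); if the issuer is your own CA but browsers still warn, the intermediate chain is missing.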


Configuring Tomcat with SSL


Edit TOMCAT_HOME/conf/server.xml and add a connector like this (these are the attributes of Tomcat's JSSE connector; sslProtocol="TLS" leaves the protocol versions to the JVM, and clientAuth="false" means the server is authenticated but the client is not, as described at the top of this article):
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12" keystoreFile="/etc/server.pkcs12"
           keystorePass="changeit" />
On Linux, binding port 443 requires root; run Tomcat as an unprivileged user and redirect port 443 to a high port (or use authbind) rather than running it as root.
The remaining question is how to produce server.pkcs12. Tomcat reads a Java keystore, and PKCS#12 is the format both OpenSSL and Java understand, so bundle the certificate and the private key with:
$ openssl pkcs12 -export -in server.crt -inkey key.pem -out server.pkcs12

You are prompted for the passphrase of key.pem and then for an export password. The export password protects server.pkcs12 and must be the same value as keystorePass in server.xml. Because server.xml now contains that password in clear text, restrict the file's permissions, and do not use "changeit" (the JDK's well-known default) in production. If the CA gave you intermediate certificates, add them with -certfile so Tomcat sends the whole chain.
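As an added example, not from the original post: building server.pkcs12 for the Tomcat connector without interactive prompts, with optional inclusion of the CA's intermediate chain, and confirming what went into the bundle before server.xml is pointed at it. Passwords and the alias "tomcat" are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive PKCS#12 export for
# Tomcat and checks on the result. Passwords and the alias "tomcat" are placeholders.
set -eu

# make_pkcs12 <server.crt> <key.pem> <key passphrase> <out.p12> <export password> [chain.pem]
# The post's `openssl pkcs12 -export -in server.crt -inkey key.pem -out server.pkcs12`,
# with the two prompted passwords supplied as arguments. <export password> is the
# value for keystorePass. -name sets the PKCS#12 friendly name, which Java uses as
# the keystore alias (Tomcat's optional keyAlias attribute). <chain.pem> holds the
# CA's intermediate certificates, if any, so Tomcat sends the full chain.
# The bundle contains the private key, so it is created with 0600 permissions.
make_pkcs12() {
  crt=$1; key=$2; keypass=$3; out=$4; storepass=$5; chain=${6:-}
  ( umask 077
    if [ -n "$chain" ]; then
      openssl pkcs12 -export -in "$crt" -inkey "$key" -passin "pass:$keypass" \
        -certfile "$chain" -name tomcat -out "$out" -passout "pass:$storepass"
    else
      openssl pkcs12 -export -in "$crt" -inkey "$key" -passin "pass:$keypass" \
        -name tomcat -out "$out" -passout "pass:$storepass"
    fi )
}

# p12_cert_count <file.p12> <export password>
# Number of certificates in the bundle: 1 for a lone server certificate, more
# when the chain was included. Prints 0 (and fails) on a wrong password.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_key <file.p12> <export password>
# Checks that a private key is present and that the password opens the store.
# The key is re-encrypted on the way out (-passout) so no plaintext key reaches stdout.
p12_has_key() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$2" 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then
    echo "yes"
  else
    echo "no"
    return 1
  fi
}

# Usage (add chain.pem as the sixth argument if the CA sent intermediates):
#   make_pkcs12 server.crt key.pem changeit server.pkcs12 changeit
#   p12_cert_count server.pkcs12 changeit
#   p12_has_key server.pkcs12 changeit
```

One compatibility caveat: OpenSSL 3 protects PKCS#12 bundles with AES and PBKDF2 by default, which older Java runtimes cannot read; if Tomcat reports it cannot open the keystore, OpenSSL 3's -legacy option to pkcs12 -export produces the older encryption those runtimes expect.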

Self-Signed Certificate

If you cannot get a certificate signed by a CA, you can create a self-signed certificate instead. Browsers will warn about it, because no trusted CA vouches for it, so it suits testing and internal systems rather than a public site.
Please see this page:


Java-Rep2excel with SSL

Java-Rep2excel v1.64 supports SSL.

Edit rep2excel.properties and add the SSL configuration:

# Sample for SSL
# sslPort, optional.
# keystoreFile, required, path of keystore file. for example: C:\\certificate-gtdreport\\server.jks
# keystoreType, required, options: JKS/JCEKS/PKCS12/BKS/UBER
#
#sslPort=443
#keystoreFile=server.pkcs12
#keystorePass=changeit

#keystoreType=PKCS12

About the Author


Williams Voon, experienced Java programmer. Chief system analyst of three products: Rep2excel, the EasyHA System Monitoring Tool and GTD Excel Report Server.

