SSL (https) configuration on tomcat


Introduction

When setting up SSL encryption for iGrafx Platform, the first question is whether end users contact Tomcat directly or through a proxy. Direct access on the standard ports 80 (HTTP) and 443 (HTTPS) will usually not be possible, because those ports are privileged and Tomcat normally runs as an unprivileged user; by default it listens on 8080 and 8443 instead.

If Tomcat is contacted directly and no proxy is used, the HTTPS for Tomcat without proxy setup below can be used without any changes. If an Apache proxy sits between iGrafx Platform's Tomcat and the end user, you have to decide whether only the connection between the end user and the Apache proxy is secured, or both connections (end user to Apache, and Apache to Tomcat). The former is by far the more frequent case, because the Apache proxy will often run on the same machine as Tomcat, so the second hop never leaves the host. See the reference section for a short guide on which proxy module to use with Apache, depending on the requirements (mod_proxy_http vs. mod_jk).

Once you have decided on a module, follow the instructions below. This page covers the mod_proxy_http setup; with mod_jk the Apache-to-Tomcat hop uses AJP instead of HTTPS.

Details

HTTPS for Tomcat without proxy

See the following Tomcat documentation to configure HTTPS without proxy:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration

 

Here are the suggested minimum configuration steps (Debian/Ubuntu with OpenJDK 7 and Tomcat 7.0.42 installed under ~/ice, as in the paths below):

CODE
# openjdk-7-jdk provides the keytool binary used on the next line
sudo apt-get install openjdk-7-jdk
# -keysize 2048: Java 7's keytool would otherwise create a 1024-bit RSA key
/usr/lib/jvm/java-7-openjdk-amd64/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048

Answer the prompts. The "first and last name" becomes the certificate's CN and must be the host name that clients (or the Apache proxy, e.g. localhost) connect to. For testing, use igrafx as the keystore password and press Enter at the key password prompt so the key uses the same password; Tomcat's keystorePass then covers both. Use a different, strong password in production, since it ends up in clear text in server.xml.

 

CODE
vim ~/ice/apache-tomcat-7.0.42/conf/server.xml

Locate the HTTPS connector (it is commented out in the default server.xml; remove the surrounding comment markers):

CODE
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"/>

Add these two attributes to the connector. keystorePass is stored in clear text, so restrict read access to server.xml and to the keystore file to the user Tomcat runs as:

CODE
keystoreFile="/home/igrafx/.keystore"
keystorePass="igrafx"

Comment out the APR lifecycle listener. If the Tomcat native library is installed, this listener selects the OpenSSL-based APR connector, which expects SSLCertificateFile/SSLCertificateKeyFile attributes instead of a Java keystore and would ignore the settings above:

CODE
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

HTTPS for Apache proxy using mod_proxy_http and https on Tomcat (both servers communicate using SSL)

Follow the steps in HTTPS for Tomcat without proxy above before setting up SSL on Apache. Since the proxy will connect to https://localhost:8443/, enter localhost as "first and last name" when creating the Tomcat keystore if you intend to enable certificate verification on the proxy side later.

Generate the private key for the Apache side. Use 2048 bits: 1024-bit RSA keys are no longer considered secure and current browsers reject certificates that use them.

CODE
openssl genrsa -out icedemo.key 2048

Option 1: Self signed (for testing; browsers will warn until the certificate is imported or otherwise trusted)

CODE
openssl req -new -key icedemo.key -out icedemo.csr
openssl x509 -req -days 365 -sha256 -in icedemo.csr -signkey icedemo.key -out icedemo.crt
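The self-signed option as a script, added here as an example and not part of the iGrafx page or product: it wraps the openssl steps above into a function that uses a 2048-bit key and SHA-256, adds a subjectAltName (current browsers ignore the CN and require a SAN, and mod_ssl's SSLProxyCheckPeerName matches against it too), keeps the private key unreadable to other users, and then runs the checks you would do before pointing SSLCertificateFile/SSLCertificateKeyFile at the files. The host name icedemo, the output directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the iGrafx page: a scripted version of "Option 1"
# that fixes the weak 1024-bit key and adds a subjectAltName. The host name
# (icedemo), output directory and function names are assumptions.
set -e

# make_selfsigned DIR NAME DAYS
# Writes DIR/NAME.key (mode 600) and DIR/NAME.crt: self-signed, SHA-256,
# CN=NAME and subjectAltName=DNS:NAME.
make_selfsigned() {
    dir=$1; name=$2; days=$3
    mkdir -p "$dir"

    # Minimal openssl request config: no interactive prompts, and a SAN so
    # host-name checks (browsers, mod_ssl's SSLProxyCheckPeerName) match.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $name
[v3_req]
subjectAltName = DNS:$name
EOF

    # The key is generated in a subshell with umask 077 so it is never
    # world-readable, not even for an instant. 2048 bits is today's minimum.
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )

    # "req -x509" emits a self-signed certificate directly, replacing the
    # separate req + x509 -req steps; -sha256 avoids the legacy default digest.
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$dir/$name.key" -out "$dir/$name.crt" \
        -config "$dir/$name.cnf" 2>/dev/null
    chmod 644 "$dir/$name.crt"
}

# key_bits FILE: RSA modulus size in bits, derived from the hex length of the
# modulus so it does not depend on openssl's text output layout.
key_bits() {
    hex=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
    echo $(( ${#hex} * 4 ))
}

# key_mode FILE: permission string as shown by ls, e.g. "-rw-------".
key_mode() {
    ls -l "$1" | cut -c1-10
}

# cert_san FILE: the subjectAltName entry of the certificate, e.g. "DNS:icedemo".
cert_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; sub(/^[[:space:]]+/, ""); print; exit }'
}

# cert_matches_key CRT KEY: "yes" when the certificate carries the public half
# of KEY (the classic modulus comparison for a mismatched cert/key pair).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
    k=$(openssl rsa  -in "$2" -noout -modulus | openssl md5)
    [ "$c" = "$k" ] && echo yes || echo no
}

# Demo run (skipped when openssl is missing): build icedemo.key/.crt in a
# temporary directory and print the checks the pair should pass.
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    make_selfsigned "$out" icedemo 365
    echo "key bits : $(key_bits "$out/icedemo.key")"                           # 2048
    echo "key mode : $(key_mode "$out/icedemo.key")"                           # -rw-------
    echo "SAN      : $(cert_san "$out/icedemo.crt")"                           # DNS:icedemo
    echo "key match: $(cert_matches_key "$out/icedemo.crt" "$out/icedemo.key")" # yes
fi
```

Copy the resulting .key and .crt into /etc/apache2/ssl/ as in the Configure Apache steps; the cert_matches_key check is the one to rerun whenever Apache refuses to start with a certificate/key mismatch error.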

Option 2: Build a CA

For testing you could build your own CA. The advantage over option 1 is that browsers only need to trust the single CA certificate, instead of each self-signed server certificate. Further reading:

https://codeghar.wordpress.com/2008/03/17/create-a-certificate-authority-and-certificates-with-openssl/

http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

Configure Apache

CODE
sudo mkdir /etc/apache2/ssl
sudo cp ~/ssl/icedemo.crt /etc/apache2/ssl/
sudo cp ~/ssl/icedemo.key /etc/apache2/ssl/
# the private key must only be readable by root; Apache reads it before dropping privileges
sudo chmod 600 /etc/apache2/ssl/icedemo.key
# the vhost below needs mod_ssl, mod_proxy and mod_proxy_http
sudo a2enmod ssl proxy proxy_http
sudo vi /etc/apache2/sites-available/igrafxproxy.conf
# after saving the file: sudo a2ensite igrafxproxy && sudo apache2ctl configtest && sudo service apache2 restart

add:

CODE
<VirtualHost *:443>
    ServerName icedemo
    # Apache 2.2 access-control syntax; on Apache 2.4 this only works through
    # mod_access_compat, the 2.4 form is "Require all granted".
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine on
    # The next four lines switch off all verification of Tomcat's (self-signed)
    # certificate: the Apache-to-Tomcat hop is encrypted but not authenticated.
    # Acceptable only while Tomcat listens on localhost, as in ProxyPass below.
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/icedemo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/icedemo.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
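The vhost above disables every check of Tomcat's certificate (SSLProxyVerify none and the three SSLProxyCheckPeer* off lines), so the Apache-to-Tomcat hop is encrypted but not authenticated; that is tolerable only while Tomcat listens on localhost. The following hardened version is an added example and not the configuration from the iGrafx page: it keeps the checks on by trusting the certificate exported from the Tomcat keystore (keytool -exportcert -alias tomcat -keystore /home/igrafx/.keystore -storepass igrafx -rfc -file /etc/apache2/ssl/tomcat.crt), uses the Apache 2.4 access syntax, limits the browser-facing protocols, and passes the original scheme on to Tomcat. The file paths, the ServerName icedemo, the port-80 redirect and the HSTS value are assumptions; mod_headers must be enabled as well (sudo a2enmod headers).

```apache
# Added example (not the iGrafx page's configuration). Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled, and that
# /etc/apache2/ssl/tomcat.crt is the certificate exported from the Tomcat
# keystore. Tomcat's certificate must carry the host name used in ProxyPass
# (localhost) as CN or subjectAltName, otherwise SSLProxyCheckPeerName rejects it.

# Plain HTTP only redirects, so no session cookie ever travels in clear text.
<VirtualHost *:80>
    ServerName icedemo
    Redirect permanent / https://icedemo/
</VirtualHost>

<VirtualHost *:443>
    ServerName icedemo

    # Front-end TLS: the certificate the end user sees.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/icedemo.crt
    SSLCertificateKeyFile /etc/apache2/ssl/icedemo.key
    # SSLv3 and TLS 1.0/1.1 are retired; this governs only the browser-facing side.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Back-end TLS: verify Tomcat instead of switching the checks off.
    # A self-signed certificate works as its own trust anchor here.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/tomcat.crt
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    # Apache 2.4 syntax; "Order deny,allow" / "Allow from all" is the 2.2 form.
    <Proxy *>
        Require all granted
    </Proxy>

    ProxyRequests Off
    ProxyPreserveHost On
    # Lets Tomcat's RemoteIpValve (if configured) or the application see that the
    # original request was HTTPS, e.g. for secure cookies and absolute redirects.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

    # Tell browsers to keep using HTTPS for this host. Raise max-age for
    # production only once the setup is known to work; a long value is hard to undo.
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
```

After saving, run sudo apache2ctl configtest before restarting; a wrong tomcat.crt or a CN/SAN mismatch shows up in the Apache error log as an SSL proxy handshake failure rather than as a startup error.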

References

When deciding which module to use for proxying between Apache and Tomcat, this document might help:

http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp
