Archive for June, 2009

Chapter 11: Tomcat and Apache HTTP Server Figure

Tuesday, June 30th, 2009

Figure 11-7: Security dialog box when using Unknown CA on Firefox

Click Close in the Certificate Display dialog box, and OK in the Unknown Authority Warning dialog box. This makes Firefox use the certificate for this session only. If you look at the lower-right corner of the Firefox window, you should see the secured connection indicator shown in Figure 11-9.

SSL-Enabled Apache-Tomcat Setup

Now that you have working SSL support in Apache, the next step is to get the JSP/servlet requests sent to Apache passed on to Tomcat. This can be done via either mod_jk or mod_proxy.

If you are using mod_jk, note that you need to have mod_jk compiled as a part of your Apache server along with mod_ssl. Check if you do, and then follow the steps mentioned in the section "Using the mod_jk Module" earlier in this chapter, such as the configuration changes for the AJP Connector in Tomcat's server.xml, and the mod_jk-related directives in Apache's httpd.conf, such as LoadModule, the JkWorkersFile setting, and so on. The only change from that configuration is that you need to use the <VirtualHost> declared in httpd-ssl.conf for port 443, instead of defining one in httpd.conf, and place your JkMount directives inside it. The following shows an example modification to the $APACHE_HOME/extra/httpd-ssl.conf file.

    …
    JkWorkersFile conf/workers.properties
    JkMount /examples/jsp/* worker1


Chapter 11: Tomcat and Apache HTTP Server Figure

Tuesday, June 30th, 2009

Figure 11-5: Internet Explorer's display of the server certificate

Click OK on this certificate viewing dialog box, and then click Yes on the security warning dialog box to use this certificate for this session. At this time, you should be in an SSL session with the Apache server. Look at the lower-right corner of the Internet Explorer window. On the right side of the status bar you should see the familiar comfort-assuring yellow lock, as shown in Figure 11-6.

Figure 11-6: The Secured Connection Indicator on Internet Explorer

If you are using Firefox, the warning dialog box for an unknown authority is shown in Figure 11-7. If you click the Examine Certificate button, Firefox displays the certificate in a dialog box, as shown in Figure 11-8.


Chapter 11: Tomcat and Apache HTTP Server LoadModule

Monday, June 29th, 2009

    LoadModule ssl_module modules/mod_ssl.so

Then, find and uncomment the following line, to include the mod_ssl configuration file:

    Include conf/extra/httpd-ssl.conf

Testing the SSL-Enabled Apache Setup

First, test the SSL setup in Apache: restart Apache using the apachectl command and view the HTTPS URL, which is https://192.168.23.168/ in our example. You would need to change the IP address to match that of your server, and even the port, if you are running on a port other than 80. Also, note the use of https, and not http. You should now see browser warnings as described in the next section, and then finally the default Apache "It works!" message.

Browser Security Warnings

Because the server certificate is not signed by any well-known CA authority, but is self-signed, you would expect the browser to detect this and warn you when you try to access the page. Indeed, this is what happens. On Internet Explorer, the browser will pop up with a security dialog box similar to Figure 11-4.

Figure 11-4: Security alert dialog box when using unknown CA on Internet Explorer

If you select View Certificate, Internet Explorer shows you the details of the certificate, as shown in Figure 11-5.


Chapter 11: Tomcat and Apache HTTP Server Create

Sunday, June 28th, 2009

Create a Self-Signed Certificate

In a production environment, the certificate signing request file generated (server.csr) is sent to a Certificate Authority and a certificate purchased. For test deployments, you can generate a self-signed certificate. The following command shows this being done:

    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

The -days option specifies the number of days after which the certificate will expire. The following is a sample output from this step:

    Signature ok
    subject=/C=US/ST=NJ/L=Hoboken/O=Wiley/OU=Wrox Press/CN=192.168.23.168/emailAddress=mail@myserver.com
    Getting Private key

The self-signed certificate is generated in the server.crt file.

Install the Certificate

Copy the private server key file (server.key) and server certificate file (server.crt) to the $APACHE_HOME/conf directory. Make sure that server.key and server.crt can be read by the user running the Apache Web server. Set the file permission of the files in the certworks directory to protect them from unwanted access (depending on your local policy). You don't need this directory or its files any more because all that Apache requires is the server.key and server.crt files. However, it is useful to keep around, perhaps backed up elsewhere, if you ever need to generate your certificate again.

Setting Up mod_ssl in Apache

The default SSL configuration file can be found in the $APACHE_HOME/conf/extra directory and is called httpd-ssl.conf. This file would then need to be included from httpd.conf. Edit this file following the extensive comments if you need to customize the configuration. Some directives you might need to tweak include the following:

- SSLCertificateKeyFile: Path to the server private key file (i.e., the server.key file)
- SSLCertificateFile: Path to the server certificate file (i.e., the server.crt file)
- VirtualHost: The SSL virtual host context. If you are setting up virtual hosts, or even redirecting to a Tomcat worker, this is the place where you should make your configuration changes. The DocumentRoot in the default VirtualHost points to Apache's DocumentRoot; let this remain unchanged for now.

Finally, you need to make a few edits in the $APACHE_HOME/conf/httpd.conf so that Apache can use the mod_ssl extension. First, uncomment or add this line (if not already existing) to load the mod_ssl library:


Chapter 11: Tomcat and Apache HTTP Server attributes

Saturday, June 27th, 2009

    attributes = req_attributes
    distinguished_name = Wiley
    prompt = no
    output_password = mypassword

    [Wiley]
    C = US
    ST = NJ
    L = Hoboken
    O = Wiley
    OU = Wrox Press
    CN = 192.168.23.168
    emailAddress = mail@myserver.com

    [req_attributes]
    challengePassword = mypassword

If you are testing on your own local LAN, you should change the CN (Common Name) entry to the fully qualified hostname or IP of your host. In the example above, the CN is set to 192.168.23.168. If you are actually setting this up for a registered fully qualified domain name, this entry must match exactly the domain that you are requesting the certificate for. If your users are not using this exact name to access your site, they get a security warning from the browser.

The key generator needs a file containing a random number to add entropy to the algorithm. Create a file called random.txt and put a large random number in it.

Create a Certificate Signing Request

The command for creating a certificate signing request is as follows:

    openssl req -new -out server.csr -config myconfig.file

If you use the configuration from the myconfig.file, this step creates a certificate signing request (server.csr) and a private key (keyfile.pem). The following is a sample output from this command:

    Generating a 1024 bit RSA private key
    …………..++++++
    ……………..++++++
    writing new private key to keyfile.pem

Remove the Passphrase from the Private Key

This is an optional step that should be performed for security reasons. To remove the passphrase from the private key, run the command as shown:

    openssl rsa -in keyfile.pem -out server.key

This command prompts for the password. Use the same password specified in the myconfig.file (mypassword in this case). The server.key should be readable only by the Apache server and the administrator.

We highly recommend that you delete the random.txt file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
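The clean-up points in this post and in the "Install the Certificate" post (delete random.txt, keep the passphrase-free server.key away from other users) can be checked with a short script. This is an added example, not code from the book; the PEM bodies are constructed placeholders, and the policy of treating any "other" permission bit as a finding is an assumption.

```python
import os
import stat
import tempfile

# Markers OpenSSL writes into passphrase-protected PEM keys: the traditional
# header and the PKCS#8 label.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
KEY_FILES = ("keyfile.pem", "server.key")  # file names used in the text
SEED_FILE = "random.txt"                   # RANDFILE named in myconfig.file

# Constructed PEM shells; the bodies are placeholders, not key material.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
"""


def key_state(path):
    """Return (encrypted, permission bits) for a PEM private key file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    if "PRIVATE KEY-----" not in pem:
        raise ValueError(f"{path}: no PEM private key found")
    encrypted = any(marker in pem for marker in ENCRYPTED_MARKERS)
    return encrypted, stat.S_IMODE(os.stat(path).st_mode)


def audit_certworks(directory):
    """List what still needs attention in the certificate working directory."""
    findings = []
    if os.path.exists(os.path.join(directory, SEED_FILE)):
        findings.append(f"{SEED_FILE}: still present, the text recommends deleting it")
    for name in KEY_FILES:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            continue
        encrypted, mode = key_state(path)
        if mode & stat.S_IRWXO:
            findings.append(f"{name}: mode {mode:04o} is accessible to every local user")
        elif not encrypted and mode & stat.S_IRWXG:
            findings.append(f"{name}: unencrypted and group-accessible (mode {mode:04o})")
    return findings


def build_sample(directory):
    """Write the constructed files: seed file, encrypted key, stripped key."""
    for name, text, mode in ((SEED_FILE, "12345\n", 0o644),
                             ("keyfile.pem", ENCRYPTED_PEM, 0o600),
                             ("server.key", PLAIN_PEM, 0o644)):
        path = os.path.join(directory, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(text)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        build_sample(workdir)
        print("\n".join(audit_certworks(workdir)))
```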


Chapter 11: Tomcat and Apache HTTP Server This

Saturday, June 27th, 2009

This make target installs the application to the default /usr/local/apache2 directory. This directory location is referred to as $APACHE_HOME later in this section. If you have specified an alternative directory using the --prefix option during configuration, this installation copies the files to your specified directory instead.

You can now start the server by going to $APACHE_HOME/bin and executing the following command:

    $ ./apachectl start

You can stop the server at any time by going to $APACHE_HOME/bin and executing the following command:

    $ ./apachectl stop

See the Apache 2 documentation for more information on other commands and options available. The main Apache configuration file, httpd.conf, is located in the $APACHE_HOME/conf directory, and you need to edit it to configure SSL.

Generating a Test Certificate with OpenSSL

This section describes the steps required to generate a test certificate for your Apache Web server. Typically, in a production environment, a commercial-grade certificate from a Certificate Authority (CA) is used. To keep things flowing in this example, you act as your own Certificate Authority by signing the certificate yourself. This, of course, is acceptable only during testing. Following are the main steps involved:

1. Create a configuration file for generating the certificate.
2. Create a certificate signing request; this is what you submit to a CA if you are buying a certificate.
3. Purchase a certificate from a CA or create a self-signed certificate.
4. Remove the passphrase from the private key.
5. Install the key and certificate to the server.

Configuration File for Generating a Certificate

Create a working directory called certworks. You can generate all the required requests, keys, configuration, and certificates here. A configuration file is required for generating the server certificate. A sample configuration file is presented in the following listing. Save the following contents in a file named myconfig.file in the certworks directory.

    RANDFILE = ./random.txt

    [req]
    default_bits = 1024
    default_keyfile = keyfile.pem


Chapter 11: Tomcat and Apache HTTP Server Here,

Friday, June 26th, 2009

Here, $APACHE_HOME is the install location of your Apache2 distribution, and this is the /usr/local/apache2 directory by default on most Linux distributions. Executing this command prints all modules included with your Apache binary; check if this includes mod_ssl.

In the unlikely event that you don't already have mod_ssl support, you can download and build the binaries yourself. Download the Apache Web server source code from one of the mirrors at the URL:

    http://httpd.apache.org/download.cgi

As mentioned earlier, this example uses Apache 2.2.4, and the download file is httpd-2.2.4.tar.gz. Note that your Linux installation must also have the development packages installed because the compilation depends on the gcc compiler.

Next, unarchive the Apache server distribution into a working directory:

    $ tar zxvf httpd-2.2.4.tar.gz

Now, change the directory to the source directory and configure the mod_ssl module, together with any other modules that you need, using the commands:

    $ cd httpd-2.2.4
    $ ./configure --enable-ssl=shared --enable-proxy=shared --enable-proxy-ajp=shared --enable-proxy-balancer=shared

The shared value in the command indicates that the module should be built as a DSO loadable library, instead of statically compiled. This command enables the following modules:

- mod_ssl
- mod_proxy
- mod_proxy_ajp
- mod_proxy_balancer

In general, to enable any Apache module, use an --enable- option. If there are any underscores in the module name, replace them with hyphens. By default, the compilation assumes that Apache Web server is installed in /usr/local/apache2. If you wish to change this, use --prefix=/path-to-your-installation-directory. This configuration takes a little while to complete as it checks for dependencies and generates a make file.

After this configuration, you are ready to compile the source code. Use the command:

    $ make

This compilation and linking takes a few minutes on most machines. Finally, you can install the compiled Apache server using the following command:

    $ make install


Chapter 11: Tomcat and Apache HTTP Server The

Thursday, June 25th, 2009

The steps involved to configure SSL support in Apache are listed here:

1. Install OpenSSL on your server, if it is not already installed. Most Linux systems should have OpenSSL installed.
2. Check whether your Apache installation has mod_ssl support. If not, you would need to build Apache from source with the mod_ssl support.
3. Get or generate an SSL certificate, and install it in Apache.
4. Make configuration changes in Apache for mod_ssl.
5. Test the SSL-enabled Apache-Tomcat setup.

These steps are explained in greater detail in the following sections. The versions used in this chapter are Apache 2.2.4 server, with OpenSSL 0.9.8d, running on a Linux operating system. Configuration for other versions should be similar; however, you should consult the associated documentation if you need to configure SSL for other version(s) of Apache server, SSL implementation, or operating systems. Also, the location of some of the configuration files may be different if you are using another Linux distribution.

Configuring mod_ssl for Apache

Apache can be enabled with SSL using the mod_ssl Apache module. This section provides an overview of the major steps involved in configuring Apache 2.2.4 with SSL on Linux. A similar setup will work on Windows by changing the appropriate system-specific paths. As mentioned in the introduction of this chapter, it is assumed that Apache is configured and running on the server.

Verifying OpenSSL Installation

All the popular Linux distributions usually include OpenSSL. You can verify that OpenSSL is installed by typing the following command in a console.

    openssl version

If OpenSSL is installed, you should see a report of the version number, similar to the following.

    OpenSSL 0.9.8d 28 Sep 2006

If you get a "command not found" error, check the package installation instructions of your Linux distribution and install OpenSSL and the associated development packages, or get it from www.openssl.org.

Building Apache with mod_ssl Support from Source

Mod_ssl is a standard module that is included with the latest versions of Apache Web servers, and if you have it, you can skip this step. To determine whether mod_ssl is included, change directory to $APACHE_HOME/bin and run the following command:

    $ ./httpd -D DUMP_MODULES


Chapter 11: Tomcat and Apache HTTP Server ProxyPass

Thursday, June 25th, 2009

    ProxyPass /examples/jsp ajp://192.168.23.228:8009/examples/jsp
    ProxyPassReverse /examples/jsp ajp://192.168.23.228:8009/examples/jsp
    <Location /examples/jsp>
    Order allow,deny
    Allow from all
    </Location>

The host must be changed to the IP address of your own Tomcat worker server; in this case, it is the IP address of the local machine. On the Tomcat host, make sure you have an AJP connector at the default 8003 port. The default server.xml already contains this:

Before testing this setup, restart Tomcat and then restart Apache. This ensures that the configuration changes made for Tomcat and Apache have been processed. To test the setup, point your browser to the following URL and browse to sample JSPs bundled with Tomcat:

    http://localhost/examples/jsp/

This assumes that you are running Apache server on the localhost. Note that you are browsing to http://localhost/ (the host/port on which Apache is listening) and not http://localhost:8080/ (Tomcat's host/port). If everything was configured properly, the Web page shown in Figure 11-2 should be displayed.

Now try executing one of the JSPs. Click the Date example; this points the browser to http://localhost/jsp-examples/jsp/dates/date.jsp. This should display the Web page shown in Figure 11-3. This test confirms that requests for JSPs are being redirected by Apache to Tomcat correctly. After testing the deployment from a local machine, you can test the installation from any other machine across the network.

Configuring SSL for Apache Web Server

SSL provides a secure communication channel between the browser and the Web server. When Apache is used with Tomcat, you can use SSL at either the Apache end or the Tomcat end or both. The preferred option is to enable SSL at the Apache end because of the better SSL support in Apache. Chapter 14 explores how SSL is set up for the HTTP Connector when Tomcat is used in the standalone mode of operation.

This section shows you how to configure SSL for the Apache Web server-Tomcat setup. The secured SSL connection can be enjoyed by any Tomcat applications running behind the Apache server, as well as any other non-Tomcat-based application or modules hosted on the same server.


Chapter 11: Tomcat and Apache HTTP Server ProxyPass

Wednesday, June 24th, 2009

    ProxyPass /examples/jsp ajp://192.168.23.228:8009/examples/jsp
    ProxyPassReverse /examples/jsp ajp://192.168.23.228:8009/examples/jsp
    <Location /examples/jsp>
    Order allow,deny
    Allow from all
    </Location>

The first directive, ProxyRequests Off, turns off forward proxying. This is essentially turning off the forwarding capabilities of mod_proxy, except for the specific mappings that you will be specifying with ProxyPass and ProxyPassReverse directives.

The ProxyPreserveHost directive tells mod_proxy to pass the requested host information from the original request to the AJP connection. This is useful for applications that have a dependency on the requested host. This directive is not available for the 1.3.x series of Apache Web servers.

The <Proxy> section specifies the access rules using standard Apache configuration syntax. In this case, all incoming hosts can access the proxy. In production, you may want to restrict the set of allowed hosts that can access the proxy. See Apache Web server documentation on the syntax.

The ProxyPass directive specifies that requests for the /examples/jsp URI should be sent to localhost:8009/examples/jsp, and requests should be sent using AJP protocol. Of course, the Tomcat server instance is already set to listen at this port via the Tomcat AJP Connector.

The ProxyPassReverse directive is an essential accompanying directive when configuring AJP proxy to Tomcat. This directive specifies that headers of reverse proxy requests should be rewritten appropriately. This ensures that any redirections from the Tomcat server are handled correctly.

The <Location> section is a standard Apache Web server section for specifying URI access permissions. In this case, the section ensures that the proxied URI /examples/jsp is accessible to all.

Testing the mod_proxy Setup

This section tests a working Apache server to Tomcat server setup, connected via AJP 1.3 and mod_proxy. Confirm that you are using Apache 2.2.x and that the binary mod_proxy.so is located under the modules directory. You need to make sure the following lines are uncommented in your httpd.conf.

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

Also in the httpd.conf file, add the following to the main configuration section (see comments in the Apache Web server's httpd.conf file to locate the main section).

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
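The mod_proxy settings explained in this post, and the instruction in the SSL setup post to place JkMount inside the port-443 virtual host, can be checked mechanically before a configuration goes live. This is an added example, not code from the book; the sample configuration is constructed, its `<Proxy *>` and `<VirtualHost _default_:443>` container lines are assumptions, and applying the port-443 placement rule to ProxyPass as well as JkMount is a choice made here.

```python
import re

# Constructed sample. The <Proxy *> and <VirtualHost _default_:443> container
# lines are assumptions; the directives inside them are the ones in the text.
SAMPLE_CONF = """\
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /examples/jsp ajp://192.168.23.228:8009/examples/jsp
ProxyPassReverse /examples/jsp ajp://192.168.23.228:8009/examples/jsp
<VirtualHost _default_:443>
    JkMount /examples/jsp/* worker1
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")


def parse(conf):
    """Return (directive, args, enclosing containers) for every directive."""
    stack, rows = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif OPEN.fullmatch(line):
            kind, arg = OPEN.fullmatch(line).groups()
            stack.append((kind.lower(), arg.strip()))
        else:
            name, *args = line.split()
            rows.append((name.lower(), args, tuple(stack)))
    return rows


def audit(conf):
    """Check the reverse-proxy settings discussed in the text."""
    rows, findings = parse(conf), []
    if any(n == "proxyrequests" and a and a[0].lower() == "on" for n, a, _ in rows):
        findings.append("ProxyRequests On: forward proxying is enabled")
    mapped = {a[0] for n, a, _ in rows if n == "proxypass" and a}
    rewritten = {a[0] for n, a, _ in rows if n == "proxypassreverse" and a}
    for path in sorted(mapped - rewritten):
        findings.append(f"ProxyPass {path}: no matching ProxyPassReverse")
    for name, args, ctx in rows:
        in_proxy = any(kind == "proxy" for kind, _ in ctx)
        allow_all = [x.lower() for x in args] == ["from", "all"]
        if name == "allow" and in_proxy and allow_all:
            findings.append("<Proxy>: Allow from all, restrict hosts in production")
        in_tls = any(k == "virtualhost" and v.endswith(":443") for k, v in ctx)
        if name in ("proxypass", "jkmount") and args and not in_tls:
            findings.append(f"{name} {args[0]}: outside the port-443 virtual host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```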
