- Secure Tomcat directly
- Secure an Apache web server front-end that controls access to tomcat
Secure Tomcat directly
Securing tomcat directly is fairly straight-forward and is the easiest. But it does have some drawbacks. The major drawback for me was restricting access to other webapps running within the tomcat container. I had about 5 different webapps running, but I only wanted one to be publicly available. Now some will argue that you can restrict access by enforcing rules within the firewall, but I found that to be clunky. If you're interested in going this route, here is a link describing how to enable security for tomcat directly:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Secure an Apache web server front-end
I prefer using Apache web server as the front-end for many reasons which has been discussed to death. I'll note some of the more important reasons:
- Apache can server static content much faster
- Apache can run as a load balancer in front of a cluster of tomcat instances
- Apache can handle SSL encryption for a cluster of tomcat instances
- Apache has several modules that can easily be plugged in
In this instance I will be using Apache's mod_proxy module to redirect traffic to the tomcat server and use Apache to provide the SSL encryption.
To get an idea of how it works see the diagram below:
When a user visits our website using the default web port of 80, Apache will redirect the traffic to Tomcat on port 8080. Similarly, when browser is communicating on port 443 (https), apache will enable encryption and redirect traffic to tomcat on port 8443.
In my setup of Apache, I have 2 main configuration files:
- httpd.conf
- ssl.conf
Listen 80
ProxyRequests Off
ProxyPreserveHost on
<VirtualHost _default_:80>
ServerName your_company_domain_name
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
RewriteEngine On
RewriteRule ^(.*)/login$ https://%{SERVER_NAME}$1/login [L,R]
</VirtualHost>
The ProxyPass and ProxyPassReverse is responsible for the redirection.
The RewriteEngine and RewriteRule is responsible for redirecting any requrests for the login page on port 80 to the secure channel running on port 443.
ssl.conf contains the configuration for handling traffic running on port 443:
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/your_company_certificate.pem
SSLCertificateKeyFile /etc/pki/tls/certs/your_company_private_key.pem
ServerName your_company_domain_name
ProxyPass /app http://localhost:8443/app
ProxyPassReverse /app http://localhost:8443/app
</VirtualHost>
The SSLCertificateFile and SSLCertificateKeyFile are responsible for enabling encryption and requires the private key as well as the certificate file provided by your certificate authority.
Just as before, the lines ProxyPass and ProxyPassReverse are responsible for the redirection of traffic from port 443 to tomcat on port 8443.
server.xml contains the tomcat configuration details
Server.xml
<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" redirectPort="443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"/>
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="true" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
scheme="https"
secure="false"
SSLEnabled="false"
proxyPort="443"
proxyName="your_company_domain_name"
/>
Importing certficates into keystore
keytool -import -alias auscert -keystore
Extracting existing certificates and private keys from a keystore to be used in Apache in PEM format
Originally, I had setup encryption witin Tomcat rather than apache. When I wanted to migrate the control of security from Tomcat to Apache, I was faced with the issue that each Tomcat and Apache expected the certificates in different formats. After much researching I found a tool that was helpful in extracting the private key and the certificate out of the keystore into the PEM format expected by Apache. The opensource tool can be downloaded here: http://sourceforge.net/projects/portecle
To extract the private key from JKS keystore, use this:
http://www.softpedia.com/get/Security/Security-Related/KeyTool-IUI.shtml
Select Export -> Keystore's entry -> Private key
When identifying the Target files, remember to choose 'Private key and certificates' and 'PEM Encoded'
And the rest is self explantory
Remove passphrase from key
openssl rsa -in private_key.pem -out private_key_no_passphrase.pem
Here are some articles describing the problem in more detail:
http://techsk.blogspot.com/2009/01/exporting-tomcat-keys-to-apache-httpd.html
http://pnkumaresh.wordpress.com/2010/11/12/exporting-tomcat-ssl-keys-to-apache-httpd/
Verification
To verify that the certificates are properly installed use the following command:keytool -printcert -sslserver servername
References:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://thejavamonkey.blogspot.com/2008/07/using-apache-httpd-server-as-secure.html
http://www.mooreds.com/wordpress/archives/223
http://www.customware.net/repository/display/GREENHOUSE/2009/06/13/Reverse+Proxy+with+Apache+mod_proxy
https://confluence.sakaiproject.org/display/DOC/Sakai+Admin+Guide+-+Advanced+Tomcat++%28and+Apache%29+Configuration
