Run Apache Tomcat behind an Apache HTTP Server reverse proxy with SSL/TLS and X.509 client authentication enabled
# Create a self-signed local certificate and key pair for the Apache Tomcat server (stored in ~/.keystore, which server.xml points at)
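# Generate the Tomcat server key pair. keytool writes to ~/.keystore by default
# (the path server.xml's keystoreFile uses); the explicit -keystore makes that
# independent of the current directory, which is why the original "cd ~" is gone.
# -keysize 2048: older keytool releases default RSA keys to 1024 bits, too weak
# for a TLS server key. -validity 365 matches the lifetime of the Apache cert
# created further down (keytool's own default is only 90 days).
# keytool prompts for the keystore password and the DN; the CN you enter must
# match the name clients connect with (localhost in this setup).
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
  -keystore "$HOME/.keystore"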
# Import the local Tomcat SSL certificate (port 8443) into the local Tomcat truststore
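# Fetch the certificate Tomcat presents on 8443 and store it in the Tomcat
# truststore under the alias "localhost8443".
# This is trust-on-first-use: nothing below verifies *who* answered on
# localhost:8443. Only do it against a listener you control (loopback) and, on a
# shared host, compare the fingerprint keytool prints with the one from
# `keytool -list -v -keystore ~/.keystore` before relying on it.
TRUSTSTORE=/home/c4m/impactportal/esg-truststore.ts
# -storepass on the command line is visible to other users via `ps`, and
# "changeit" is the well-known Java default -- change it on any real deployment.
STOREPASS=changeit

# 2>&1 keeps s_client's handshake chatter in-band; sed keeps only the PEM block.
echo | openssl s_client -connect localhost:8443 2>&1 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > localhost8443

# An empty file means no certificate came back (Tomcat down, or 8443 not TLS);
# importing it would only fail with a confusing keytool error.
if [ -s localhost8443 ]; then
  # Remove a stale entry under the same alias; a missing alias is not an error.
  keytool -delete -alias localhost8443 -keystore "$TRUSTSTORE" \
    -storepass "$STOREPASS" -noprompt 2>/dev/null || true
  # -noprompt suppresses the "Trust this certificate?" confirmation; -v still
  # prints the certificate details so the import can be checked in the log.
  keytool -import -v -trustcacerts -alias localhost8443 -file localhost8443 \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -noprompt
else
  echo "no certificate received from localhost:8443; nothing imported" >&2
fi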
# Create a self-signed external SSL certificate for Apache HTTP Server; in production this would be a certificate signed by a Certificate Authority
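# Self-signed certificate and key for the Apache HTTPS front end (port 443).
# In production replace apache.crt with a CA-issued certificate for the public
# hostname; the CN (or SAN) entered at the prompt must match that name.
# -nodes writes the private key unencrypted so httpd can start unattended --
# compensate by keeping the file root-only (chmod below; httpd reads it as root
# before dropping privileges).
# -sha256: older OpenSSL releases sign with SHA-1 by default, which modern
# clients generally reject.
sudo mkdir -p /etc/apache2/ssl
sudo openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
  -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
sudo chmod 600 /etc/apache2/ssl/apache.key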
# Import the external (Apache HTTP Server, port 443) SSL certificate into the local Tomcat truststore
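# Fetch the certificate the Apache front end presents on 443 and store it in
# the Tomcat truststore under the alias "localhost443".
# Same trust-on-first-use caveat as the 8443 import: only run this against a
# loopback listener you control, and compare the fingerprint keytool prints with
# `openssl x509 -in /etc/apache2/ssl/apache.crt -noout -fingerprint`.
# Note this truststore is also what the 8443 connector's clientAuth validates
# client certificates against, so every entry added here doubles as an accepted
# client-certificate trust anchor.
TRUSTSTORE=/home/c4m/impactportal/esg-truststore.ts
# -storepass on the command line is visible to other users via `ps`, and
# "changeit" is the well-known Java default -- change it on any real deployment.
STOREPASS=changeit

# 2>&1 keeps s_client's handshake chatter in-band; sed keeps only the PEM block.
echo | openssl s_client -connect localhost:443 2>&1 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > localhost443

# An empty file means no certificate came back (httpd down, or 443 not TLS);
# importing it would only fail with a confusing keytool error.
if [ -s localhost443 ]; then
  # Remove a stale entry under the same alias; a missing alias is not an error.
  keytool -delete -alias localhost443 -keystore "$TRUSTSTORE" \
    -storepass "$STOREPASS" -noprompt 2>/dev/null || true
  # -noprompt suppresses the "Trust this certificate?" confirmation; -v still
  # prints the certificate details so the import can be checked in the log.
  keytool -import -v -trustcacerts -alias localhost443 -file localhost443 \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -noprompt
else
  echo "no certificate received from localhost:443; nothing imported" >&2
fi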
# Configure Apache Tomcat with HTTP, HTTPS (client-cert capable) and AJP connectors (in tomcat7/conf/server.xml)
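<!-- Plain-HTTP listener, reached only through the Apache proxy on port 80.
     address="127.0.0.1" keeps it off external interfaces so the proxy (and the
     TLS / client-certificate handling in front of it) cannot be bypassed;
     httpd.conf proxies to 127.0.0.1:8080, so nothing else needs it.
     proxyName/proxyPort make Tomcat build absolute URLs for the proxy
     (localhost:80) instead of for 8080. -->
<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443"
           proxyName="localhost" proxyPort="80" />

<!-- Direct HTTPS listener with optional X.509 client authentication.
     clientAuth="want" requests a client certificate but continues without one,
     so the application must treat a missing certificate as unauthenticated.
     Client certificates are validated against truststoreFile - the same file
     the keytool steps above fill with server certificates - so anything placed
     there is also accepted as a client-certificate trust anchor; keep it to the
     CAs that should issue client certificates.
     keystorePass/truststorePass are in clear text: restrict server.xml to the
     tomcat user and replace the well-known default "changeit".
     The cipher list drops the RC4, 3DES and MD5 suites the original allowed;
     sslEnabledProtocols keeps SSLv3 out. Names the JVM does not support
     (TLSv1.1/1.2 on old JVMs) are expected to be skipped - check catalina.out
     after a restart.
     enableLookups="true" costs a reverse DNS lookup per request; set it to
     "false" unless the application needs request.getRemoteHost(). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           clientAuth="want"
           keystoreFile="/home/c4m/.keystore" keystorePass="changeit"
           truststoreFile="/home/c4m/impactportal/esg-truststore.ts"
           truststorePass="changeit"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
           maxThreads="25" acceptCount="100"
           disableUploadTimeout="true" enableLookups="true" />

<!-- AJP listener used by the Apache :443 vhost. AJP carries no authentication
     of its own and Tomcat trusts the SSL attributes the proxy sends (including
     the forwarded client certificate), so this port must never be reachable
     from outside the host: bind it to loopback. httpd connects to
     "localhost", which mod_proxy resolves and tries address by address, so
     127.0.0.1 is still reached. For an additional check, Tomcat 7's
     requiredSecret attribute can demand a shared secret from the AJP client;
     that needs a matching secret configured on the mod_proxy_ajp side (recent
     httpd releases only), so it is not enabled here. -->
<Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"
           redirectPort="8443" proxyName="localhost" proxyPort="443" />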
# Configure Apache HTTP Server to act as a reverse proxy and forward SSL traffic to the Apache Tomcat 7 server (in httpd.conf)
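ServerName localhost

# Plain-HTTP front end. Only /impactportal/ is proxied; everything else comes
# from DocumentRoot. Traffic on this vhost is cleartext end to end - if the
# application must only be reached over TLS (or needs client certificates),
# redirect this vhost to https:// instead of proxying it.
<VirtualHost *:80>
    ServerName localhost:80
    ServerAdmin webmaster@localhost
    DocumentRoot /data/www/htdocs

    # Reverse proxying only; never act as an open forward proxy (the default is
    # Off, stated here so a later "ProxyRequests On" stands out in review).
    ProxyRequests Off
    ProxyPass        /impactportal/ http://127.0.0.1:8080/impactportal/
    # Rewrite Location/Content-Location headers Tomcat sends back so redirects
    # stay on the proxy instead of exposing the 127.0.0.1:8080 backend.
    ProxyPassReverse /impactportal/ http://127.0.0.1:8080/impactportal/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# HTTPS front end with optional X.509 client authentication, forwarded to Tomcat
# over AJP.
<VirtualHost *:443>
    ServerName localhost:443
    SSLEngine on
    # Self-signed pair from the openssl step above; replace with a CA-issued
    # certificate in production. The key file must stay readable by root only.
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Refuse SSLv2/SSLv3 and the anonymous, MD5, RC4 and 3DES suites, and let
    # the server's preference order win over the client's.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # Client certificates are checked against the CAs in SSLCACertificatePath
    # (a hashed-name directory, as produced by c_rehash); depth 2 allows one
    # intermediate. "optional" admits clients that present no certificate, so
    # the application itself must decide what an unauthenticated request may do.
    SSLCACertificatePath /home/c4m/.globus/certificates/
    SSLVerifyClient optional
    SSLVerifyDepth 2
    # Export the PEM client certificate into the request environment
    # (SSL_CLIENT_CERT) so mod_proxy_ajp can pass it on to Tomcat.
    SSLOptions +ExportCertData

    ProxyRequests Off
    # Apache 2.2 access-control syntax; on 2.4 use "Require all granted".
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    # AJP backend; Tomcat's connector is bound to loopback and its
    # proxyName/proxyPort (localhost:443) already make redirects point back here.
    ProxyPass /impactportal/ ajp://localhost:8009/impactportal/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet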