Run Apache Tomcat behind Apache HTTP proxy server with SSL and X509 client authentication enabled¶

#Create self signed local certificate for apache tomcat server

cd ~
keytool -genkey -alias tomcat -keyalg RSA

#Import the locat SSL certificate into the local tomcat truststore

echo | openssl s_client -connect localhost:8443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'  > localhost8443
keytool -delete -alias localhost8443  -keystore /home/c4m/impactportal/esg-truststore.ts -storepass changeit -noprompt
keytool -import -v -trustcacerts -alias localhost8443 -file localhost8443 -keystore /home/c4m/impactportal/esg-truststore.ts -storepass changeit -noprompt

#Create self signed external SSL certificate for Apache HTTP Server, normally this would be a certificate signed by a Certificate Authority

sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

#Import the external server SSL certificate into the local tomcat truststore

echo | openssl s_client -connect localhost:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'  > localhost443
keytool -delete -alias localhost443  -keystore /home/c4m/impactportal/esg-truststore.ts -storepass changeit -noprompt
keytool -import -v -trustcacerts -alias localhost443 -file localhost443 -keystore /home/c4m/impactportal/esg-truststore.ts -storepass changeit -noprompt

#Configure Apache tomcat to support SSL and AJP connector (in tomcat7/conf/server.xml)

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443" proxyName = "localhost" proxyPort = "80"/>

<Connector SSLEnabled="true" acceptCount="100" clientAuth="want" 
    disableUploadTimeout="true" enableLookups="true" maxThreads="25" 
    port="8443" keystoreFile="/home/c4m/.keystore" keystorePass="changeit" 
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" 
    truststoreFile="/home/c4m/impactportal/esg-truststore.ts"  
    truststorePass="changeit"      
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA" 
    secure="true" sslProtocol="TLS" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" proxyName = "localhost" proxyPort = "443"  />

#Configure Apache HTTP server act as a proxy and forward SSL traffic to Apache Tomcat 7 server (in httpd.conf)

ServerName localhost

<VirtualHost *:80>

        ServerName localhost:80
        ProxyPass /impactportal/ http://127.0.0.1:8080/impactportal/
        ServerAdmin webmaster@localhost
        DocumentRoot /data/www/htdocs

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
  ServerName localhost:443

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  SSLCACertificatePath /home/c4m/.globus/certificates/

  SSLVerifyClient optional
  SSLVerifyDepth 2
  SSLOptions +ExportCertData

  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass /impactportal/ ajp://localhost:8009/impactportal/

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet