Tomcat behind Apache httpd with SSL and client-certificates
Captain Obvious here. You did give the my-computer-name exactly as it is, including the domain name? If not, re-create the key one more time.
Related videos on Youtube
45 : 27
13 : 07
14 : 02
13 : 12
02 : 22
codedevour
Updated on September 17, 2022Comments
-
codedevour over 1 year
I try to evaluate a infrastructure for a customer on my local win32 machine. The infrastructure should be based on a j2ee webapp running on a tomcat (6.0.20+), behind a secur apache httpd (httpd-2.2.16/openssl-0.9.8) which only forwards those requests which are authorized (with a client certificate).
My approach was to solve the connection between tomcat and apache with the
mod_jkand the correspondingajp13protocol. The tomcat (ajp13) is running on port8099, i configured theworkers.propertiesand mymod_jk.conf(and included it inhttpd.conf). The connection works successful. The httpd is running on port80the tomcat runs his http port under8084. When sending a http request tohttp://localhost/my-webapp-context. The tomcats answers and showing up my webapp.So far there are the following configuration files:
mod_jk.conf
LoadModule jk_module modules/mod_jk.so #LoadModule ssl_module modules/mod_ssl.so JkWorkersFile conf/workers.properties JkShmFile logs/httpd/mod_jk.shm JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " JkMount /* balancerworkers.properties
worker.list=jk-status worker.jk-status.type=status worker.jk-status.read_only=true worker.list=jk-manager worker.jk-manager.type=status worker.list=balancer worker.balancer.type=lb worker.balancer.error_escalation_time=0 worker.balancer.max_reply_timeouts=10 worker.balancer.balance_workers=node1 worker.node1.reference=worker.template worker.node1.host=localhost worker.node1.port=8109 worker.node1.activation=A worker.balancer.balance_workers=node2 worker.node2.reference=worker.template worker.node2.host=localhost worker.node2.port=8099 worker.node2.activation=A worker.template.type=ajp13 worker.template.socket_connect_timeout=5000 worker.template.socket_keepalive=true worker.template.ping_mode=A worker.template.ping_timeout=10000 worker.template.connection_pool_minsize=0 worker.template.connection_pool_timeout=600 worker.template.reply_timeout=300000 worker.template.recovery_options=3As described this works like a charm, now i read to several ssl tutorials. I already created a
server.key(without private key because this seems to fail at win32 platform) and aserver.cerwhich is certified by our local certification authority.When it comes to the point of enabling
mod_ssli get several errors. I tried the following configuration:<VirtualHost *:443> SSLEngine On SSLCertificateFile conf/server.cer SSLCertificateKeyFile conf/server.key </VirtualHost>With this configuration I produce the upcoming error (where the CN is my computer name in the lan), this is also the value i provided while generating the certification. The apache refuses to startup with this configuration and shows me the listed error.
Update
Now I finally get the apache with ssl and client certificates running:
mod_jk_ssl.conf
LoadModule jk_module modules/mod_jk.so LoadModule ssl_module modules/mod_ssl.so JkWorkersFile conf/workers.properties JkShmFile logs/httpd/mod_jk.shm JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " Listen 443 <VirtualHost *:443> JkMount /* balancer SSLEngine On SSLCertificateFile conf/web.crt SSLCertificateKeyFile conf/web.key SSLCACertificateFile conf/exampleCA.crt SSLVerifyClient require SSLVerifyDepth 2 <IfDefine SSL> SSLRequireSSL SSLRequire %{SSL_CLIENT_S_DN_O} eq "certification-authority" and %{SSL_CLIENT_S_DN_OU} in {"BALVI"} </IfDefine> </VirtualHost>-
user157726 over 4 yearsDid you try to pass the client SSL info to the server? stackoverflow.com/questions/58240796/…
-
-
codedevour over 13 yearsThis finally lead me to rethink the certification, i missed several points which are very well explained here: garex.net/apache/#CACreate Thank you anyway.
