1. Generate the certificate
Step 1. Generate a Private Key
Install OpenSSL.
Create an RSA private key that is 2048 bits long, encrypted with Triple-DES and stored in PEM format so that it is readable as ASCII text.
# openssl genrsa -des3 -out /etc/pki/tls/private/mytool.key 2048
This writes the key to a file with a .key extension.
Step 2. Remove passphrase from the key
One unfortunate side-effect of the pass-phrased private key is that
Apache will ask for the pass-phrase each time the web server is started.
# cp /etc/pki/tls/private/mytool.key /etc/pki/tls/private/mytool.key.org
# openssl rsa -in /etc/pki/tls/private/mytool.key.org -out /etc/pki/tls/private/mytool.key
Step 3. Generate a CSR (Certificate Signing Request)
Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways.
Ideally, the CSR file will be sent to a Certificate Authority (such as Thawte or Verisign) who will verify the identity of the requestor and issue a signed certificate.
The second option is to self-sign the CSR.
# openssl req -new -key /etc/pki/tls/private/mytool.key -out /etc/pki/tls/private/mytool.csr
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Haryana
Locality Name (eg, city) [Newbury]: Gurgaon
Organization Name (eg, company) [My Company Ltd]: Org
Organizational Unit Name (eg, section) []: Dev
Common Name (eg, your name or your server's hostname) []: dev1
Email Address []: shaanmail@gmail.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: password
An optional company name []:
The output of the above command is a file with a .csr extension.
Note: to obtain a CA-issued certificate, the certificate request (mytool.csr) must be sent to the CA.
Additional steps to get self-signed certificate
Step 4. Generate a self-signed certificate
At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate.
This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
# openssl x509 -req -days 365 -in /etc/pki/tls/private/mytool.csr -signkey /etc/pki/tls/private/mytool.key -out /etc/pki/tls/certs/mytool.crt
To check that the certificate (.crt) and key (.key) files are in place, list them at these locations:
For key : # ls /etc/pki/tls/private/mytool.key
For certificate : # ls /etc/pki/tls/certs/mytool.crt
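The following is an added example and is not part of the original post: it runs steps 1 to 4 non-interactively in a scratch directory (the subject fields are the answers given at the prompts above, passed with -subj; the passphrase is a constructed value used only to show step 2) and then performs the checks worth doing before pointing Apache at the files: the stripped key carries no encryption marker while the .org copy still does, the certificate's RSA modulus matches the key's, the certificate is self-signed (issuer equals subject), and the key file is readable by its owner only. The paths under $WORK are assumptions standing in for /etc/pki/tls/private and /etc/pki/tls/certs.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces steps 1-4 in a scratch
# directory and verifies the results. Paths under $WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/mytool.key"          # stands in for /etc/pki/tls/private/mytool.key
CSR="$WORK/mytool.csr"
CRT="$WORK/mytool.crt"          # stands in for /etc/pki/tls/certs/mytool.crt
PASS="demo-passphrase"          # constructed value, only used to show step 2
# Subject built from the answers given at the interactive prompts in the post.
SUBJ="/C=IN/ST=Haryana/L=Gurgaon/O=Org/OU=Dev/CN=dev1"

make_artifacts() {
  # Step 1: 2048-bit RSA key, Triple-DES encrypted under the passphrase.
  openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY.org" 2048 2>/dev/null
  # Step 2: strip the passphrase so Apache can start unattended.
  openssl rsa -in "$KEY.org" -passin "pass:$PASS" -out "$KEY" 2>/dev/null
  chmod 600 "$KEY" "$KEY.org"
  # Step 3: CSR from the key, subject given on the command line.
  openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
  # Step 4: self-signed certificate valid for 365 days.
  openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# Returns 0 if the named PEM file still carries an encryption marker
# ("Proc-Type: 4,ENCRYPTED" in legacy PEM, "ENCRYPTED PRIVATE KEY" in PKCS#8).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Returns 0 if certificate and key carry the same RSA modulus, i.e. the
# certificate really was issued for this key.
cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$CRT")
  k=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if issuer and subject are identical, i.e. the cert is self-signed.
cert_is_self_signed() {
  i=$(openssl x509 -noout -issuer -in "$CRT")
  s=$(openssl x509 -noout -subject -in "$CRT")
  [ "${i#issuer=}" = "${s#subject=}" ]
}

# Returns 0 if the unencrypted key is readable by its owner only (mode 0600).
key_perms_ok() { [ "$(ls -l "$KEY" | cut -c1-10)" = "-rw-------" ]; }

make_artifacts
if ! key_is_encrypted "$KEY" && key_is_encrypted "$KEY.org" \
   && cert_matches_key && cert_is_self_signed && key_perms_ok; then
  echo "OK: $CRT and $KEY are consistent and ready for Apache"
else
  echo "FAIL: inspect the files under $WORK" >&2
fi
```

The modulus comparison is the check that catches the most common deployment mistake, a certificate issued for a different key than the one in ssl.conf; the permission check matters because step 2 leaves the key on disk with no passphrase protecting it.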
Step 5. Certificate conversion
When you receive the certificate (*pem.cer) and certificate chain (*pem_chain.cer), rename them to mytool.cer and mytool_chain.cer.
2. Configuration of Apache
Step 1. Stop the Apache Server, if it is running
# /opt/operating/bin/OperateApacheAll.ksh -stop mytool
OR
# killall httpd
Step 2. Check that ssl.conf is included from the httpd.conf file
# vim /opt/application/mytool/current/apache2215/conf/httpd.conf
Include conf.d/*.conf
Step 3. Edit SSL configuration
3.1. Check the existence of certificate, chain and private key
# ls /etc/pki/tls/certs/mytool.cer
# ls /etc/pki/tls/private/mytool.key
# ls /etc/pki/tls/private/mytool_chain.cer
If any of these files is missing, copy it into place before continuing.
3.2. Make sure the mod_ssl module is loaded in ssl.conf.
# vim /opt/application/mytool/current/apache2215/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
3.3. Add the certificate and private key to ssl.conf
1. Comment out the default certificate and key
2. Add the certificate, key and chain directives with the locations where the files are stored
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/mytool.cer
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/mytool.key
SSLCertificateChainFile /etc/pki/tls/private/mytool_chain.cer
3.4. Add the worker name to the VirtualHost configuration for port 443:
<VirtualHost _default_:443>
JkMount /* myworker1
…
…
</VirtualHost>
Step 4. Check the entry for the worker (myworker1) in workers.properties
# vim /opt/application/mytool/current/apache2215/conf.d/workers.properties
# Ajp13 Worker
ps= /
worker.list= myworker1
#worker.myworker.lbfactor=1
#Tuning
socket_timeout=30
socket_keepalive=1
recycle_timeout=30
retries= 3
worker.myworker1.port=8009
worker.myworker1.host=localhost
worker.myworker1.type=ajp13
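In the listing above the line #worker.myworker.lbfactor=1 is commented out, so it does no harm, but it names a worker (myworker) that is not the one in worker.list (myworker1); an active line with that kind of mismatch is exactly the sort of typo mod_jk accepts silently, leaving the 443 VirtualHost with no backend. The following added example, which is not from the original post, embeds the listing as a constructed file and lints it: every worker named in worker.list must have host, port and type, and no uncommented worker.<name>.* line may refer to a name outside the list. It then uncomments the stray line into a second file to show the lint failing. The path under $WORK is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Lints a workers.properties file
# as used by mod_jk. The file contents are constructed from the post's listing;
# the path under $WORK is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PROPS="$WORK/workers.properties"
BAD="$WORK/workers.bad.properties"

# Constructed copy of the listing in the post.
cat > "$PROPS" <<'EOF'
# Ajp13 Worker
ps= /
worker.list= myworker1
#worker.myworker.lbfactor=1
#Tuning
socket_timeout=30
socket_keepalive=1
recycle_timeout=30
retries= 3
worker.myworker1.port=8009
worker.myworker1.host=localhost
worker.myworker1.type=ajp13
EOF

# Same file with the commented, misnamed line made active (the failure case).
sed 's/^#worker\.myworker\.lbfactor/worker.myworker.lbfactor/' "$PROPS" > "$BAD"

# Print the workers named in worker.list, one per line (commas or spaces).
listed_workers() {
  grep -E '^[[:space:]]*worker\.list[[:space:]]*=' "$1" \
    | sed -e 's/^[^=]*=//' -e 's/,/ /g' | tr -s ' \t' '\n' | grep -v '^$'
}

# Print "<worker> <property>" for every required property a listed worker lacks.
missing_props() {
  for w in $(listed_workers "$1"); do
    for p in host port type; do
      grep -Eq "^[[:space:]]*worker\.$w\.$p[[:space:]]*=" "$1" || echo "$w $p"
    done
  done
}

# Print uncommented worker.<name>.<prop> lines whose <name> is not in worker.list.
orphan_props() {
  list=$(listed_workers "$1" | tr '\n' ' ')
  grep -E '^[[:space:]]*worker\.[^.=]+\.[^=]+=' "$1" | while IFS= read -r line; do
    name=$(echo "$line" | sed -E 's/^[[:space:]]*worker\.([^.=]+)\..*/\1/')
    case " $list " in
      *" $name "*) ;;
      *) echo "$line" ;;
    esac
  done
}

# Returns 0 only if nothing is missing and nothing is orphaned.
lint_workers() {
  m=$(missing_props "$1")
  o=$(orphan_props "$1")
  [ -n "$m" ] && printf 'missing: %s\n' "$m" >&2
  [ -n "$o" ] && printf 'not in worker.list: %s\n' "$o" >&2
  if [ -z "$m" ] && [ -z "$o" ]; then return 0; else return 1; fi
}

lint_workers "$PROPS" && echo "OK: $PROPS"
lint_workers "$BAD" || echo "FAIL: $BAD"
```

Running the lint before Step 5 is cheaper than discovering the mismatch from a 503 after Apache is up; worker names are matched literally, exactly as mod_jk matches JkMount targets against worker.list.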
Step 5. Start the Apache Server
# /opt/operating/bin/OperateApacheAll.ksh -start mytool
3. Configuration of Tomcat
Change in Tomcat configuration
# vim /opt/application/mytool/current/jonas5226/00/conf/tomcat6-server.xml
Change the AJP Connector:
- Remove the proxyPort and proxyName attributes
- Set redirectPort="9000" so that it redirects to the HTTP connector.
<Connector
port="8009" redirectPort="9000"
protocol="AJP/1.3" maxThreads="512"
minSpareThreads="25" maxSpareThreads="75" connectionTimeout="20000" />
<Connector port="8009" protocol="HTTP" .... />
Restart Tomcat and test the application over HTTPS.