Tomcat/Apache Web Server/SSL Configuration Hints

Description

This note describes hints on some configuration schemes for Proteios, especially concerning use of different system ports.

The reason that only "hints" are supplied, instead of complete instructions, is that the desired configuration often is determined by outside requirements, like firewall settings and use of an Apache web server for web sites unrelated to Proteios.

Note on Examples

In the examples the name foo.example.com is used for the web site. Domain name example.com is reserved for documentation, and foo.example.com should be replaced by the correct web site name. Where an IP address is needed 130.235.xxx.xxx has been used, and should be replaced by the correct IP number for the web site (four numbers in range 0-255 separated by dots '.' for IPv4 IP numbers).

Introduction

Popular computer communication services have default port numbers that are used if no explicit port number is specified. The default port numbers for the services of interest here are listed below. SSL denotes the Secure Sockets Layer protocol for transmitting private data over the Internet using public key cryptography; its successor TLS (Transport Layer Security) is what current software actually speaks, and SSL 2.0 and 3.0 themselves are obsolete and should be disabled. On this page "SSL" is used in the traditional sense of an https connection.

Service Default Port #
Http traffic to web server 80
Http traffic to Apache Tomcat servlet container 8080
Secure Http traffic over SSL to web server 443
Secure Http traffic over SSL to Apache Tomcat servlet container 8443

From the client side, using a default port number simplifies the URL one needs to type: accessing a web server with http://foo.example.com/ is equivalent to specifying port 80 explicitly, http://foo.example.com:80/, and a secure SSL connection to the same site can be requested with https://foo.example.com/ (note https instead of http), which is equivalent to https://foo.example.com:443/. The Apache Tomcat servlet container speaks the same HTTP protocol as a web server but listens on its own ports (8080 and 8443 by default), so there you normally need to specify the port number explicitly, e.g. http://foo.example.com:8080/proteios/app.

It is important to realize that using a default port number does not by itself ensure that a specific protocol is spoken: sending data to port 443 does not automatically SSL encrypt it. The service listening on the port and the client connecting to it both have to be configured for SSL, and a client should verify what it actually got (an https URL in the browser, or openssl s_client against the port) rather than assume it from the port number.

Neither can you be sure that a specific default port is always available. It may already be used, or blocked from use by firewall settings. Ways to get around these kind of obstacles are discussed below.

Configuration Schemes Discussed

  1. Enabling Proteios to be used with SSL (Apache Tomcat configuration).
  2. Enabling Proteios to be called without specifying port number (Apache Web Server configuration).
  3. Enabling Proteios to be called using SSL without specifying port number (Apache Web Server configuration).

1. Enabling Proteios to be used with SSL (Apache Tomcat configuration)

This is relatively simple, since Apache Tomcat binaries normally are prepared for use with SSL. The description below is an extract of the one found in the Apache Tomcat SSL How-To documentation (see References).

a. Configure Apache Tomcat to Allow SSL requests

The Apache Tomcat configuration file server.xml in Tomcat installation conf directory comes prepared for use with SSL, but the relevant lines are commented out by being enclosed in a "<!--", "-->" pair:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

Simply remove the enclosing "<!--", "-->" pair to enable SSL support:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

b. Create a Certificate and Keystore if not existing

The Java SE JDK command-line utility keytool is used to create a private key and a self-signed certificate in a keystore, if they do not already exist. A self-signed certificate will still trigger a "Certified by an Unknown Authority" alert when you enter the site with a web browser using https, but you will be able to inspect the certificate and accept or reject it. Note that keytool's first prompt, "What is your first and last name?", fills in the certificate's Common Name (CN). For a web server certificate the CN must be the host name that clients type (foo.example.com in the example), not a person's name; a certificate whose CN does not match the host name triggers a second "Domain Name Mismatch" alert after the first one has been accepted. The certificate only matches the exact name it carries, so connecting to the same server as "localhost" from the local system will still produce that alert. Current browsers look for the host name in a subjectAltName extension rather than in the CN; keytool in Java 7 and later can add one with -ext SAN=dns:foo.example.com. Older keytool versions also default to 1024-bit RSA keys and 90 days of validity, so pass -keysize 2048 and a suitable -validity explicitly.

Below are example commands on a Unix/Linux system:

$ keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  foo.example.com
What is the name of your organizational unit?
  [Unknown]:  Department of Theoretical Physics
What is the name of your organization?
  [Unknown]:  Lund University
What is the name of your City or Locality?
  [Unknown]:  Lund
What is the name of your State or Province?
  [Unknown]:  Sweden
What is the two-letter country code for this unit?
  [Unknown]:  SE
Is CN=foo.example.com, OU=Department of Theoretical Physics, O=Lund University, L=Lund, ST=Sweden, C=SE correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):
$

The command above creates a .keystore file in the home directory of the user running keytool, with a keyEntry (private key plus self-signed certificate) under alias tomcat. Tomcat's default is to look for ${user.home}/.keystore with password changeit, so this only works if Tomcat runs as the same user; otherwise, or if you choose a different password (which you should, since changeit is the first thing anyone tries), set the keystoreFile and keystorePass attributes on the Connector. The keystore contents can be inspected with the -list command, or a base64-encoded version of a selected certificate exported to a text file with the -export command (these steps are not necessary for the Keystore to be used with Apache Tomcat):

$ keytool -list
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jul 8, 2008, keyEntry,
Certificate fingerprint (MD5): D3:C4:47:A2:36:4D:7E:78:B6:75:F9:67:D4:BD:B3:4D
$
$ keytool -export -alias tomcat -rfc -file tomcat_rfc_certfile_from_keystore.crt
Enter keystore password:  changeit
Certificate stored in file <tomcat_rfc_certfile_from_keystore.crt>
$
$ ls -l tomcat_rfc_certfile_from_keystore.crt
-rw-r--r--  1 dummy users 946 2008-07-08 08:54 tomcat_rfc_certfile_from_keystore.crt
$ cat tomcat_rfc_certfile_from_keystore.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$

c. Activate the new settings

Restart Apache Tomcat and test by using https on port 8443 instead of http on port 8080, e.g. use url https://foo.example.com:8443/proteios/app instead of http://foo.example.com:8080/proteios/app (the latter url should still work for normal non-secure connections). The browser will warn about the unknown issuer; before accepting, compare the fingerprint it displays with the one printed by keytool -list above, so that you know you are accepting your own certificate and not one interposed on the path. Note that nothing here forces clients to use the SSL connector: as long as the port 8080 connector is reachable, credentials can still be sent in clear text.

d. References

  1. The Apache Tomcat SSL How-To documentation can be found at http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html.
  2. Keytool documentation can be found at http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.

2. Enabling Proteios to be called without specifying port number (Apache Web Server configuration)

Sometimes the Apache Tomcat default port 8080 is blocked by firewalls, so you want communication to the servlet container to go via the http default port 80, without obstructing normal web server use. It would also be simpler for users to access Proteios with a url like http://foo.example.com/proteios/app instead of http://foo.example.com:8080/proteios/app. This can be accomplished by having the Apache Web Server act as a reverse proxy for the Proteios paths, configured here inside a name-based virtual host.

a. Make sure that the Apache Web Server binary has all needed functionality

This is most often a problem on systems where the Apache Web Server needs to be compiled from downloaded source code. Building the software is normally performed with the three steps, "configure", "make", and "make install". Although the source code may contain all needed modules, some functionality needs to be explicitly requested during the first "configure" step to be compiled into the created binary file.

For the reverse proxy rule used below, make sure you enable the rewrite and proxy modules (--enable-proxy also builds mod_proxy_http, which is what handles http:// targets). An example where the web server is to be installed in directory /usr/local/apache2 is:

$ ./configure --prefix=/usr/local/apache2 --enable-rewrite=shared --enable-proxy ...
$ make
$ make install

The "..." above indicates other functionality you want to enable.

b. Configure Apache Web Server to Use Virtual Hosts

The Apache Web Server configuration file httpd.conf in Apache conf directory is the main configuration file for the Apache Web Server. In later Apache versions, configuration settings for special cases have been extracted into their own configuration files located in Apache conf/extra directory. If some of the latter settings should be used, the special configuration file in question is included in the top conf/httpd.conf file by an "Include" command.

In configuration file conf/httpd.conf, make sure that Apache listens on port 80, and that configuration file httpd-vhosts.conf in conf/extra is included:

Listen 130.235.xxx.xxx:80
Listen 127.0.0.1:80
...
Include conf/extra/httpd-vhosts.conf
...

The Listen lines bind the server to the site's own address and the loopback interface only, rather than to every interface on the host, following the usual recommendation.

c. Configure Apache Web Server Virtual Hosts

In configuration file conf/extra/httpd-vhosts.conf, we configure a virtual host for port 80 that proxies to the Apache Tomcat instance on the same system when the url contains the string "proteios":

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/local/apache2/htdocs"
    RewriteEngine On
    RewriteRule ^/.*proteios(.*) http://localhost:8080/proteios$1 [p]
    ServerName foo.example.com
    ServerAlias www.foo.example.com
    ErrorLog "logs/foo.example.com-error_log"
    CustomLog "logs/foo.example.com-access_log" common
    RewriteLog "logs/rewrite.log"
    LogLevel warn
</VirtualHost>

The important lines here for Proteios functionality are the "RewriteEngine On" and "RewriteRule" lines. A URL whose path does not contain the string "proteios" is handled by the Apache Web Server in the normal way. If the path does contain "proteios", the request is proxied to Apache Tomcat with the remainder of the path (whatever follows the matched "proteios", captured as "$1") appended to http://localhost:8080/proteios; the query string is passed along automatically. The "[p]" flag ([P] in the Apache documentation; flags are case insensitive) tells mod_rewrite to hand the request to mod_proxy instead of redirecting the browser (here Tomcat is located on the same system as the Apache Web Server, but that is not necessary). This does not require "ProxyRequests On"; leave that directive at its default, Off, because turning it on makes the server an open forward proxy for anyone who can reach it. If Proteios is installed under another name than "proteios", corresponding changes should naturally be made in the virtual host configuration. Even though the url for accessing Proteios ends in "proteios/app", we only use the string "proteios" in the rewrite rule, as we want all Proteios-related communication to be sent to the server (images, forms, etc.). Two caveats: the pattern ^/.*proteios(.*) is not anchored to the context root, so any path that contains the word anywhere (for example /images/proteios-logo.png) is proxied as well, and a pattern such as ^/proteios(/.*)?$ is the safer choice if the web server also serves unrelated content; and redirects generated by Tomcat (Location headers pointing at http://localhost:8080/...) are not rewritten by RewriteRule alone, which is what the ProxyPassReverse directive of mod_proxy is for. The same mapping can be written without mod_rewrite as ProxyPass /proteios http://localhost:8080/proteios together with ProxyPassReverse /proteios http://localhost:8080/proteios.

The lines specifying log files are optional, but if you need to debug the configuration of several virtual hosts, it may be a good idea to use different log files for each host. An entry in a log file then shows that the corresponding virtual host handled the call. To get more output during debugging, change "LogLevel warn" to "LogLevel debug", and change it back afterwards; rewrite and debug logs record every requested URL, which may include session identifiers and other data you do not want retained. The RewriteLog directive belongs to Apache 2.2; in Apache 2.4 it was removed and rewrite tracing is enabled with LogLevel rewrite:trace3 instead.

d. Activate the new settings

Restart Apache Web Server and make sure that Apache Tomcat is running. Test accessing Proteios using url http://foo.example.com/proteios/app, i.e. without specifying Apache Tomcat default port 8080.

e. References

  1. Documentation on Apache mass virtual hosting can be found at http://httpd.apache.org/docs/2.2/vhosts/mass.html.
  2. Virtual host examples can be found at http://httpd.apache.org/docs/2.2/vhosts/examples.html.

3. Enabling Proteios to be called using SSL without specifying port number (Apache Web Server configuration)

Sometimes the Apache Tomcat default port 8443 for SSL connections is blocked by firewalls, so you want communication to the servlet container to go via the https default port 443, without obstructing normal web server use. It would also be simpler for users to access Proteios using a secure connection with a url like https://foo.example.com/proteios/app instead of https://foo.example.com:8443/proteios/app. This can be accomplished by extending the virtual hosting configuration discussed in section 2, "Enabling Proteios to be called without specifying port number (Apache Web Server configuration)".

a. Make sure that the Apache Web Server binary has all needed functionality

This is most often a problem on systems where the Apache Web Server needs to be compiled from downloaded source code. Building the software is normally performed with the three steps, "configure", "make", and "make install". Although the source code may contain all needed modules, some functionality needs to be explicitly requested during the first "configure" step to be compiled into the created binary file.

For virtual hosting and SSL to be used, make sure you enable the rewrite, proxy and ssl modules. mod_ssl is part of the Apache Web Server source and is built with --enable-ssl; it links against an OpenSSL library, either the one installed on the system or a separately installed one whose location is given with --with-ssl. In the example we use a separately installed openssl package in directory /usr/local/openssl, as we also want its openssl command to create a self-signed certificate. An example where the web server is to be installed in directory /usr/local/apache2 is:

$ ./configure --prefix=/usr/local/apache2 ... --enable-rewrite=shared --enable-proxy --enable-ssl --with-ssl=/usr/local/openssl LD_OPTIONS='-L/usr/local/openssl/lib'
$ make
$ make install

The "..." above indicates other functionality you want to enable. LD_OPTIONS is the Solaris linker's environment variable; on GNU/Linux the equivalent is LDFLAGS.

b. Configure Apache Web Server to Use Virtual Hosts and SSL

The Apache Web Server configuration file httpd.conf in Apache conf directory is the main configuration file for the Apache Web Server. In later Apache versions, configuration settings for special cases have been extracted into their own configuration files located in Apache conf/extra directory. If some of the latter settings should be used, the special configuration file in question is included in the top conf/httpd.conf file by an "Include" command.

In configuration file conf/httpd.conf, make sure that Apache listens on port 80, and that configuration files httpd-vhosts.conf and httpd-ssl.conf in conf/extra are included:

Listen 130.235.xxx.xxx:80
Listen 127.0.0.1:80
...
Include conf/extra/httpd-vhosts.conf
...
Include conf/extra/httpd-ssl.conf
...

The Listen lines bind the server to the site's own address and the loopback interface only, rather than to every interface on the host, following the usual recommendation.

c. Configure Apache Web Server SSL

In configuration file conf/extra/httpd-ssl.conf, we configure the source of randomness for SSL (the kernel's /dev/urandom, which is the right choice on any current Unix/Linux system) and make sure that Apache listens on port 443:

SSLRandomSeed startup file:/dev/urandom 512
...
SSLRandomSeed connect file:/dev/urandom 512
...
Listen 130.235.xxx.xxx:443
Listen 127.0.0.1:443
...

The Listen lines bind the server to the site's own address and the loopback interface only, rather than to every interface on the host, following the usual recommendation.

d. Configure Apache Web Server Virtual Hosts for SSL

In configuration file conf/extra/httpd-vhosts.conf, in addition to the virtual host for port 80 that was described in section 2, "Enabling Proteios to be called without specifying port number (Apache Web Server configuration)", we configure a virtual host for SSL connections on port 443 that proxies to the Apache Tomcat instance on the same system when the url contains the string "proteios". Note that several name-based virtual hosts on port 443 need SNI (Apache 2.2.12 or later built against OpenSSL 0.9.8j or later, and clients that send the server name); with the single SSL host shown here this is not an issue:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/local/apache2/htdocs"
    RewriteEngine On
    RewriteRule ^/.*proteios(.*) http://localhost:8080/proteios$1 [p]
    ServerName foo.example.com
    ServerAlias www.foo.example.com
    ErrorLog "logs/foo.example.com-error_log"
    CustomLog "logs/foo.example.com-access_log" common
    RewriteLog "logs/rewrite.log"
    LogLevel warn
</VirtualHost>
...
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    DocumentRoot "/usr/local/apache2/htdocs"
    SSLEngine on
    SSLProxyEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin/">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    RewriteEngine On
    RewriteRule ^/.*proteios(.*) http://localhost:8080/proteios$1 [p]
    ServerName foo.example.com
    ServerAlias www.foo.example.com
    ErrorLog "logs/foo.example.com-error_log2"
    CustomLog "logs/foo.example.com-access_log2" common
    RewriteLog "logs/rewrite.log2"
    LogLevel warn
</VirtualHost>

The important lines for SSL functionality are the ones starting with "SSLEngine on" and ending with "BrowserMatch". Check the SSLProtocol and SSLCipherSuite settings rather than copying them from an old httpd-ssl.conf: the historical Apache 2.2 default cipher string, ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL, still permits export-grade, LOW and RC4 ciphers as well as SSLv2, and only excludes anonymous DH. A setting along the lines of SSLProtocol all -SSLv2 -SSLv3, SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5 and SSLHonorCipherOrder on restricts the server to strong ciphers and lets the server, not the client, decide the order. "SSLProxyEngine on" is only needed when Apache itself connects to a backend over https (see below). The important lines here for Proteios functionality are the "RewriteEngine On" and "RewriteRule" lines. A URL whose path does not contain the string "proteios" is handled by the Apache Web Server in the normal way. If the path does contain "proteios", the request is proxied to Apache Tomcat with the remainder of the path (whatever follows the matched "proteios", captured as "$1") appended to http://localhost:8080/proteios; the query string is passed along automatically. The "[p]" flag tells mod_rewrite to hand the request to mod_proxy rather than redirect the browser (here Tomcat is located on the same system as the Apache Web Server, but that is not necessary); it does not require "ProxyRequests On", which should stay Off so the server is not an open forward proxy. If Proteios is installed under another name than "proteios", corresponding changes should naturally be made in the virtual host configuration. Even though the url for accessing Proteios ends in "proteios/app", we only use the string "proteios" in the rewrite rule, as we want all Proteios-related communication to be sent to the server (images, forms, etc.). As in section 2, the pattern ^/.*proteios(.*) matches the word anywhere in the path, so ^/proteios(/.*)?$ is the safer choice when the same host serves unrelated content, and ProxyPassReverse /proteios http://localhost:8080/proteios is needed to correct redirects that Tomcat issues.
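The following added example (not part of the original page, and not Proteios project code) emulates the RewriteRule line used in the virtual hosts of sections 2 c and 3 d with sed -E, so you can see offline which request paths the page's pattern ^/.*proteios(.*) sends to Tomcat and what "$1" becomes, next to a pattern anchored at the context root. The proxy target http://localhost:8080/proteios is the one from the configuration above; the sample request paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page or the Proteios project.
# Emulates the RewriteRule from the virtual host configuration with sed -E so
# the matching behaviour of the pattern can be inspected offline.  Apache uses
# PCRE and sed uses POSIX ERE, but the two patterns below mean the same in both.
# RewriteRule matches the URL path only; with the [P] flag the query string is
# appended to the proxied request automatically, so it is not modelled here.

TARGET='http://localhost:8080/proteios'   # proxy target from the page's config

# The page's pattern: any path containing "proteios" is proxied, and $1 is
# whatever follows the (greedy, hence last) occurrence of the word.
PAGE_RULE='^/.*proteios(.*)'

# A tighter pattern: only paths under the /proteios context root are proxied.
TIGHT_RULE='^/proteios(/.*)?$'

# rewrite_target RULE PATH: prints the proxied URL, or nothing when RULE
# does not match PATH (Apache would then serve the path itself).
rewrite_target() {
    printf '%s\n' "$2" | sed -E -n "s#$1#${TARGET}\\1#p"
}

# Constructed sample request paths, including ones that should NOT reach Tomcat.
demo() {
    for path in /proteios/app /proteios /index.html \
                /images/proteios-logo.png /notproteiosatall /proteios/x/proteios/y; do
        printf '%-28s page rule: %-42s tight rule: %s\n' "$path" \
            "$(rewrite_target "$PAGE_RULE" "$path")" \
            "$(rewrite_target "$TIGHT_RULE" "$path")"
    done
}

demo
```

Running it shows that the page's rule proxies /images/proteios-logo.png to http://localhost:8080/proteios-logo.png and /notproteiosatall to http://localhost:8080/proteiosatall, while the anchored rule leaves both to Apache; this only matters once the same virtual host serves anything besides Proteios, but then it matters. Apache normalises the path (including ../ segments) before the rule is applied, so that is not the issue here; the equivalent of the anchored rule without mod_rewrite is ProxyPass /proteios http://localhost:8080/proteios plus ProxyPassReverse.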

If Proteios is accessed using https, an SSL connection is used between the browser and the Apache Web Server; otherwise a normal HTTP connection is used. The SSL virtual host in the example connects to Tomcat over plain http on port 8080, which is acceptable when Tomcat is on the same system, provided the 8080 connector is not reachable from outside (set address="127.0.0.1" on the Connector, or block the port in the firewall); otherwise users and attackers can simply bypass the SSL front end. Tomcat also has to be told that the original request was https, or the absolute URLs and redirects it generates, and the secure flag on its session cookie, will describe the plain http hop instead; the Connector attributes proxyName="foo.example.com", proxyPort="443", scheme="https" and secure="true" do this for a connector dedicated to the proxy. If Tomcat is located on a separate server foo2.example.com, the rewrite rule can be changed to use an SSL connection for the last step as well (this is what "SSLProxyEngine on" enables):

NameVirtualHost *:443
<VirtualHost *:443>
    ...
    RewriteEngine On
    RewriteRule ^/.*proteios(.*) https://foo2.example.com:8443/proteios$1 [p]
    ...
</VirtualHost>

When the last step uses https as above, note that mod_ssl does not verify the backend's certificate by default (SSLProxyVerify none), so the second hop is encrypted but the backend is not authenticated; set SSLProxyVerify require and point SSLProxyCACertificateFile at the Tomcat certificate (or the CA that issued it) to fix that. The lines specifying log files are optional, but if you need to debug the configuration of several virtual hosts, it may be a good idea to use different log files for each host. An entry in a log file then shows that the corresponding virtual host handled the call. To get more output during debugging, change "LogLevel warn" to "LogLevel debug", and change it back afterwards, since debug and rewrite logs record every requested URL. The RewriteLog directive belongs to Apache 2.2; in Apache 2.4 it was removed and rewrite tracing is enabled with LogLevel rewrite:trace3 instead.

e. Use OpenSSL to Create a Certificate and Private Key if not existing

The openssl package is used to create a private key and a self-signed certificate, if not already existing. A self-signed certificate will still trigger a "Certified by an Unknown Authority" alert when you enter the site with a web browser using https, but you will be able to inspect the certificate and accept or reject it. The Common Name must be the name of the web site (foo.example.com), otherwise the browser raises a second "Domain Name Mismatch" alert after the first one has been accepted; the certificate only matches the exact name it carries, so connecting as "localhost" from the local system will still produce that alert. Current browsers look for the host name in a subjectAltName extension rather than in the CN, which OpenSSL 1.1.1 and later can add with -addext "subjectAltName=DNS:foo.example.com". In the command below, -x509 asks for a self-signed certificate instead of a certificate request, and -nodes writes the private key unencrypted, which Apache needs in order to start without a passphrase prompt. The defaults taken by this old OpenSSL version, a 1024-bit RSA key (see the output) and 30 days of validity (see the -printcert output further down), are not adequate beyond a quick test; pass -newkey rsa:2048 -sha256 -days 365 explicitly.

Below are example commands on a Unix/Linux system:

$ cd /usr/local/openssl/bin
$ ls -l
-rwxr-xr-x  1 dummy users   3668 2008-07-01 08:25 c_rehash
-rwxr-xr-x  1 dummy users 696715 2008-07-01 08:25 openssl
$
$ ./openssl req -new -x509 -nodes -out server.crt -keyout server.key
Generating a 1024 bit RSA private key
..................................................................++++++
.................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:Sweden
Locality Name (eg, city) []:Lund
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Lund University
Organizational Unit Name (eg, section) []:Department of Theoretical Physics
Common Name (eg, YOUR name) []:foo.example.com
Email Address []:webmaster@example.com
$
$ ls -l
-rwxr-xr-x  1 dummy users   3668 2008-07-01 08:25 c_rehash
-rwxr-xr-x  1 dummy users 696715 2008-07-01 08:25 openssl
-rw-r--r--  1 dummy users   1452 2008-07-08 11:37 server.crt
-rw-r--r--  1 dummy users    887 2008-07-08 11:37 server.key
$
$ cat server.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$
$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDJzkl5uc6sPVSpCuePhF2bJK02u+1C5Q1Ixc6TLtBccN7D8Yom
2z6lV5coM/kcGmg/1kUvWGmvsS5LcQXgJMdb+6ui7QBnA9w/TujmlDHnycjpc0by
KuNnuGv+T0vjf5JDbEPgDAHWXeVSxeEOo6UEAMMa/gB8AM+l2ZzdD3c20wIDAQAB
AoGBAL12BlVZtEbQbaMmsa9zvc3h6Rzx4hZjpM0lqINV+BhRf1LGecVxIKdqTGda
JA3WXPlR2TJR9ycTWTtKqRF+dgqiqBKqnLpQzPNnxOFUNcq027vRpF2NQEbCdEXj
ZTUd7RTudZWSRdd8h6Z53myEHC5Wh5mS5TCGg8C50oHItgBBAkEA56ROqLXsgrdC
ZfUNJF6rMKDLINk3Br5ABt4C6IHABePgD0sEiEfzGl2okjNVbID0L8nQxH4Jxi/h
XqR6kPp/lwJBAN8Gzse0iheqUBI5vqMnwOXR8GYRACK5D1EuFapQNgkiHEiXP0Wz
Y8UU0RtChGFpJxJa+6B3nTf6CpcMxhrMKiUCQFeJMehzh0MGeeMJrcO2ur6PpPNu
4mp77ropn7O5hJU1PfDJipbtiaLHDfLhz0BHov+EJo56irsIUQRw55ht8VUCQAUS
EI11y1XyZ1OiwHTRKI+REFghttETSAfedlui6zeV8PKtjaC2DWSjroViI8RbMao3
K1VgotBs/OSmQ7LERYkCQQDImHu21lzkzgx78K8NSKfGE+6HHGDMGicAQdBhm/DN
56I/QVFfN8SzP/yjEXFWhfg9A0rkkGr0ttzrBENoiZ7D
-----END RSA PRIVATE KEY-----
$

The command above creates a server.crt certificate file and a server.key private key file in the current directory. Since this is just an example using dummy data, the contents of the private key file are shown; under normal conditions this file must never be displayed, pasted into documentation or mailed around, and a key that has been exposed in this way has to be replaced. Note also that the file was created world-readable (-rw-r--r--): the private key should be owned by root and readable only by its owner (chmod 600), and since -nodes left it unencrypted, file permissions are its only protection.

The contents of the certificate file can be inspected with keytool using the -printcert command, or with openssl x509 -noout -text -in server.crt (this step is not necessary for the certificate to be used with Apache Web Server). Note the 30-day validity in the output, the OpenSSL default when -days is not given:

$ keytool -printcert -file server.crt
Owner: EMAILADDRESS=webmaster@example.com, CN=foo.example.com, OU=Department of Theoretical Physics, O=Lund University, L=Lund, ST=Sweden, C=SE
Issuer: EMAILADDRESS=webmaster@example.com, CN=foo.example.com, OU=Department of Theoretical Physics, O=Lund University, L=Lund, ST=Sweden, C=SE
Serial number: a4478896d24ab44c
Valid from: Tue Jul 08 11:37:59 CEST 2008 until: Thu Aug 07 11:37:59 CEST 2008
Certificate fingerprints:
         MD5:  CC:37:AC:13:96:C8:F1:62:BD:68:2D:4B:65:ED:F8:E2
         SHA1: 7F:30:B7:D1:A9:0B:60:4C:4B:5B:1B:0E:54:99:BF:C6:F1:D8:43:91
$

Move the certificate and private key files to the Apache Web Server conf directory, keeping the key readable only by root (Apache reads it while starting as root, before switching to its unprivileged user):

$ mv /usr/local/openssl/bin/server.crt /usr/local/apache2/conf/
$ mv /usr/local/openssl/bin/server.key /usr/local/apache2/conf/

Using an OpenSSL Certificate for Tomcat SSL

It is tempting to reuse the OpenSSL certificate for Tomcat by importing server.crt into the Keystore with the keytool import command -import. Note, however, what that actually does: it imports only the public certificate, and the resulting entry is a trustedCertEntry (see the final -list output below), which makes the Java runtime trust that certificate as a peer but gives Tomcat no private key to serve SSL with. A Tomcat SSL connector needs a keyEntry (PrivateKeyEntry in newer keytool versions), i.e. the private key together with its certificate. To use the OpenSSL key pair in Tomcat, bundle server.key and server.crt into a PKCS#12 file with openssl pkcs12 -export -name tomcat, and then either point the Connector at that file (keystoreFile="/path/to/server.p12" keystoreType="PKCS12" keystorePass="...") or convert it into the JKS keystore with keytool -importkeystore -srcstoretype PKCS12 (Java 6 and later). The commands below show the certificate-only import for reference. -import refuses to add a certificate under an alias that already exists, so the previous entry is first removed with the keytool delete command -delete:

$ keytool -list
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jul 8, 2008, keyEntry,
Certificate fingerprint (MD5): D3:C4:47:A2:36:4D:7E:78:B6:75:F9:67:D4:BD:B3:4D
$
$ keytool -delete -alias tomcat
Enter keystore password:  changeit
$
$ keytool -list
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 0 entries

$
$ keytool -import -v -alias tomcat -file /usr/local/apache2/conf/server.crt
Enter keystore password:  changeit
Owner: EMAILADDRESS=webmaster@example.com, CN=foo.example.com, OU=Department of Theoretical Physics, O=Lund University, L=Lund, ST=Sweden, C=SE
Issuer: EMAILADDRESS=webmaster@example.com, CN=foo.example.com, OU=Department of Theoretical Physics, O=Lund University, L=Lund, ST=Sweden, C=SE
Serial number: a4478896d24ab44c
Valid from: Tue Jul 08 11:37:59 CEST 2008 until: Thu Aug 07 11:37:59 CEST 2008
Certificate fingerprints:
         MD5:  CC:37:AC:13:96:C8:F1:62:BD:68:2D:4B:65:ED:F8:E2
         SHA1: 7F:30:B7:D1:A9:0B:60:4C:4B:5B:1B:0E:54:99:BF:C6:F1:D8:43:91
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /home/foo/dummy/.keystore]
$
$ keytool -list
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jul 8, 2008, trustedCertEntry,
Certificate fingerprint (MD5): CC:37:AC:13:96:C8:F1:62:BD:68:2D:4B:65:ED:F8:E2
$
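As an added example (not code from the original page or the Proteios project), the following script carries out the key-plus-certificate route in one go: it generates an OpenSSL key pair and self-signed certificate for foo.example.com with a subjectAltName, bundles them into a PKCS#12 file under alias tomcat, converts that into a JKS keystore when keytool is available, and checks that the bundle really contains the private key, which is what the trustedCertEntry above lacks. It assumes openssl 1.1.1 or later on the PATH; the host name, the keystore password changeit and the working directory are placeholders, and the file names are not the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not code from the original page or the Proteios project.
# Builds a keystore that Tomcat can serve SSL with from an OpenSSL key pair.
# Tomcat needs the PRIVATE KEY together with the certificate (a keyEntry /
# PrivateKeyEntry); "keytool -import" of server.crt alone only produces a
# trustedCertEntry, which cannot be used as a server identity.
# Assumptions: openssl 1.1.1 or later is on PATH (for -addext); keytool is
# optional.  Host name, password and directory are placeholders.

HOST="foo.example.com"
STOREPASS="changeit"     # placeholder; choose a real secret for production

# 2048-bit RSA key and self-signed certificate (SHA-256, one year).
# Browsers match the host name against subjectAltName, so it is set as well
# as the CN.  -nodes leaves the key unencrypted, hence the chmod 600.
make_key_and_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=SE/O=Lund University/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
}

# Bundle private key and certificate into a PKCS#12 file under alias "tomcat".
make_pkcs12() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -name tomcat -passout "pass:$STOREPASS" -out "$dir/server.p12" 2>/dev/null
}

# Optional: convert the PKCS#12 file into a JKS keystore.  Tomcat can use
# server.p12 directly (keystoreType="PKCS12"), so this step is skipped when
# keytool is not installed.
import_into_jks() {
    dir="$1"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping JKS conversion" >&2
        return 0
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/server.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
        -srcalias tomcat -destalias tomcat 2>/dev/null
}

# Check: does the bundle hold a private key (the part a trustedCertEntry lacks)?
p12_has_private_key() {
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$STOREPASS" -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
}

# Check: the CN of the certificate inside the bundle.
p12_subject_cn() {
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$STOREPASS" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Whole procedure for one directory; returns non-zero on any failure.
make_tomcat_keystore() {
    make_key_and_cert "$1" && make_pkcs12 "$1" && import_into_jks "$1"
}

# Stand-alone demonstration in a scratch directory.
work=$(mktemp -d)
if make_tomcat_keystore "$work" && p12_has_private_key "$work"; then
    echo "$work/server.p12 holds private key and certificate for CN=$(p12_subject_cn "$work")"
fi
```

Point the Tomcat Connector at server.p12 (keystoreFile and keystoreType="PKCS12") or at keystore.jks; either way keytool -list should now show the tomcat entry as keyEntry or PrivateKeyEntry rather than trustedCertEntry. OpenSSL 3 writes the PKCS#12 file with AES and PBKDF2, which older JDK versions cannot read; if keytool rejects the file, add -legacy to the openssl pkcs12 -export command.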

f. Activate the new settings

Restart Apache Web Server and make sure that Apache Tomcat is running. Test accessing Proteios over SSL using url https://foo.example.com/proteios/app, i.e. without specifying Apache Tomcat default SSL port 8443. It should still be possible to access Proteios over a standard HTTP connection with url http://foo.example.com/proteios/app. To check what the server actually negotiates, independent of a browser, run openssl s_client -connect foo.example.com:443 -servername foo.example.com and compare the certificate and protocol it reports with what you configured. Remember that this setup adds an SSL entry point but does not remove the plain ones: as long as ports 8080 and 8443 on Tomcat, and port 80 on Apache, remain reachable, users can still log in without SSL, so block or bind those ports and consider redirecting http to https for the Proteios paths.

g. References

  1. Documentation on Apache mass virtual hosting can be found at http://httpd.apache.org/docs/2.2/vhosts/mass.html.
  2. Virtual host examples can be found at http://httpd.apache.org/docs/2.2/vhosts/examples.html.
  3. The Apache Tomcat SSL How-To documentation can be found at http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html.
  4. Keytool documentation can be found at http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.