[转] 2 ways to setup SSL on Tomcat 7

jilgb

　　This post will demonstrate how to setup SSL on Tomcat 7 with and without Apache2 in Debian servers using self-signed certificates. This should work with Debian Squeeze and Wheezy servers. We assume you already have existing Apache 2 and Tomcat 7 installations.


　　1. SSL through Apache and mod_jk 　　　　　　With this method Tomcat apps are accessed securely and directly without referencing a Tomcat port.





1 https://yourdomain.com
　　Let us begin by installing mod_jk and enabling SSL modules. SSL module comes bundled with Apache2.





1 # installing jk will also enable it
2 apt-get install libapache2-mod-jk
3 a2enmod ssl
　　Create worker/connector
　　This is the connector that Apache2 uses to communicate with Tomcat.





1 # Choose a name desired
2 vi /etc/apache2/workers.properties


1 # Make sure this points to the correct path of Tomcat
2 # and your Java installations
3 # This corresponds to your JAVA_HOME and CATALINA_HOME
4 workers.tomcat_home=/opt/tomcat
5 workers.java_home=/opt/java7
6
7 ps=/
8
9 worker.list=default
10 worker.default.port=8009
11 worker.default.host=localhost
12 worker.default.type=ajp13
13 worker.default.lbfactor=1
　　default in line 9 above is the name of the connector. This is the name used in our Virtual Host setup (we will come to this later).
　　Edit/Create a global Apache2 jk configuration





1 vi /etc/apache2/conf.d/jk.conf


1
2     # This is the file workers file we created earlier
3     JkWorkersFile /etc/apache2/workers.properties
4     JkLogFile /var/log/apache2/mod_jk.log
5     JkShmFile /var/log/apache2/mod_jk.shm
6     JkLogLevel error
7
　　Create a virtual Host
　　Here we will be using certificates that come with ssl-cert package from Debian. This is only for this demonstration. You can generate you own self-signed certificates by using openssl. There is quite a lot of online guides you can visit on using openssl.
　　For now, we use a certificate that comes with ssl-cert, snakeoil.
　　We create 2 virtual hosts, one for unsecure and one for the secure https access. Both of them should mount our default jk connector we created in our workers.properties file. Here below is what it should look like. If you are already using mod_jk, you must have already created an unsecure virtual host, if you are, just copy them and insert the SSL sections/lines.





1 NameVirtualHost your-server-ip-address:80
2 NameVirtualHost your-server-ip-address:443  
3
4
5     JkMount /* default
6     ServerName yourdomain.com
7     ServerAdmin admin@emil.com
8     DocumentRoot /opt/tomcat/webapps
9     ErrorLog /opt/tomcat/logs/error.log
10     CustomLog /opt/tomcat/logs/access.log common
11     
12         Options -Indexes
13      
14     # You other directives
15  
16
17
18     SSLEngine on
19     SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
20     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
21     JkMount /* default
22     ServerName yourdomain.com
23     ServerAdmin admin@emil.com
24     DocumentRoot /opt/tomcat/webapps
25     ErrorLog /opt/tomcat/logs/error.log
26     CustomLog /opt/tomcat/logs/access.log common
27     
28         Options -Indexes
29         
30     # You other directives
31
　　Now edit your Tomcat server.xml and uncomment the AJP connector.






　　Please note that you use only one jk connector for both secure and unsecure connections. Connector port (8009) should match to the port defined earlier in the workers.properties file we created.
　　Restart apache2 and tomcat and test.





1 http://yourdomain.com
2 https://yourdomain.com
　　Please be aware though that you will get a warning, from your browser, that you are using an untrusted certificate provider. Just ignore them.


　　2. SSL over Tomcat direct 　　　　　　In this setup you will have to specify the port to access Tomcat securely, like below. This bypasses Apache completely.





1 https://yourdomain:8443
　　We begin by generating a keystore using Java's keytool.





1 JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat7/keystore
　　The above command asks a few questions. When prompted for "first and last name", enter your domain name. Passwords will also be asked for the keystore and the certificate. The actual keystore is created in /opt/tomcat7/keystore with 1 certificate.

　　Verify your keystore.






1 JAVA_HOME/bin/keytool -list -keystore  /opt/tomcat7/keystore
　　Change ownership and access permission to the file.





1 chown tomcat:tomcat /opt/tomcat7/keystore
2 chmod 755 /opt/tomcat7/keystore
　　We are assuming from the commands above that you have a user tomcat and group tomcat that owns the Tomcat process in your system.
　　Edit you Tomcat server.xml and uncomment the 8443 connector and then add our keystore details. See below.





1
　　The above connector uses a blocking HTTP/1.1 protocol. Use NIO or APR as may be desired. Replace "password" with the actual password of your keystore.
　　Save and restart Tomcat.
　　Like method #1, your browser will warn you of the untrusted certificate. Just ignore them.