Monday, May 23, 2011

Apache Web Server, mod_jk, Tomcat, SSL, Client Authentication

Apache+SSL web server and Tomcat 6 with client authentication
1.       Download and install Apache HTTP Server 2.2 with OpenSSL (Download Apache with SSL).
2.       Download and install OpenSSL for Windows (Download OpenSSL).
3.       Download and install Tomcat 6 (Download Tomcat).
Add C:\OpenSSL-Win32\bin (the folder where you installed OpenSSL) to the PATH variable under Environment Variables.
Create a folder “CA” under “C:\”, then a folder “certificates” under “C:\CA”.
Create “servercerts” and “clientcerts” folders under “C:\CA\certificates”.
Open a command prompt and cd to “C:\CA”.
Create the Certificate Authority (CA)
· Generate a private key
· Create a certificate request
· Self-sign the certificate.
Generate a private key
C:\CA>openssl genrsa -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
....++++++
e is 65537 (0x10001)
Create a certificate request
C:\CA>openssl req -new -key ca.key -out ca.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:ptcube
Email Address []:admin@ptcube.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:ptcube
Self-sign the certificate.
C:\CA>openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=ptcube/emailAddress=admin@ptcube.com
Getting Private key

Set Up the Web Server Certificate

On the web server, create a self-signed certificate for SSL requests.

C:\CA>cd certificates
C:\CA\certificates>cd servercerts

· Generate a private key
· Create a certificate request
· Sign the certificate
Generate a private key
C:\CA\certificates\servercerts>openssl genrsa -out server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................................................................++++++
.........................++++++
e is 65537 (0x10001)
Create a certificate request
C:\CA\certificates\servercerts>openssl req -new -key server.key -out server.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:ptcube-iam.ptcube.com
Email Address []:admin@ptcube.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:ptcube
Sign the certificate
C:\CA\certificates\servercerts>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=ptcube-iam.ptcube.com/emailAddress=admin@ptcube.com
Getting Private key

Install the CA Certificate on the Web Server

Tell the web server (Apache) where it can find the CA certificate, in httpd-ssl.conf.

Modify SSLCACertificateFile to point to the ca.crt you created. This is the CA whose signature Apache will require on client certificates once SSLVerifyClient is enabled below.

SSLCACertificateFile "C:/Apache2.2/conf/ca/ca.crt"

Modify SSLCertificateFile and SSLCertificateKeyFile to point to the server certificate (server.crt) and private key (server.key) you created in the previous section.
Restart your Apache server and check whether you can access it using the https protocol.

Set Up the Apache Web Server to Require a Client Certificate for Access

Modify the SSLVerifyClient attribute in httpd-ssl.conf and set it to “require”:

SSLVerifyClient require

Request a Client Certificate

· Generate a private key
· Create a certificate request
· Sign the certificate with the CA you created before
Generate a private key
C:\CA\certificates\clientcerts>openssl genrsa -out client.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..............................++++++
..............++++++
e is 65537 (0x10001)

Create a certificate request
C:\CA\certificates\clientcerts>openssl req -new -key client.key -out client.csr -config c:\Apache2.2\conf\openssl.cnf
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:sterling
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ptcube
Organizational Unit Name (eg, section) []:it
Common Name (eg, YOUR name) []:venkat kakanaboyina
Email Address []:venkat3012gs@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:password
Sign the certificate with the CA you created before
C:\CA\certificates\clientcerts>openssl x509 -req -days 365 -CA c:\ca\ca.crt -CAkey c:\ca\ca.key -CAcreateserial -in client.csr -out client.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=venkat kakanaboyina/emailAddress=venkat3012gs@yahoo.com
Getting CA Private Key

Import the Client Certificate

Create a PKCS#12 document from the client private key and the signed certificate:

C:\CA\certificates\clientcerts>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

Import client.p12 into your browser (it will ask for the export password you chose above), then try accessing the same URL as before. You should be challenged to pick the certificate.
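As an added example (not code from the original post), here is the whole certificate procedure above as a non-interactive shell script using the same openssl subcommands, followed by the check worth running before turning on SSLVerifyClient require: which certificates the CA in ca.crt actually accepts. It assumes an openssl binary on the PATH; the subject values are constructed to mirror the post's, and the 2048-bit key size and the export password are this example's choices, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the CA, server and
# client certificates the post creates interactively, then check which ones
# the CA in SSLCACertificateFile would accept. DN values are constructed to
# mirror the post's; 2048-bit keys and the PKCS#12 password are my choices.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The CA: key, request, self-signed certificate (openssl genrsa/req/x509)
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -out ca.csr \
  -subj "/C=US/ST=VA/L=sterling/O=ptcube/OU=it/CN=ptcube" 2>/dev/null
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt 2>/dev/null

# 2. The web server certificate, self-signed with its own key exactly as the
#    post does it, so it is NOT issued by the CA above
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=VA/O=ptcube/CN=ptcube-iam.ptcube.com" 2>/dev/null
openssl x509 -req -days 365 -in server.csr -signkey server.key \
  -out server.crt 2>/dev/null

# 3. The client certificate, issued (signed) by the CA
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -out client.csr \
  -subj "/C=US/ST=VA/O=ptcube/OU=it/CN=example client" 2>/dev/null
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in client.csr -out client.crt 2>/dev/null

# 4. PKCS#12 bundle for the browser import (constructed export password)
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
  -out client.p12 -passout pass:example-p12-password

# Returns 0 when ca.crt vouches for the given certificate, non-zero otherwise.
# This is the decision mod_ssl makes for each client under
# "SSLVerifyClient require" with SSLCACertificateFile pointing at ca.crt.
accepted_by_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Subject the browser will offer, read back from the PKCS#12 file.
p12_subject() {
  openssl pkcs12 -in client.p12 -passin pass:example-p12-password -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

accepted_by_ca client.crt && echo "client.crt: accepted by CA"
accepted_by_ca server.crt || echo "server.crt: rejected (not issued by this CA)"
echo "client.p12 presents: $(p12_subject)"
```

The second check is the one that matters operationally: only certificates issued by the CA in SSLCACertificateFile pass, so anything self-signed, including the server's own certificate, is turned away at the handshake.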

Now integrate Apache with Tomcat using mod_jk
Download mod_jk from this link, and read the installation and configuration document (Mod_JK configuration).
Copy mod_jk-1.2.31-httpd-2.2.3.so into the “C:/Apache2.2/modules/” directory.
Add the following line to the server.xml file in the tomcat/conf directory:
<Listener className="org.apache.jk.config.ApacheConfig" modJk="C:/Apache2.2/modules/mod_jk-1.2.31-httpd-2.2.3.so" />
Restart Tomcat. You should see a folder “auto” created under “conf”, containing a mod_jk.conf file.
Create a folder “jk” under “conf” and copy the mod_jk.conf file from the “auto” directory into it. The mod_jk.conf under “auto” is regenerated every time Tomcat restarts, so we keep our customised copy in the “jk” folder where it will not be overwritten.
Delete the following from the mod_jk.conf file:
<VirtualHost localhost>
    ServerName localhost
    JkMount /examples ajp13
    JkMount /examples/* ajp13
    JkMount /host-manager ajp13
    JkMount /host-manager/* ajp13
    JkMount /docs ajp13
    JkMount /docs/* ajp13
    JkMount /manager ajp13
    JkMount /manager/* ajp13
</VirtualHost>
Add the following to this file:
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions: forward the SSL key size and the client certificate chain to Tomcat
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories +ForwardSSLCertChain
# JkRequestLogFormat sets the request log format
JkRequestLogFormat     "%w %V %T"
# JkMount points. Note that /*/* forwards every nested path to Tomcat, including
# the /manager/* and /host-manager/* mounts deleted above; mount only the
# contexts you intend to expose through Apache.
JkMount /example/* worker1
JkMount /*/* worker1
# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for the SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for the client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT
Create a workers.properties file in the “jk” folder with the following content.
workers.tomcat_home=C:/apache-tomcat-6.0.18
workers.java_home=C:/Program Files/Java/jdk1.5.0_22
# Path separator (backslash on Windows)
ps=\
# A single ajp13 worker; list more names (comma separated) to add workers, e.g.
# worker.list=worker1, worker2, worker3
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=ptcube-iam.ptcube.com
worker.worker1.port=8009
worker.worker1.lbfactor=1
worker.worker1.connection_pool_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.socket_timeout=60
worker.worker1.cachesize=10

Include the “mod_jk.conf” file in httpd-ssl.conf:
Include C:/apache-tomcat-6.0.18/conf/jk/mod_jk.conf
Restart both Tomcat and Apache. You can now reach the Tomcat applications through the Apache web server over SSL with client authentication. Because JkExtractSSL and JkCERTSIndicator forward the client certificate over AJP, Tomcat exposes it to the web application as the javax.servlet.request.X509Certificate request attribute.