Saturday, September 8, 2012

SSL Offloading with mod_jk part 1

Document  Version 1.0
   Copyright © 2012-2013 beijing.beijing.012@gmail.com


Keywords:
SSLOffloading SSL-Offloading, SSL Termination, Apache, Tomcat, mod_jk configuration, multiple vhosts, SSL certificate, multiple SSL certificates one ip



Table of Contents

Part 1 :  Create a simple servlet based Web Application "TestWebSec20"
              1.1  System Architect
              1.2  Technical Infrastructure
              1.3  "HalloNormal" Servlet
              1.4   web.xml

Part 2 :  Create and configure keystore for Tomcat

Part 3 :  Run "HalloNormal" and "HalloSec" Web Application

Part 4 : Fronting Tomcat with Apache and mod_jk
             4.1    Install Apache2
             4.2    Configure Apache to load / use mod_jk
             4.2.1 mod_jk.conf  file
             4.2.2 workers.properties file
             4.2.3 Create virtual hosts and configure the virtual host to use mod_jk

Part 5 : SSL port problem

Part 6 : Configure Tomcat to accept SSL handling of mod_jk
             6.1 Generate a self-signed SSL certificate
             6.2 Configure Apache virtual host for SSL
             6.3 Configure Tomcat to accept SSL handling of mod_jk



There seems alway  to be a gap between the people who write applications, and those to take care of the running applications, i.e. the operation guys. 
It was surprising to find, how things could be misunderstand, even done wrong, because lack of the whole understanding of both areas, concering topics like applicaiton load balancing,  scaling, failover, security, SSL ...

Recently I had the chance again in a project to review the system architecture and security concept, and this made me to decide to "document" some of my experinence and considerations, practices ....,  not only about this project, but also back to the years, in the hope to help those who just looking for a solution to some problmes.


Lets begin with SSL Termination /  SSL Offloading, and this is the part 1/7 


With a simple servlet based Web Applicaion, we will trying to make it run like a real world web application, which has its own domain name(s), which run behind a locad balancer, which has resources protected by SSL, and SSL handled  by SSL offloading ...


1.1 System Architect:





When we finished, we will have:

1. A simple Web application with partially ssl protected resources
2. Web Applicaiton running in Tomcat, and Tomcat fronted with Apache + mod_jk
3. Web Applicaiton  being accessed using  "virtual host",  with its own SSL certificate
4. Multiple "virtual host" addressing the same Web Application, each having it own certificate


1.2 The necessary technical infrastructure:


1. Linux (openSuse 12.1) with Apache2 installed
2. Tomcat (7.x)
3. Eclispe IDE for Java


Part 1 : Create a simple servlet based Web Application "TestWebSec20"

We will create a servlet based Web Application called "TestWebSec20" with Eclipse IDE.
TestWebSec20 Web Application has 2 servlets:
 "HalloNormal" servlet 
  "HalloSec" servlet. "HalloNormal" will be protected with SSL.


1.3 "HalloNormal" servlet:




import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class HalloSec
 */
public class HalloSec extends HttpServlet {
      private static final long serialVersionUID = 1L;
      
      /**
       * @see HttpServlet#HttpServlet()
       */
       public HalloSec() {
            super();
            // TODO Auto-generated constructor stub
       }

      /**
       * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
       */
      protected void doGet(HttpServletRequest request, HttpServletResponse response) throws     ServletException, IOException {
          doPost(request, response);
      }

      /**
       * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
       */
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         // TODO Auto-generated method stub
        PrintWriter writer =response.getWriter();
        writer.write("Hallo Sec");
        writer.flush();
        writer.close();
        }
   }
 


1.4 web.xml:



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app id="WebApp_ID">
<display-name>TestWebSec20</display-name>
        <servlet>
                <servlet-name>HalloNormal</servlet-name>
                <display-name>HalloNormal</display-name>
                <description>TestWebSec20</description>
                <servlet-class>web.sec.HalloNormal</servlet-class>
        </servlet>
        <servlet>
                <servlet-name>HalloSec</servlet-name>
                <display-name>HalloSec</display-name>
                <description></description>
                <servlet-class>web.sec.HalloSec</servlet-class>
        </servlet>

        <servlet-mapping>
                <servlet-name>HalloNormal</servlet-name>
                <url-pattern>/HalloNormal</url-pattern>
        </servlet-mapping>

        <servlet-mapping>
                <servlet-name>HalloSec</servlet-name>
                <url-pattern>/secure/HalloSec</url-pattern>
        </servlet-mapping>

        <welcome-file-list>
                <welcome-file>index.html</welcome-file>
        </welcome-file-list>

        <security-constraint>
                <display-name>Example Security Constraint</display-name>
                <web-resource-collection>
                        <web-resource-name>Secure Area</web-resource-name>
                        <url-pattern>/secure/*</url-pattern>
                                <http-method>GET</http-method>
                                <http-method>POST</http-method>
               </web-resource-collection>
               
              <!-- 
             <auth-constraint>
                      <role-name>*</role-name>
            </auth-constraint>
             -->

            <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
             </user-data-constraint>
        </security-constraint>
</web-app>



Explanation to web.xml

    *  "HalloSec" servlet will be accessed using url "/secure/HalloSec". 

       This RUL is protected by "security-constraint".
    *  "auth-constraint" is commented out, so that here no "login form" is required.
    *  transport-guarantee CONFIDENTIAL makes the path protected by SSL.
       A HTTP request to this path /secure/* will be redirected to HTTPS


Deploy the TestWebSec20 Web Application(TestWebSec20.war) to Tomcat (v.7.x). 

Start Tomcat. Now try accessing the HalloNormal servlet using following URL:
http://localhost:8080/TestWebSec20/HalloNormal, You willl now see text "Hallo Normal" in your browser:


SSL Offloading with mod_jk part 2
part3 part4 part5 part6




3 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. Hi,

    Can I implement this with Tomcat6?

    ReplyDelete
  3. Hi I think should be no problem with Tomcat 6. Please just follow all the steps in the post.

    ReplyDelete