Thursday, March 2, 2017

Secure Tomcat Servlets Behind Apache httpd

OVERVIEW


We take the tomcat/httpd configuration we created in THIS POST, and we secure those applications using HTTPS. We will be using a self-signed certificate in this example, but the process is essentially the same for trusted certs, providing they come as .key and .cert files. Again, I assume you are familiar with the command line in Linux, and all work will be performed as root.

Below is a simple diagram that illustrates our application architecture.

A secured application
We'll be working strictly between the two blocks on the far right of the diagram. We will secure the connection between the client browser and the Apache httpd server. Virtually everything I've read to this point indicates that the connection from the httpd server on to the actual applications does not require the same level of security. Consider that Tomcat may reside on the same physical host as the httpd server, or that the httpd server is a perimeter device, so connections behind it are internal and thus considered secure (at least, reasonably).

SECURE THE HTTPD TRAFFIC


This is a short, 5-step process. We will be securing traffic using openssl/mod_ssl.

Install mod_ssl


If you followed the process of placing tomcat behind httpd in my previous post, you know that we're using CentOS 6, and we installed the version of httpd server compiled for RHEL/CentOS that is available via the default yum repository. We'll be using the same for mod_ssl, which makes installation as easy as:

# yum install mod_ssl

Create a Directory to House the Certificate and Key Files


# mkdir /etc/httpd/ssl

Create the Self-Signed Certificate


# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/apache.key -out /etc/httpd/ssl/apache.crt

You will be prompted for a number of pieces of information. Provide answers to each, paying close attention to the Common Name field. This will be the DNS name or IP address of your httpd server. Once created, the certificate and key files are valid for one year, and will be dropped into our custom directory created above. Note that -nodes writes the private key unencrypted, so the key file should stay readable by root only.

Configure the httpd Server to Use the Certificate


Edit the /etc/httpd/conf/ssl.conf file:

# vim /etc/httpd/conf/ssl.conf

Locate the <VirtualHost _default_:443> section. We will be working inside that block. Uncomment the DocumentRoot and ServerName lines, and replace example.com with your server name.
Next, locate the following three keys, and set them to the values indicated below:

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key


Save the file, and exit back to the command prompt.
Test the Apache httpd config, and restart httpd:

# apachectl -t
# service httpd restart

The syntax check should come back with "Syntax OK" before you restart.


Now, if you browse to the document root of the server, you should see the Apache httpd test page that comes with CentOS, and you should see in the address bar that you are using HTTPS (though there will likely be a warning symbol of some sort, as the certificate is self-signed).

Enable Secure Access to Tomcat Servlets


Try to browse to the tomcat examples directory, and you will notice a "Not Found" error. This is because while we configured httpd for HTTPS, we're not passing that back to tomcat yet. As it turns out, this is very simple. Edit the ssl.conf file, and go back into the <VirtualHost _default_:443> section.

# vim /etc/httpd/conf/ssl.conf

Add the following two lines:

JkMountCopy On
JkMount /* ajp13


Save and close the file.

Now when you browse to the examples directory using https (https://<server-name-or-ip>/examples/) you should see the examples directory. Clicking on the Servlet examples link will show the page of example servlets provided by tomcat.
Accessing Tomcat servlets over https
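As an added example (my own script, not part of the original post), this POSIX shell snippet checks an ssl.conf for the directives set in the two configuration steps above, ignoring commented-out lines, and checks that the key file is readable by its owner only; the config it reads is a constructed sample, and the function names are mine.

```shell
# Added example: sanity-check the <VirtualHost _default_:443> edits from this post.
# Constructed sample config (not from a real server); point the functions at your own ssl.conf instead.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.example.com:443
SSLEngine on
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/ssl/apache.crt
SSLCertificateKeyFile /etc/httpd/ssl/apache.key
JkMountCopy On
JkMount /* ajp13
</VirtualHost>
EOF

# Print the body of the _default_:443 block, comment lines stripped.
vhost_443_block() {
    awk '/^[ \t]*<VirtualHost[ \t]+_default_:443>/ { inside = 1; next }
         /^[ \t]*<\/VirtualHost>/ { inside = 0 }
         inside && !/^[ \t]*#/ { print }' "$1"
}

# Return 0 if the block sets DIRECTIVE (and, when VALUE is given, its first argument is VALUE).
has_directive() {  # conf directive [value]
    vhost_443_block "$1" | awk -v d="$2" -v v="$3" \
        '$1 == d && (v == "" || $2 == v) { found = 1 } END { exit found ? 0 : 1 }'
}

# Report each directive the post tells you to set; the return value is how many are missing.
check_ssl_conf() {
    conf=$1; missing=0
    for spec in "SSLEngine on" SSLCertificateFile SSLCertificateKeyFile "JkMountCopy On" "JkMount /*"; do
        directive=${spec%% *}; value=${spec#* }
        [ "$value" = "$spec" ] && value=""      # spec had no value to compare
        if has_directive "$conf" "$directive" "$value"; then echo "ok      $spec"
        else echo "MISSING $spec"; missing=$((missing + 1)); fi
    done
    return "$missing"
}

# Return 0 if the private key is readable by its owner only (e.g. mode 0600, owned by root).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_ssl_conf "$SAMPLE_CONF"
```

Run it after editing ssl.conf and before `apachectl -t`; a MISSING line means the HTTPS virtual host will not serve the servlets the way the post expects.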
