tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Mikusa <dmik...@vmware.com>
Subject Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5
Date Fri, 02 Dec 2011 14:24:03 GMT
On Fri, 2011-12-02 at 00:56 -0800, moshood oladapo wrote:
> Dear Sir/Ma,
> 
> I have already deployed an application running perfectly on tomcat 6.0.20 on port 8080
on my Oracle EL 5 server. But now I want all request to go through SSL. 
> 

If you want to force all traffic to go through SSL, you need to do two
things.

1.) Configure an Connector with SSL.

Example using BIO connector:

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Example using APR connector:

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt" 
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           clientAuth="optional" SSLProtocol="TLSv1"/>

For details, see

  https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
  https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support


2.) Define user-data-constraint in web.xml to indicate that the
application's traffic must be secured.

<security-constraint>
...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

See this link for details.

  http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbm


> 
> See below my configurations on server.xml:
> 
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"
SSLRandomSeed="builtin" />
> 
> 
> 
>     <Connector executor="tomcatThreadPool"
>                port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="443" />
>     -->
>     <!-- Define a SSL HTTP/1.1 Connector on port 8443
>          This connector uses the JSSE configuration, when using APR, the
>          connector should be using the OpenSSL style configuration
>          described in the APR documentation -->
> 
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                SSLEngine="on"
>                SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
>                SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
>                SSLPassword="optix10$"
>      />
> 
> After doing all this, I still couldn't access it "https://localhost:443/". It display
error message " internet explorer cannot display the webpage". But when i try http://localhost:8080/,
it works fine.
> 
> There is a clause I don't understand in the HowTo configure SSL with APR - (the
> APR library must be available). How do I know if the APR is available or not?

If you don't know if APR is installed, then it's likely that it is not
installed.  The APR library is a native library that you must compile
and install manually.

https://tomcat.apache.org/tomcat-6.0-doc/apr.html

Did you or another system admin compile and install it on your server?


Dan
Mime
View raw message