notes on https access to ESL

HTTPS access to Tomcat, with or without Apache as an intermediary. 


Leve and I did some experimenting on dean3, which has a working ESL deployment (rsync from dean keeps it up).  Here are the salient findings and the configuration snippets that had desired effects (desired for testing purposes, not necessarily production).  The first is of most interest, allowing Apache to handle the SSL connection from clients, but still getting content from Tomcat.


ssl.conf (the one to try on dean at a convenient time):


HTTPS connections are handled by Apache, but the response is generated by Tomcat over the AJP protocol (mod_jk). Within the default VirtualHost container
(<VirtualHost _default_:443>), where ajp13w must be the name of a worker defined in the mod_jk workers.properties file:
JkMount /apps/* ajp13w
JkMount /*.jsp ajp13w
JkMount /*.jspx ajp13w
JkMount /*/servlet/* ajp13w



web.xml

To require a secure (SSL) connection when communicating *directly* with Tomcat (for instance, with no Apache intermediary):
  <security-constraint>
    <web-resource-collection>
        <web-resource-name>secured page</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>


server.xml

For Tomcat to listen on port 8443 for SSL connections (but of course we do not want to expose Tomcat to Nessus scans and the like, so not something we are likely to use):

   <Connector port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/tomcat/conf/certs/BNLcert.p12"
           keystorePass="changeit" keystoreType="PKCS12"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           clientAuth="false" sslProtocol="SSLv3"/>

(Note that sslProtocol="SSLv3" is not a good idea and would almost certainly be flagged by Nessus; try sslProtocol="TLS" instead.)
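As an added check (not part of these notes, and not ESL's or Tomcat's own code), the script below audits both snippets above: it confirms that web.xml has a security-constraint with transport-guarantee CONFIDENTIAL covering /*, and flags an SSLEnabled Connector in server.xml that uses an SSLv* sslProtocol, the well-known default keystorePass "changeit", or cipher suites built on RC4, 3DES or MD5 (so the ciphers list above would be reported as well as the SSLv3 setting). The two XML documents embedded in it are constructed copies of the snippets above, and WEAK_CIPHER_MARKERS is my own heuristic list, not a Tomcat setting.

```python
"""Audit a web.xml and a server.xml for the two TLS points in these notes:
does web.xml force CONFIDENTIAL transport on /*, and does the HTTPS Connector
avoid SSLv3, weak cipher suites and the default keystore password?"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (with the usual namespace) mirroring the notes' constraint.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured page</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample server.xml with the 8443 connector as tested (SSLv3, RC4/3DES, changeit).
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/tomcat/conf/certs/BNLcert.p12" keystorePass="changeit"
        keystoreType="PKCS12"
        ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
        clientAuth="false" sslProtocol="SSLv3"/>
  </Service>
</Server>"""

# Heuristic (my own list): substrings that mark a cipher suite as one to flag.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "anon")


def _iter_local(elem, name):
    """Yield elem and its descendants whose local tag name is `name`, ignoring namespaces."""
    for e in elem.iter():
        if e.tag.rsplit("}", 1)[-1] == name:
            yield e


def web_xml_forces_https(web_xml: str) -> bool:
    """True if some security-constraint covers /* with transport-guarantee CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in _iter_local(root, "security-constraint"):
        patterns = {p.text.strip() for p in _iter_local(sc, "url-pattern") if p.text}
        guarantees = {g.text.strip() for g in _iter_local(sc, "transport-guarantee") if g.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def audit_ssl_connectors(server_xml: str) -> dict:
    """Map each SSLEnabled Connector port to its list of findings (empty list = clean)."""
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in _iter_local(root, "Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors have no TLS settings to audit
        issues = []
        proto = conn.get("sslProtocol", "TLS")
        if proto.upper().startswith("SSL"):
            issues.append(f"sslProtocol={proto} (use TLS)")
        if conn.get("keystorePass") == "changeit":
            issues.append("keystorePass is the well-known default")
        weak = [c.strip() for c in conn.get("ciphers", "").split(",")
                if any(m in c for m in WEAK_CIPHER_MARKERS)]
        if weak:
            issues.append("weak ciphers: " + ", ".join(weak))
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    print("web.xml forces HTTPS on /*:", web_xml_forces_https(WEB_XML))
    for port, issues in audit_ssl_connectors(SERVER_XML).items():
        print(f"connector {port}:", issues or "no findings")
```

Run it against a real pair of files by replacing the embedded strings with the file contents; a clean result is `True` for web.xml and an empty list for every SSL connector.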


Notes to self:


typical port usage:

port 8005: Tomcat shutdown port (why does this exist?)

port 8009: Tomcat AJP port (what Apache talks to)

port 8080: Tomcat HTTP port (what http clients talk to, if talking directly to Tomcat without Apache) - we could probably disable this - it is not accessible except from localhost

port 8443: Tomcat HTTPS port (what https clients talk to, if talking directly to Tomcat without Apache) - this one is not turned on in STAR's configuration to date
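As an added example (my own code, not from these notes or from Tomcat), the script below turns the port list above into a check: given the output of `ss -ltn`, it reports for each of the four Tomcat ports whether it is closed, bound to loopback only, or listening on a non-loopback address. The sample output embedded in it is constructed; it shows 8080 and 8005 on localhost only, 8443 not listening (as in the STAR configuration), and AJP on 8009 bound to all interfaces so that the "exposed" branch is exercised.

```python
"""Classify Tomcat's listening sockets from `ss -ltn` style output: is each of the
well-known Tomcat ports closed, bound to loopback only, or reachable from other hosts?"""
import ipaddress

# Which Tomcat port does what (from the port list in these notes).
TOMCAT_PORTS = {
    8005: "shutdown",
    8009: "AJP (what Apache talks to)",
    8080: "HTTP (direct)",
    8443: "HTTPS (direct)",
}

# Constructed sample in the shape `ss -ltn` prints: a header line, then one socket per line.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       1       127.0.0.1:8005       0.0.0.0:*
LISTEN  0       100     0.0.0.0:8009         0.0.0.0:*
LISTEN  0       100     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def _split_addr_port(field: str):
    """Split 'host:port' where host may be IPv4, '[IPv6]' or '*'; returns (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def _is_loopback(host: str) -> bool:
    """True only for a loopback address; '*' and any-address bindings are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(ss_output: str) -> dict:
    """Map port -> list of bound hosts for every LISTEN line (header and non-LISTEN lines skipped)."""
    listeners = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = _split_addr_port(cols[3])
        listeners.setdefault(port, []).append(host)
    return listeners


def tomcat_exposure(ss_output: str) -> dict:
    """For each known Tomcat port return (role, state), state in closed/localhost-only/exposed."""
    listeners = parse_listeners(ss_output)
    report = {}
    for port, role in TOMCAT_PORTS.items():
        if port not in listeners:
            state = "closed"
        elif all(_is_loopback(h) for h in listeners[port]):
            state = "localhost-only"
        else:
            # A port bound on both 127.0.0.1 and an any-address (dual stack) counts as exposed.
            state = "exposed"
        report[port] = (role, state)
    return report


if __name__ == "__main__":
    for port, (role, state) in tomcat_exposure(SAMPLE_SS_OUTPUT).items():
        print(f"{port:5d}  {state:15s}  {role}")
```

On a live host, feed it `ss -ltn` output (or the equivalent `netstat -ltn` lines, which have the same Local Address:Port column layout); anything other than "localhost-only" or "closed" for 8005, 8080 and 8443 is worth a look, and 8009 should only be reachable by the Apache host that talks AJP to it.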