
SSL with Tomcat 5.5 APR Connector and OpenSSL

October 12, 2008

I spent some hard hours setting up SSL on Tomcat 5.5 (in fact JBoss 4.2.4 GA) using the APR connector and OpenSSL. Here is the story:

First of all, our support at www.liquidweb.com sent us a CSR without mentioning anything about Comodo Instant SSL and their Root/Intermediate CA. I found the required files here:
https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
and used this guide (https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264) to set up SSL on Apache 2.2 on our Ubuntu 8.04.

I also used this great guide (http://articles.slicehost.com/2007/11/26/ubuntu-gutsy-apache-ssl-and-vhosts), and this is how my config looked in the 'default' site file:

<VirtualHost www.sipareh.com:443>
    ServerName www.sipareh.com

    SSLEngine On
    SSLCertificateFile /etc/ssl/crt/www.sipareh.com.crt
    SSLCertificateKeyFile /etc/ssl/crt/private.key
    SSLCertificateChainFile /etc/ssl/crt/sipareh.ca-bundle

    ...

</VirtualHost>

After SSL was working properly I switched to Tomcat APR with OpenSSL, hoping that it would work in a second!

First of all, I noticed that tcnative does not compile with SSL enabled by default, so you have to configure it this way (optionally with --target=x86_64):

./configure --with-apr=/usr/bin/apr-1-config --with-ssl=/usr \
            --with-devrandom=/dev/urandom --disable-ipv6

Of course, that is after installing 'libapr1-dev' and 'libssl-dev'. After make and make install I did this:

ln -s /usr/local/apr/lib/libtcnative-1.so.0.1.14 /usr/lib/libtcnative-1.so

Now, enable SSLEngine on the APR listener like this (inside server.xml):

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

and add the following to its Connector:

<Connector port="443" address="${jboss.bind.address}" maxHttpHeaderSize="8192"
           maxThreads="150"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           SSLProtocol="TLS"
           SSLCertificateFile="/etc/ssl/crt/www.sipareh.com.crt"
           SSLCertificateKeyFile="/etc/ssl/crt/private.key"
           SSLCertificateChainFile="/etc/ssl/crt/sipareh.ca-bundle"
           SSLPassword="*****"
/>

If you see Tomcat hang (stop) right after these lines:

[AprLifecycleListener] Loaded Apache Tomcat Native library 1.1.14.
[AprLifecycleListener] APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

That's because of the random file issue, and it can be fixed this way:

/usr/bin/openssl rand -out /home/sipareh/.rnd 2048

And add this to JBoss run.sh (or Tomcat's catalina.sh):

export RANDFILE=/home/sipareh/.rnd

You can check SSL this way:

openssl s_client -connect www.sipareh.com:443 -showcerts -state -msg -tls1

Hope it helps… :)
