
Configuring Transport Layer Security


This guide contains the core installation instructions that are common to all GRIA services. Topics covered include installing Java and Tomcat, war file deployment and firewall configuration.

1. Introduction

What is transport layer security and how to configure it

Transport layer security (TLS) is the term used for encrypting the packets of information sent between the server and the client, in both directions. It is also used to allow one side to verify the identity of the other party. In a normal installation only the client verifies the server's identity, so that the client can be sure it is communicating with the service it intended to.

In a simple installation, a GRIA service is installed in Tomcat and Tomcat is configured to use TLS. For extra flexibility and robustness many people want to use the Apache web server as a front end and pass requests on to Tomcat behind it. In this scenario Apache handles the encryption at the transport layer, but passes requests on to Tomcat for processing.

2. Tomcat

General instructions for configuring HTTPS in Tomcat

For full details, see http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html.

Edit your Tomcat's conf/server.xml and add the following section (or uncomment and edit the existing one):

<Connector port="8443"
           keystoreFile="/your/location/here/service-keystore.ks"
           keystorePass="your_keystore_password"
           keystoreType="JKS"
           minProcessors="5" maxProcessors="75" enableLookups="true"
           disableUploadTimeout="true" acceptCount="100" debug="0"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>

Then restart Tomcat.

3. Apache

How to configure Apache to use HTTPS

3.1. Exporting Certificates From Tomcat

How to export the certificates from Tomcat's keystore for use in securing Apache

Java stores keys and certificates in a keystore file, whose format is Java-specific. Apache also needs access to the same items, but cannot read the Java keystore format. Therefore, the key and the certificates must be exported to separate files. It is simplest to store the exported files in the configuration directory along with the keystore.

You should have already created a keystore during the configuration of your service. Begin by opening service-keystore.ks in KeyToolGUI (available for download here).

Exporting certificates

To export the server's certificate:

  1. Right click on the server's key (NOT the Certificate Authority's certificate!).
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (e.g. as server.crt in your configuration directory).

To export the Certificate Authority's own certificate:

  1. Right click on the Certificate Authority's certificate.
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (e.g. CA.crt).

Exporting the private key

  1. Right click on the server's key.
  2. Choose Export from the menu.
  3. Select Private Key and Certificates and PKCS #12 and click OK.
  4. Enter the keystore password when prompted (use the same password for the exported key).
  5. Save with a .p12 extension (e.g. private-key.p12).
  6. Convert from PKCS#12 format to PEM:
    $ openssl pkcs12 -in private-key.p12 -out private-key.pem -nodes

Once you have the three files (server.crt, CA.crt and private-key.pem) and the crl.pem file (which should be obtained from your Certificate Authority), you are ready to continue with the instructions specific to your Apache version and operating system.

3.2. Firewalls

How to configure firewalls for Apache

Ensure that your GRIA server's firewall allows access to the Apache HTTPS port; for more information see the section "Configure the Firewall" in the GRIA installation documentation relevant to your package and operating system.

Tomcat's own port (8080) should not be accessible from anywhere except the machine running Apache. Verify that it is firewalled by attempting to connect to it from another machine.
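The two checks that sections 3.1 and 3.2 ask for (that the export produced the right three files, and that Tomcat's own port is refused from elsewhere) can be scripted. The script below is an added example and is not part of the GRIA manual or of KeyToolGUI; it assumes the manual's file names (server.crt, CA.crt, private-key.pem) kept together in one configuration directory, and the script name verify-install.sh and the host argument are placeholders.

```shell
#!/bin/sh
# Added example, not part of the GRIA manual: sanity checks for the files
# exported in section 3.1 and the firewall rule in section 3.2.
# Assumed file names (from the manual): server.crt, CA.crt, private-key.pem.

# Return 0 if the file holds a PEM block with the given label (e.g.
# CERTIFICATE). server.crt and CA.crt must both pass this test.
pem_has_block() {
    grep -q "^-----BEGIN $2-----" "$1" 2>/dev/null
}

# Return 0 if the key file is an unencrypted PEM private key, which is what
# "openssl pkcs12 ... -nodes" produces. An encrypted key shows "ENCRYPTED"
# in its header and would stop Apache starting unattended at boot.
key_is_unencrypted() {
    grep -q "^-----BEGIN .*PRIVATE KEY-----" "$1" 2>/dev/null &&
        ! grep -q "ENCRYPTED" "$1"
}

# Return 0 if no group or other permission bit is set (mode 0600 or
# stricter). Reads the bits from ls so it works on GNU and BSD userlands.
key_perms_private() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$bits" ] && ! printf '%s' "$bits" | grep -q '[^-]'
}

# Run the static checks on an export directory; prints one line per problem
# and returns the number of problems (0 means everything passed).
check_exports() {
    dir=$1; problems=0
    for f in server.crt CA.crt; do
        pem_has_block "$dir/$f" CERTIFICATE ||
            { echo "FAIL: $dir/$f is not a PEM certificate"; problems=$((problems + 1)); }
    done
    key_is_unencrypted "$dir/private-key.pem" ||
        { echo "FAIL: $dir/private-key.pem is missing or encrypted"; problems=$((problems + 1)); }
    key_perms_private "$dir/private-key.pem" ||
        { echo "FAIL: $dir/private-key.pem is readable by group or other"; problems=$((problems + 1)); }
    return "$problems"
}

# Return 0 if server.crt carries the public key of private-key.pem, i.e. the
# right certificate was exported (a CA.crt exported by mistake would fail).
# Needs openssl; the check is skipped with a message when it is absent.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 ||
        { echo "openssl not found, skipping certificate/key comparison"; return 0; }
    certpub=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$1/private-key.pem" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Probe a TCP port: 0 if a connection is accepted, 1 if refused or timed
# out, 2 if neither bash (/dev/tcp) nor nc is available to probe with.
probe_port() {
    host=$1; port=$2
    if command -v bash >/dev/null 2>&1; then
        if command -v timeout >/dev/null 2>&1; then
            timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null && return 0
        else
            bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null && return 0
        fi
    elif command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" >/dev/null 2>&1 && return 0
    else
        echo "no bash or nc available to probe $host:$port" >&2
        return 2
    fi
    return 1
}

# Usage: sh verify-install.sh /etc/gria [apache-host]
# Run the second part from a machine other than the Apache host, as the
# manual suggests, to see what the outside world can reach.
if [ "$#" -ge 1 ]; then
    check_exports "$1" && cert_matches_key "$1" && echo "exported files in $1: OK"
fi
if [ "$#" -ge 2 ]; then
    if probe_port "$2" 443; then echo "$2:443 (Apache HTTPS) reachable: OK"; else echo "$2:443 not reachable"; fi
    if probe_port "$2" 8080; then echo "$2:8080 (Tomcat) reachable: must be firewalled"; else echo "$2:8080 not reachable: OK"; fi
fi
```

Run the first part on the GRIA server itself and the second part, with the server's hostname as the second argument, from another machine: a reachable port 8080 means the firewall rule from this section is missing. The certificate/key comparison catches the mistake the export steps warn about, exporting the Certificate Authority's certificate instead of the server's.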


3.3. Apache 2

How to configure Apache 2 to use HTTPS

3.3.1. Debian 3.x and Ubuntu 6.xx

This section describes how to configure Apache 2.0 for Debian and Ubuntu systems to provide transport layer security for GRIA services.

Firstly install the necessary apache2 packages, e.g. $ sudo apt-get install apache2 libapache2-mod-jk.

Prepare certificate entries for Apache:

Download the sample gria-services.conf file and edit it, providing valid entries for the following settings, which should point at the files you prepared on the previous page:

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile

Note: do not uncomment any of the ProxyPass lines!

Copy gria-services.conf into /etc/apache2/sites-available.

Edit /etc/apache2/ports.conf, and add the line:

Listen 443

Now you need to enable the new 'site' with the Apache2 a2ensite utility, and enable the SSL and JK modules:

  • a2ensite gria-services.conf
  • a2enmod ssl
  • a2enmod jk

NOTE: you may be prompted to reload Apache after each of these steps, e.g.

/etc/init.d/apache2 reload.

Configure Apache to forward all HTTPS requests to Tomcat:

To configure Apache to use mod_jk, edit /etc/apache2/mods-available/jk.load to include the following:

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/apache2/workers.properties
# Where to put jk logs
JkLogFile /var/log/apache2/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Send everything for the GRIA contexts to the worker named worker1 (ajp13)
JkMount /gria-basic-app-services worker1
JkMount /gria-basic-app-services/* worker1
JkMount /gria-client-mgt worker1
JkMount /gria-client-mgt/* worker1
JkMount /gria-service-provider-mgt worker1
JkMount /gria-service-provider-mgt/* worker1

To complete the configuration you need to create a workers.properties file in /etc/apache2 with the following contents:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.recycle_timeout=300

Restart Apache

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/gria-basic-app-services

3.3.2. Fedora

How to configure Apache on Fedora to use HTTPS

3.3.2.1. Fedora Core 3 and 4

How to configure Apache to use HTTPS on Fedora Core 3 and 4

Apache2 RPM Packages

Make sure the following packages are installed:

  • httpd-manual-2.0.52-3
  • httpd-suexec-2.0.52-3
  • system-config-httpd-1.3.1-1
  • httpd-2.0.52-3
  • mod_ssl-2.0.52-3

e.g. check installed packages using:

# rpm -qa | grep "httpd\|mod_ssl"

Connecting Tomcat with Apache

Install the Apache mod_jk Module

The mod_jk package comes with the Fedora Core 4 operating system. To install it, log in as root and execute this command:

# yum install mod_jk

For Fedora Core 3, the mod_jk module may be obtained from the jpackage site. The required package is called "mod_jk-ap20". The easiest way to download and install the package is to execute the following commands as root:

# cd /tmp
# wget http://mirrors.dotsrc.org/jpackage/1.6/fedora-3/RPMS.free/mod_jk-ap20-1.2.8-1jpp.i386.rpm
# rpm --import http://www.jpackage.org/jpackage.asc
# yum localinstall mod_jk-ap20-1.2.8-1jpp.i386.rpm

wget downloads the file from the primary jpackage mirror site. The rpm command installs the jpackage public key for package verification, and the yum command performs the installation.

Configuring Apache to use mod_jk

To cause Apache to load and use mod_jk, you must create a file in /etc/httpd/conf.d. The file should be called jk.conf and should be similar, if not identical, to this:

# Load mod_jk module
LoadModule    jk_module  /etc/httpd/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile     /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel    info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE, 
JkOptions     +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format 
JkRequestLogFormat     "%w %V %T"
# Send everything for the GRIA contexts to the worker named worker1 (ajp13)
JkMount /gria-basic-app-services worker1 
JkMount /gria-basic-app-services/* worker1
JkMount /gria-client-mgt worker1 
JkMount /gria-client-mgt/* worker1
JkMount /gria-service-provider-mgt worker1
JkMount /gria-service-provider-mgt/* worker1

As well as configuring the mod_jk module, this also instructs Apache to pass on requests for GRIA to "worker1".

Configuring the Tomcat Worker

To complete the configuration, another file must be created. This is the workers.properties file referenced in the last section. Create the file /etc/httpd/conf/workers.properties with the following contents:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.lbfactor=50
worker.worker1.cachesize=10
worker.worker1.cache_timeout=600
worker.worker1.socket_keepalive=1
worker.worker1.recycle_timeout=300

This configuration instructs "worker1" to pass on requests to port 8009 using the ajp13 protocol. The default Tomcat installation will already be listening for this sort of communication and, as a result, requests for the GRIA web applications will be passed on to Tomcat.
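The jk.conf and workers.properties pair above (the Debian section uses the same contents) only shows its mistakes at request time: a JkMount that names a worker missing from worker.list fails when the first request arrives, and a misspelt property key is simply not applied, leaving mod_jk's default in force. The script below is an added example, not part of the GRIA manual or of mod_jk; its list of known worker properties is a partial one drawn from the mod_jk 1.2 worker documentation, the script name check-jk.sh is a placeholder, and the Fedora paths from this section are the defaults it assumes.

```shell
#!/bin/sh
# Added example, not part of the GRIA manual: consistency check for the
# jk.conf / workers.properties pair. Both file paths can be given as
# arguments; the Fedora paths from the manual are the assumed defaults.

# Worker properties accepted by mod_jk 1.2 ajp13 workers (partial list,
# extend it if you use others). mod_jk does not reject keys it does not
# know, so a typo such as "reclycle_timeout" goes unnoticed otherwise.
KNOWN_PROPS="type host port lbfactor cachesize cache_timeout socket_keepalive"
KNOWN_PROPS="$KNOWN_PROPS recycle_timeout connection_pool_size connection_pool_timeout"
KNOWN_PROPS="$KNOWN_PROPS socket_timeout connect_timeout prepost_timeout reply_timeout retries secret"

# Print the worker names referenced by JkMount lines in an Apache config file.
jk_mount_workers() {
    sed -n 's/^[[:space:]]*JkMount[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | sort -u
}

# Print the value of worker.<name>.<property> from workers.properties
# (the last definition if it is repeated); prints nothing if it is unset.
worker_prop() {
    sed -n "s/^[[:space:]]*worker\.$2\.$3[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check jk.conf against workers.properties; prints one line per problem and
# returns the number of problems found (0 means the pair is consistent).
check_jk_config() {
    jkconf=$1; workers=$2; n=0
    listed=$(sed -n 's/^[[:space:]]*worker\.list[[:space:]]*=[[:space:]]*//p' "$workers" | tr ',' ' ')
    # Every JkMount target must be a worker that worker.list declares.
    for w in $(jk_mount_workers "$jkconf"); do
        case " $listed " in
            *" $w "*) ;;
            *) echo "FAIL: JkMount uses worker '$w', which is not in worker.list"; n=$((n + 1)) ;;
        esac
    done
    for w in $listed; do
        # Each declared worker needs a type and a numeric port ...
        [ -n "$(worker_prop "$workers" "$w" type)" ] ||
            { echo "FAIL: worker '$w' has no type"; n=$((n + 1)); }
        p=$(worker_prop "$workers" "$w" port)
        case "$p" in
            ''|*[!0-9]*) echo "FAIL: worker '$w' port '$p' is not a number"; n=$((n + 1)) ;;
        esac
        # ... and, in the manual's layout, talks to Tomcat on the same host,
        # so the AJP port never needs to be reachable from other machines.
        h=$(worker_prop "$workers" "$w" host)
        case "$h" in
            localhost|127.0.0.1) ;;
            *) echo "FAIL: worker '$w' host is '$h', expected localhost"; n=$((n + 1)) ;;
        esac
        # Any property name outside KNOWN_PROPS is probably a typo.
        for key in $(sed -n "s/^[[:space:]]*worker\.$w\.\([A-Za-z_]*\)[[:space:]]*=.*/\1/p" "$workers"); do
            case " $KNOWN_PROPS " in
                *" $key "*) ;;
                *) echo "FAIL: unknown property worker.$w.$key (mod_jk would ignore it)"; n=$((n + 1)) ;;
            esac
        done
    done
    return "$n"
}

# Usage: sh check-jk.sh [jk.conf] [workers.properties]
# With no arguments the Fedora paths from the manual are used, if present.
if [ "$#" -ge 1 ] || [ -f /etc/httpd/conf.d/jk.conf ]; then
    check_jk_config "${1:-/etc/httpd/conf.d/jk.conf}" "${2:-/etc/httpd/conf/workers.properties}" &&
        echo "jk.conf and workers.properties are consistent"
fi
```

Run it after editing either file and before restarting Apache; the return code is the number of problems, so it can also gate a deployment script.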

Securing Apache

Add gria-services.conf File in conf.d

Download the gria-services.conf sample file and place it in /etc/httpd/conf.d.

Edit gria-services.conf so that the file locations of the following settings give the locations of the files you exported from your keystore in the previous page.

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile

In addition, replace apache2 with httpd in the ErrorLog and TransferLog lines, i.e.

     ...
     ErrorLog /var/log/httpd/grid-error.log
     ...
     TransferLog /var/log/httpd/grid-access.log
     ...

Edit /etc/httpd/conf.d/ssl.conf

Edit /etc/httpd/conf.d/ssl.conf so that it contains only the following directives:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Start Apache

Start Apache using the command below. Entering this command may also prompt you for the private key password if it was encrypted:

# service httpd restart

You may also want to configure your system to start Apache if it is rebooted:

# chkconfig httpd on

N.B. Apache will not be able to start automatically if your server's private key is encrypted, as it cannot start without the password being entered.

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/GRIA.

3.3.2.2. Fedora Core 5

How to configure Apache to use HTTPS on Fedora Core 5

Apache2.2 RPM Packages

Make sure the following packages are installed:

  • system-config-httpd-1.3.3-1
  • httpd-2.2.0-5.1.2
  • mod_ssl-2.2.0-5.1.2

e.g. check installed packages using:

# rpm -qa | grep "httpd\|mod_ssl"

Connecting and Securing Tomcat with Apache

There is no need to install extra Apache modules since Apache 2.2 in Fedora Core 5 includes module mod_proxy_ajp.

<VirtualHost *:443> section

Edit the <VirtualHost *:443> section of /etc/httpd/conf.d/ssl.conf to specify the locations of the files you exported from your keystore in the previous section:

  • SSLCertificateFile
  • SSLCertificateKeyFile
  • SSLCACertificateFile
  • SSLCARevocationFile (if you have one)

For example:

SSLCertificateFile /etc/gria/server.crt
SSLCertificateKeyFile /etc/gria/private-key.pem
SSLCACertificateFile /etc/gria/CA.crt
SSLCARevocationFile /etc/gria/crl.pem

Also uncomment and set the SSLVerifyDepth to 1:

SSLVerifyDepth 1

According to the GRIA package(s) you are installing, also add the appropriate line(s) from below:

ProxyPass /gria-basic-app-services ajp://localhost:8009/gria-basic-app-services
ProxyPass /gria-client-mgt ajp://localhost:8009/gria-client-mgt
ProxyPass /gria-service-provider-mgt ajp://localhost:8009/gria-service-provider-mgt

Start Apache

Start Apache using the command below. Entering this command may also prompt you for the private key password if it was encrypted:

# service httpd restart

You may also want to configure your system to start Apache if it is rebooted:

# chkconfig httpd on

N.B. Apache will not be able to start automatically if your server's private key is encrypted, as it cannot start without the password being entered.

You can now access the GRIA admin pages through HTTPS, e.g. https://localhost/GRIA.

3.3.3. SUSE 9.2-10

Configuring Apache2 for HTTPS in SUSE versions 9.2-10

The goal here is to successfully secure Tomcat with Apache by integrating Tomcat's abilities into an existing Apache installation using the mod_jk and Ajp13Connector.

  1. Download the gria-services.conf sample file and place it in /etc/apache2/vhosts.d
  2. Edit gria-services.conf so that the file locations of the following settings give the locations of the files you exported from your keystore on the previous page.
    • SSLCertificateFile
    • SSLCertificateKeyFile
    • SSLCACertificateFile
    • SSLCARevocationFile
  3. Edit the /etc/sysconfig/apache2 file and do the following:
    • Add "-D SSL" to the APACHE_SERVER_FLAGS variable so that SSL is enabled when the Apache server is started:
      APACHE_SERVER_FLAGS="-D SSL"
    • Set a reasonable value for the time required to enter the password when starting apache:
      APACHE_START_TIMEOUT="30"
    • Include the module "jk" to the list of apache2 modules within the APACHE_MODULES variable, e.g.:
      APACHE_MODULES="access actions alias auth auth_dbm dir env expires include log_config mime negotiation setenvif ssl jk"
  4. Copy the file /usr/share/doc/packages/mod_jk-ap20/jk.conf to /etc/apache2/conf.d:
    # cp /usr/share/doc/packages/mod_jk-ap20/jk.conf /etc/apache2/conf.d
  5. Copy the file /usr/share/doc/packages/mod_jk-ap20/workers.properties to /etc/tomcat5/base:
    # cp /usr/share/doc/packages/mod_jk-ap20/workers.properties /etc/tomcat5/base
  6. The apache2 configuration must then be updated using the following command:
    # SuSEconfig --module apache2
  7. Stop the Tomcat server with the following command:
    # rctomcat5 stop
  8. Edit the file /etc/apache2/conf.d/jk.conf and add the following sections inside the <IfModule> block:
    • For GRIA Basic App Services add the following section:
      # The following line mounts the /gria-basic-app-services/ URI (and all files below it) on Tomcat
      JkMount /gria-basic-app-services/* ajp13
      Alias /gria-basic-app-services "/srv/www/tomcat5/base/webapps/gria-basic-app-services"
      <Directory "/srv/www/tomcat5/base/webapps/gria-basic-app-services">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-basic-app-services/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
    • For GRIA Service Provider Management add the following section:
      # The following line mounts the /gria-service-provider-mgt/ URI (and all files below it) on Tomcat
      JkMount /gria-service-provider-mgt/* ajp13
      Alias /gria-service-provider-mgt "/srv/www/tomcat5/base/webapps/gria-service-provider-mgt"
      <Directory "/srv/www/tomcat5/base/webapps/gria-service-provider-mgt">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-service-provider-mgt/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
    • For GRIA Client Management add the following section:
      # The following line mounts the /gria-client-mgt/ URI (and all files below it) on Tomcat
      JkMount /gria-client-mgt/* ajp13
      Alias /gria-client-mgt "/srv/www/tomcat5/base/webapps/gria-client-mgt"
      <Directory "/srv/www/tomcat5/base/webapps/gria-client-mgt">
      Options Indexes FollowSymLinks
      allow from all
      </Directory>
      #To prevent users from listing contents
      <Location "/gria-client-mgt/WEB-INF/">
      AllowOverride None
      deny from all
      </Location>
  9. Start the Tomcat server with the command:
    # rctomcat5 start
  10. Restart the apache2 server with the following command:
    # rcapache2 restart
  11. Access the GRIA admin pages through HTTPS, e.g. https://localhost/gria-basic-app-services.

3.4. Apache 2.2

Configuring HTTPS for Apache 2.2

3.4.1. Debian 4.x and Ubuntu 7.xx

This section describes how to configure Apache 2.2 for Debian/Ubuntu systems to provide transport layer security for GRIA services.

Install Apache 2.2

Install Apache 2.2 by running the command: sudo apt-get install apache2. This command will also install the following packages:

  • apache2-mpm-worker
  • apache2-utils
  • apache2.2-common

Apache2.2 Configuration

Edit the default apache configuration as follows:

  1. Enable the ssl and proxy_ajp modules by running
    $ sudo a2enmod ssl
    $ sudo a2enmod proxy_ajp
  2. Copy the sample gria-services.conf file into /etc/apache2/sites-available, and edit it accordingly, i.e. provide the locations of the certificate files previously created using the following parameters:

    • SSLCertificateFile
    • SSLCertificateKeyFile
    • SSLCACertificateFile
    • SSLCARevocationFile (if you have one)

    In addition, according to the GRIA packages you are installing uncomment one or more of the following lines:

    #ProxyPass /gria-basic-app-services ajp://localhost:8009/gria-basic-app-services
    #ProxyPass /gria-client-mgt ajp://localhost:8009/gria-client-mgt
    #ProxyPass /gria-service-provider-mgt ajp://localhost:8009/gria-service-provider-mgt

    Save the changes.

  3. Enable the gria-services.conf virtual host:
    $ sudo a2ensite gria-services.conf
  4. Edit /etc/apache2/ports.conf file to include the following line:
    Listen 443
  5. Edit /etc/apache2/mods-enabled/proxy.conf file and comment out the line:
    Deny from all
  6. Restart apache
    $ sudo /etc/init.d/apache2 force-reload