JBoss Apache ssl, securize communication channel between JBoss and Apache with SSL

Recently a client has requested a securized installation around the information circuit, that is:

todo sslApache is usually configured with SSL and internal communication between Apache and JBoss is done with the AJP protocol, as follows:

no todo sslThe AJP protocol has the advantage over http, which is a binary instead of text communication, this reduces the bandwidth needed to transmit the same information (it is estimated that the bandwidth required is reduced by 25%).

What happens is that AJP can not be encrypted, possibly in the future but at the moment no. Therefore we have no choice but to connect more with JBoss Apache HTTP + SSL (https)

Securize for the channel will use the certificates is already used Apache for SSL entries in httpd.conf:

SSLCertificateKeyFile => Private key
SSLCertificateFile => Certificate

Let the matter, we must have openssl installed and java (for the keytool utility). We started with the JBOSS configuration:

1-Create version p12 certificate to import the private key in a keystore (it has to put a password, such as “key” to carried the private key):

openssl pkcs12 -export -in certificate.crt -inkey private_key.key -out cert_web.p12 -name "key_webserver"

2-Import the private key (the *.p12) in a keystore (if there is no keystore creates and request a key to protect, for example “key”):

keytool -importkeystore -srckeystore cert_web.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks

3-Copy keystore.jks file (on all nodes JBOSS) to:

4-Set connector (with the server), add in domain.xml (within the appropriate profile) or standalone.xml just after :

<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>

As follows:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="https" key-alias="key_webserver" password="key" certificate-key-file="${jboss.domain.config.dir}/keystore.jks"/>

5-Restart all JBoss and verify that SSL ports are raised up (eg port 8443):

netstat -anop | grep LISTEN | grep 8443

Be careful with the parameters to point to the keystore, the password the same and the key alias.

Apache configuration:

1-If we are working with a cluster we must have activated mod_proxy_balancer module and add (for example):

SSLProxyEngine On
<Proxy balancer://mycluster>
BalancerMember https://nodo1:8443 route=1
BalancerMember https://nodo2:8443 route=2
ProxySet stickysession=ROUTEID
ProxyPass /helloworld balancer://mycluster/helloworld
ProxyPass /ClusterWebApp balancer://mycluster/ClusterWebApp

2-If our system is a little easier it would be something like:

#versión no cluster
SSLProxyEngine On
ProxyPass /helloworld https://nodo1:8443/helloworld
ProxyPass /ClusterWebApp https://nodo1:8443/ClusterWebApp

3-Make a reload of apache.

If we use the mod_proxy_balancer module is not necessary to configure the jvmRoute value (JBoss servers), as in the case of using AJP (which is optimal for being a binary communication)

Some recipes to explore manipulating the certificates installed in the keystore:
1-List certificates:

keytool -list -keystore ${jboss.domain.config.dir}/keystore.jks

2-Deleting certificates (identified by the alias):

keytool -delete -alias cert_webserver -keystore ${jboss.domain.config.dir}/keystore.jks

Leave a Reply