Configure SSL between httpd and JBossWEB
Using SSL between httpd and JBossWEB

Using https allows encrypting the communication between httpd and JBossWEB, but because of the resources it needs, it is not advised in high-load configurations. (See "Encrypting connection between httpd and TC" for detailed instructions.)

httpd is configured as a client for AS/TC, so it must provide a certificate AS/TC will accept and have a private key to encrypt the data; it also needs a CA certificate to validate the certificate AS/TC will use for the connection.

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile conf/cacert.pem
    SSLProxyMachineCertificateFile conf/proxy.pem

conf/proxy.pem should contain both the key and the certificate. The certificate must be trusted by Tomcat via the CA in its truststoreFile. conf/cacert.pem must contain the certificate of the CA that signed the AS/TC certificate. The corresponding key and certificate are the pair specified by keyAlias and truststoreFile. Of course it must be the https one (normally on port 8443).

11.2.1. How the different files were created

The files were created using OpenSSL utilities (see OpenSSL). CA.pl (/etc/pki/tls/misc/CA for example) has been used to create the test Certificate Authority, the certificate requests and private keys, as well as to sign the certificate requests.

11.2.1.1. Create the CA

(See above)

11.2.1.2. Create the server certificate

(See above)

The certificate and key need to be imported into the Java keystore using keytool. Make sure you don't use a passphrase for the key (and don't forget to clean up the file when done).

Convert the key and certificate to a p12 file:

    openssl pkcs12 -export -inkey key.pem -in newcert.pem -out test.p12

Make sure you use the keystore password as the Export passphrase.

Import the contents of the p12 file in the keystore:

    keytool -importkeystore -srckeystore test.p12 -srcstoretype PKCS12

Import the CA certificate in the Java truststore (Fedora 13 example):

    keytool -import -trustcacerts -alias "caname" \
        -file ../../CA/cacert.pem -keystore /etc/pki/java/cacerts

Edit server.xml to have a similar to:

Start TC/AS and use openssl s_client to test the connection:

    openssl s_client -CAfile /home/jfclere/CA/cacert.pem -cert newcert.pem -key newkey.pem \
        -host localhost -port 8443

There shouldn't be any error and you should be able to see your CA in the "Acceptable client certificate CA names".
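The procedure above, automated with plain openssl commands instead of CA.pl, as an added example that is not part of the original page: it builds a test CA, a server certificate for AS/TC and a client certificate for httpd, assembles conf/proxy.pem and the p12 bundle, and checks that both certificates chain to the CA. The directory layout, subject names, alias and password are assumptions.

```shell
#!/bin/sh
# Added example (not the original page's code). All paths/names are assumptions.
set -eu

# make_ca DIR: self-signed test CA -> DIR/cacert.pem (+ DIR/ca.key)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
}

# make_signed_cert DIR NAME CN: unencrypted key + CSR for NAME, signed by the CA
make_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# make_proxy_pem DIR: SSLProxyMachineCertificateFile needs key AND cert in one
# file, and the key must be unencrypted (httpd cannot prompt for a passphrase)
make_proxy_pem() {
    cat "$1/proxy.key" "$1/proxy.crt" > "$1/proxy.pem"
}

# make_p12 DIR PASSWORD: PKCS#12 bundle for keytool -importkeystore; the export
# passphrase must equal the keystore password
make_p12() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -out "$1/test.p12" -passout "pass:$2"
}

# verify_cert DIR NAME: the same trust check httpd/Tomcat will make (exit 0 if OK)
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null
}

# import_into_keystore DIR KEYSTORE PASSWORD: the keytool steps, if keytool exists
import_into_keystore() {
    command -v keytool >/dev/null || { echo "keytool not found, skipping"; return 0; }
    keytool -importkeystore -srckeystore "$1/test.p12" -srcstoretype PKCS12 \
        -srcstorepass "$3" -destkeystore "$2" -deststorepass "$3" -noprompt
    keytool -import -trustcacerts -noprompt -alias testca -file "$1/cacert.pem" \
        -keystore "$2" -storepass "$3"
}

# setup_all DIR PASSWORD: CA, server cert (CN=localhost), httpd client cert,
# proxy.pem, test.p12; fails if either certificate does not chain to the CA
setup_all() {
    mkdir -p "$1"; make_ca "$1"
    make_signed_cert "$1" server localhost; make_signed_cert "$1" proxy httpd-proxy
    make_proxy_pem "$1"; make_p12 "$1" "$2"
    verify_cert "$1" server && verify_cert "$1" proxy
}
```

Run `setup_all /tmp/tls changeit` and then `import_into_keystore /tmp/tls /tmp/tls/keystore.jks changeit`; point SSLProxyCACertificateFile at cacert.pem and SSLProxyMachineCertificateFile at proxy.pem.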