A NEW PLATFORM FOR A NEW ERA
© Copyright 2014 Pivotal. All rights reserved.
Apache Tomcat and SSL
Mark Thomas, Staff Engineer, Pivotal
9 April 2014
Agenda
Introductions
Cryptography Basics
SSL
Configuring Tomcat for SSL
– Java connectors (BIO, NIO)
– APR/native connector
– Reverse proxy
Questions
Introductions
[email protected]
– Apache Tomcat committer since December 2003
– Apache Tomcat PMC member from the beginning
Tomcat 8 release manager
Member of the Apache Tomcat security team
Apache Commons PMC member
Member of the Apache Infrastructure team
Staff Engineer at Pivotal
Primary role is to work on Apache Tomcat
Pivotal tc Server
– Based on Tomcat
– Keep tc Server updated as new Tomcat versions are released
Third-line support for Tomcat and tc Server – [email protected]
Lead the Pivotal security team
Why This Presentation?
Lots of questions about SSL on the Tomcat mailing lists
It is clear from the questions that many folks don't understand how SSL works
Debugging something you don't understand is much harder than debugging something you do understand
Cryptography Basics
Cryptography Basics: Symmetric Encryption
Use the same key to encrypt and decrypt
Diagram: plain text → [key] → cipher text → [same key] → plain text
Cryptography Basics: Hash Functions
Generate a fingerprint (hash) for the given input
A small change in the input results in a large change in the hash
Very difficult to generate an input for a given hash, or to find two inputs with the same hash
Diagram: plain text → hash
Cryptography Basics: Asymmetric Encryption
Pair of keys, A and B
– If key A is used to encrypt, key B must be used to decrypt
– If key B is used to encrypt, key A must be used to decrypt
Very difficult to determine one key from the other
One key is used as the “Public Key”
– This key is made widely available to the general public
One key is used as the “Private Key”
– This key must be protected
Use different keys to encrypt and decrypt
Diagram: plain text → [public key] → cipher text → [private key] → plain text
Cryptography Basics: Digital Signatures
Proves that a document was signed by the holder of a particular private key, and has not been altered since
Diagram: plain text → hash → digitally signed with the private key → digital signature
Validating a digital signature
Diagram: the digital signature is decrypted with the public key to recover the signed hash; the plain text is hashed again; the two hashes are compared
If the hashes match then:
– The public key decrypted the digital signature
– Therefore, the associated private key must have created the digital signature
– Therefore, the recipient can be certain that the holder of the private key signed the document, and that the document has not been changed since it was signed
Determining who is the owner of the public/private key pair is the next problem
Cryptography Basics: Certificates
Certificates link a public key with an identity
Certificates are issued by certificate authorities
Diagram: public key + ID → hash → digitally signed with the CA's private key; the public key + ID together with that signature form the certificate
To validate the certificate authority's signature, you need to be able to link their public key to their identity
You do this with a certificate
This builds a trust chain
At the top of the chain is the root certificate from the root certificate authority
There are multiple root certificate authorities
Cryptography Basics: Root Certificates
Root certificates are self-signed
Some other mechanism is required to trust root certificates
– Usually installed by the operating system
– You can manually validate them by checking them against the published versions on the CA's web site
Diagram: My Cert. ← signed by ← CA Cert. ← signed by ← CA Cert. ← signed by ← Root CA Cert. (self-signed)
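The sign / verify / trust-chain mechanics of the preceding slides carried through in code, as an added example that is not part of the presentation. It uses textbook RSA with 128-bit moduli generated from a fixed seed, no padding, and a toy certificate structure (subject, public key, issuer, signature), all chosen for readability rather than security; the names Root CA, Intermediate CA and localhost are made up for the demo. Needs Python 3.8+ for pow(e, -1, phi).

```python
"""Added example, not from the slides: hash-then-sign, signature checking and a
certificate chain in textbook RSA with tiny keys so the arithmetic stays visible.
No padding, 128-bit moduli: this shows the mechanism and is not usable for real."""
import hashlib
import random

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, adequate for a demo key generator (callers pass 64-bit odd n)."""
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 64):
    """Return (public, private) as ((n, e), (n, d)); either key undoes the other."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def digest(data: bytes, n: int) -> int:
    """SHA-256 fingerprint of the data, reduced so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(data, n), d, n)  # "encrypt" the hash with the private key

def verify(data: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)  # "decrypt" with the public key, compare hashes

def _to_be_signed(subject: str, public_key, issuer: str) -> bytes:
    return f"{subject}|{public_key[0]}|{public_key[1]}|{issuer}".encode()

def issue_certificate(subject: str, subject_public_key, issuer: str, issuer_private_key) -> dict:
    """A certificate: (public key + identity) plus the issuer's signature over them."""
    return {"subject": subject, "public_key": subject_public_key, "issuer": issuer,
            "signature": sign(_to_be_signed(subject, subject_public_key, issuer), issuer_private_key)}

def certificate_signed_by(cert: dict, issuer_public_key) -> bool:
    return verify(_to_be_signed(cert["subject"], cert["public_key"], cert["issuer"]),
                  cert["signature"], issuer_public_key)

def verify_chain(chain: list, trusted_roots: list) -> bool:
    """chain is leaf first; each certificate must be signed by the next one, until one is
    signed by a root the client already trusts (installed out of band, as on slide 18)."""
    roots = {c["subject"]: c["public_key"] for c in trusted_roots}
    for i, cert in enumerate(chain):
        if cert["issuer"] in roots and certificate_signed_by(cert, roots[cert["issuer"]]):
            return True
        if i + 1 == len(chain):
            return False  # ran out of certificates before reaching a trusted root
        issuer = chain[i + 1]
        if issuer["subject"] != cert["issuer"] or not certificate_signed_by(cert, issuer["public_key"]):
            return False
    return False

def demo(seed: int = 2014) -> dict:
    random.seed(seed)  # deterministic demo keys
    root_pub, root_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    host_pub, host_priv = generate_keypair()
    _, rogue_priv = generate_keypair()  # a CA nobody trusts
    root_cert = issue_certificate("Root CA", root_pub, "Root CA", root_priv)  # self-signed
    ca_cert = issue_certificate("Intermediate CA", ca_pub, "Root CA", root_priv)
    host_cert = issue_certificate("localhost", host_pub, "Intermediate CA", ca_priv)
    forged = issue_certificate("localhost", host_pub, "Intermediate CA", rogue_priv)  # claims an issuer it lacks
    document = b"Apache Tomcat and SSL"
    signature = sign(document, host_priv)
    return {
        "signature_ok": verify(document, signature, host_pub),
        "tampered_rejected": not verify(document + b"!", signature, host_pub),
        "wrong_key_rejected": not verify(document, signature, ca_pub),
        "chain_ok": verify_chain([host_cert, ca_cert], [root_cert]),
        "untrusted_root_rejected": not verify_chain([host_cert, ca_cert, root_cert], []),
        "forged_issuer_rejected": not verify_chain([forged, ca_cert], [root_cert]),
    }
```

The last two results in demo() are the point of slides 17 and 18: a chain that ends in a self-signed root is worthless unless that root was already trusted out of band, and a certificate naming a trusted issuer is rejected when the issuer's key did not actually produce the signature.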
SSL
SSL connections are initiated by a handshake
Handshake
– Mandatory steps
– Optional steps
This presentation considers the common case. The step numbers below count the full handshake, so the numbers of the optional messages that are skipped here (ServerKeyExchange, CertificateRequest, client Certificate, CertificateVerify) do not appear.
SSL: Handshake Starting Point
Server
– Private key
– Certificate
  ▪ Public key
  ▪ Identity (domain name)
– List of supported algorithms
Client
– List of trusted (Root) Certificate Authorities
– List of supported algorithms
Diagram legend (slide notation): fs(x) and fc(x) are the server's and client's supported algorithms, S the server's certificate and private key, CA the client's trusted CAs
SSL: Handshake Step 1: ClientHello
Client generates a random number
Client sends message to server
– Client's random number
– List of supported algorithms
Diagram: client holds Rc
SSL: Handshake Step 2: ServerHello
Server generates a random number
Server compares algorithms
– Selects appropriate algorithms
Server sends message to client
– Server's random number
– Selected algorithms
Diagram: server holds Rc, fc(x), Rs and the agreed algorithms fA(x); client holds Rc, Rs and fA(x)
SSL: Handshake Step 3: Certificate
Server sends message to client
– Server's certificate
Client validates server certificate
– Signature chain up to one of its trusted root CAs, validity dates, and that the identity in the certificate matches the host name the client asked for
Diagram: client now also holds S
SSL: Handshake Step 6: ServerHelloDone
Server sends message to client
– No content: marks the end of the server's part of the negotiation
Diagram: no change in state on either side
SSL: Handshake Step 8: Client Key Exchange
Client generates pre-master secret
Client encrypts PMS with the server's public key (taken from the validated certificate; this is RSA key exchange, the common case followed here)
Client sends message to server
– Encrypted PMS
Diagram: client holds PMS; server holds the encrypted PMS, which only its private key can open
SSL: Handshake Step 10: ChangeCipherSpec
Client creates master secret
– Derived from Rc + Rs + PMS
Client switches to encrypted mode
– Algorithm agreed in step 2
– Symmetric encryption with keys derived from MS
Client sends message to server
– No content
Diagram: client holds PMS and MS; server still holds only the encrypted PMS
SSL: Handshake Step 11: Finished
Client has completed SSL handshake
Client sends message to server
– Finished carries a MAC over every handshake message so far, sent under the new keys; the server checks it, so tampering with the earlier, unencrypted messages (for example the algorithm lists) is detected
Diagram: client holds PMS and MS; server still holds only the encrypted PMS
SSL: Handshake Step 12: ChangeCipherSpec
Server decrypts PMS
Server creates master secret
– Derived from Rc + Rs + PMS
Server switches to encrypted mode
– Algorithm agreed in step 2
– Symmetric encryption with keys derived from MS
Server sends message to client
– No content
Diagram: both sides now hold PMS and the same MS
SSL: Handshake Step 13: Finished
Server has completed SSL handshake
Server sends message to client
– Finished: the server's MAC over the handshake messages, sent under the new keys and checked by the client
Diagram: both sides hold PMS and the same MS
SSL: Encrypted communication
Algorithm agreed in step 2
Symmetric
Keys derived from the master secret (a separate key for each direction); the server's private key is not used again for this connection
Diagram: both sides hold PMS and the same MS
SSL: Extensions
Client certificate authentication
– Client authenticates to server with certificate
Server Name Indication
– Client tells server which host it wants to connect to and server sends appropriate certificate (virtual hosting)
Renegotiation
SSL Config for Tomcat
Requirements
A public/private key-pair
A certificate
– Public key
– Identity (domain name e.g. www.apache.org)
A Certificate Authority (CA) to generate the certificate
The certificates for each CA in the trust chain
– Root CA plus any intermediate CAs
Formats
Java keystore
– Keys and certificates
– Only used by Java
– Generally easier to insert information than to extract it
– OpenSSL does not understand this format
PKCS #12
– Keys and certificates
– OpenSSL does understand this format
DER
– Certificates
– Binary encoding
– OpenSSL does understand this format
PEM
– Certificates
– ASCII encoding
– OpenSSL does understand this format
Tools
Apache Tomcat 8.0.x
– Latest source as at time of presentation
– Works equally well with any 6.0.x, 7.0.x or 8.0.x release
OpenSSL 1.0.1f
– OSX
– Works on other platforms – adjust paths as necessary
Configuration
Initial set up
$ cd
$ mkdir demo
$ cd demo
$ mkdir certs newcerts private requests
$ echo 1000 > serial
$ touch index.txt
$ cp /opt/local/etc/openssl/openssl.cnf .
Modify copy of openssl.cnf
$ vi openssl.cnf
dir = .                    (in [ CA_default ]: the CA's serial, index.txt, certs and private directories live here)
default_bits = 2048        (in [ req ]: key size for new requests)
countryName_default = US   (in [ req_distinguished_name ])
Create your own root certificate authority
$ openssl req -new -x509 -days 3650 -extensions v3_ca \
    -keyout private/cakey.pem -out cacert.pem \
    -config ./openssl.cnf
Create and sign host certificate request
$ openssl req -new -nodes \
    -out requests/localhost-req.pem \
    -keyout private/localhost-key.pem \
    -config ./openssl.cnf
$ openssl ca -days 730 -config ./openssl.cnf \
    -out certs/localhost-cert.pem \
    -infiles requests/localhost-req.pem
Enter the host name (localhost here) as the Common Name when prompted. -nodes writes the private key unencrypted, so restrict the file's permissions. Note that this puts the identity only in the CN; current browsers ignore the CN and require the host name in a subjectAltName extension, so for anything newer than this deck add one through an extension section in openssl.cnf.
Convert the host key and certificate to PKCS #12
$ openssl pkcs12 -export -out private/localhost.p12 \
    -inkey private/localhost-key.pem \
    -in certs/localhost-cert.pem \
    -certfile cacert.pem
Tomcat opens the file with the connector's keystorePass (default changeit) and keyPass defaults to the same value, so either use changeit as the export password here or set keystorePass on the connector to match.
Configure Tomcat for SSL using the PKCS #12 file
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="pkcs12"
keystoreFile="${catalina.base}/conf/localhost.p12"
keyPass="changeit"
/>
sslProtocol="TLS" only names the JSSE SSLContext to create; it does not restrict which protocol versions the JVM will negotiate. Use sslEnabledProtocols (and ciphers) on the connector to limit them.
Similarly using BIO
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150"
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="pkcs12"
keystoreFile="${catalina.base}/conf/localhost.p12"
keyPass="changeit"
/>
Configuration for APR/native is significantly different
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="${catalina.base}/conf/localhost-cert.pem"
SSLCertificateKeyFile="${catalina.base}/conf/localhost-key.pem"
SSLCertificateChainFile="${catalina.base}/conf/cacert.pem"
/>
There are other options
Convert *.pem files to Java KeyStore
– Historically painful
– Better now but still requires you to create the *.p12 file
– Since Tomcat can use the *.p12 file why bother with a keystore?
Easy to move between separate *.pem files and a single .p12 file
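A client-side check for a connector configured as above, as an added example rather than anything shipped with Tomcat: it completes a handshake against the server trusting only the demo root CA, and reports the negotiated protocol version, cipher suite and certificate identity. The host localhost, port 8443 and the file name cacert.pem are assumptions matching the demo set-up; CONSTRUCTED_PEER_CERT is a made-up sample in the shape getpeercert() returns so the identity logic can be exercised without a server. The name check is simplified (no wildcard support).

```python
"""Added example, not from the slides: a client-side check of the HTTPS connector,
trusting only the private root CA from the demo directory. Host, port and file
name are assumptions matching the demo set-up; needs Python 3.7+."""
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; used to
# exercise the summary and name-matching logic without a live server.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "localhost"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "Demo Root CA"),)),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "tomcat.example.test")),
    "notAfter": "Apr  9 12:00:00 2016 GMT",
}

def summarize_cert(cert: dict) -> dict:
    """Pull the identity-related fields out of a getpeercert() dictionary."""
    subject = dict(kv for rdn in cert.get("subject", ()) for kv in rdn)
    issuer = dict(kv for rdn in cert.get("issuer", ()) for kv in rdn)
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": cert.get("notAfter"),
    }

def name_matches(summary: dict, host: str) -> bool:
    """Identity check: the host must appear among the subjectAltName DNS entries.
    Falling back to the CN only when no SAN is present mirrors older clients;
    current browsers ignore the CN, so a CN-only certificate fails in them."""
    if summary["dns_names"]:
        return host.lower() in (name.lower() for name in summary["dns_names"])
    cn = summary["subject_cn"]
    return cn is not None and cn.lower() == host.lower()

def tls_check(host: str = "localhost", port: int = 8443, cafile: str = "cacert.pem",
              timeout: float = 5.0) -> dict:
    """Complete a handshake with the connector and report what was negotiated.
    A chain that does not end in cafile, or a certificate that does not cover
    host, makes wrap_socket raise ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only cacert.pem, not the OS store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives the name check and is also sent as SNI (slide 32)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            summary = summarize_cert(tls.getpeercert())
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "peer": summary, "name_ok": name_matches(summary, host)}

if __name__ == "__main__":
    import json
    print(json.dumps(tls_check(), indent=2))
```

Run it from the demo directory after starting Tomcat. The reported protocol version is also the quickest way to confirm that sslEnabledProtocols on the connector has the intended effect.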
SSL & Reverse Proxies
What Is A Reverse Proxy?
Diagram: clients → H/W load balancer → httpd instances → Tomcat instances
Design Considerations
How will Tomcat differentiate between clients using http and https?
Does the proxy <-> Tomcat traffic need to be encrypted?
Why Does Tomcat Need SSL Information?
To enforce transport guarantees specified in web.xml
To determine if the session was created over a secure connection
– In which case the session cookie needs to be marked as secure
To correctly construct links, redirects etc. with http or https
To obtain the identity of the authenticated user
– When client certificate authentication is used
Protocol Choices
AJP
– Proxy implementations include client <-> proxy SSL information automatically
– Does not support encryption
HTTP
– Proxy implementations do not include client <-> proxy SSL information automatically
– Supports encryption (proxy using https)
Recommended Protocol
If you do not need to encrypt proxy <-> Tomcat traffic
– AJP
If you do need to encrypt proxy <-> Tomcat traffic
– HTTPS
But if you use HTTPS, how do you get the SSL information?
SSLValve
In httpd:
<IfModule ssl_module>
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
</IfModule>
In Tomcat:
<Host … >
<Valve className="org.apache.catalina.valves.SSLValve"
…
</Host>
Tomcat trusts whatever arrives in these headers, so they must only ever be set by the proxy: use RequestHeader set (which replaces any value the client sent) rather than append, and make sure the Tomcat connector is not reachable except through the proxy.
An Alternative Solution
Create two HTTP connectors in Tomcat
Configure the first with
– SSLEnabled="false" scheme="http" secure="false" proxyPort="80"
Configure the second with
– SSLEnabled="false" scheme="https" secure="true" proxyPort="443"
Proxy HTTP traffic to the first connector over HTTP
Proxy HTTPS traffic to the second connector over HTTP
The second connector reports every request as secure, so it must be reachable only from the proxy (bind it with the address attribute to a proxy-facing interface and/or firewall it); a client that can reach it directly passes the transport-guarantee checks without ever using SSL. This approach also carries no client certificate information.
Questions