Using SSL/Https with Apache & Tomcat - where do I start?

Bridget Carlson

Joined: Oct 08, 2009
Posts: 15
I've never used SSL/HTTPS before, and I just recently signed up for a host service provider. My site is uploaded but I'm still in the testing phase. What I would like to do is use SSL on a login page, as well as pages where an email (form) is submitted. I want to protect personal data.

I have Apache web server 2.2, Tomcat 5.5.27, Java (SE 5), and Mod_jk 1.2.28 installed on my server.
I'm not using Tomcat in standalone mode.

I'm not sure where to start. This is all so new to me, so I have quite a few questions. Forgive me if I'm not using proper terms in the questions below.

1) Where should I go to purchase a certificate?

2) Do I need any additional modules or applications on my server to use SSL?

3) Since I'm not planning to use SSL/HTTPS sitewide, but only on a few select pages, what sort of configurations are necessary in Apache or in Tomcat to specify such?

John Melton
Ranch Hand

Joined: Aug 17, 2004
Posts: 49
1. The standard is probably VeriSign if it's a real site. You can do what is called a self-signed cert if it's for development.

2. You should already have them. Here are some docs based on your version numbers

3. This should work fine. You just need to point to the correct URL within your application, whether http or https. One point to note is that Apache must be configured for http and https and have those listeners both enabled. The doc above should help with that. You'll likely use the Apache-Tomcat connector, so Tomcat probably will be listening on some non-standard port for communication with Apache. You should disable its other listeners if you don't want people to go directly to Tomcat. Finally, just one last point that I don't have time to elaborate on here, but there are several types of attacks (like session hijacking) that are possible when both http and https are used. In my opinion, once a user is logged in, it should all be SSL. It's not that much of a performance impact, unless you're doing HUGE amounts of requests, and if that's true, you probably have enough hardware to handle it.

Hope this helps.
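
The setup described in the reply above, sketched as an Apache httpd 2.2 configuration. This is an added example, not part of the original posts: it takes the reply's "it should all be SSL" recommendation in its simplest form (every plain-HTTP request is redirected to HTTPS), and the hostname `www.example.com`, the certificate paths and the worker name `worker1` are placeholders.

```apache
# Constructed example for Apache httpd 2.2 with mod_ssl and mod_jk 1.2.x.
# Hostname, file paths and the worker name "worker1" are placeholders.

# Skip these two lines if the modules are already loaded elsewhere.
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so

# Both listeners enabled, as the reply notes is required.
Listen 80
Listen 443

# mod_jk: workers.properties must define "worker1" pointing at
# Tomcat's AJP connector (port 8009 by default).
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# Plain-HTTP listener: serves no application content, only redirects,
# so pages are never delivered over an unencrypted connection and the
# session stays on HTTPS from login onward.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS listener: terminates SSL and forwards requests to Tomcat over AJP.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    conf/ssl/www.example.com.crt
    SSLCertificateKeyFile conf/ssl/www.example.com.key

    JkMount /* worker1
</VirtualHost>

# Tomcat side (conf/server.xml), shown here as comments:
#   - comment out the HTTP <Connector port="8080" ... /> so Tomcat
#     cannot be reached directly, bypassing Apache;
#   - keep only the AJP connector, bound to loopback when Apache and
#     Tomcat run on the same host:
#       <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3" />
```

After reloading Apache, `apachectl configtest` confirms the syntax, and a request to the `http://` address should return a 301 pointing at the `https://` one.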
