I've never used SSL/Https before, and I just recently signed up for a host service provider. My site is uploaded but I'm still in testing phase. What I would like to do is use ssl on a login page, as well as pages where an email (form) is submitted. I want to protect personal data.
I have Apache web server 2.2, Tomcat 5.5.27, Java 22.214.171.124 (SE 5), and Mod_jk 1.2.28 installed on my server.
I'm not using Tomcat in standalone mode.
I'm not sure where to start. This is all so new to me, so I have quite a few questions. Forgive me if I'm not using proper terms in the questions below.
1) where should I go to purchase a certificate?
2) do I need any additional modules or applications on my server to use ssl?
3) since I'm not planning to use ssl/https sitewide, but only on a few select pages, what sort of configurations are necessary in apache or in tomcat to specify such?
3. This should work fine. You just need to point to the correct url within your application, whether http or https. One point to note is that that apache must be configured for http and https and have those listeners both enabled. The doc above should help with that. You'll likely use the apache-tomcat connector, so tomcat probably will be listening on some non-standard port for communication with apache. You should disable it's other listeners if you don't want people to go directly to tomcat. Finally, just one last point that I don't have time to elaborate on here, but there are several types of attacks (like session hijacking) that are possible when both http and https are used. In my opinion, once a user is logged in, it should all be ssl. It's not that much of a performance impact, unless you're doing HUGE amounts of requests, and if that's true, you probably have enough hardware to handle it.