Using SSL/Https with Apache & Tomcat - where do I start?

 
Greenhorn
Posts: 15
I've never used SSL/HTTPS before, and I just recently signed up for a host service provider. My site is uploaded but I'm still in the testing phase. What I would like to do is use SSL on a login page, as well as pages where an email (form) is submitted. I want to protect personal data.

I have Apache web server 2.2, Tomcat 5.5.27, Java 1.5.0.19 (SE 5), and Mod_jk 1.2.28 installed on my server.
I'm not using Tomcat in standalone mode.

I'm not sure where to start. This is all so new to me, so I have quite a few questions. Forgive me if I'm not using proper terms in the questions below.

1) Where should I go to purchase a certificate?

2) Do I need any additional modules or applications on my server to use SSL?

3) Since I'm not planning to use SSL/HTTPS sitewide, but only on a few select pages, what sort of configurations are necessary in Apache or in Tomcat to specify such?




 
Ranch Hand
Posts: 49
1. The standard is probably VeriSign if it's a real site. You can do what is called a self-signed cert if it's for development.

2. You should already have them. Here are some docs based on your version numbers:

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

3. This should work fine. You just need to point to the correct URL within your application, whether http or https. One point to note is that Apache must be configured for http and https and have those listeners both enabled. The doc above should help with that. You'll likely use the Apache-Tomcat connector, so Tomcat probably will be listening on some non-standard port for communication with Apache. You should disable its other listeners if you don't want people to go directly to Tomcat. Finally, just one last point that I don't have time to elaborate on here, but there are several types of attacks (like session hijacking) that are possible when both http and https are used. In my opinion, once a user is logged in, it should all be SSL. It's not that much of a performance impact, unless you're doing HUGE amounts of requests, and if that's true, you probably have enough hardware to handle it.

Hope this helps.
--jtm
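The Apache side of the setup described in the answer above, sketched as an added example that is not part of the original thread. The hostname, file paths, worker name `worker1` and the URL prefixes `/login`, `/contact` and `/account` are assumptions to be replaced with the site's own values.

```apache
# httpd.conf fragment for Apache 2.2 with mod_ssl, mod_rewrite and mod_jk loaded.
# All names and paths below are placeholders (assumptions), not values from the thread.

# Both listeners must be enabled (Listen 80 is usually already present).
Listen 80
Listen 443

# worker1 is assumed to be defined in workers.properties and to point at
# Tomcat's AJP/1.3 connector (8009 by default). In Tomcat's server.xml, keep
# only that AJP connector and comment out the HTTP connector (8080 by default)
# so clients cannot bypass Apache and reach Tomcat directly.
JkWorkersFile conf/workers.properties

<VirtualHost *:80>
    ServerName www.example.com

    # Pages that carry credentials or personal data, and the logged-in area,
    # are never served over plain HTTP: redirect them to the HTTPS listener.
    RewriteEngine On
    RewriteRule ^/(login|contact|account)(/.*)?$ https://www.example.com%{REQUEST_URI} [R=301,L]

    # Everything else on port 80 is passed to Tomcat unencrypted.
    JkMount /* worker1
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Certificate and private key issued for this hostname
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # Intermediate CA bundle supplied by the certificate vendor
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

    # TLS terminates at Apache; mod_jk forwards the request to Tomcat over AJP
    # and tells it the original request was HTTPS.
    JkMount /* worker1
</VirtualHost>
```

Adding every authenticated path to the redirect pattern keeps a logged-in session on HTTPS, which is the point the answer makes about mixing http and https.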