On Fri, 2011-12-02 at 00:56 -0800, moshood oladapo wrote:
> Dear Sir/Ma,
>
> I have already deployed an application running perfectly on tomcat 6.0.20 on
> port 8080 on my Oracle EL 5 server. But now I want all requests to go through
> SSL.
>

If you want to force all traffic to go through SSL, you need to do two things.

1.) Configure a Connector with SSL.

Example using BIO connector:

    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>

Example using APR connector:

    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/usr/local/ssl/server.crt"
               SSLCertificateKeyFile="/usr/local/ssl/server.pem"
               clientAuth="optional" SSLProtocol="TLSv1"/>

For details, see
https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support

2.) Define a user-data-constraint in web.xml to indicate that the application's
traffic must be secured.

    <security-constraint>
      ...
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

See this link for details.
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbm

>
> See below my configurations on server.xml:
>
> <!--APR library loader. Documentation at /docs/apr.html -->
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
>           SSLEngine="on" SSLRandomSeed="builtin" />
>
>
>
> <Connector executor="tomcatThreadPool"
>            port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="443" />
> -->
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
>      This connector uses the JSSE configuration, when using APR, the
>      connector should be using the OpenSSL style configuration
>      described in the APR documentation -->
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            SSLEngine="on"
>            SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
>            SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
>            SSLPassword="optix10$"
> />
>
> After doing all this, I still couldn't access it "https://localhost:443/". It
> displays the error message "internet explorer cannot display the webpage". But
> when I try http://localhost:8080/, it works fine.
>
> There is a clause I don't understand in the HowTo configure SSL with APR -
> (the APR library must be available). How do I know if the APR is available
> or not?

If you don't know if APR is installed, then it's likely that it is not
installed. The APR library is a native library that you must compile and
install manually.

https://tomcat.apache.org/tomcat-6.0-doc/apr.html

Did you or another system admin compile and install it on your server?

Dan
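As an added example, not code from this thread or from Tomcat itself: a small Python check that verifies both of Dan's steps against a server.xml and web.xml pair, including the detail that the plain HTTP connector's redirectPort must name the port the SSLEnabled connector actually listens on, otherwise the CONFIDENTIAL constraint redirects browsers to a port nothing serves. The two XML samples are constructed and the function names are my own.

```python
import xml.etree.ElementTree as ET
# Constructed samples (not from the original mail): a plain HTTP connector whose
# redirectPort points at the SSL connector, plus a web.xml marking / * CONFIDENTIAL.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" keystoreFile="conf/.keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint></security-constraint></web-app>"""

def connector_problems(server_xml):
    """Every redirectPort must name a port where an SSLEnabled https/secure Connector listens."""
    problems, redirects, ssl_ports = [], set(), set()
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(c.get("port"))
            if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
                problems.append(f'SSL Connector on {c.get("port")} needs scheme="https" secure="true"')
        elif c.get("redirectPort"):
            redirects.add(c.get("redirectPort"))
    if not ssl_ports:
        problems.append("no SSLEnabled Connector defined")
    problems += [f"redirectPort {p} has no SSL Connector listening" for p in sorted(redirects - ssl_ports)]
    return problems

def requires_confidential(web_xml):
    """True if a security-constraint covering /* demands CONFIDENTIAL (namespace stripped first)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    for sc in root.iter("security-constraint"):
        patterns = {p.text.strip() for p in sc.iter("url-pattern") if p.text}
        tg = sc.find("user-data-constraint/transport-guarantee")
        if "/*" in patterns and tg is not None and (tg.text or "").strip() == "CONFIDENTIAL":
            return True
    return False

def check_forced_ssl(server_xml, web_xml):
    """Empty list means plain HTTP requests get redirected to a live SSL port."""
    problems = connector_problems(server_xml)
    if not requires_confidential(web_xml):
        problems.append("web.xml lacks a /* constraint with transport-guarantee CONFIDENTIAL")
    return problems
```

To run it against real files, read conf/server.xml and the webapp's WEB-INF/web.xml into the two strings; with the 8443 connector from Dan's example, an HTTP connector still carrying redirectPort="443" is reported.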