HTTPS / SSL AwareIm

Jaymer

https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

a great read. won't take that long. will confirm many of the things in this post.

the "alias" is important, and I didn't realize it from just copy/pasting Himanshu's instructions. I got back 4 certs - he had 2. There is a specific order to install them, so I had a little difficulty. And I don't think Mark or Himanshu mentioned this little goody found in this doc:

If you change the port number here [in the server.xlm <connector> entry], you should also change the value specified for the redirectPort attribute on the non-SSL connector [from 8443 to 443]. This allows Tomcat to automatically redirect users who attempt to access a page with a security constraint specifying that SSL is required, as required by the Servlet Specification.

jannes

Hi,

I/m struggling (for several days now) with installing SSL on a Windows-server 2012.

I read and re-read several times :
http://softservsolutions.com/AwareIM/SSL/AwareIM_SSL.pdf

I ordered a certificate and received 3 crt-files, placed them in the folder of the keystore : AwareIM\JDK\bin\
I imported these crt-files using "keytool" and also edited server.xml

Restarting AwareIM didn't gave the result I expected.
Can anybody help me ? Maybe I just forgot a small thing...

regards
Jannes

hpl123

I have also struggled with this starting somewhere after v8 and it seems like it doesn't work like it used to, my notes for doing the process which has worked for years doesn't work any longer and my notes hasn't changed so maybe something in Aware or the certificates and process in general? I went another way and now using a reverse proxy instead so is a tip for you and/but, an updated step by step guide from someone who done this in recent versions would be nice.

himanshu

Hi Henrick,

I was using LetsEncrypt from last couple of years, and the one document which was shared is helpful in case if you use another paid way.

@Jannes - pls connect on PM to understand your issue will try to help or will refer to someone.

cishpix

jannes wrote
I ordered a certificate and received 3 crt-files, placed them in the folder of the keystore : AwareIM\JDK\bin\
I imported these crt-files using "keytool" and also edited server.xml

Hi Jannes, we usually split the certificate into 3 files with NIO protocol and do not use keytool again begin from Tomcat 8

hpl123

himanshu wrote
Hi Henrick,

I was using LetsEncrypt from last couple of years, and the one document which was shared is helpful in case if you use another paid way.

@Jannes - pls connect on PM to understand your issue will try to help or will refer to someone.

Thanks and/so you have had Tomcat set up with Letsencrypt? That is the holy grail as far as I'm concerned. It's free and autorenew (set and forget). I use it with IIS today for websites and also for Aware via a reverse proxy but it isn't as good as having it set directly for Tomcat. Is it the Tomcat document you refer to as helpful or the softserv one (link doesn't work).

hpl123

cishpix wrote
jannes wrote
I ordered a certificate and received 3 crt-files, placed them in the folder of the keystore : AwareIM\JDK\bin\
I imported these crt-files using "keytool" and also edited server.xml

Hi Jannes, we usually split the certificate into 3 files with NIO protocol and do not use keytool again begin from Tomcat 8

A bit more details about this and how to set it up would be nice?

Jaymer

here's 1 way to do it with the 3 files.
build 8.5
file: server.xml

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
			   

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
		<SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384">
            <Certificate certificateFile="C:\AwareIM\Tomcat\conf\certificate.cer"
                         certificateChainFile="C:\AwareIM\Tomcat\conf\bundle.crt"
						 certificateKeyFile="C:\AwareIM\Tomcat\conf\certificate.key"
                         type="RSA"/>
        </SSLHostConfig>
    </Connector>

--> JaymerTip SSL Port 443 Tomcat Config Server.XML

Screen Shot 2021-02-14 at 4.58.53 PM.png

hpl123

Jaymer wrote

here's 1 way to do it with the 3 files.
build 8.5
file: server.xml

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
			   

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
		<SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384">
            <Certificate certificateFile="C:\AwareIM\Tomcat\conf\certificate.cer"
                         certificateChainFile="C:\AwareIM\Tomcat\conf\bundle.crt"
						 certificateKeyFile="C:\AwareIM\Tomcat\conf\certificate.key"
                         type="RSA"/>
        </SSLHostConfig>
    </Connector>

--> JaymerTip SSL Port 443 Tomcat Config Server.XML

Is it really that simple, have you successfully implemented/tested this doing only these 2 things?

cishpix

hpl123 wrote
Is it really that simple, have you successfully implemented/tested this doing only these 2 things?

Yes, it's really simple, I have implemented it (exactly like Jaymer share the tomcat configuration in server.xml file) to some AwareIM servers that running in Windows, Linux and Macintosh too. If you need my hand, you can PM me directly 🙂

Jaymer wrote
here's 1 way to do it with the 3 files.

Thank you Jaymer that help me to answer Henrik question, I appreciate you 😉

Jaymer

well, there's not 2 things here - its the same thing.

1 is the code so its easy to copy/paste into server.xml
the other is an image of the server.xml file that everyone has. usually the lower section (connector for 443) is not active.

this is from a live system.

if you monkey with the keystore, its a lot more difficult (the older way)

ACDC

if you monkey with the keystore, its a lot more difficult (the older way)

I am lost here, so you not using keystore, how do you start the cert process 😮
I thought you had to use the Keytool

ACDC

If you working with a keystore file this setting will also do.

I used this setup in the server.xml file for my own self-signed certificate called tomcat.keystore. This file was placed into a keystore folder: AwareIM/Tomcat/keystore/tomcat.keystore

1Basic Server.xml Setup.jpg

ACDC

I also had to make an extra change further down the file by adding this :
(I should find out more about how to set the password rather than just making it false, not sure what this is for, maybe someone can help)

2Basic Server.xml Setup.jpg

hpl123

Sounds very simple, the keystore way was a mess and a whole other way of integrating the certificate so just adding some lines of code and be done seems unbelievable but thanks for the tips and I will test it out and also look to see if it actually works.

PointsWell

hpl123 wrote
I use it with IIS today for websites and also for Aware via a reverse proxy but it isn't as good as having it set directly for Tomcat.

Henrick

I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server what are the benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put SSL certificate between your reverse proxy and the Tomcat server?

hpl123

PointsWell wrote
hpl123 wrote
I use it with IIS today for websites and also for Aware via a reverse proxy but it isn't as good as having it set directly for Tomcat.

Henrick

I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server what are the benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put SSL certificate between your reverse proxy and the Tomcat server?

I don´t intend to use both if that was your question? For me the preference of having it implemented directly in Tomcat is mostly a security thing. I have used the "regular" way SSL with Tomcat for most of my Aware time and is what it is designed to do i.e it´s a webserver with a SSL function or whatever you want to call it so implementing it the "regular" way seems best. When using a reverse proxy you introduce another factor into the mix and sure, this is what reverse proxies do bla bla bla but it still seems right to do it the "regular" way and is most likely superstition and not knowing that much about these things. Another thing is, when using a reverse proxy, you also have to meddle with various rewrite rules, inbound/outbound rules and can have various resource access complexities. Why make it more complex than necessary.

PointsWell

hpl123 wrote
I don´t intend to use both if that was your question?

That's what I was wondering

hpl123 wrote
For me the preference of having it implemented directly in Tomcat is mostly a security thing.

I am not a security consultant, but, my memories from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define for example shutdown port calls can't be activated maliciously

I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert

The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.

hpl123

PointsWell wrote
hpl123 wrote
I don´t intend to use both if that was your question?

That's what I was wondering

hpl123 wrote
For me the preference of having it implemented directly in Tomcat is mostly a security thing.

I am not a security consultant, but, my memories from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define for example shutdown port calls can't be activated maliciously

I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert

The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.

As I wrote above, for me it just seems like the most secure and easy/practical way, is to do it directly in Tomcat but I don´t know this to be true. I am sure both ways has it´s advantages and drawbacks. If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?

PointsWell

hpl123 wrote
If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?

I created a separate thread Tomcat v Reverse Proxy pros and cons rather than clog this one up with pros and cons

« Previous Page Next Page »