Enterprise Architecture & Integration, SOA, ESB, Web Services & Cloud Integration

Tuesday, 24 July 2012

Apache SSL configuration with sample


Many a time you will want to set up Apache httpd as a front end in front of application servers such as Oracle WebLogic or Apache Tomcat. While httpd acts as a proxy, you may also want it to terminate SSL/TLS, so that the connection between the browser and httpd is encrypted. Keep in mind that this protects only that hop: the connection from httpd to the back end is a separate one and is only protected if you proxy it over HTTPS as well. Have you ever thought how easy it is to set up SSL with Apache? Believe me, it really is. Apache configuration is powerful (and, I agree, sometimes painful if you don't know what you are doing :) ) and needs very little to get SSL going.

The minimum things you need are:
a) Server certificate
                - Lets the browser identify which server it is connecting to. It is a PEM-encoded certificate: if you open it in an editor such as Notepad you see base64 text (the DER encoding of the certificate) that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

b) Private key
                - The key that matches the public key inside the certificate; the server uses it during the handshake to prove it owns the certificate. Keep it secure: restrict the file permissions to the account that starts httpd and never copy it anywhere it does not need to be. It can be an RSA or a DSA key, although RSA is what public CAs issue certificates for in practice.

c) Certificate chain from your certificate authority
                - The intermediate CA certificate(s) that link your server certificate to a root CA. The root itself lives in the browser's trust store and does not have to be sent, but if an intermediate is missing the browser cannot build the chain and the connection fails with a trust warning.
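To make the three files above concrete, here is an added example (not part of the original post) that builds a throw-away root, intermediate and server certificate with the openssl command-line tool, writes them under the same names the Apache snippet uses, and runs the checks worth running before restarting httpd: does the private key belong to the certificate, does the chain reach the root, and what happens when the intermediate is left out. Host names, subjects and file names are assumptions for the demo; with a real certificate you replace root.crt with your CA's root and keep the checks.

```shell
#!/bin/sh
# Added example: build a demo three-tier PKI with openssl and verify the
# server certificate, key and chain the way a browser (and you) should.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed minimal openssl config: CA and leaf extension sections.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Root CA: lives in the browser trust store, is NOT sent by the server.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 365 -subj "/CN=Demo Root CA" -config ext.cnf -extensions ca_ext 2>/dev/null

# Intermediate CA, signed by the root: this is what goes in intermediate.crt.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" -config ext.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -out intermediate.crt -extfile ext.cnf -extensions ca_ext 2>/dev/null

# Server certificate and key: public.crt / private.key for SSLCertificateFile
# and SSLCertificateKeyFile.
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out leaf.csr \
  -subj "/CN=www.example.com" -config ext.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey int.key -CAcreateserial \
  -days 365 -out public.crt -extfile ext.cnf -extensions leaf_ext 2>/dev/null
chmod 600 private.key root.key int.key

# httpd 2.4.8+ prefers the chain appended to the server certificate
# (leaf first, then intermediates) instead of SSLCertificateChainFile.
cat public.crt intermediate.crt > fullchain.crt

# Check 1: the private key must match the public key in the certificate.
# Both commands emit the SubjectPublicKeyInfo in PEM, so they must be equal.
key_matches_cert() {
  [ "$(openssl x509 -in public.crt -noout -pubkey)" = \
    "$(openssl pkey -in private.key -pubout)" ]
}

# Check 2: what the browser does. Root from its store, intermediate supplied
# by the server (-untrusted), leaf being verified.
chain_verifies() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt public.crt \
    >/dev/null 2>&1
}

# Check 3: the failure mode of a missing chain file. The leaf alone cannot be
# linked to the root, so verification fails.
chain_verifies_without_intermediate() {
  openssl verify -CAfile root.crt public.crt >/dev/null 2>&1
}

# PEM is just base64 DER: the "scrambled text" decodes to a readable subject.
cert_subject() {
  openssl x509 -in public.crt -noout -subject
}

# Demo run
if key_matches_cert; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; fi
if chain_verifies; then echo "chain with intermediate: OK"; fi
if chain_verifies_without_intermediate; then
  echo "chain without intermediate: unexpectedly OK"
else
  echo "chain without intermediate: fails, as a browser would"
fi
cert_subject
```

Run it with sh; it needs only the openssl binary. The key-match check is the one that catches the most common deployment mistake, a renewed certificate installed next to last year's private key, which httpd reports only at startup as a key/certificate mismatch.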

If you have all of the above, you can easily set up 'one-way' SSL, otherwise known as 'server authentication': the server proves its identity and the client is not asked for a certificate. The snippet below is the minimal configuration required (mod_ssl must be loaded, and relative file paths are resolved against ServerRoot):

Listen 443
<VirtualHost *:443>
     SSLEngine on
     SSLCertificateFile public.crt
     SSLCertificateKeyFile private.key
     SSLCertificateChainFile intermediate.crt      
</VirtualHost>
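A fuller version of the same virtual host, added here as an example (not from the original post), with the directives a practitioner normally adds around the minimal snippet: loading the modules, redirecting plain HTTP, restricting protocols and ciphers, and proxying to the back-end application server. The module paths, host name, file locations and the back-end URL are assumptions.

```apache
# Module lines are often already in the main httpd.conf; paths are assumptions
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

Listen 80
Listen 443

# Port 80 only redirects; nothing is served in the clear
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Relative to ServerRoot. The key should be readable only by the account
    # that starts httpd, not by the worker User
    SSLCertificateFile      conf/ssl/public.crt
    SSLCertificateKeyFile   conf/ssl/private.key
    SSLCertificateChainFile conf/ssl/intermediate.crt

    # Hardening: drop SSLv2/SSLv3, let the server choose the cipher,
    # exclude anonymous, MD5, RC4 and 3DES suites
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

    # Ask browsers to return over HTTPS only (mod_headers)
    Header always set Strict-Transport-Security "max-age=31536000"

    # Front the application server (assumption: Tomcat on localhost:8080).
    # This hop is plain HTTP; use https:// plus SSLProxyEngine on if the
    # back end is on another host
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    RequestHeader set X-Forwarded-Proto "https"

    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %s %b"
</VirtualHost>
```

From httpd 2.4.8 onward SSLCertificateChainFile is deprecated: append the intermediate certificate(s) after the server certificate in the file named by SSLCertificateFile instead. The SSLCipherSuite string is a starting point; check it against the current recommendations for the clients you must support.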

mod_ssl also exposes a number of variables (the negotiated protocol and cipher, client certificate details, and so on) that are useful for debugging. The following line writes them, for every request, to a separate log file; the %{...}x format works without SSLOptions +StdEnvVars. Seeing which protocol and cipher each client actually negotiated is worth keeping in production too, not only in development.

CustomLog logs/ssl_request_log "%t %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{HTTPS}x %{REFERER}i %{X-Forwarded-For}i \"%r\" %s %b"

One common issue everyone runs into is binding port 443 for SSL. You may see the error below at startup:
(13)Permission denied: AH00072: make_sock: could not bind to address xx.xxx.xx.xx:443
no listening sockets available, shutting down
AH00015: Unable to open logs

The first line is the real problem; the other two are consequences of the failed bind. Only root can bind to ports below 1024, so the standard ports 80 for HTTP and 443 for HTTPS require httpd to be started by root (for example with sudo apachectl start or your init script). httpd then drops privileges to the account named by the User and Group directives for its worker processes, so the server itself does not run as root. If you cannot start it as root, listen on a port above 1023 (for example Listen 8443), or on Linux grant the binary the CAP_NET_BIND_SERVICE capability with setcap.

Hope this information will be useful for you. 
