Generate server certificate

Note: If you already have certificate created then this section can be ignored.

Generate Private Key on the Server Running Apache + mod_ssl First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

[root@s4-app-dev jbossuser]# mkdir /etc/httpd/conf/certs

[root@s4-app-dev jbossuser]# openssl genrsa -des3 -out www.xyz.com.key 1024

Generate a Certificate Signing Request (CSR) Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.

[root@s4-app-dev jbossuser]# openssl req -new -key www.xyz.com.key -out www.xyz.com.csr

Generate a Self-Signed SSL Certificate For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.

[root@s4-app-dev jbossuser]# openssl x509 -req -days 365 -in www.xyz.com.csr -signkey www.xyz.com.key -out www.xyz.com.crt

代替获取crt的方式(生成pem文件),不需要private key:
openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem

Apache SSL configuration

If you already have mod_cluster configured to listen to port 80 then remove that virtual host entry and make following configuration. Create ssl.conf as following.

[root@s4-app-dev jbossuser]# vi /etc/httpd/conf.d/ssl.conf

This is the Apache server configuration file providing SSL support.

# It contains the configuration directives to instruct the server how to

# serve pages over an https connection. For detailing information about these

# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>

#

# Do NOT simply read the instructions in here without understanding

# what they do.  They're here only as hints or reminders.  If you are unsure

# consult the online docs. You have been warned.

#

LoadModule ssl_module modules/mod_ssl.so

#

# When we also provide SSL we have to listen to the

# the HTTPS port in addition.

#

Listen 1.1.1.1:443

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

#   Pass Phrase Dialog:

#   Configure the pass phrase gathering process.

#   The filtering dialog program (`builtin' is a internal

#   terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism

#   to use and second the expiring timeout (in seconds).

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)

SSLSessionCacheTimeout  300

#   Semaphore:

#   Configure the path to the mutual exclusion semaphore the

#   SSL engine uses internally for inter-process synchronization.

SSLMutex default

#   Pseudo Random Number Generator (PRNG):

#   Configure one or more sources to seed the PRNG of the

#   SSL library. The seed data should be of good random quality.

#   WARNING! On some platforms /dev/random blocks if not enough entropy

#   is available. This means you then cannot use the /dev/random device

#   because it would lead to very long connection times (as long as

#   it requires to make more entropy available). But usually those

#   platforms additionally provide a /dev/urandom device which doesn't

#   block. So, if available, use this one instead. Read the mod_ssl User

#   Manual for more details.

SSLRandomSeed startup file:/dev/urandom  256

SSLRandomSeed connect builtin

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

#

# Use "SSLCryptoDevice" to enable any supported hardware

# accelerators. Use "openssl engine -v" to list supported

# engine names.  NOTE: If you enable an accelerator and the

# server does not start, consult the error logs and ensure

# your accelerator is functioning properly.

#

SSLCryptoDevice builtin

#SSLCryptoDevice ubsec

##

## SSL Virtual Host Context

##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration

#DocumentRoot "/var/www/html"

#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel

# is not inherited from httpd.conf.

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

#   SSL Protocol support:

# List the enable protocol levels with which clients will be able to

# connect.  Disable SSLv2 access by default:

SSLProtocol all -SSLv2

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:

# Point SSLCertificateFile at a PEM encoded certificate.  If

# the certificate is encrypted, then you will be prompted for a

# pass phrase.  Note that a kill -HUP will prompt again.  A new

# certificate can be generated using the genkey(1) command.

SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10

#   Access Control:

#   With SSLRequire you can do per-directory access control based

#   on arbitrary complex boolean expressions containing server

#   variable checks and other lookup directives.  The syntax is a

#   mixture between C and Perl.  See the mod_ssl documentation

#   for more details.

#<Location />

#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#     Translate the client X.509 into a Basic Authorisation.  This means that

#     the standard Auth/DBMAuth methods can be used for access control.  The

#     user name is the `one line' version of the client's X.509 certificate.

#     Note that no password is obtained from the user. Every entry in the user

#     file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#     This exports two additional environment variables: SSL_CLIENT_CERT and

#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#     server (always existing) and the client (only existing when client

#     authentication is used). This can be used to import the certificates

#     into CGI scripts.

#   o StdEnvVars:

#     This exports the standard SSL/TLS related `SSL_*' environment variables.

#     Per default this exportation is switched off for performance reasons,

#     because the extraction step is an expensive operation and is usually

#     useless for serving static content. So one usually enables the

#     exportation for CGI and SSI requests only.

#   o StrictRequire:

#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

#     under a "Satisfy any" situation, i.e. when it applies access is denied

#     and no other module can change it.

#   o OptRenegotiate:

#     This enables optimized SSL connection renegotiation handling when SSL

#     directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is send or allowed to received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly.

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

LoadModule slotmem_module modules/mod_slotmem.so

LoadModule manager_module modules/mod_manager.so

LoadModule proxy_cluster_module modules/mod_proxy_cluster.so

LoadModule advertise_module modules/mod_advertise.so

NameVirtualHost 1.1.1.1:443

MemManagerFile /var/cache/httpd

<VirtualHost 1.1.1.1:443>

    <Location /mod_cluster_manager>

        SetHandler mod_cluster-manager

        Order deny,allow

        Allow from all

    </Location>

    KeepAliveTimeout 60

    MaxKeepAliveRequests 0

    ManagerBalancerName testcluster

    AdvertiseFrequency 5

    DocumentRoot "/var/www/html"

    ErrorLog logs/ssl_error_log

    TransferLog logs/ssl_access_log

    LogLevel warn

    SSLEngine on

    SSLProtocol all -SSLv2

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/httpd/conf/certs/www.xyz.com.crt

    SSLCertificateKeyFile /etc/httpd/conf/certs/www.xyz.com.key

    SSLCertificateChainFile /etc/httpd/conf/certs/www.xyz.com.crt

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">

        SSLOptions +StdEnvVars

    </Files>

    <Directory "/var/www/cgi-bin">

        SSLOptions +StdEnvVars

    </Directory>

    <Directory "/var/www/html">

         AllowOverride None

         Order allow,deny

         Allow from all

    </Directory>

</VirtualHost>

Once these changes have been made you should be able to reach to Apache over SSL [https://1.1.1.1/][1]

Upgrade Jboss for mod_cluster and SSL

The Jboss 7.1.1.Final doesn’t work with mod_cluster and SSL configuration. It basically ignores the certificate configuration to SSL of mod_cluster. We need to upgrade to higher Jboss such as Download higher source tag from Git https://github.com/jbossas/jboss-as/tree/7.1.3.Final If you already have Maven 3 installed

$ mvn install

If you don't have Maven 3

$ ./build.sh

Creating self-signed certificates using KeyTool

Generating the key pair into a keystore (JKS), for RSA:

[root@s4-app-dev jbossuser]# keytool -genkey -keyalg RSA -keysize 2048 -keystore xyz_keystore.jks -alias xyz

Import server certificate into keystore

[root@s4-app-dev jbossuser]# keytool -import -alias wxyz -file /etc/httpd/conf/certs/www.xyz.com.crt -storetype JKS -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks

To list keystore content

[root@s4-app-dev jbossuser]# keytool -list -keystore /home/jboss-as-7.1.1.final/keystore/xyz_keystore.jks

Jboss mod_cluster ssl configuration

In domain.xml add system properties for truststore and password.

<property name="javax.net.ssl.trustStore" value="${jboss.domain.config.dir}/keystore/xyz_keystore.jks"/>

<property name="javax.net.ssl.trustStorePassword" value="xyzmanish"/>

Modify mod_cluster subsystem to now listen to 6666 and use keystore that we configured.

<subsystem xmlns="urn:jboss:domain:modcluster:1.1">

  <mod-cluster-config advertise-socket="modcluster" connector="ajp" proxy-list="1.1.1.1:6666" advertise-security-key="xyzmanish">

   <dynamic-load-provider>

         <load-metric type="busyness"/>

   </dynamic-load-provider>

   <!-- SSL/TLS configuration for mod_cluster advertise-security-key -->

   <ssl password="xyzmanish" key-alias="xyz" ca-certificate-file="${jboss.domain.config.dir}/keystore/xyz_keystore.jks"  certificate-key-file="${jboss.domain.config.dir}/keystore/xyz_keystore.jks" cipher-suite="ALL" protocol="TLSv1"/>

  </mod-cluster-config>

</subsystem>>

Once you make this changes restart the JBOSS server and try to access your application via Apache over SSL.

去除Apache启动时要求输入密语(pass-phrase)的提示信息?

要求输入密语的原因是server.key文件中的RSA私钥是出于安全考虑而被加密存储的,而密语就是用来解密私钥的。解除密语的保护就剥去了一层安全保护,所以做这个操作的时候请三思而后行!

  1. 首先备份原始RSA私钥文件,然后再去除RSA私钥文件上的密语保护:
    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key
  2. 确保server.key只能被root读取:
    $ chmod 400 server.key

现在,server.key中就包含了一份未加密的私钥。如果你让Apache使用这个文件,那么就不会在启动
的时候提示输入密语了。但是如果有任何其他人获得了这个未加密的私钥文件,那么他就可以冒充你的身份。所以你必须确保只有root用户可以读取它,然后以
root启动Apache并以其他用户身份运行Apache的子进程。

另一种选择是使用"SSLPassPhraseDialog exec:/path/to/program"功能,但是需要切记的是这种做法并不能获得更高的安全性(当然也不更低)。

JBoss集群中启用HTTPS协议的更多相关文章

  1. 无需手动输入命令,简单3步即可在K8S集群中启用GPU!

    随着全球各大企业开始广泛采用Kubernetes,我们看到Kubernetes正在向新的阶段发展.一方面,Kubernetes被边缘的工作负载所采用并提供超越数据中心的价值.另一方面,Kubernet ...

  2. ingress-nginx 的使用 =》 部署在 Kubernetes 集群中的应用暴露给外部的用户使用

    文章转载自:https://mp.weixin.qq.com/s?__biz=MzU4MjQ0MTU4Ng==&mid=2247488189&idx=1&sn=8175f067 ...

  3. Traefik实现Kubernetes集群服务外部https访问

    转载请注明出处:http://www.cnblogs.com/wayneiscoming/p/7707942.html traefik 是一个前端http反向代理服务器以及负载均衡器,支持多种微服务后 ...

  4. 运维小知识之nginx---nginx配置Jboss集群负载均衡

      codyl 2016-01-26 00:53:00 浏览385 评论0 负载均衡 转自 运维小知识之nginx---nginx配置Jboss集群负载均衡-博客-云栖社区-阿里云https://yq ...

  5. 转:Redis设置认证密码 Redis使用认证密码登录 在Redis集群中使用认证密码

    Redis默认配置是不需要密码认证的,也就是说只要连接的Redis服务器的host和port正确,就可以连接使用.这在安全性上会有一定的问题,所以需要启用Redis的认证密码,增加Redis服务器的安 ...

  6. Kubernetes集群中Jmeter对公司演示的压力测试

    6分钟阅读 背景 压力测试是评估Web应用程序性能的有效方法.此外,越来越多的Web应用程序被分解为几个微服务,每个微服务的性能可能会有所不同,因为有些是计算密集型的,而有些是IO密集型的. 基于微服 ...

  7. 集群中Session共享解决方案分析

    一.为什么要Session共享 Session存储在服务器的内存中,比如Java中,Session存放在JVM的中,Session也可以持久化到file,MySQL,redis等,SessionID存 ...

  8. 实操教程丨如何在K8S集群中部署Traefik Ingress Controller

    注:本文使用的Traefik为1.x的版本 在生产环境中,我们常常需要控制来自互联网的外部进入集群中,而这恰巧是Ingress的职责. Ingress的主要目的是将HTTP和HTTPS从集群外部暴露给 ...

  9. kubernetes集群中的pause容器

    昨天晚上搭建好了k8s多主集群,启动了一个nginx的pod,然而每启动一个pod就伴随这一个pause容器,考虑到之前在做kubelet的systemd unit文件时有见到: 1 2 3 4 5 ...

随机推荐

  1. 字符编码 and cpp

    预备知识 字符:抽象的最小文本单位.仅代表符合没有实际意义(如:¥, a, 国) 字符集:字符的集合(如gb2312, ASCII, UNICODE) 编码:是对字符集的描述,计算机要准确的处理各种字 ...

  2. maven+springMVC+mybatis+mysql详细过程

    1.工程目录 a.在src/main/java文件夹中,新建包cn.springmvc.model(存放javabean), cn.springmvc.dao(存放spring与mybatis连接接口 ...

  3. 在 ASP.NET 中使用 jQuery.load() 方法

    今天就让我们看看在 ASP.NET 中使用 jQuery.load() 方法来调用 ASP.NET 的方法,实现无刷新的加载数据. 使用 jQuery 的朋友应该知道可以使用 jQuery.load( ...

  4. 从头开始一步一步实现EF6+Autofac+MVC5+Bootstarp极简前后台ajax表格展示及分页(二)前端修改、添加表格行点击弹出模态框

    在前一篇中,由于不懂jquery,前端做的太差了,今天做稍做修改,增加一个跳转到指定页面功能,表格行点击样式变化.并且在表格中加入bootstarp的按钮组,按钮点击后弹出模态框,须修改common, ...

  5. HTML5之FileReader的使用

    HTML5定义了FileReader作为文件API的重要成员用于读取文件,根据W3C的定义,FileReader接口提供了读取文件的方法和包含读取结果的事件模型. FileReader的使用方式非常简 ...

  6. Win10系统Start Menu上的图标莫名消失

    今天在工作过程中,突然有测试的同事给我报来一个问题.她是这么描述的“执行完XXX工具之后,在Start Menu找不到图标了.” 针对问题本身: 1,是执行完XXXX工具之后? 2,Start Men ...

  7. 整理课堂笔记 pl/sql orcale异常

      1>>>>>异常错误处理 1 >预定义的异常处理 预定义说明的部分 ORACLE 异常错误对这种异常情况的处理,只需在PL/SQL块的异常处理部分,直接引用相应 ...

  8. Android监听应用程序安装和卸载

    Android监听应用程序安装和卸载 第一. 新建监听类:BootReceiver继承BroadcastReceiver package com.rongfzh.yc; import android. ...

  9. Duilib实现类似电脑管家扫描目录效果

    实现原理: 1.后台开线程遍历目录,遍历出一个文件路径在界面上更新显示(通过发消息通知主界面) 2.需要扩展一下Duilib控件,在此我扩展了CLabelUI,重写了PaintText函数 扩展控件的 ...

  10. [问题2015S02] 复旦高等代数 II(14级)每周一题(第三教学周)

    [问题2015S02]  设 \(a,b,c\) 为复数且 \(bc\neq 0\), 证明下列 \(n\) 阶方阵 \(A\) 可对角化: \[A=\begin{pmatrix} a & b ...