Configuring the APR HTTPS Interface of Redwood Platform
The APR connector allows Redwood Platform to use the OpenSSL libraries for encryption. Because these libraries run natively, this connector offers better performance. It requires that you compile a native library for your platform; on MS Windows this is possible, but the tools to compile the library are not always readily available, and keeping OpenSSL up to date on MS Windows servers is more tedious. For these reasons, if you have to run Redwood Platform on MS Windows servers, Redwood recommends that you stick to the built-in NIO connector.
Cipher Suites
The following cipher suites provide relatively adequate security, based on the recommendations of the Mozilla Project (the first two are TLS 1.3 suites, the remainder are the OpenSSL names of TLS 1.2 suites):
TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA
The following cipher families are inherently insecure and must not be used; the leading ! in the OpenSSL cipher string removes them permanently, so nothing later in the string can add them back:
!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Redwood recommends you use these cipher suites (the list above together with the exclusions) in your configuration. They have been chosen after careful research; however, Redwood cannot guarantee that they are 100% secure, and what OpenSSL makes of the string depends on the OpenSSL version the native library is linked against. The DHE-DSS entries are only usable with a DSA server certificate; with the RSA key created below they are never selected.
If a client that has to connect to your central Redwood Server does not support these ciphers, add a second connector for that client, with its own port and a cipher list the client supports, and restrict connections to that port at the firewall to the client's addresses, so that the weaker configuration is not reachable by anyone else. For licensing reasons the port number has to be smaller than the main connector's.
Process Flow
- Create a private key and Certificate Signing Request (CSR).
- Perform one of the following:
  - Request your purchased certificate.
  - Create a self-signed certificate (signed with the private key from the first step).
- Install the certificate.
- Compile the native library.
- Configure Redwood Platform for encryption.
- Update the ContextURL registry entry.
Prerequisites
- OpenSSL for key creation and, optionally, certificate signing
- Installed and configured Java Development Kit (JDK), which should ideally be the latest version shipped by the platform vendor (it must be supported).
Procedure
Create a private key and Certificate Signing Request (CSR)
openssl req -new -newkey rsa:2048 -nodes -out <csr_file> -keyout <key_file> [ -subj "/C=<country_code>/ST=<state>/L=<city>/O=<organization>/OU=<department>/CN=<server_fqdn>" ]
If you leave out the -subj parameter, you will be prompted for the information. -nodes writes the private key without a passphrase. The CN must be the host name clients will use to reach the server, the same name you later enter in ContextURL; a certificate whose name does not match that host name is rejected by browsers and other clients.
Request your purchased certificate
Send the CSR file generated in the previous step to your Certificate Authority (CA). The CA only needs the CSR; never send the private key.
Create self-signed certificate:
Only required when you want to use a self-signed certificate. Skip this step if you are sending a certificate signing request to a CA.
openssl x509 -req -days 365 -in <csr_file> -signkey <key_file> -out <cert_file>
Use the <key_file> that was created together with the CSR: the key passed to -signkey is the key the certificate belongs to, and it must be the one you install as SSLCertificateKeyFile. If you want a passphrase-protected key instead, generate it before creating the CSR with
openssl genrsa -aes256 -out <key_file> 2048
and use that file both for the CSR and for -signkey; the passphrase then has to be configured as SSLPassword in the connector. A self-signed certificate is suitable for testing only: every client has to be configured to trust this exact certificate, so replace it with a CA-issued one before the connector goes into production.
Install the certificate:
UNIX:
$ cp <ca_cert_file> <install_dir>/j2ee/cluster/server<n>/conf/
$ cp <key_file> <install_dir>/j2ee/cluster/server<n>/conf/
$ cp <cert_file> <install_dir>/j2ee/cluster/server<n>/conf/
Windows:
> copy <ca_cert_file> <install_dir>\j2ee\cluster\server<n>\conf
> copy <key_file> <install_dir>\j2ee\cluster\server<n>\conf
> copy <cert_file> <install_dir>\j2ee\cluster\server<n>\conf
Restrict <key_file> to the account that runs Redwood Platform (for example chmod 600 on UNIX, or an ACL that grants only that account read access on Windows): anyone who can read the private key can impersonate the server.
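The key, CSR, self-signed certificate and install steps above as one script, added here as an example and not part of the Redwood documentation. It adds two checks the steps do not spell out: that the certificate you are about to install really belongs to the key (a CA-issued certificate for a different CSR fails the same check), and that the installed key is readable only by its owner. The FQDN pr1.example.com, the subject fields, the file names server.key/server.csr/server.crt and the install directory are assumed placeholders.

```shell
#!/bin/sh
# Added example (not Redwood's code): key, CSR, self-signed certificate and
# install as functions, plus a certificate/key consistency check.
# Assumed placeholders: FQDN, subject fields, file names, target directory.

# make_key_and_csr DIR FQDN
# Private key without passphrase plus a CSR, as the openssl req step above does.
make_key_and_csr() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=$fqdn"
    chmod 600 "$dir/server.key"
}

# self_sign DIR FQDN DAYS
# Self-signed certificate made from the CSR and signed with the SAME key that
# produced it. A subjectAltName is added because browsers ignore the CN when
# matching the host name.
self_sign() {
    dir=$1; fqdn=$2; days=$3
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" -out "$dir/server.crt"
}

# keys_match CERT KEY
# Succeeds only if the public key inside CERT is the public half of KEY.
# Run this before installing a CA-issued certificate as well: a certificate
# issued for a different CSR makes the connector fail to start.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    case "$cert_pub" in
        *"BEGIN PUBLIC KEY"*) [ "$cert_pub" = "$key_pub" ] ;;
        *) return 1 ;;
    esac
}

# cert_cn CERT: print the subject CN (the page asks for the server FQDN here).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# install_cert DIR CONF
# Copy certificate and key into server<n>/conf; the key stays readable only by
# its owner, which must be the account that runs Redwood Platform.
install_cert() {
    dir=$1; conf=$2
    mkdir -p "$conf"
    cp "$dir/server.crt" "$conf/" && chmod 644 "$conf/server.crt"
    cp "$dir/server.key" "$conf/" && chmod 600 "$conf/server.key"
}

# Usage: sh cert-setup.sh demo   (everything lands in a temporary directory)
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_key_and_csr "$work" pr1.example.com
    self_sign "$work" pr1.example.com 365
    keys_match "$work/server.crt" "$work/server.key" && echo "certificate matches key"
    echo "CN: $(cert_cn "$work/server.crt")"
    install_cert "$work" "$work/conf"
    ls -l "$work/conf"
fi
```

For a purchased certificate, skip self_sign, save the file the CA returns as server.crt and run keys_match against the key from make_key_and_csr before install_cert; the check compares the certificate's public key with the key's public key, which is exactly what the connector needs to agree on.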
Compile the Native Library
You will need a C compiler and make, the APR development packages (apr-devel and apr-util-devel on RedHat/SUSE, libapr1-dev and libaprutil1-dev on Debian-based systems) and the OpenSSL development headers (openssl-devel on RedHat/SUSE, libssl-dev on Debian-based systems). Without the OpenSSL headers the native library is built without SSL support, or configure fails, depending on the tomcat-native version, and the connector below will not start. Please see your platform documentation or refer to the numerous resources online for information if you have a different platform.
The following can be copied into a shell script; the sample here was used on a GNU/Linux system. Adjust INSTALL_DIR, APR_PATH and JAVA_HOME to your installation.
#!/bin/sh
set -e
export INSTALL_DIR=/opt/redwood
export APR_PATH=/usr/bin/apr-1-config
export JAVA_HOME=/opt/java
export TOMCAT_HOME=${INSTALL_DIR}/j2ee/cluster/global/tomcat
export INSTALL_PREFIX=$(mktemp -d)
cd /tmp
rm -rf tomcat-native-*
tar -zxf "$TOMCAT_HOME/bin/tomcat-native.tar.gz"
# tomcat-native 1.1.x keeps the sources under jni/native, 1.2.x directly under native
cd /tmp/tomcat-native-*/jni/native 2>/dev/null || cd /tmp/tomcat-native-*/native
./configure --with-apr="$APR_PATH" --with-java-home="$JAVA_HOME" --prefix="$INSTALL_PREFIX"
make && make install
mkdir -p "${TOMCAT_HOME}/lib/x86_64/"
cp "$INSTALL_PREFIX"/lib/libtcnative* "${TOMCAT_HOME}/lib/x86_64/"
rm -rf "$INSTALL_PREFIX"
Ensure the library has all dependencies met:
$ ldd ${TOMCAT_HOME}/lib/x86_64/libtcnative-1.so
Every line must resolve to a path; a line ending in not found means a runtime library is missing. The list must include libssl and libcrypto, otherwise the library was built without SSL support. Because the connector's TLS implementation is this system OpenSSL, the OpenSSL package must stay patched, and the native library must be rebuilt if the OpenSSL major version changes.
Configure Redwood Platform for Encryption
Stop Redwood Platform by issuing the following command:
UNIX
<install_dir>/j2ee/cluster/server<n>/bin/stop.sh
Windows
<install_dir>/j2ee/cluster/server<n>/bin/stop.cmd
Add the following connector to <install_dir>/j2ee/cluster/server<n>/conf/server.xml:
<!-- Define a SSL HTTP/1.1 Connector on port <port> -->
<Connector port="<port>"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           connectionTimeout="20000"
           keepAliveTimeout="90000"
           SSLEnabled="true"
           SSLEngine="on"
           SSLProtocol="TLSv1.2+TLSv1.3"
           SSLVerifyClient="none"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
           SSLPassword="<password>"
           SSLCertificateFile="<install_dir>/j2ee/cluster/server<n>/conf/<cert_file>"
           SSLCertificateKeyFile="<install_dir>/j2ee/cluster/server<n>/conf/<key_file>"
           SSLCertificateChainFile="<install_dir>/j2ee/cluster/server<n>/conf/<ca_cert>"
           URIEncoding="UTF-8" compression="2048"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
           maxThreads="150"/>
In the above, replace <port>, <password>, server<n>, <cert_file>, <key_file> and <ca_cert>; the latter three files all have to be PEM encoded. Note the following:
- SSLProtocol (capital S) is the attribute that restricts the protocol versions of the OpenSSL (APR) connector. The JSSE attribute sslProtocol only names the SSLContext algorithm and does not restrict versions, so a connector configured with sslProtocol="TLSv1.3" still accepts whatever versions are enabled by default, which includes TLS 1.0 and 1.1. TLSv1.2+TLSv1.3 allows only those two versions, which is what the cipher list is written for. SSLVerifyClient="none" is the APR spelling of clientAuth="false".
- SSLPassword is only needed if the private key is encrypted (the genrsa -aes256 variant); omit the attribute for an unencrypted key. With an encrypted key the passphrase sits in server.xml in clear text, so server.xml, like the key file, must be readable only by the account that runs Redwood Platform.
- <ca_cert> is the intermediate certificate chain supplied by your CA, which clients need to validate the server certificate; SSLCertificateChainFile sends it to clients. For a self-signed certificate there is no chain: remove the attribute, since a missing file prevents the connector from starting. (SSLCACertificateFile, by contrast, lists the CAs of accepted client certificates and is not needed with SSLVerifyClient="none".)
- Each attribute may appear only once in the element. A duplicate, such as a second connectionTimeout or keepAliveTimeout, makes server.xml invalid XML and the server will not start.
For test purposes, use a <port> that is smaller than the licensed port; if you installed a license for port 10180, use 10179 or lower.
Start Redwood Platform again and test the connection:
openssl s_client -connect <server>:<port>
Ensure the output reads Protocol : TLSv1.3 (or TLSv1.2, if the client side cannot do TLS 1.3) and that the cipher that is used is one of the ciphers above. Verify return code should be 0 (ok); with a self-signed certificate it reports a self-signed certificate error until the certificate file is passed to s_client as a trusted CA, which is expected.
Attempt to connect with a supported browser; a successful login is sufficient.
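The s_client check above only shows what one handshake negotiated. The script below, added here as an example and not part of the Redwood documentation, turns the same check into a verdict against the policy this page configures (TLS 1.2 or 1.3, and a cipher from the recommended list) and, when given a host and port, also offers TLS 1.0, TLS 1.1 and a deliberately weak cipher to confirm the server refuses them. The host and port are assumed placeholders; the s_client transcripts embedded at the end are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not Redwood's code): grade `openssl s_client` output against
# the page's policy and, optionally, probe a live server.
# Assumed placeholders: host, port; constructed sample transcripts at the end.

# The recommended list from this page, used as the allowlist for the verdict.
ALLOWED_CIPHERS="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:\
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:\
DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA"

# judge_tls OUTPUT
# Takes the negotiated cipher from the "New, ..., Cipher is ..." line and the
# negotiated version from the "Protocol  :" line of the session block (the
# "New," line names the version a cipher was defined for, which is not the
# negotiated version for pre-TLS-1.2 ciphers).
# Prints "OK <protocol> <cipher>" or "FAIL <reason>"; returns 0 only for OK.
judge_tls() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|0000) echo "FAIL no handshake"; return 1 ;;
    esac
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL protocol ${proto:-unknown}"; return 1 ;;
    esac
    case ":$ALLOWED_CIPHERS:" in
        *":$cipher:"*) echo "OK $proto $cipher"; return 0 ;;
        *) echo "FAIL cipher $cipher"; return 1 ;;
    esac
}

# probe HOST PORT
# Live check: each protocol version the client can offer, then a deliberately
# weak cipher over TLS 1.2. On a correctly configured connector -tls1 and
# -tls1_1 fail, -tls1_2 and -tls1_3 pass, and the weak offer fails. A FAIL can
# also mean the local OpenSSL refused to offer the old protocol or cipher
# (OpenSSL 3 disables them by default); read the raw output when in doubt.
probe() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(judge_tls "$out")"
    done
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        -cipher 'RC4:3DES:DES' </dev/null 2>&1)
    printf '%-8s %s\n' "weak" "$(judge_tls "$out")"
}

# Constructed, abridged s_client transcripts, used when no host/port is given.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)'
SAMPLE_OLD_PROTOCOL='CONNECTED(00000003)
New, SSLv3, Cipher is ECDHE-RSA-AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA'
SAMPLE_WEAK_CIPHER='CONNECTED(00000003)
New, SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA'
SAMPLE_REFUSED='CONNECTED(00000003)
error:0A000410:SSL routines::sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh tls-check.sh <server> <port>   (no arguments: grade the samples)
if [ $# -ge 2 ]; then
    probe "$1" "$2"
else
    for s in "$SAMPLE_OK" "$SAMPLE_OLD_PROTOCOL" "$SAMPLE_WEAK_CIPHER" "$SAMPLE_REFUSED"; do
        judge_tls "$s" || true
    done
fi
```

To see what the SSLCipherSuite string expands to on the server's own OpenSSL, run openssl ciphers -v with that string on the server; the TLS 1.2 names it lists are the ones judge_tls accepts.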
Stop Redwood Platform and adapt the default connector: add redirectPort, set to the port of the HTTPS connector you added above, and leave the other attributes of the existing connector as they are:
<Connector port="10180" protocol="org.apache.coyote.http11.Http11Protocol"
           redirectPort="<port>"
           URIEncoding="UTF-8" compression="2048"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css" maxThreads="150"
           connectionTimeout="20000" keepAliveTimeout="90000"/>
redirectPort is where Tomcat sends a client that requests a CONFIDENTIAL resource over plain HTTP (see the web.xml change below). Its default is 443, which only works if the HTTPS connector actually listens on 443 or a front end maps 443 to it.
Adapt web.xml
A security constraint and an HTTP header filter need to be added to <install_dir>/j2ee/cluster/server<n>/conf/web.xml, immediately before the closing </web-app> tag, that is, after the <welcome-file-list> block. The lines to add are between <!-- Start of change --> and <!-- End of change -->:
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!-- Start of change -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>twx-portal</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<!--The mapping for the HTTP header security Filter-->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- End of change -->
</web-app>
The security constraint with transport-guarantee CONFIDENTIAL makes Tomcat redirect every plain-HTTP request for the application to the redirectPort of the connector it arrived on, so redirectPort must point at the HTTPS connector. The filter adds Strict-Transport-Security (HSTS) and X-Frame-Options headers to every response. Two caveats before enabling it: hstsIncludeSubDomains makes browsers require HTTPS for every subdomain of the server's host name as well, so set it to false if other hosts under that domain still serve plain HTTP; and once browsers have cached the header (hstsMaxAgeSeconds is one year here) they refuse plain HTTP to this host for that long, so enable HSTS only after the HTTPS connector has been confirmed to work.
Protecting Cookies
You add the Secure flag to the session cookie by adding or amending the <cookie-config> element inside <session-config> in <install_dir>/j2ee/cluster/server<n>/conf/web.xml. Locate the <session-config> element in web.xml:
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
Then add or amend the <cookie-config> tag as follows:
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
With the Secure flag set, browsers send the session cookie over HTTPS only, so the session cannot be exposed on the plain connector even by a client that ignores the redirect.
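The web.xml changes above (the CONFIDENTIAL constraint together with redirectPort, the header filter, and the Secure cookie flag) are easy to get subtly wrong, and none of them is visible in the s_client test. The script below, added here as an example and not part of the Redwood documentation, checks them on the wire: a plain-HTTP request must be answered with a redirect to an https:// URL, and an HTTPS response must carry Strict-Transport-Security, X-Frame-Options SAMEORIGIN or DENY, and, when it sets a session cookie, the Secure attribute. The URLs are assumed placeholders and the HTTP responses embedded at the end are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not Redwood's code): verify redirect-to-HTTPS and the security
# headers configured in web.xml. Assumed placeholders: the two URLs; the
# sample responses at the end are constructed.

# header_value RESPONSE NAME: first value of header NAME, case-insensitive, CR stripped.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*: *//'
}

# check_redirect RESPONSE
# The answer to a plain-HTTP request must be a 3xx whose Location is https://.
check_redirect() {
    status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}')
    loc=$(header_value "$1" Location)
    case "$status" in
        301|302|303|307|308) ;;
        *) echo "FAIL expected a redirect, got status ${status:-none}"; return 1 ;;
    esac
    case "$loc" in
        https://*) echo "ok   plain HTTP redirects to $loc"; return 0 ;;
        *) echo "FAIL redirect target is not https: ${loc:-none}"; return 1 ;;
    esac
}

# check_headers RESPONSE
# HSTS with a max-age, X-Frame-Options SAMEORIGIN or DENY and, if a cookie is
# set, its Secure attribute. Returns 0 only if every check passes.
check_headers() {
    rc=0
    hsts=$(header_value "$1" Strict-Transport-Security)
    case "$hsts" in
        *max-age=[0-9]*) echo "ok   Strict-Transport-Security: $hsts" ;;
        *) echo "FAIL Strict-Transport-Security missing"; rc=1 ;;
    esac
    xfo=$(header_value "$1" X-Frame-Options)
    case "$xfo" in
        SAMEORIGIN|DENY) echo "ok   X-Frame-Options: $xfo" ;;
        *) echo "FAIL X-Frame-Options missing or weak: ${xfo:-none}"; rc=1 ;;
    esac
    cookie=$(header_value "$1" Set-Cookie)
    if [ -z "$cookie" ]; then
        echo "skip no Set-Cookie in this response; request a page that starts a session"
    elif printf '%s\n' "$cookie" | tr ';' '\n' | sed 's/^ *//' | grep -qi '^secure$'; then
        echo "ok   session cookie has Secure: $cookie"
    else
        echo "FAIL session cookie lacks Secure: $cookie"; rc=1
    fi
    return $rc
}

# probe HTTP_URL HTTPS_URL
# Fetch only the response headers with curl and run both checks. For a
# self-signed test certificate add --cacert <cert_file> to the second call
# rather than -k, so the check does not silently skip certificate verification.
probe() {
    check_redirect "$(curl -sS -o /dev/null -D - "$1")"
    check_headers "$(curl -sS -o /dev/null -D - "$2")"
}

# Constructed responses (not captured from a real server).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://pr1.example.com:53000/redwood/
Content-Length: 0'
SAMPLE_HARDENED='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=1A2B3C; Path=/redwood; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8'
SAMPLE_UNHARDENED='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=1A2B3C; Path=/redwood; HttpOnly
Content-Type: text/html;charset=UTF-8'

# Usage: sh header-check.sh http://<server>:10180/redwood https://<server>:<port>/redwood
if [ $# -ge 2 ]; then
    probe "$1" "$2"
else
    check_redirect "$SAMPLE_REDIRECT" || true
    check_headers "$SAMPLE_HARDENED" || true
    check_headers "$SAMPLE_UNHARDENED" || true
fi
```

Run it against the login page: the session cookie is only set on a response that starts a session, so a static resource gives the skip line rather than a verdict on the cookie.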
Update the ContextURL registry entry
- Navigate to Configuration > Registry.
- Expand configuration and locate ContextURL.
- Specify the URL with the FQDN, a name that all clients will be able to resolve, and ensure the port is the port of the HTTPS connector and is not blocked by any firewall. The host name must match the CN (or subjectAltName) of the certificate, otherwise clients reject the connection. For example:
https://pr1.example.com:53000/redwood
- Start Redwood Platform again.
Issue the following command to start Redwood Platform:
UNIX
<install_dir>/j2ee/cluster/server<n>/bin/start.sh
Windows
<install_dir>\j2ee\cluster\server<n>\bin\start.cmd
See Also
- HTTP/HTTPS Connector Configuration
- SSL/TLS Configuration HOW-TO
- Configuring the HTTP or HTTPS Interface of Redwood Platform