Part II: Setting up Apache, Tomcat, and mod_jk on RHEL4

After managing to get Tomcat5.5 working with Apache2 using mod_jk, my next venture was to enable SSL using a self-signed certificate in Tomcat. This proved to be quite a task.

The system I’m setting up is running RedHat Enterprise Linux 4.4. I installed all the official RedHat RPMs to get Tomcat and Apache talking together with mod_jk (see Part I of this tutorial).

After 4 days of banging my head on my keyboard, I noticed that when I would run:

# java -version

It spit out this:

Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20061002a (SR3) )
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32 j9vmxi3223-20061001 (JIT enabled)
J9VM - 20060915_08260_lHdSMR
JIT - 20060908_1811_r8
GC - 20060906_AA)
JCL - 20061002

This let me know that I am supposed to be using IBM’s version of Java, which apparently is the default on my RedHat system, not Sun’s version. I think somewhere along the way I downloaded Sun’s JVM, and I assumed that I was supposed to be using its keytool to generate an SSL certificate for Tomcat, but such is not the case. This caused me much confusion, but here’s how I ended up fixing it:

1. Generate Keystore file
(NOTE: all of this assumes you already have Apache configured with SSL. I used OpenSSL, which I don’t go into here, but there are loads of resources online for you, and it’s relatively easy to do).

Assuming you have the default RedHat java rpm already installed, run this:

# /usr/lib/jvm/java-1.5.0-ibm-1.5.0.3/jre/bin/keytool -genkey -alias tomcat -keyalg RSA

NOTE: I used Tomcat’s default password of ‘changeit’ when prompted.

The keystore file gets dropped in the home directory of whatever user you are logged in as. I was root, so I then moved the keystore file to the tomcat home directory:

# mv /root/.keystore /etc/tomcat5/
# chown tomcat.tomcat /etc/tomcat5/.keystore

2. Next you have to edit Tomcat’s server.xml file

# nano /etc/tomcat5/server.xml

Uncomment the SSL connector and set it up like so:

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!-- Element names in server.xml are case-sensitive: it must be "Connector", not "connector" -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" algorithm="IbmX509" sslProtocol="SSL"
           keystoreFile="/etc/tomcat5/.keystore"
           keystorePass="changeit" />

Note that I added algorithm="IbmX509" and I changed sslProtocol="TLS" to sslProtocol="SSL". This is necessary to get things working with IBM’s JVM.

3. Restart everything

# service tomcat5 stop
# service tomcat5 start
# apachectl restart

If you were following along from my last article, then browse to:

https://yoursite.com:8443/hello.jsp

If all went well, you should see the hello.jsp page showing you the system time!
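Since server.xml now holds keystorePass in the clear and the keystore was only chown'ed (not chmod'ed) in step 1, here is a small check script to run before restarting. It is an added example, not part of the original article; it assumes a Linux host with GNU stat, and the function name check_tomcat_keystore and the expected-owner argument are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the keystore named in
# Tomcat's server.xml exists, belongs to the expected user, and is not readable by
# group or others, and that server.xml (which contains keystorePass) is not
# world-readable. Assumes GNU stat. Prints each failed check; returns 0 only if all pass.
# Usage: check_tomcat_keystore /etc/tomcat5/server.xml tomcat
check_tomcat_keystore() {
    server_xml="$1"
    expected_owner="$2"
    rc=0

    # Tomcat element names are case-sensitive: "<connector" would not be recognized.
    if ! grep -q '<Connector' "$server_xml"; then
        echo "no <Connector element in $server_xml (check capitalization)"
        rc=1
    fi

    # Pull the keystoreFile path out of the SSL Connector element.
    ks=$(sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$server_xml" | head -n 1)
    if [ -z "$ks" ]; then
        echo "no keystoreFile attribute found in $server_xml"
        return 1
    fi
    if [ ! -f "$ks" ]; then
        echo "keystore $ks does not exist"
        return 1
    fi

    owner=$(stat -c '%U' "$ks")
    mode=$(stat -c '%a' "$ks")
    if [ "$owner" != "$expected_owner" ]; then
        echo "keystore $ks is owned by $owner, expected $expected_owner"
        rc=1
    fi
    # Any group/other permission bits (e.g. 644) fail; 600 or 400 pass.
    case "$mode" in
        *00) ;;
        *) echo "keystore $ks has mode $mode; should be 600"; rc=1 ;;
    esac

    # server.xml carries the keystore password, so "other" must have no access.
    sx_mode=$(stat -c '%a' "$server_xml")
    case "$sx_mode" in
        *[1-7]) echo "$server_xml is accessible to other users (mode $sx_mode)"; rc=1 ;;
    esac
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_tomcat_keystore "$1" "$2"
fi
```

Run it as root after step 1 with `tomcat` as the owner argument; it exits non-zero and names each failed check.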

About Will Chatham

Will Chatham is a Cyber Security Analyst, Ethical Hacker, and Penetration Tester at a federal data center in Asheville, NC. Since Netscape 2.0, he has worked in a wide array of environments including non-profit, corporate, small business, and government. His varied background, from developer to search engine optimizer to security professional, has helped him build a wide range of skills that help those with whom he works and teaches.