Tomcat WebVoyáge
Apache SSL Configuration
With Voyager 7, Ex Libris began distributing an SSL-enabled Apache instance. My original understanding was that the official support policy is that they distribute the SSL-enabled Apache software, but that it is the customer's responsibility to configure it. However, it's possible that Ex Libris can do (or has done) some or all of the configuration for you.
This tutorial assumes you have already generated a key and a certificate signing request and have received your certificate from the Certificate Authority. For testing purposes, you can generate your own self-signed certificate.
Important Caveat
I am *not* in any way an expert on security, encryption, Apache, or SSL. This tutorial is very much a seat-of-the-pants implementation. It is IMPORTANT that you read all the pertinent Apache mod_ssl documentation to ensure that you are not creating any security vulnerabilities.
Use this information at your own risk.
Configuration "How To"
The following steps will require root access.
In the commands and paths below, xxxdb stands for your database name.
Create a directory for the SSL key and certificate:
    cd /m1/shared/apache2/conf/
    mkdir ssl
    chmod 700 ssl
    cp /path-to/ur_private_key.key /m1/shared/apache2/conf/ssl
    cp /path-to/ur_certificate.crt /m1/shared/apache2/conf/ssl
Ex Libris will likely leave the mod_ssl module config file with
an uppercase file extension to prevent it from loading:
    /m1/shared/apache2/conf/modules.conf/mod_ssl.CONF
The expectation is that you will review and edit that file
as needed, and will then rename it thus:
    mv mod_ssl.CONF mod_ssl.conf
Note: I didn't make any changes to that file; however,
because some of the directives referenced a
/var/cache/apache2 path, I created that directory.
Create an SSL httpd config file:
    cd /m1/shared/apache2/conf/ConfiguredVirtualHosts/
    touch xxxdb_ssl_httpd.conf
Put your SSL directives in the SSL httpd config file:
    vi xxxdb_ssl_httpd.conf
These directives seemed to work for us:
    [see xxxdb_ssl_httpd.conf below]
Note: For conciseness, I've stripped out most
of the comments in the xxxdb_ssl_httpd.conf file
listed below as well as some optional directives.
Again, it's important that you consult the
Apache mod_ssl documentation. This example file
is only provided as a bare-bones illustration.
Create a symbolic link in the ActivatedVirtualHosts directory:
    cd /m1/shared/apache2/conf/ActivatedVirtualHosts
    ln -s ../ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf .
Check your configuration:
    /m1/shared/apache2/bin/apachectl -t
If it checks out okay, restart Apache in order for the
configuration change to take effect:
    /m1/shared/apache2/bin/apachectl restart
Check to see if it actually works...
If you have problems, check the Apache logs.
xxxdb_ssl_httpd.conf
Listen 443
<VirtualHost *:443>
    ServerName ur_server.ur_domain.edu
    DocumentRoot "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs"
    Alias /vwebv/ui/ "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/ui/"
    Include conf/ConfiguredVirtualHosts/xxxdb.jkmounts.conf
    <Directory /m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs>
        AllowOverride All
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    # SSL Engine Switch: Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Server Certificate:
    SSLCertificateFile /m1/shared/apache2/conf/ssl/ur_certificate.crt
    # Server Private Key:
    SSLCertificateKeyFile /m1/shared/apache2/conf/ssl/ur_private_key.key
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /m1/shared/apache2/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
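The SSLCipherSuite string in the file above starts from ALL and also names RC4, LOW, SSLv2, EXP and eNULL without excluding them. The shell function below is an added example, not part of the original tutorial: it lints a virtual-host file for such tokens. The function name audit_ciphers and its list of weak class names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original tutorial; audit_ciphers and the
# WEAK_CLASSES list are assumptions made for this sketch. It is a token-level
# lint only: run  openssl ciphers -v '<string>'  on the server to see what
# the string expands to with that host's OpenSSL build.

WEAK_CLASSES="NULL eNULL aNULL ADH EXP EXPORT LOW SSLv2 RC4 MD5 DES"

# Usage: audit_ciphers <vhost.conf>
# Prints "FLAG: <token>" for each token that permits a weak class.
# Returns 0 if clean, 1 if anything was flagged, 2 if no directive is found.
audit_ciphers() {
    # Value of the first uncommented SSLCipherSuite directive.
    suite=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*//p' "$1" | head -n 1)
    [ -n "$suite" ] || { echo "no SSLCipherSuite in $1" >&2; return 2; }
    rc=0
    # Split on ":" with globbing off, then restore the shell state.
    set -f; old_ifs=$IFS; IFS=:
    set -- $suite
    IFS=$old_ifs; set +f
    for tok in "$@"; do
        case $tok in
            '!'*|-*) continue ;;                       # exclusions are fine
            ALL) echo "FLAG: $tok"; rc=1; continue ;;  # all suites except eNULL
        esac
        name=${tok#+}      # "+X" only reorders X; it does not remove it
        for weak in $WEAK_CLASSES; do
            case $name in
                "$weak"|"$weak"+*|*+"$weak")
                    echo "FLAG: $tok"; rc=1; break ;;
            esac
        done
    done
    return $rc
}

# Run against a file when one is given on the command line.
if [ $# -gt 0 ]; then audit_ciphers "$1"; fi
```

Run against the xxxdb_ssl_httpd.conf shown above, it flags ALL, RC4+RSA, +LOW, +SSLv2, +EXP and +eNULL; a string such as HIGH:!aNULL:!MD5 produces no flags.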