
Tomcat WebVoyáge

Apache SSL Configuration

With Voyager 7, Ex Libris has begun distributing an SSL-enabled Apache instance. However, they leave SSL configuration up to the customer.

This tutorial assumes you have already generated a key and a certificate signing request and have received your certificate from the Certificate Authority. For testing purposes, you can generate your own self-signed certificate.

Important Caveat

I am *not* in any way an expert on security, encryption, Apache, or SSL. This tutorial is very much a seat-of-the-pants implementation. It is IMPORTANT that you read all the pertinent Apache mod_ssl documentation to ensure that you are not creating any security vulnerabilities.

Use this information at your own risk.

Configuration "How To"

  The following steps will require root access.
  xxxdb == your db name

  Create a directory for the SSL key and certificate:
    cd /m1/shared/apache2/conf/
    mkdir ssl
    chmod 700 ssl
    cp  /path-to/ur_private_key.key  /m1/shared/apache2/conf/ssl
    cp  /path-to/ur_certificate.crt  /m1/shared/apache2/conf/ssl

  Ex Libris will likely leave the mod_ssl module config file with 
  an uppercase file extension to prevent it loading:
    /m1/shared/apache2/conf/modules.conf/mod_ssl.CONF
  The expectation is that you will review and edit that file
  as needed, and will then rename it thus:
    mv  mod_ssl.CONF  mod_ssl.conf

        Note: I didn't make any changes to that file; however,
        because some of the directives referenced a
        /var/cache/apache2 path, I created that directory.

  Create an SSL httpd config file:
    cd /m1/shared/apache2/conf/ConfiguredVirtualHosts/
    touch xxxdb_ssl_httpd.conf

  Put your SSL directives in the ssl httpd config file:
    vi xxxdb_ssl_httpd.conf

  These directives seemed to work for us:
   [see xxxdb_ssl_httpd.conf below]

        Note: For conciseness, I've stripped out most
        of the comments in the xxxdb_ssl_httpd.conf file
        listed below as well as some optional directives.
        Again, it's important that you consult the
        Apache mod_ssl documentation.  This example file
        is only provided as a bare-bones illustration.

  Create a symbolic link in the ActivatedVirtualHosts directory:
    cd /m1/shared/apache2/conf/ActivatedVirtualHosts
    ln -s ../ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf .

  Check your configuration:
    /m1/shared/apache2/bin/apachectl -t

  If it checks out okay, restart Apache in order for the 
  configuration change to take effect.
    /m1/shared/apache2/bin/apachectl restart 

  Check to see if it actually works...

  If you have problems, check the Apache logs. 

xxxdb_ssl_httpd.conf

Listen 443

<VirtualHost *:443>

    ServerName ur_server.ur_domain.edu
    DocumentRoot "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs"

    Alias /vwebv/ui/ "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/ui/"

    Include conf/ConfiguredVirtualHosts/xxxdb.jkmounts.conf

    <Directory /m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs>
      AllowOverride All
      Options FollowSymLinks
      Order allow,deny
      Allow from all
    </Directory>

#   SSL Engine Switch:  Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
SSLCertificateFile /m1/shared/apache2/conf/ssl/ur_certificate.crt

#   Server Private Key:
SSLCertificateKeyFile /m1/shared/apache2/conf/ssl/ur_private_key.key

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /m1/shared/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
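Added example, not part of the original post and not Ex Libris tooling: a small POSIX sh audit to run over xxxdb_ssl_httpd.conf before the apachectl -t / restart steps. It flags the cipher-string families the sample file above turns on (+LOW, +SSLv2, +EXP, +eNULL and RC4+RSA), an unset or permissive SSLProtocol, and a private key whose file mode lets group or others read it. The function names and the pass/fail rules are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit xxxdb_ssl_httpd.conf
# before "apachectl restart" for weak cipher families, an unset/permissive
# SSLProtocol, and a private key that group or others can read.

# First value of a directive in a config file (exact-case name match).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*//p" "$2" | head -n 1
}
# Report SSLCipherSuite tokens that enable null, export, low, RC4, anonymous
# or SSLv2 suites. A leading '!' removes a family for good, so those pass.
audit_cipher_suite() {
    suite=$(directive SSLCipherSuite "$1")
    [ -n "$suite" ] || { echo "FAIL: no SSLCipherSuite in $1"; return 1; }
    bad=0
    for tok in $(printf '%s' "$suite" | tr ':' ' '); do
        case "$tok" in
            "!"*) ;;
            *eNULL*|*aNULL*|*ADH*|*EXP*|*LOW*|*RC4*|*SSLv2*)
                echo "FAIL: cipher token enables a weak family: $tok"; bad=1 ;;
        esac
    done
    return $bad
}
# SSLProtocol unset means "all", i.e. SSLv2/SSLv3 wherever the build has them.
audit_protocol() {
    proto=$(directive SSLProtocol "$1")
    case "$proto" in
        *-SSLv2*-SSLv3*|*-SSLv3*-SSLv2*) return 0 ;;    # e.g. "all -SSLv2 -SSLv3"
        "") echo "FAIL: SSLProtocol unset (defaults to all)"; return 1 ;;
        *all*|*SSLv*) echo "FAIL: SSLProtocol permits SSLv2/SSLv3: $proto"; return 1 ;;
        *) return 0 ;;                                   # explicit TLS-only list
    esac
}
# The key file itself must carry no group/other bits, not just its directory.
audit_key_perms() {
    key=$(directive SSLCertificateKeyFile "$1")
    [ -f "$key" ] || { echo "FAIL: key file not found: $key"; return 1; }
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] && return 0
    echo "FAIL: $key is readable by group/others"; return 1
}
# Run every check; returns 1 if any failed. Only then go on to apachectl -t.
audit_ssl_conf() {
    rc=0
    audit_cipher_suite "$1" || rc=1
    audit_protocol "$1" || rc=1
    audit_key_perms "$1" || rc=1
    return $rc
}
```

Call it as `audit_ssl_conf /m1/shared/apache2/conf/ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf` as root, since the key directory is mode 700.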