Tomcat WebVoyáge
Apache SSL Configuration
With Voyager 7, Ex Libris has begun distributing an SSL-enabled Apache instance. However, they leave SSL configuration up to the customer.
This tutorial assumes you have already generated a key and a certificate signing request and have received your certificate from the Certificate Authority. For testing purposes, you can generate your own self-signed certificate.
Important Caveat
I am *not* in any way an expert on security, encryption, Apache, or SSL. This tutorial is very much a seat-of-the-pants implementation. It is IMPORTANT that you read all the pertinent Apache mod_ssl documentation to ensure that you are not creating any security vulnerabilities.
Use this information at your own risk.
Configuration "How To"
The following steps will require root access.
In the commands and paths below, xxxdb stands for your database name.
Create a directory for the SSL key and certificate:
cd /m1/shared/apache2/conf/
mkdir ssl
chmod 700 ssl
cp /path-to/ur_private_key.key /m1/shared/apache2/conf/ssl
cp /path-to/ur_certificate.crt /m1/shared/apache2/conf/ssl
Ex Libris will likely leave the mod_ssl module config file with
an uppercase file extension to prevent it loading:
/m1/shared/apache2/conf/modules.conf/mod_ssl.CONF
The expectation is that you will review and edit that file
as needed, and will then rename it thus:
mv /m1/shared/apache2/conf/modules.conf/mod_ssl.CONF /m1/shared/apache2/conf/modules.conf/mod_ssl.conf
Note: I didn't make any changes to that file; however,
because some of the directives referenced a
/var/cache/apache2 path, I created that directory.
Create an SSL httpd config file:
cd /m1/shared/apache2/conf/ConfiguredVirtualHosts/
touch xxxdb_ssl_httpd.conf
Put your SSL directives in the ssl httpd config file:
vi xxxdb_ssl_httpd.conf
These directives seemed to work for us:
[see xxxdb_ssl_httpd.conf below]
Note: For conciseness, I've stripped out most
of the comments in the xxxdb_ssl_httpd.conf file
listed below as well as some optional directives.
Again, it's important that you consult the
Apache mod_ssl documentation. This example file
is only provided as a bare-bones illustration.
Create a symbolic link in the ActivatedVirtualHosts directory:
cd /m1/shared/apache2/conf/ActivatedVirtualHosts
ln -s ../ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf .
Check your configuration:
/m1/shared/apache2/bin/apachectl -t
If it checks out okay, restart Apache in order for the
configuration change to take effect.
/m1/shared/apache2/bin/apachectl restart
Check to see if it actually works...
If you have problems, check the Apache logs.
xxxdb_ssl_httpd.conf
Listen 443
<VirtualHost *:443>
    ServerName ur_server.ur_domain.edu
    DocumentRoot "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs"
    Alias /vwebv/ui/ "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/ui/"
    Include conf/ConfiguredVirtualHosts/xxxdb.jkmounts.conf
    <Directory /m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs>
        AllowOverride All
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    # SSL Engine Switch: Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Cipher list: ALL with only ADH and EXPORT56 excluded leaves LOW, SSLv2 and
    # the remaining EXPORT ciphers selectable; "+X" only moves X to the end of
    # the preference order, it does not remove it.
    SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # Server Certificate:
    SSLCertificateFile /m1/shared/apache2/conf/ssl/ur_certificate.crt
    # Server Private Key:
    SSLCertificateKeyFile /m1/shared/apache2/conf/ssl/ur_private_key.key
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /m1/shared/apache2/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
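
The SSLCipherSuite string in xxxdb_ssl_httpd.conf can be linted before Apache is restarted. The shell script below is an added example, not part of the original tutorial or of the Ex Libris distribution; the function names, the FLAGGED keyword list and the stricter comparison string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keyword lint for a mod_ssl SSLCipherSuite string.
# It does not expand the string the way OpenSSL does; it reports selectors
# that keep weak ciphers enabled.

# ALL is flagged because it pulls in LOW and EXPORT ciphers unless each class
# is excluded; the rest are weak classes in OpenSSL cipher-list syntax.
FLAGGED="ALL aNULL ADH eNULL NULL EXP EXPORT EXPORT40 EXPORT56 LOW SSLv2 RC4 MD5 DES"

# lint_cipher_string STRING: print flagged selectors, space separated.
# "!X" and "-X" tokens remove ciphers, so they are skipped. "+X" only moves X
# to the end of the list and "A+B" means A and B together, so each part of
# those tokens is checked.
lint_cipher_string() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!-]' | tr '+' '\n' |
    while read -r part; do
        [ -n "$part" ] || continue
        case " $FLAGGED " in
            *" $part "*) printf '%s ' "$part" ;;
        esac
    done | sed 's/ $//'
}

# lint_vhost_file FILE: lint the first SSLCipherSuite directive found in FILE
# (assumes the directive is spelled in this case and sits on one line).
lint_vhost_file() {
    suite=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]][[:space:]]*//p' "$1" | head -n 1)
    lint_cipher_string "$suite"
}

# The cipher string from the tutorial's xxxdb_ssl_httpd.conf.
PAGE_SUITE='ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
# A stricter string (an assumption; check it against your OpenSSL build).
STRICT_SUITE='HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5'

echo "page:   $(lint_cipher_string "$PAGE_SUITE")"
echo "strict: $(lint_cipher_string "$STRICT_SUITE")"
```

A non-empty result means the string still names a broad or weak selector. The effective list depends on the OpenSSL build Apache is linked against and can be confirmed with openssl ciphers -v followed by the quoted string.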