
Tomcat WebVoyáge

Apache SSL Configuration

With Voyager 7, Ex Libris began distributing an SSL-enabled Apache instance. My original understanding of the official support policy was that Ex Libris distributes the SSL-enabled Apache software but that configuring it is the customer's responsibility. However, it is possible that Ex Libris can do (or has already done) some or all of the configuration for you.

This tutorial assumes you have already generated a key and a certificate signing request and have received your certificate from the Certificate Authority. For testing purposes, you can generate your own self-signed certificate.

Important Caveat

I am *not* in any way an expert on security, encryption, Apache, or SSL. This tutorial is very much a seat-of-the-pants implementation. It is IMPORTANT that you read all the pertinent Apache mod_ssl documentation to ensure that you are not creating any security vulnerabilities.

Use this information at your own risk.

Configuration "How To"

  The following steps will require root access.
  xxxdb == your db name

  Create a directory for the SSL key and certificate:
    cd /m1/shared/apache2/conf/
    mkdir ssl
    chmod 700 ssl
    cp  /path-to/ur_private_key.key  /m1/shared/apache2/conf/ssl
    cp  /path-to/ur_certificate.crt  /m1/shared/apache2/conf/ssl

        Note: The private key must stay owned by root and readable
        only by root.  Apache reads it as root at startup, before it
        drops privileges, so nothing else needs access to it.  The
        certificate itself is public and can be world-readable.

  Ex Libris will likely leave the mod_ssl module config file with 
  an uppercase file extension to prevent it loading:
    /m1/shared/apache2/conf/modules.conf/mod_ssl.CONF
  The expectation is that you will review and edit that file
  as needed, and will then rename it thus:
    mv  mod_ssl.CONF  mod_ssl.conf

        Note: I didn't make any changes to that file; however,
        because some of the directives referenced a
        /var/cache/apache2 path, I created that directory.

  Create an SSL httpd config file:
    cd /m1/shared/apache2/conf/ConfiguredVirtualHosts/
    touch xxxdb_ssl_httpd.conf

  Put your SSL directives in the ssl httpd config file:
    vi xxxdb_ssl_httpd.conf

  These directives seemed to work for us:
   [see xxxdb_ssl_httpd.conf below]

        Note: For conciseness, I've stripped out most
        of the comments in the xxxdb_ssl_httpd.conf file
        listed below as well as some optional directives.
        Again, it's important that you consult the
        Apache mod_ssl documentation.  This example file
        is only provided as a bare-bones illustration.

  Create a symbolic link in the ActivatedVirtualHosts directory:
    cd /m1/shared/apache2/conf/ActivatedVirtualHosts
    ln -s ../ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf .

  Check your configuration:
    /m1/shared/apache2/bin/apachectl -t

  If it checks out okay, restart Apache in order for the
  configuration change to take effect.
    /m1/shared/apache2/bin/apachectl restart

        Note: If the private key is passphrase-protected, Apache
        will prompt for the passphrase at startup; see the
        SSLPassPhraseDialog directive in the mod_ssl documentation.

  Check to see if it actually works: open https://ur_server.ur_domain.edu/
  in a browser and confirm that the certificate presented is yours
  (the right host name, issued by your CA, not expired).  Each
  successful request is also written to the ssl_request_log defined
  in the config file below, including the protocol and cipher that
  were negotiated, so you can see there whether clients are really
  getting strong ciphers.

  If you have problems, check the Apache logs: the error log for
  startup failures (a key that does not match the certificate, or a
  file Apache cannot read, will be reported there) and the
  ssl_request_log for handshakes that did complete.

xxxdb_ssl_httpd.conf

Listen 443

<VirtualHost *:443>

    ServerName ur_server.ur_domain.edu
    DocumentRoot "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs"

    Alias /vwebv/ui/ "/m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/ui/"

    Include conf/ConfiguredVirtualHosts/xxxdb.jkmounts.conf

    <Directory /m1/voyager/xxxdb/tomcat/vwebv/context/vwebv/htdocs>
      AllowOverride All
      Options FollowSymLinks
      Order allow,deny
      Allow from all
    </Directory>

#   SSL Engine Switch:  Enable/Disable SSL for this virtual host.
SSLEngine on

#   Cipher Suite: this is a variant of the stock example string that ships
#   with Apache 2.x.  It still admits LOW, EXP (export-grade) and SSLv2
#   suites, and because no SSLProtocol directive is set, the server will
#   also accept SSLv2 if the OpenSSL build supports it.  Replace it with a
#   current cipher list and add an SSLProtocol line per the mod_ssl docs.
SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
SSLCertificateFile /m1/shared/apache2/conf/ssl/ur_certificate.crt

#   Server Private Key:
SSLCertificateKeyFile /m1/shared/apache2/conf/ssl/ur_private_key.key

#   Legacy workaround for SSL bugs in old Internet Explorer versions, carried
#   over from the stock example config; not needed for current browsers.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /m1/shared/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
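Added example (not from the original page, and not Ex Libris's code): a set of POSIX shell helpers covering both the "Configuration How To" steps and the xxxdb_ssl_httpd.conf listing above. install_ssl_material puts the key and certificate in place with root-only permissions on the key, key_matches_cert checks that the key actually belongs to the certificate before Apache is restarted, audit_cipher_string and audit_vhost_config flag the weak cipher string and the missing SSLProtocol directive in the listing, and write_ssl_vhost emits the same vhost with those two things fixed. Every path is a parameter, so nothing here touches /m1/shared unless you pass that path in. The function names, the temporary-file handling, and the hardened directive values (SSLProtocol all -SSLv2 -SSLv3, SSLHonorCipherOrder on, a HIGH-only cipher list) are my choices, not something the page specifies; the hardened directives require Apache 2.2 or later, and an RSA key is assumed.

```shell
# Added example, not from the original page or from Ex Libris: POSIX sh helpers
# for the steps above. Every path is a parameter, so nothing touches /m1/shared
# unless you pass it in. Assumes an RSA key and Apache 2.2 directive syntax.

# Install key and certificate: directory 0700, key 0600, certificate 0644.
# Run as root on the server so the files are root-owned; Apache reads the key
# as root at startup, before dropping privileges.
install_ssl_material() {
    key="$1"; crt="$2"; dest="$3"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    cp "$key" "$dest/" && chmod 600 "$dest/$(basename "$key")" || return 1
    cp "$crt" "$dest/" && chmod 644 "$dest/$(basename "$crt")" || return 1
}

# Self-signed key/cert pair for testing, as the page suggests.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# Confirm the private key belongs to the certificate by comparing RSA moduli;
# a mismatch passes "apachectl -t" but makes Apache fail at startup.
# Returns 0 on match, 1 on mismatch, 2 if openssl or a file is unavailable.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Audit an OpenSSL cipher-list string. Tokens are ':'-separated; a '!' prefix
# removes a group permanently and '-' removes it for now, so those are skipped.
# A '+' prefix only reorders suites already selected, but '+LOW', '+EXP' and
# '+SSLv2' are the signature of the stock Apache 2.x example string, so they
# are reported too. Prints the offending keywords and returns 1 if any exist.
audit_cipher_string() {
    found=""; saved_ifs=$IFS
    IFS=:
    for tok in $1; do
        IFS=$saved_ifs
        case "$tok" in
            '!'*|-*) continue ;;
            +*) tok=${tok#+} ;;
        esac
        IFS=+                          # "RC4+RSA" means RC4 AND RSA
        for part in $tok; do
            case " LOW EXP EXPORT40 SSLv2 SSLv3 eNULL aNULL ADH RC4 MD5 DES " in
                *" $part "*) found="$found $part" ;;
            esac
        done
        IFS=$saved_ifs
    done
    found=${found# }
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Audit a vhost file: SSLEngine must be on, SSLProtocol must be set explicitly
# (the old mod_ssl default of "all" included SSLv2), cipher string must be clean.
audit_vhost_config() {
    f="$1"
    grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" || { echo "SSLEngine not on"; return 1; }
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]' "$f" || { echo "SSLProtocol not set"; return 1; }
    cs=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$f")
    [ -n "$cs" ] || { echo "SSLCipherSuite not set"; return 1; }
    audit_cipher_string "$cs"
}

# Write the page's vhost with the SSL directives hardened: SSLv2/SSLv3 off,
# server-side cipher order, HIGH-only suites instead of the stock string.
# $1 db name, $2 ServerName, $3 certificate path, $4 key path, $5 output file.
write_ssl_vhost() {
    cat >"$5" <<EOF
Listen 443
<VirtualHost *:443>
    ServerName $2
    DocumentRoot "/m1/voyager/$1/tomcat/vwebv/context/vwebv/htdocs"
    Alias /vwebv/ui/ "/m1/voyager/$1/tomcat/vwebv/context/vwebv/ui/"
    Include conf/ConfiguredVirtualHosts/$1.jkmounts.conf
    <Directory /m1/voyager/$1/tomcat/vwebv/context/vwebv/htdocs>
        AllowOverride All
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXP:!LOW
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    CustomLog /m1/shared/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\"%r\\" %b"
</VirtualHost>
EOF
}
```

On the server, source the file and run the steps in order: install_ssl_material with your key, certificate and /m1/shared/apache2/conf/ssl; key_matches_cert on the two copied files; write_ssl_vhost with your db name, ServerName and the two paths, writing to conf/ConfiguredVirtualHosts/xxxdb_ssl_httpd.conf; then the symlink, apachectl -t and restart as above. Running audit_cipher_string on the cipher string from the listing above reports RC4 LOW SSLv2 EXP eNULL, which is the reason the hardened vhost uses a different one.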