Transfer SSL Certificate from Tomcat to Apache

After Setup Tomcat with Apache Web Server in Linux, you might want to transfer the SSL certificate from Apache Tomcat Server to Apache Web Server.

1. Convert Tomcat SSL Certificate to Apache Web Server SSL Certificate:
   • keytool -importkeystore -scrkeystore [tomcat key file] -destkeystore [new p12 key file] -srcstoretype jks -deststoretype pkcs12
   • openssl pkcs12 -in [new p12 key file] -out [new pem file]
   • openssl x509 -text -in [new pem file]
   • (command above will show some text, copy the certificate portion and paste to a new certificate file)
2. [Optional] Convert the certificate to run without password
   • openssl rsa -in [new pem file] -out [no password pem file]
   • openssl x509 -text -in [no password pem file]
   • (same as step 1, copy the certificate portion and paste to a new certificate file)
3. Edit httpd.conf:
   • uncomment “Inlucde conf/extra/httpd-ssl.conf”
   • enable mod_ssl
   • enable mod_socache_shmcb
4. Edit httpd-ssl.conf:
   • SSLCertificateFile [certificate file location]
   • SSLCertificateKeyFile [pem file location]
   • add JkMount /[SSL Web] balancer

Setup Tomcat with Apache Web Server in Linux

Tutorial below show how to setup Apache Tomcat as back-end and Apache Web Server as front-end at your Web Server. In this way user can run both PHP and JSP in one single server without setting up different ports, and also make use of the advantage of Apache Web Server Modules like Mod Security. All the installation files mentioned below are in source code format, however you may also install using respective Linux package manager.

(This tutorial is assumed Tomcat is already installed in the server, located at /apache-tomcat)

1. First of all, install httpd by running command below inside the httpd extracted directory  (get it from http://httpd.apache.org). The SSL feature is optional (httpd will be installed at /usr/local/apache2).
   • ./configure –enable-ssl –enable-so –with-ssl=/usr/local/ssl
   • make
   • make install
2. Troubleshoot: the following packages are missing during my installation of httpd, for your reference
   • install apr
     • ./configure
     • make
     • make install
   • install apr-util
     • ./configure –with-apr=/usr/local/apr
     • make
     • make install
   • install pcre
     • ./configure –disable-cpp
     • make
     • make install
3. Install tomcat-connectors (to create mod_jk.so)
   • in terminal, change directory to native folder in the extracted directory and issue following commands:
     • ./configure –with-apxs=/usr/local/apache2/bin/apxs
     • make
     • make install
   • copy native/apache-2.0/mod_jk.so to /usr/local/apache2/modules (it might auto put it into the folder during the installation)
   • copy conf/httpd-jk.conf to /apache-tomcat/conf/mod_jk.conf
   • copy conf/workers.properties to /apache-tomcat/conf/workers.properties
   • edit /usr/local/apache2/conf/httpd.conf
     • add line “Include /apache-tomcat/conf/mod_jk.conf”
   • edit /apache-tomcat/conf/mod_jk.conf (this is the part to specify which url to refer Apahce Tomcat, eg jspSystem)
     • JkWorkersFile workers.properties
     • add line “JkMount /jspSystem/* balancer”
     • add line “JkMount /jspSystem/ balancer”
   • edit /apache-tomcat/conf/workers.properties
     • worker.node1.port=8009
     • worker.node2.activation=D
4. Set Apache Tomcat to run at port 8080.
5. Now you can start Apache Web Server (like using this command /usr/local/apache2/bin/apachectl -k start)

 

How to adjust Tomcat PermGen Space Size

When we putting more than 3 applications in Tomcat Webapp, we might experience slowness and eventually application crash, even after we have increase Tomcat reserved memory. It is normally refer as Out of Memory Error in PermGen space.

Default PermGen space size is 64MB. To increase it, similar to increase Tomcat reserved memory, we need to edit $TOMCAT/bin/catalina.bat (or catalina.sh in Linux) and look for JAVA_OPTS:

set JAVA_OPTS = ""

Add in -XX:PermSize=500m -XX:MaxPermSize=500m to JAVA_OPTS. If JAVA_OPTS exists with other parameters, just append the new parameters to it.

set JAVA_OPTS = "-Xms2000m -Xmx2000m -XX:PermSize=500m -XX:MaxPermSize=500m"

It is recommended to set size as 1/4 of the reserved memory, eg 1/4 of the 2GB reserved memory will be 500MB PermGen space size.

Other reference: 2 solution of java.lang.OutOfMemoryError in Java

Make Tomcat Auto Start in Linux

Here is another method to install tomcat startup script in Linux (there is another method in my earlier post)

1. Download tomcat and rename the file name from tomcat.doc to tomcat only (remove the extension)
2. Put the file under /etc/inid.d
3. Give execute privilege to the file (chmod +x /etc/init.d/tomcat)
4. Adjust 2 parameters in the file, TOMCAT and JAVA_HOME.
5. Add the file into service list (chkconfig ––add tomcat)
6. Done!

Now you can double check whether tomcat is inside your service list or not by using “chkconfig ––list tomcat”. To start or stop tomcat, simply “service tomcat start” and “service tomcat stop”.

Setup SSL Certificate at Tomcat

The method here is to implement CA certified SSL certificate in Tomcat Service.

1. Generate a key store file using keytool utility (installed together with JDK). It will ask for a password to generate the key store file.
   keytool -genkey -alias <any alias name> -keyalg RSA -keystore <output file>
   For example:
   keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
2. Generate a certificate request file.
   keytool -certreq -keyalg RSA -alias <alias> -file <output file> -keystore <keystore file>
   Example:
   keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key
3. Then submit the certificate request to your CA. Normally you just need to submit the content of the request file.
4. As a result you will get the content of the certificate. Copy the content and save it as a certificate file (for example tomcat.cer)
5. For some CA (like Thawte), you need to download the CA trusted certificate from the their website in order to complete the implementation (EV_Root.cer and EV_intermediate.cer)
6. Finally import the certificates using command below:
   keytool -import -alias <alias name> -keystore <keystore file> -trustcacerts -file <certificate>
   For example:
   keytool -import -alias EV_Root -keystore online.key -trustcacerts -file EV_Root.cer
keytool -import -alias EV_intermediate -keystore online.key -trustcacerts -file EV_intermediate.cer
keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file tomcat.cer

Some references to retrieve private key from the key store that you generate.

Restrict IP coming to Tomcat Service

We can restrict incoming connection by IP address in Tomcat, for example we only allow connection from IP 10.10.10.* to access. We only need to add a valve tag in the context:

<Context>
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192\.168\.56\..*" deny="192\.168\.56\.1"/>
</Context>

It is quite straight forward: allow attribute to allow what IP pattern to go through, while deny is to block. The value of the attribute use regular expression. Another example of regular expression, 192.168.*.* need to set as 192\.168\..*\..*.

2 ways to do this: either you want to implement the restriction to all the applications, or to particular application. If you want to apply to all applications, put the tag in TOMCAT_HOME/conf/context.xml.

If you only want to apply the restriction to particular application, put the tag in TOMCAT_HOME/conf/catalina/locahost/<webapp>.xml. The name of the file follow the name of your web application. Create the file if it is not exist.

How to adjust Tomcat Reserved Memory

By default, Tomcat Service is running under memory limit to 64MB. Java Memory Heap Exception might occur if the application has no enough memory to use. To increase or adjust the memory limit in Tomcat Service, simply edit $TOMCAT/bin/catalina.bat (or catalina.sh in Linux) and look for JAVA_OPTS:

set JAVA_OPTS = ""

Add in -Xms128m -Xmx256m to JAVA_OPTS. Xms is the initial memory when Tomcat is run while Xmx is the maximum memory that Tomcat can use.

set JAVA_OPTS = "-Xms128m -Xmx256m"

How to set Unlimited Session Timeout in Tomcat

Session Timeout in Tomcat is set at web.xml, either at Server Level ($TOMCAT/config/web.xml) or Web App Level ($TOMCAT/webapps/yourwebapp/WEB-INF/web.xml). Look for the following tag (or add in):

<session-config>
<session-timeout>60</session-timeout>
</session-config>

The number in session-timeout tag is in minutes. To make it unlimited or no time out, simply set the number to -1 and restart your Tomcat Service.

<session-config>
<session-timeout>-1</session-timeout>
</session-config>


Enable GZIP Compression in Tomcat

Tomcat Service has this feature to compress the web pages before being downloaded by surfer, no special plug in or add on at both server or client (browser) side. To activate this feature:

1. Edit the conf/server.xml configuration file
2. Look for the connector tag
3. Add the following attributes:
   • compression=”on”
   • compressionMinSize=”2048″
   • noCompressionUserAgents=”gozilla, traviata”
   • compressableMimeType=”text/html,text/xml”
4. The end result will be something like this (bold is the added attributes): <Connector port=”8080″ maxHttpHeaderSize=”8192″
   maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
   enableLookups=”false” redirectPort=”8443″ acceptCount=”100″
   connectionTimeout=”20000″ disableUploadTimeout=”true”
   compression=”on”
   compressionMinSize=”2048″
   noCompressionUserAgents=”gozilla, traviata”
   compressableMimeType=”text/html,text/xml”/>

(Source from http://viralpatel.net/blogs/2008/11/enable-gzip-compression-in-tomcat.html)

In order to know the edit works or not, use the following  link to test the website or webpage:

• http://www.gidnetwork.com/tools/gzip-test.php
• http://www.whatsmyip.org/http_compression/

In chrome browser you can check the compress status by clicking the icon at the left side of address bar (where the https sign showed)

Update 110813: in order to include more file types into the compression, fill in more MIME Type, for example:

<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/json,text/javascript,text/css,text/plain,
application/javascript,application/xml,application/xml+xhtml"/>

Increase or Make Unlimited Maximum Post Size in Tomcat

Tomcat by default has limited the amount of data (2 MB) that you can submit to Tomcat Service through Form Post Method. In other word, exception will occur if you upload something more than 2 MB. To increase the maximum post size or make it unlimited, you only need to:

1. Edit the server.xml file in conf folder
2. Look for the line (or similar):
   <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
3. Add this attribute: maxPostSize=”o”. Set the value 0 (zero) make it unlimited, or any size like “4MB”. Now it is look like this:
   <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxPostSize="0"/>
4. Restart Tomcat Service and done