Enable SSL https for Alfresco or any other web application
by Stanislav on Wednesday Jun 08, 2016
Enabling an SSL-secured connection for a web application (Alfresco ECM, for instance) is a very common task in the web community. Most companies that run their business over the internet need to protect the data they exchange. In this post I'll show how to switch on such a connection by means of Apache Web Server.
OK, let's start. Assume that we have a web application (Alfresco ECM in our case) managed by the Tomcat servlet container. We could configure Tomcat to listen for requests on port 8443 (Tomcat's default SSL port), but in the case of Alfresco, which has two webapps (/alfresco and /share), it's simpler to use Apache server in conjunction with Tomcat: there is no need to change anything in the Alfresco configuration (e.g. in share-custom-config.xml) and no need to tweak Tomcat. If you have a web application other than Alfresco, Tomcat + Apache Server might be a good option as well:
- Tomcat is not as fast as Apache when it comes to static pages.
- Tomcat is not as configurable as Apache.
- Tomcat is not as robust as Apache.
- Tomcat may not address many sites' need for functionality found only in Apache modules (e.g. Perl, PHP, etc.).
Please install Apache2 if it is not yet installed, along with two Apache modules: mod_jk, the module that manages Apache Server to Tomcat communication, and mod_ssl, the module that provides SSL v3 and TLS v1.x support. The commands below install mod_jk (mod_ssl is normally installed by default with Apache Server) and enable both modules:
    sudo apt-get install libapache2-mod-jk
    sudo a2enmod jk
    sudo a2enmod ssl
To use an SSL-secured connection we need an SSL certificate. We can request such a certificate from an official authority, e.g. Digicert; for this we should generate a certificate request file (*.crt). When the crt file is generated, a jks file (Java keystore) may be produced along with it, from which the private key can be retrieved (link). After sending the crt to the issuing authority, you'll get back 2 certificate files: the digital certificate itself and a certificate chain file. Both of them and the private key should be referenced in the Apache2 VirtualHost configuration:
    <VirtualHost *:443>
        ServerName somesite.com
        SSLEngine On
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
        SSLHonorCipherOrder on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCertificateFile /opt/alfresco/cert/somesite_com.crt
        SSLCertificateKeyFile /opt/alfresco/cert/pr_key/somesite_com_pr.key
        SSLCertificateChainFile /opt/alfresco/cert/DigiCertCA.crt
        <Location />
            # SSLRequireSSL takes no argument
            SSLRequireSSL
            SSLVerifyClient optional
            SSLRenegBufferSize 104860000
            SSLVerifyDepth 1
            SSLOptions +StdEnvVars +StrictRequire
        </Location>
        # Send everything for the context / to the worker named ajp13_worker via ajp13
        JkMount /* ajp13_worker
    </VirtualHost>
A couple of important things should be noted in this config:
- JkMount /* ajp13_worker – ajp13_worker is the id of the mod_jk AJP worker that communicates with Tomcat's AJP port. Tomcat is usually defined on localhost with port 8009 (see Tomcat’s config/server.xml). Apache mod_jk worker.properties excerpt:
    #
    # Defining a worker named ajp13_worker and of type ajp13
    # Note that the name and the type do not have to match.
    #
    worker.ajp13_worker.port=8009
    worker.ajp13_worker.host=localhost
    worker.ajp13_worker.type=ajp13
- SSLCipherSuite – together with the SSLProtocol configuration, this is one of the best cipher suite sets that can be used nowadays to get an “A” rank in the SSLLabs test. Modern browsers and OSs are very sensitive to outdated SSL protocols and ciphers (and this approach is right), so we need to enable only approved ones. SSLProtocol All -SSLv2 -SSLv3 enables all SSL protocols except the deprecated SSL2 (which is exposed to the DROWN vulnerability) and the deprecated SSL3 (which is exposed to the POODLE vulnerability). A modern and correct SSLCipherSuite set is also required, especially for MacOS, which is oriented towards a high level of security; otherwise the https connection to your site may be rejected.
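The check below is an added example, not part of the original post: it resolves the SSLProtocol line token by token (bare token replaces, `+` adds, `-` removes) and scans the SSLCipherSuite string for weak classes that lack a `!` exclusion and for entries that a `!` exclusion cancels. The `ALL` expansion, the default used when SSLProtocol is absent and all function names are assumptions; the cipher check works on tokens only and does not expand the string through OpenSSL.

```python
import re

# Constructed sample: the two TLS directives from the VirtualHost above.
VHOST = """
<VirtualHost *:443>
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
"""

# Assumption: what "All" expands to on a 2016-era mod_ssl/OpenSSL build.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# SSLv2/SSLv3 are broken (DROWN, POODLE); TLS 1.0/1.1 were deprecated by RFC 8996.
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK = ("aNULL", "eNULL", "EXP", "LOW", "MD5", "3DES", "RC4")

def directives(conf):
    """Map directive name (lower-cased) to its value; skips comments and <Section> tags."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)\s+(.*?)\s*$", line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip('"')
    return found

def enabled_protocols(value, all_protocols=ALL):
    """Apply SSLProtocol tokens left to right: bare token replaces, + adds, - removes."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        chosen = set(all_protocols) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled

def audit(conf):
    """Return findings for the SSLProtocol / SSLCipherSuite pair of one vhost."""
    d = directives(conf)
    protocols = enabled_protocols(d.get("sslprotocol", "all"))  # "all" is an assumed default
    findings = [f"protocol still enabled: {p}" for p in sorted(protocols & set(LEGACY))]
    tokens = re.split(r"[\s:,]+", d.get("sslciphersuite", "").strip())
    banned = {t[1:] for t in tokens if t.startswith("!")}
    findings += [f"cipher class not excluded: {w}" for w in WEAK if w not in banned]
    findings += [f"dead entry (killed by '!'): {t}" for t in tokens
                 if not t.startswith("!") and banned & set(t.split("+"))]
    return findings
```

Calling `audit(VHOST)` on the configuration above reports TLSv1 and TLSv1.1 as still enabled and flags `EECDH+aRSA+RC4` and `RC4` as entries cancelled by the trailing `!RC4`.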
That’s it: after apache2 is restarted, the SSL connection will be established and you can navigate to your Alfresco/Share web application (or your custom web application) over https. Your connection will comply with modern security protocols and will have an “A” rank at SSL checking services.