SSL offloading for JBOSS and Tomcat servers.

posted in: Tech


Many customers who run ZXTM in front of a J2EE application server, like JBoss or Tomcat, would like to use the high performance SSL processing of ZXTM but still need their application to know when the connection was secured. The Apache AJP protocol can be used to achieve this.

Modify the J2EE application server

The first thing we need to do is create two AJP listeners in our application server. The first listener will process non-secure connections and the second will process connections that ZXTM has already decrypted.

In JBoss you would edit the file $JBOSSHOME/server/<profile>/deploy/jbossweb-tomcat55.sar/server.xml and make the following changes:

<!-- An AJP 1.3 Connector on port 8009 (plain HTTP traffic) -->
<Connector port="8009" address="${jboss.bind.address}"
           emptySessionPath="true" enableLookups="false" redirectPort="8443"
           protocol="AJP/1.3"/>
<!-- An AJP 1.3 Connector on port 8010 (traffic that was decrypted upstream) -->
<Connector port="8010" address="${jboss.bind.address}"
           emptySessionPath="true" enableLookups="false" redirectPort="8443"
           scheme="https" secure="true"
           protocol="AJP/1.3"/>

You will already have an AJP connector on port 8009. We just added a second one on port 8010 and set the two optional attributes "secure" and "scheme". These drive the two J2EE methods request.isSecure() and request.getScheme(), so a servlet reached through port 8010 sees isSecure() == true and getScheme() == "https" even though the hop from ZXTM to the application server is plain AJP.

The change in Tomcat is the same; the file to edit is $CATALINAHOME/conf/server.xml.
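As an added sanity check (not part of the original post), the following Python audits a server.xml for the two-listener layout described above: exactly one AJP connector carries secure="true", it also has scheme="https", the ports differ, and the secure listener is not bound to a wildcard address. The embedded server.xml fragment is a constructed sample wrapped in a <Service> element so it parses as one document.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two-connector layout from the post.
SAMPLE_SERVER_XML = """<Service name="jboss.web">
  <!-- An AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" address="${jboss.bind.address}"
             emptySessionPath="true" enableLookups="false" redirectPort="8443"
             protocol="AJP/1.3"/>
  <!-- An AJP 1.3 Connector on port 8010 -->
  <Connector port="8010" address="${jboss.bind.address}"
             emptySessionPath="true" enableLookups="false" redirectPort="8443"
             scheme="https" secure="true"
             protocol="AJP/1.3"/>
</Service>"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def ajp_connectors(xml_text):
    """Return the attribute dict of every AJP/1.3 <Connector> in the document."""
    root = ET.fromstring(xml_text)
    return [c.attrib for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def audit_ajp(xml_text):
    """Check the SSL-offloading layout and return a list of human-readable findings.

    An empty list means the configuration matches the post: one plain AJP listener,
    one marked secure="true" with scheme="https", distinct ports, and the secure
    listener not bound to every interface.
    """
    findings = []
    conns = ajp_connectors(xml_text)
    secure = [c for c in conns if c.get("secure", "false").lower() == "true"]
    if not secure:
        findings.append('no AJP connector has secure="true"; isSecure() will never be true')
    for c in secure:
        port = c.get("port")
        if c.get("scheme", "http") != "https":
            findings.append(f'port {port}: secure="true" but scheme is not "https"')
        addr = c.get("address")
        if addr is None or addr in WILDCARD_ADDRESSES:
            findings.append(f"port {port}: secure listener bound to all interfaces; "
                            "restrict it to the front-end web servers")
    ports = [c.get("port") for c in conns]
    if len(ports) != len(set(ports)):
        findings.append("two AJP connectors share the same port")
    return findings
```

Run it against a real server.xml by passing the file contents to audit_ajp(); any finding names the connector port it applies to.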

Apache mod_jk

If you are connecting to JBoss using mod_jk with Apache or Microsoft IIS, you will need to add a new worker for the new listener. In your mod_jk worker properties file, add a worker with the following attributes:


worker.ajp13_secure.port=8010
worker.ajp13_secure.host=localhost
worker.ajp13_secure.type=ajp13

Here we created a new worker called "ajp13_secure". Now we can map requests to this worker from the Apache or IIS configuration, and any application reached through it will be told the connection is secure. Note that this flag depends only on which listener the request arrives on, so port 8010 should be reachable solely from the front-end web servers; a request that reaches it by any other route would also be reported as secure.

The Web Server and ZXTM

You will now want to create a new virtual server in the web server. It can be a name-based virtual host, or you could run it on a different IP address or port. You need a way to send the decrypted SSL traffic to this new virtual server without mixing it up with the non-secure version. This new virtual server maps the J2EE applications via the ajp13_secure mod_jk worker.

When you create your ZXTM HTTP service with SSL Decryption enabled, attach the virtual server to a pool containing the web server service that backs onto the AJP listener you marked as secure. In the Apache mod_jk configuration above, that is the service mapped to ajp13_secure.

If you are connecting with Zeus Web Server, you will need to configure the Java Servlet mapping through the admin interface. If you run both secure and non-secure versions of the website, you will need two otherwise identical virtual servers. The first takes plain HTTP traffic and connects to the AJP listener on port 8009 (the normal service); the second receives the traffic ZXTM has decrypted and maps to the AJP listener on port 8010 (the secured version).