-
1. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
venkata.rammohan Oct 27, 2014 6:55 AM (in response to stephen.lorenz)
I'm also facing the same problem. My application is running fine with HTTP, but when it comes to HTTPS, Apache is not redirecting to the HTTPS URL. Following is the snippet of the SSL virtual host configuration from httpd.conf:
<IfModule manager_module>
Listen 192.168.1.111:6666
ManagerBalancerName mycluster
<VirtualHost 192.168.1.111:6666>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 192.168.1.
    </Location>
    KeepAliveTimeout 300
    MaxKeepAliveRequests 0
    ServerAdvertise on http://192.168.1.111:6666
    AdvertiseFrequency 5
    AdvertiseSecurityKey secret
    AdvertiseGroup 224.0.1.105:23364
    EnableMCPMReceive
    <Location /mod_cluster_manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 192.168.1.
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName myserver
    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    # RewriteEngine on
    RewriteCond %{HTTPS} on
    RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]
</VirtualHost>
Listen 443
<VirtualHost *:443>
    ServerName myserver
    ErrorLog "logs/ssl-apache-error.log"
    CustomLog "logs/ssl-apache-access.log" common
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "C:\mysitename.crt"
    SSLCertificateKeyFile "C:\mysitename.key"
    SSLCertificateChainFile "C:\mysitename.crt"
</VirtualHost>
Can anyone help me in this regard?
-
2. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
jfclere Oct 28, 2014 4:08 AM (in response to stephen.lorenz)
AJP doesn't support encryption; you have to use https.
-
3. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
jfclere Oct 28, 2014 4:13 AM (in response to venkata.rammohan)
"apache is not redirecting to the https" What do you mean? Are you speaking of the mod_rewrite directive?
-
4. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
venkata.rammohan Oct 28, 2014 7:25 AM (in response to jfclere)
Hi Jean,
Thanks for the quick response.
"apache is not redirecting to https": by this I wanted to convey that I expected "http://host/mywebapp" to be redirected to "https://host/mywebapp". Previously, we were able to achieve this with WildFly 8.1.10 Final in "standalone" mode. Now we want to build a load balancer with "httpd 2.2 + mod_cluster 1.2.x + WildFly 8.1.0". We are successful with the HTTP part, but we are stuck at the SSL part. I also have a doubt in this regard...
1. We've used the ".keystore" in standalone mode and want to continue with the same here also (how can I achieve it in this context?).
2. I also tried the SSL part with OpenSSL (as I showed in my config file's snippet).
I could not get that functionality either way.
Can anyone help me in this regard? (Configure SSL with a .keystore / achieve the SSL rewriting in httpd + mod_cluster + WildFly 8.1.0 Final.)
Sorry if I am pulping out too much, but I have a trunk of doubts and want to learn WildFly administration, as this is the starting point for me in administering a server.
Thanks in advance.
Venkata Rammohan CH.
-
5. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
jfclere Oct 29, 2014 5:10 AM (in response to venkata.rammohan)
"# RewriteEngine on": the rewrite rule might be ignored; that explains why the redirect doesn't work. Try RewriteLog "rewrite.log" and look in the file.
If you want to encrypt the data between httpd and WildFly, that is not related to the rewrite problem.
Basically you have to encrypt all the data between httpd and WildFly (look at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and search for SSLProxy*). The first step is to get SSL working on WildFly and use a client to connect directly to it.
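To make the two points in this reply concrete (the redirect that never fires, and the separate question of encrypting the balancer-to-worker leg), here is an added example of an httpd 2.2 virtual host pair. It is not configuration posted by anyone in this thread; the hostname, certificate paths and the worker CA file are placeholders, and it assumes mod_ssl, mod_rewrite and mod_cluster are loaded.

```apache
# Added example, not taken from any post in this thread.
# Assumes httpd 2.2 with mod_ssl, mod_rewrite and mod_cluster loaded;
# "myserver", the conf/ssl/* paths and worker-ca.crt are placeholders.

<VirtualHost *:80>
    ServerName myserver
    # Without this line every RewriteRule in the vhost is silently ignored,
    # which is exactly the "# RewriteEngine on" problem in the earlier snippet.
    RewriteEngine On
    # Redirect only when the request is NOT already HTTPS. The earlier
    # condition "%{HTTPS} on" tests the opposite case and never matches
    # on a plain-HTTP vhost, so nothing was ever redirected.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
    # httpd 2.2 rewrite tracing; disable again once the redirect is confirmed
    RewriteLog "logs/rewrite.log"
    RewriteLogLevel 3
</VirtualHost>

Listen 443
<VirtualHost *:443>
    ServerName myserver
    ErrorLog "logs/ssl-apache-error.log"
    CustomLog "logs/ssl-apache-access.log" common

    # Client <--HTTPS--> balancer
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    # Excludes the anonymous (aNULL), null-encryption (eNULL), export (EXP)
    # and LOW groups that the earlier cipher string explicitly enabled.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
    SSLCertificateFile      "conf/ssl/myserver.crt"
    SSLCertificateKeyFile   "conf/ssl/myserver.key"
    SSLCertificateChainFile "conf/ssl/myserver-chain.crt"

    # Balancer <--HTTPS--> WildFly workers: the SSLProxy* directives.
    # mod_cluster reuses mod_proxy, so the proxy side of mod_ssl must be on
    # for workers that register with scheme="https".
    SSLProxyEngine On
    # Verify each worker's certificate against a CA you control so that a
    # host that merely reaches the balancer cannot pose as a worker.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile "conf/ssl/worker-ca.crt"
    SSLProxyCheckPeerExpire On
    SSLProxyCheckPeerCN On
</VirtualHost>
```

After a restart, a plain-HTTP request to the vhost should answer 301 with a Location header pointing at the https URL, and logs/rewrite.log records whether the rule matched; the proxy-side directives only take effect once the WildFly https listener works when contacted directly, which is the first step this reply recommends.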
-
6. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
mbabacek Oct 29, 2014 5:14 AM (in response to venkata.rammohan)
Here you might use some of my configuration as an inspiration for Client <--HTTPS--> Balancer <--HTTPS--> Workers communication:
-
7. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
fdlprod Jul 29, 2016 5:01 AM (in response to mbabacek)
Hi, I managed to do it with the AJP connector, but never managed to do it in HTTPS because I have a secured connection between JBoss => MCM port:
Apache:
<VirtualHost 172.20.30.13:443>
    #LogLevel debug
    SSLEngine on
    SSLCipherSuite ALL:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!aNULL:!eNULL:!MEDIUM:!LOW
    SSLCertificateFile /etc/httpd/certs/newcert.pem
    SSLCertificateKeyFile /etc/httpd/certs/newkey.pem
    SSLCertificateChainFile /etc/httpd/certs/newcert.pem
    SSLHonorCipherOrder on
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile /etc/httpd/certs/cacert.pem
    # this option is mandatory to force apache to forward the client cert data to tomcat
    SSLOptions +ExportCertData
    <Directory />
        SSLOptions +StdEnvVars
        Require all granted
    </Directory>
    <Location /mcm>
        SetHandler mod_cluster-manager
        Require all granted
    </Location>
    AllowDisplay On
    AllowCmd Off
    KeepAliveTimeout 180
    TimeOut 300
</VirtualHost>
# Management Module
<VirtualHost 172.20.30.13:6666>
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLEngine on
    SSLCipherSuite ALL:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!aNULL:!eNULL:!MEDIUM:!LOW
    SSLCertificateFile /etc/httpd/certs/newcert.pem
    SSLCertificateKeyFile /etc/httpd/certs/newkey.pem
    SSLCertificateChainFile /etc/httpd/certs/newcert.pem
    <Directory />
        Require all granted
    </Directory>
    #AdvertiseFrequency 5
    #ServerAdvertise on http://...
    EnableMCPMReceive
    # ManagerBalancerName value must be lowercase !
    ManagerBalancerName loadbalancer
</VirtualHost>
domain.xml (or standalone) WildFly 9.XX:
In mod-cluster, choose the ajp connector.
In domain.xml or standalone.xml, add this listener:
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>
Then transform the ajp listener like this:
<ajp-listener name="ajp" scheme="https" socket-binding="ajp" max-header-size="65536" max-post-size="65536" request-parse-timeout="10000"/>
Then in the case of the http listener:
<http-listener name="default" certificate-forwarding="true" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" max-header-size="65536" max-post-size="65536"/>
Delete, if not already done, the single-sign-on tag in default-server.
Example of one realm:
<security-domain name="AofRealm" cache-type="default">
    <authentication>
        <login-module code="Certificate" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="securityDomain" value="realm"/>
        </login-module>
    </authentication>
    <jsse keystore-password="XXXX" keystore-url="file:${jboss.domain.config.dir}/keystoreWeb.jks" truststore-password="XXXX" truststore-url="file:${jboss.domain.config.dir}/keystoreWeb.jks" client-auth="true"/>
</security-domain>
Example of one host.xml:
<security-realms>
    <security-realm name="SSLRealm">
        <server-identities>
            <ssl protocol="TLSv1">
                <keystore path="keystoreWeb.jks" relative-to="jboss.domain.config.dir" keystore-password="XXXX" alias="alias"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="keystoreWeb.jks" relative-to="jboss.domain.config.dir" keystore-password="XXXX"/>
        </authentication>
    </security-realm>
</security-realms>
Application
- web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/faces/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <auth-constraint>
        <role-name>AOF</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>AOF</role-name>
</security-role>
<login-config>
    <!-- To activate kerberos put SPNEGO instead of FORM -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>realm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
And in jboss-web.xml, security-domain = realm.
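One detail of the management vhost above deserves a hardened counterpart: on port 6666 it uses "Require all granted", so any host that can reach that port can send MCMP commands and register itself as a backend for the balancer. The following is an added example (httpd 2.4 syntax, matching the Require directives used above), not configuration from any post in this thread. The worker subnet 172.20.30.0/24 is an assumption; the certificate paths and IP address are the ones shown above, and the client-certificate section assumes the WildFly modcluster subsystem has been given a key store to present.

```apache
# Added example, not from any post in this thread (httpd 2.4 syntax).
# 172.20.30.0/24 is an assumed worker subnet; adjust to your own.
<VirtualHost 172.20.30.13:6666>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ALL:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!aNULL:!eNULL:!MEDIUM:!LOW
    SSLCertificateFile /etc/httpd/certs/newcert.pem
    SSLCertificateKeyFile /etc/httpd/certs/newkey.pem
    SSLCertificateChainFile /etc/httpd/certs/newcert.pem

    # Weak setting being replaced:
    #   <Directory />
    #       Require all granted
    #   </Directory>
    # Only the worker nodes may reach the MCMP receiver. Everything else
    # (CONFIG, ENABLE-APP, STATUS, ...) is refused with 403 before mod_cluster
    # sees it, so an unknown host cannot insert itself into the balancer.
    <Location />
        Require ip 172.20.30.0/24
    </Location>

    # Optional second layer: workers must also present a client certificate
    # issued by your own CA. Remove these three lines if the WildFly
    # modcluster subsystem is not configured with a key store (assumption).
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/certs/cacert.pem

    EnableMCPMReceive
    # ManagerBalancerName value must be lowercase !
    ManagerBalancerName loadbalancer
</VirtualHost>
```

The IP restriction costs nothing on the worker side and is the same idea as the "Allow from 192.168.1." lines in the first post, expressed in 2.4 syntax; the client-certificate requirement is what actually authenticates a worker rather than its address, so it is the layer to keep when the balancer and workers do not share an isolated network.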