7 Replies Latest reply on Jul 29, 2016 5:01 AM by fdlprod

    mod_cluster/ajp over ssl (ajps) on Wildfly

    stephen.lorenz

      Hello,

       

      We are attempting to setup mod_cluster with our Wildfly 8.1.0 instance(s) and one of our requirements is that all server-to-server communication be encrypted.  Our cluster/ajp configuration works fine in non-ssl mode but unfortunately we cannot run this way in production.  We are trying to figure out:

       

      1. is it possible to encrypt ajp traffic natively (ie. no stunnel tricks)?
      2. if so, what are the steps required to enable this in Wildfly and in the mod_cluster Apache config?

       

      We have searched these forums and the web for documentation for how to do this but we have found sparse mention of this.  We have seen some mention of "ajps" but no documentation or examples of how this can be configured in Wildfly or JBoss AS 7.  We have tried setting the ajp-listener scheme to "https".  But this doesn't seem to make any difference (and, of course, this configuration change seems far too simple to work!).  We have played around with other configurations but none seem to make a difference.   Any guidance would be helpful.

       

      Thanks!

        • 1. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
          venkata.rammohan

I'm also facing the same problem. My application is running fine with HTTP, but when it comes to HTTPS, Apache is not redirecting to the HTTPS URL. Following is the snippet of the SSL virtual host configuration from httpd.conf:

          <IfModule manager_module>
            Listen 192.168.1.111:6666
            ManagerBalancerName mycluster
            <VirtualHost 192.168.1.111:6666>
              <Location />
                Order deny,allow
                Deny from all
                Allow from 192.168.1.
              </Location>

              KeepAliveTimeout 300
              MaxKeepAliveRequests 0
              ServerAdvertise on http://192.168.1.111:6666
              AdvertiseFrequency 5
              AdvertiseSecurityKey secret
              AdvertiseGroup 224.0.1.105:23364
              EnableMCPMReceive

              <Location /mod_cluster_manager>
                SetHandler mod_cluster-manager
                Order deny,allow
                Deny from all
                Allow from 192.168.1.
              </Location>
            </VirtualHost>
          </IfModule>

          <VirtualHost *:80>
            ServerName myserver

            #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
            # RewriteEngine on
            RewriteCond %{HTTPS} on
            RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301]
          </VirtualHost>

          Listen 443
          <VirtualHost *:443>
            ServerName myserver
            ErrorLog "logs/ssl-apache-error.log"
            CustomLog "logs/ssl-apache-access.log" common

            BrowserMatch ".*MSIE.*" \
              nokeepalive ssl-unclean-shutdown \
              downgrade-1.0 force-response-1.0

            SSLEngine on
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            SSLCertificateFile "C:\mysitename.crt"
            SSLCertificateKeyFile "C:\mysitename.key"
            SSLCertificateChainFile "C:\mysitename.crt"
          </VirtualHost>

          Can anyone help me in this regard?

          • 2. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
            jfclere

            AJP doesn't support encryption; you have to use https.

            • 3. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
              jfclere

              "apache is not redirecting to the https" What do you mean? Are you speaking of the mod_rewrite directive?

              • 4. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
                venkata.rammohan

                Hi Jean,

                 

                Thanks for the quick response.

                 

                "apache is not redirecting to https": by this I wanted to convey that I expected "http://host/mywebapp" to be redirected to "https://host/mywebapp". Previously, we were able to achieve this with WildFly 8.1.10 Final in "standalone" mode. Now we wanted to build a load balancer with "httpd 2.2 + mod_cluster 1.2.x + WildFly 8.1.0". We are successful up to the HTTP part, but we are stuck at the SSL part. I also have a doubt in this regard...

                 

                1. We've used the ".keystore" in standalone mode and want to continue with the same here also (how can I achieve it in this context?).

                2. I also tried the SSL part with OpenSSL (as I show in my config file's snippet).

                I could not get that functionality either way.

                 

                Can anyone help me in this regard? (configure SSL with a .keystore / achieve the SSL rewriting with httpd + mod_cluster + WildFly 8.1.0 Final)

                 

                Sorry if I am pulping out too much, but I have a trunk of doubts and want to learn WildFly administration, as this is the starting point for me in administering a server.


                Thanks in advance.

                Venkata Rammohan CH.

                • 5. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
                  jfclere

                  "# RewriteEngine on": the rewrite rule might be ignored; that explains why the redirect doesn't work. Try RewriteLog "rewrite.log" and look in the file.

                   

                  If you want to encrypt the data between httpd and wildfly that is not related to the rewrite problem.

                  Basically you have to encrypt all the data between httpd and WildFly (look at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and search for SSLProxy*). The first step is to get SSL working on WildFly and use a client to connect directly to it.
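                  As an added example (not from this thread or the mod_cluster project) of the direction given above: a balancer VirtualHost that terminates client TLS, accepts MCMP registrations only from workers holding a certificate from the cluster CA, and, since mod_cluster proxies to workers through mod_proxy, uses the SSLProxy* directives for the httpd-to-WildFly leg. It assumes httpd 2.2 with mod_ssl, placeholder addresses and certificate paths, and workers that registered their https listener with this balancer (mod-cluster-config connector="https" plus a proxy list).

```apache
# Balancer side (httpd 2.2 + mod_ssl + mod_cluster). Addresses and paths are placeholders.
Listen 10.0.0.1:6666
<VirtualHost 10.0.0.1:6666>
    # Client <-> balancer leg; workers also register (MCMP) over this TLS endpoint
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT
    SSLCertificateFile /etc/httpd/certs/balancer.crt
    SSLCertificateKeyFile /etc/httpd/certs/balancer.key
    SSLCACertificateFile /etc/httpd/certs/cluster-ca.pem
    # Only peers with a certificate issued by the cluster CA may connect/register
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Balancer <-> worker leg: mod_cluster forwards through mod_proxy, so these
    # directives configure the TLS client httpd uses towards each WildFly worker.
    SSLProxyEngine on
    SSLProxyProtocol all -SSLv2 -SSLv3
    SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/certs/cluster-ca.pem
    # Reject a worker whose certificate CN differs from the host it registered as,
    # or whose certificate has expired
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
    # PEM file with certificate and unencrypted key that httpd presents when the
    # worker's https-listener requires a client certificate
    SSLProxyMachineCertificateFile /etc/httpd/certs/balancer-client.pem

    ManagerBalancerName mycluster
    EnableMCPMReceive
    # Advertise goes out as plain multicast UDP; workers list the balancer instead
    ServerAdvertise Off

    <Location /mod_cluster_manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 10.0.0.
    </Location>
</VirtualHost>
```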

                  • 6. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
                    mbabacek

                    Here you might use some of my configuration as inspiration for Client <--HTTPS--> Balancer <--HTTPS--> Workers communication:

                    mod_cluster HTTPS-only configuration example

                    • 7. Re: mod_cluster/ajp over ssl (ajps) on Wildfly
                      fdlprod

                      Hi, I managed to do it with the AJP connector; I never managed to do it in HTTPS because I have a secured connection between JBoss => MCM port:

                       

                      Apache:

                       

                      <VirtualHost 172.20.30.13:443>
                        #LogLevel debug

                        SSLEngine on
                        SSLCipherSuite ALL:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!aNULL:!eNULL:!MEDIUM:!LOW

                        SSLCertificateFile /etc/httpd/certs/newcert.pem
                        SSLCertificateKeyFile /etc/httpd/certs/newkey.pem
                        SSLCertificateChainFile /etc/httpd/certs/newcert.pem

                        SSLHonorCipherOrder on
                        SSLVerifyClient require
                        SSLVerifyDepth 10
                        SSLCACertificateFile /etc/httpd/certs/cacert.pem

                        # this option is mandatory to force apache to forward the client cert data to tomcat
                        SSLOptions +ExportCertData

                        <Directory />
                          SSLOptions +StdEnvVars
                          Require all granted
                        </Directory>

                        <Location /mcm>
                          SetHandler mod_cluster-manager
                          Require all granted
                        </Location>

                        AllowDisplay On
                        AllowCmd Off
                        KeepAliveTimeout 180
                        TimeOut 300
                      </VirtualHost>

                      # Management Module
                      <VirtualHost 172.20.30.13:6666>
                        SSLProtocol all -SSLv2 -SSLv3
                        SSLHonorCipherOrder on
                        SSLEngine on
                        SSLCipherSuite ALL:!MD5:!EXPORT:!DES:!3DES:!DHE:!EDH:!RC4:!aNULL:!eNULL:!MEDIUM:!LOW
                        SSLCertificateFile /etc/httpd/certs/newcert.pem
                        SSLCertificateKeyFile /etc/httpd/certs/newkey.pem
                        SSLCertificateChainFile /etc/httpd/certs/newcert.pem

                        <Directory />
                          Require all granted
                        </Directory>

                        #AdvertiseFrequency 5
                        #ServerAdvertise on http://...
                        EnableMCPMReceive
                        # ManagerBalancerName value must be lowercase !
                        ManagerBalancerName loadbalancer
                      </VirtualHost>

                       

                      domain.xml (or standalone.xml) for WildFly 9.XX:

                       

                      In mod-cluster, choose the ajp connector.

                       

                       

                      In domain.xml or standalone.xml add this listener:

                      <https-listener name="https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>

                       

                      Then transform the ajp listener like this:

                      <ajp-listener name="ajp" scheme="https" socket-binding="ajp" max-header-size="65536" max-post-size="65536" request-parse-timeout="10000"/>

                       

                      Then, in the case of the http listener:

                      <http-listener name="default" certificate-forwarding="true" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" max-header-size="65536" max-post-size="65536"/>

                      If not already done, delete the single-sign-on tag in default-server.

                       

                      Example of one realm:

                       

                      <security-domain name="AofRealm" cache-type="default">
                        <authentication>
                          <login-module code="Certificate" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                            <module-option name="securityDomain" value="realm"/>
                          </login-module>
                        </authentication>
                        <jsse keystore-password="XXXX" keystore-url="file:${jboss.domain.config.dir}/keystoreWeb.jks" truststore-password="XXXX" truststore-url="file:${jboss.domain.config.dir}/keystoreWeb.jks" client-auth="true"/>
                      </security-domain>

                       

                      Example of one host.xml:

                      <security-realms>
                        <security-realm name="SSLRealm">
                          <server-identities>
                            <ssl protocol="TLSv1">
                              <keystore path="keystoreWeb.jks" relative-to="jboss.domain.config.dir" keystore-password="XXXX" alias="alias"/>
                            </ssl>
                          </server-identities>
                          <authentication>
                            <truststore path="keystoreWeb.jks" relative-to="jboss.domain.config.dir" keystore-password="XXXX"/>
                          </authentication>
                        </security-realm>
                      </security-realms>

                       

                      Application

                       

                      1. web.xml:

                      <security-constraint>
                        <web-resource-collection>
                          <web-resource-name>Secure Content</web-resource-name>
                          <url-pattern>/faces/*</url-pattern>
                          <http-method>GET</http-method>
                          <http-method>POST</http-method>
                        </web-resource-collection>
                        <user-data-constraint>
                          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                        <auth-constraint>
                          <role-name>AOF</role-name>
                        </auth-constraint>
                      </security-constraint>
                      <security-role>
                        <role-name>AOF</role-name>
                      </security-role>
                      <login-config>
                        <!-- To activate kerberos put SPNEGO instead of FORM -->
                        <auth-method>CLIENT-CERT</auth-method>
                        <realm-name>realm</realm-name>
                        <form-login-config>
                          <form-login-page>/login.xhtml</form-login-page>
                          <form-error-page>/error.xhtml</form-error-page>
                        </form-login-config>
                      </login-config>

                       

                      and in jboss-web.xml, security-domain = realm