Setting up an Apache Web Server with mod_jk

Instead of using a proxy you can use mod_jk which uses a JK connector between Apache and Tomcat. This allows combining it with mod_rewrite to have any type of external URLs, for OCSP, CRLs etc, and mapping them to other URLs in EJBCA.

This section covers how to use an Apache with mod_jk in front of EJBCA. The resulting server will:

  • Display EJBCA public web at http://demo.primekey.se/

  • Require a client SSL certificate when accessing https://demo.primekey.se/, which works for the admin-GUI.

This example was created on Ubuntu 64-bit Server 8.10 using the Apache Web Server 2.2 package but should be easy to adapt to any system able to run Apache.

# sudo apt-get install apache2 libapache2-mod-jk
# vim /etc/libapache2-mod-jk/workers.properties
-----
worker.list=jboss
 
# Define a worker using ajp13
worker.jboss.port=8009
worker.jboss.host=127.0.0.1
worker.jboss.type=ajp13
-----
# vim /etc/apache2/sites-available/demo.primekey.se
-----
<VirtualHost demo.primekey.se:80>
# We must disable default charset or everything will be ISO-8859-1,
AddDefaultCharset off
ServerAdmin webmaster@primekey.se
ServerName demo.primekey.se
ServerAlias demo.primekey.se
 
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel debug
 
JkMount /* jboss
JkMount / jboss
</VirtualHost>
 
<VirtualHost demo.primekey.se:443>>
# We must disable default charset or everything will be ISO-8859-1,
AddDefaultCharset off
ServerAdmin webmaster@primekey.se
ServerName demo.primekey.se
ServerAlias demo.primekey.se
 
SSLEngine on
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel debug
 
JkMount /* jboss
JkMount / jboss
 
# JkExtractSSL is On by default
# JkExtractSSL On
</VirtualHost>
-----
# vim /etc/apache2/mods-available/ssl.conf
-----
SSLVerifyClient require
SSLVerifyDepth 3
 
SSLCACertificateFile /etc/apache2/ssl/apache-CA.pem
SSLCertificateFile /etc/apache2/ssl/apache.pem
 
SSLOptions +StdEnvVars +ExportCertData
-----
# vim /etc/apache2/mods-available/jk.load
-----
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
-----

Now enable ssl.load and ssl.conf in /etc/apache2/mods-enabled.

Finally restart Apache and go to http://demo.primekey.se/ (or https). Note that the same security considerations as for using proxy applies.

To enable an AJP connector in JBoss 7 / EAP 6, run the following command:

/subsystem=web/connector=ajp:add(socket-binding=ajp, protocol="AJP/1.3", enabled=true, scheme="http")

If you are using External OCSP Responders, ensure that the following line is included in the file apache2.conf:

KeepAlive Off

If not, Apache will hang.

It is also recommended to add the following lines to the Virtual Host configuration, to enable specifying only the server name instead of the full URL:

RewriteEngine on
RewriteRule .* /ejbca/publicweb/status/ocsp [PT]
 
JkMount /ejbca/publicweb/status/ocsp/* ocsp_worker
JkMount /ejbca/publicweb/status/ocsp ocsp_worker