How to Secure Payara Server with Apache

In a previous blog of this series we set up Apache httpd to forward traffic to Payara Server. However, this only covers forwarding HTTP and not HTTPS. This blog will demonstrate how to secure Payara Server with Apache over HTTPS on Ubuntu.

What is HTTPS?

HTTPS, or Secure HTTP encrypts the traffic to prevent anyone from tampering with the message or eavesdropping on it, although this only works as long as both endpoints maintain the secure channel. You will know when you are on a website using HTTPS as your browser will display a green padlock to the left of the address bar and the URL will start with https:// as shown in Firefox:

How Do I Set up Apache to Forward HTTPS Requests?

Presuming that you have already set up Apache httpd as in the previous blog there are several additional modules that must be enabled. To enable them, use the a2enmod command as shown:

sudo a2enmod proxy proxy_ajp proxy_http rewrite 
proxy_balancer proxy_connect proxy_html xml2enc ssl

And then restart the server:

sudo service apache2 restart

At this point if you go to https://localhost in a browser it will return a 502 error. This is because you do not have an SSL certificate configured for use in the Apache web server.

How do I get an SSL certificate?

Both domain1 and payaradomain (default domains shipped with most distributions) come with sample, pregenerated SSL certificates that use Payara Limited Services as its OU for the localhost domain. Also, when creating a new domain in Payara Server, a new SSL certificate is generated in the same way for the current hostname of the machine where the command is run. However, this should NOT be used in production, it is strongly recommended that you get a custom certificate from a trusted Certificate Authority for production usage. For instructions on how to use a custom SSL certificate with Payara Server, see our blog post on "Securing Payara Server with Custom SSL Certificate". Both the keystore and truststore for Payara Server can be found in the config directory of the relevant Payara Server domain. The default certificate for Payara can be found in keystore.jks within that directory. The keystore used in Payara Server is a JKS or Java KeyStore; different to Apache Server which uses the PKCS12 type. The Java Keytool can be used to convert a JKS keystore to a PKCS12 store with the following steps:

• Use the Keytool to export the public certificate as "public.cert"
• Use the Keytool to convert the keystore to pkcs12 format as "mystore.p12"
• Use openssl to 

keytool -export -alias s1as -keystore keystore.jks -rfc -file public.cert

keytool -importkeystore -srckeystore keystore.jks -destkeystore mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass mysecret -srcalias s1as -destalias s1as -destkeypass mykeypass -noprompt

openssl pkcs12 -in mystore.p12 -out mystore.pem -passin pass:mysecret -passout pass:mysecret

You will now have the files public.cert which is the SSL certificate and mystore.pem which is the key file and has the password of mysecret.

Editing the configuration

Now that you have the certificate and key you need to edit the Apache configuration file. If you followed the previous blog it will be under /etc/apache2/sites-available/payaraSite.conf. If the file does not exist, run the following command to create it:

sudo cp /etc/apache2/sites-avaliable/000-default.conf /etc/apache2/sites-avaliable/payaraSite.conf

 

Now, you should find the following section in the file, which starts with <VirtualHost *:80> as below:

Add the following configuration fragment:

<VirtualHost *:443>
 
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
 
        SSLProxyEngine On
        SSLProxyCheckPeerExpire on
 
        SSLCertificateFile /path/to/payara/payara41/glassfish/domains/domain1/config/public.cert
        SSLCertificateKeyFile /path/to/payara/payara41/glassfish/domains/domain1/config/mystore.pem
 
        ProxyRequests Off
        ProxyPreserveHost Off
 
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
 
</VirtualHost>

The default certificate is only valid for localhost and will return a 502 error if you try accessing it via the 127.0.0.1 address or your hostname. SSLProxyCheckPeerExpire makes sure that the certificate is not out of date.SSLCertificateFile and SSLCertificateKeyFile are the paths for the both the certificate and private key files respectively.

Now restart the ApacheServer.

sudo service apache2 restart

 

You will be required to type in the password for your key file, which will be set to the value used earlier of mysecret. You will be required to type it in every time the Apache server starts.

Storing the key password

To avoid retyping the password for the key every time you restart Apache, you can create a bash script to automatically input the password. As the root user in the /etc/apache2 directory, create a file called "password.sh". Open it with your preferred text editor and write the following:

#!/bin/sh
echo "mysecret"

Where mysecret is the password of the key file if you set it to be something other than the default. Then make the file executable by running

sudo chmod +x /etc/apache2/password.sh

 

Finally, add the following configuration element in your virtual host definition:

SSLPassPhraseDialog exec:/etc/apache2/password.sh

 

Now when you start Apache you will no longer be asked for the password to your keyfile. If you go to https://localhost you will see a security warning which should look something like this:

This is because you are using a self-signed certificate rather than an externally verified certificate issued by a Certificate Authority such as LetsEncrypt or Verisign. Click on Advanced and then Add Security Exception you will be able to reach the Payara Server home page.

Success! You have now reached Payara’s welcome screen using HTTPS.