How to Secure Payara Server with Apache

Photo of Jonathan Coustick by Jonathan Coustick

In a previous blog of this series we set up Apache httpd to forward traffic to Payara Server. However, this only covers forwarding HTTP and not HTTPS. This blog will demonstrate how to secure Payara Server with Apache over HTTPS on Ubuntu.

 

What is HTTPS?

HTTPS, or Secure HTTP encrypts the traffic to prevent anyone from tampering with the message or eavesdropping on it, although this only works as long as both endpoints maintain the secure channel. You will know when you are on a website using HTTPS as your browser will display a green padlock to the left of the address bar and the URL will start with https:// as shown in Firefox:

 

image2017-2-21_12-18-20.png

 

How Do I Set up Apache to Forward HTTPS Requests?

Presuming that you have already set up Apache httpd as in the previous blog there are several additional modules that must be enabled. To enable them, use the a2enmod command as shown:

 

sudo a2enmod proxy proxy_ajp proxy_http rewrite 
proxy_balancer proxy_connect proxy_html xml2enc ssl

 

And then restart the server:

 

sudo service apache2 restart

 

At this point if you go to https://localhost in a browser it will return a 502 error. This is because you do not have an SSL certificate configured for use in the Apache web server.

 

How do I get an SSL certificate?

Both domain1 and payaradomain (default domains shipped with most distributions) come with sample, pregenerated SSL certificates that use Payara Limited Services as its OU for the localhost domain. Also, when creating a new domain in Payara Server, a new SSL certificate is generated in the same way for the current hostname of the machine where the command is run. However, this should NOT be used in production, it is strongly recommended that you get a custom certificate from a trusted Certificate Authority for production usage. For instructions on how to use a custom SSL certificate with Payara Server, see our blog post on "Securing Payara Server with Custom SSL Certificate". Both the keystore and truststore for Payara Server can be found in the config directory of the relevant Payara Server domain. The default certificate for Payara can be found in keystore.jks within that directory. The keystore used in Payara Server is a JKS or Java KeyStore; different to Apache Server which uses the PKCS12 type. The Java Keytool can be used to convert a JKS keystore to a PKCS12 store with the following steps:

  • Use the Keytool to export the public certificate as "public.cert"
  • Use the Keytool to convert the keystore to pkcs12 format as "mystore.p12"
  • Use openssl to 
keytool -export -alias s1as -keystore keystore.jks -rfc -file public.cert

keytool -importkeystore -srckeystore keystore.jks -destkeystore mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass mysecret -srcalias s1as -destalias s1as -destkeypass mykeypass -noprompt

openssl pkcs12 -in mystore.p12 -out mystore.pem -passin pass:mysecret -passout pass:mysecret

 

You will now have the files public.cert which is the SSL certificate and mystore.pem which is the key file and has the password of mysecret.

 

Editing the configuration

Now that you have the certificate and key you need to edit the Apache configuration file. If you followed the previous blog it will be under /etc/apache2/sites-available/payaraSite.confIf the file does not exist, run the following command to create it:

sudo cp /etc/apache2/sites-avaliable/000-default.conf /etc/apache2/sites-avaliable/payaraSite.conf

 

Now, you should find the following section in the file, which starts with <VirtualHost *:80> as below:

 

image1.png

 

Add the following configuration fragment:

<VirtualHost *:443>
 
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
 
        SSLProxyEngine On
        SSLProxyCheckPeerExpire on
 
        SSLCertificateFile /path/to/payara/payara41/glassfish/domains/domain1/config/public.cert
        SSLCertificateKeyFile /path/to/payara/payara41/glassfish/domains/domain1/config/mystore.pem
 
        ProxyRequests Off
        ProxyPreserveHost Off
 
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
 
</VirtualHost>

 

Note that the Payara Server port we are proxying to is still the HTTP port. This is because the Payara Server instance is local to the Apache webserver, so encryption is not needed at this point and would slow things down. Port 8080 should not be exposed to the internet and should be behind a firewall. For 

 

The default certificate is only valid for localhost and will return a 502 error if you try accessing it via the 127.0.0.1 address or your hostname. SSLProxyCheckPeerExpire makes sure that the certificate is not out of date.SSLCertificateFile and SSLCertificateKeyFile are the paths for the both the certificate and private key files respectively.

 

Now restart the ApacheServer.

sudo service apache2 restart

 

You will be required to type in the password for your key file, which will be set to the value used earlier of mysecret. You will be required to type it in every time the Apache server starts.

 

Storing the key password

It is very important to note that it is a security risk to store this password on the server. In production, this file must be encrypted, but it is better not to store it at all.

 

To avoid retyping the password for the key every time you restart Apache, you can create a bash script to automatically input the password. As the root user in the /etc/apache2 directory, create a file called "password.sh". Open it with your preferred text editor and write the following:

 

#!/bin/sh
echo "mysecret"

Where mysecret is the password of the key file if you set it to be something other than the default. Then make the file executable by running

sudo chmod +x /etc/apache2/password.sh

 

Finally, add the following configuration element in your virtual host definition:

SSLPassPhraseDialog exec:/etc/apache2/password.sh

 

Now when you start Apache you will no longer be asked for the password to your keyfile. If you go to https://localhost you will see a security warning which should look something like this:

 

image2.png

 

This is because you are using a self-signed certificate rather than an externally verified certificate issued by a Certificate Authority such as LetsEncrypt or Verisign. Click on Advanced and then Add Security Exception you will be able to reach the Payara Server home page.

 

image3.png

 

Success! You have now reached Payara’s welcome screen using HTTPS.

 

 

Related Posts

Comments