Setting up an Apache Web Server with mod_jk

Instead of using a proxy you can use mod_jk which uses a JK connector between Apache and Tomcat. This allows combining it with mod_rewrite to have any type of external URLs, for OCSP, CRLs etc, and mapping them to other URLs in EJBCA.

This section covers how to use an Apache with mod_jk in front of EJBCA. The resulting server will:

  • Display EJBCA public web at http://demo.primekey.se/
  • Require a client SSL certificate when accessing https://demo.primekey.se/, which works for the admin-GUI.

This example was created on Ubuntu 64-bit Server 8.10 using the Apache Web Server 2.2 package but should be easy to adapt to any system able to run Apache.

# sudo apt-get install apache2 libapache2-mod-jk
# vim /etc/libapache2-mod-jk/workers.properties
-----
worker.list=jboss

# Define a worker using ajp13
worker.jboss.port=8009
worker.jboss.host=127.0.0.1
worker.jboss.type=ajp13
-----
# vim /etc/apache2/sites-available/demo.primekey.se
-----
<VirtualHost demo.primekey.se:80>
  # We must disable default charset or everything will be ISO-8859-1,
  AddDefaultCharset off
  ServerAdmin webmaster@primekey.se
  ServerName demo.primekey.se
  ServerAlias demo.primekey.se

  JkLogFile /var/log/apache2/mod_jk.log
  JkLogLevel debug

  JkMount /* jboss
  JkMount / jboss
</VirtualHost>

<VirtualHost demo.primekey.se:443>>
  # We must disable default charset or everything will be ISO-8859-1,
  AddDefaultCharset off
  ServerAdmin webmaster@primekey.se
  ServerName demo.primekey.se
  ServerAlias demo.primekey.se

  SSLEngine on
  
  JkLogFile /var/log/apache2/mod_jk.log
  JkLogLevel debug

  JkMount /* jboss
  JkMount / jboss

  # JkExtractSSL is On by default
  # JkExtractSSL On
</VirtualHost>
-----
# vim /etc/apache2/mods-available/ssl.conf
-----
SSLVerifyClient require
SSLVerifyDepth 3

SSLCACertificateFile /etc/apache2/ssl/apache-CA.pem
SSLCertificateFile /etc/apache2/ssl/apache.pem

SSLOptions +StdEnvVars +ExportCertData
-----
# vim /etc/apache2/mods-available/jk.load
-----
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
-----

Now enable ssl.load and ssl.conf in /etc/apache2/mods-enabled.

Finally restart Apache and go to http://demo.primekey.se/ (or https). Note that the same security considerations as for using proxy applies.

To enable an AJP connector in JBoss 7 / EAP 6, run the following command:

/subsystem=web/connector=ajp:add(socket-binding=ajp, protocol="AJP/1.3", enabled=true, scheme="http")

If you are using External OCSP Responders, ensure that the following line is included in the file apache2.conf:

KeepAlive Off

If not, Apache will hang.

It is also recommended to add the following lines to the Virtual Host configuration, to enable specifying only the server name instead of the full URL:

RewriteEngine on
  RewriteRule .* /ejbca/publicweb/status/ocsp [PT]

  JkMount /ejbca/publicweb/status/ocsp/* ocsp_worker
  JkMount /ejbca/publicweb/status/ocsp ocsp_worker