Thursday, August 27, 2009

Configure SSL in Apache server and Monitoring Apache in Https mode using JMX

This post explains how to enable SSL in the Apache HTTP server and how to use JMX to monitor the Apache web server.

-: Configure SSL in Apache Web server and Monitoring Apache in Https mode using JMX :-

1) Downloading Software.
2) Installation of Apache web server.
3) Creation of key and certificate for SSL.
4) Changes required in Apache configuration files for enabling SSL.
5) Changes required in Apache configuration files for monitoring.
6) References.

1) First download the Apache HTTP server build with the OpenSSL feature from here:-
For Windows, you can now download “apache_2.2.11-win32-x86-openssl-0.9.8i.msi”.

For UNIX:-
It will show you a list of operating systems. Choose your OS, then choose an rpm package and install it on the Linux machine.

2) After downloading, install it on your operating system. We need the “openssl” command for this; it comes with the software installation package.
After installing the Apache server, go to its “bin” sub-directory and copy “conf/openssl.cnf” into the bin directory.

3) Now create a key and a certificate for Apache to use.

openssl req -config openssl.cnf -new -out apacheserver.csr -keyout apacheserver.pem

You'll be prompted to answer a bunch of questions, the answers to which can all be left blank except for:
• PEM pass phrase: This is the password associated with the private key (apacheserver.pem) that you're generating. This will only be used in the next step, so make it anything you like, but don't forget it.

• Common Name: This should be the fully-qualified domain name associated with this certificate. I have given here “”.

Now we need to create a non-password protected key for Apache to use:

openssl rsa -in apacheserver.pem -out apacheserver.key

You'll be prompted for the password that you created above, after which a file called “apacheserver.key” should appear in your folder.

Finally, we need to create an X.509 certificate, which Apache also requires:

openssl x509 -in apacheserver.csr -out apacheserver.cert -req -signkey apacheserver.key -days 365

And that's it - you now have a self-signed certificate that Apache can use to enable SSL.

4) Now move these files (apacheserver.key and apacheserver.cert) to a directory of your choice. I created an “ssl” folder inside the “conf” folder of Apache_Install_Directory and pasted them into the newly created “ssl” folder.
You have to give this path in the Apache config files, as explained later.

Open your httpd.conf file (which for me is in “conf” folder of Apache installation directory) and uncomment (remove the # sign) the following lines:
#LoadModule ssl_module modules/
#Include conf/extra/httpd-ssl.conf

Open your httpd-ssl.conf file (which for me is in “Apache_Install_Dir\conf\extra\”) and update the section entitled .
You'll need to update the values of ServerAdmin, DocumentRoot, ServerName, ErrorLog and CustomLog to match your environment. I have put the following:

Listen 443

#General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"

You'll also need to point SSLCertificateFile to your .cert file and SSLCertificateKeyFile to your .key file.
I used the following:

SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/apacheserver.cert"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/apacheserver.key"

Now restart your Apache HTTP web server; it will start working in HTTPS mode. Now type:-

5) Monitoring Apache Web servers in HTTPS mode:-

The Collector uses HTTP to access the Apache server status page. If you wish to monitor an Apache web server running in HTTPS mode, you must create a virtual host running in HTTP mode on the Apache server, bind it to a specific port, then configure the Collector to use that port.

Enable this module in the “httpd.conf” file:
LoadModule status_module modules/

And add these lines to the “httpd.conf” file:
ExtendedStatus on

SetHandler server-status
Order deny,allow
Deny from none
Allow from

For example, to enable the Collector to access an Apache server's status page on port 1234:

* Create a virtual host by adding the following configuration to the Apache Web server configuration file (httpd.conf file):
Listen 1234

SetHandler server-status
Order deny,allow
Deny from none
Allow from

After making all the changes, restart your Apache server. It will listen for HTTP on ports 80 and 1234 and for HTTPS on port 443.
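
How the Order/Deny/Allow lines in the status blocks above decide which clients reach the status page under Apache 2.2, as an added example that is not code from the original post: with `Order deny,allow`, a client matching no Deny or Allow line is admitted, so the check compares `Deny from none` with `Deny from all`. The `<Location /server-status>` container, the collector address 192.0.2.10 and the simplified matcher are assumptions.

```python
import re

# Constructed samples, not the post's config: the <Location /server-status>
# container and the collector address 192.0.2.10 are assumptions.
PAGE_STYLE = """
Listen 1234
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from none
    Allow from 192.0.2.10
</Location>
"""
HARDENED = PAGE_STYLE.replace("Deny from none", "Deny from all")

def status_blocks(conf):
    """Yield (order, deny_specs, allow_specs) for each Location serving server-status."""
    for body in re.findall(r"<Location[^>]*>(.*?)</Location>", conf, re.S | re.I):
        if not re.search(r"^\s*SetHandler\s+server-status\s*$", body, re.M | re.I):
            continue
        order, rules = "deny,allow", {"deny": [], "allow": []}  # 2.2 default Order
        for line in body.splitlines():
            words = line.split()
            if len(words) >= 2 and words[0].lower() == "order":
                order = "".join(words[1:]).lower()
            elif len(words) >= 3 and words[0].lower() in rules and words[1].lower() == "from":
                rules[words[0].lower()] += words[2:]
        yield order, rules["deny"], rules["allow"]

def matches(specs, ip):
    # Simplified matcher: "all" or an exact IP literal only (no hostnames,
    # partial addresses or CIDR), so "none" matches no client here.
    return any(s.lower() == "all" or s == ip for s in specs)

def allowed(order, deny, allow, ip):
    denied, permitted = matches(deny, ip), matches(allow, ip)
    if order == "deny,allow":   # default allow; an Allow match overrides a Deny match
        return permitted or not denied
    if order == "allow,deny":   # default deny; a Deny match overrides an Allow match
        return permitted and not denied
    raise ValueError("unsupported Order: " + order)

def exposed_to(conf, ip):
    """True if any server-status block in conf admits the client ip."""
    return any(allowed(o, d, a, ip) for o, d, a in status_blocks(conf))

if __name__ == "__main__":
    for name, conf in (("page-style", PAGE_STYLE), ("hardened", HARDENED)):
        for ip in ("192.0.2.10", "198.51.100.7"):   # collector, unrelated client
            print(name, ip, "admitted" if exposed_to(conf, ip) else "refused")
```

Run it against your own httpd.conf text with the collector's address and an address that should not have access; the second should come back refused.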

6) Reference:-

