Using multiple SSL certificates in a single tomcat instance

I know that tomcat can handle multiple SSL certificates by setting up multiple connectors listening on different IP addresses, but is it possible to configure them on the same IP address?

The situation is that we have several web applications running on the same Tomcat instance. Our server has only 1 static IP address. Tomcat is configured to work with virtual hosts, so depending on the domain it serves a different application. However, if we want to use SSL in one of these applications, I predict that we may have problems.

Does anyone have more experience in this area?

+4
3 answers

To be able to use multiple certificates on the same IP address and port, you need Server Name Indication (SNI) support. Unfortunately, this was introduced in Java 7 on the client side only.

(There are still problems with SNI support on the client side, especially due to the lack of support in any version of IE on Windows XP, Java 6 and below, and some mobile browsers.)

The workaround for this is to use a single certificate that supports multiple host names. The preferred way to do this is to have a certificate with multiple Subject Alternative Names (SANs). Otherwise, if the names follow a pattern, a wildcard certificate may be appropriate (e.g. *.example.com for www.example.com and secure.example.com).

Apache Httpd supports SNI, so you can solve your problem by using a different VirtualHost for each hostname you want to serve, and a reverse proxy to a different Tomcat configuration for each host.

+5
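The SNI mechanism this answer says is required, and the single multi-name (SAN) certificate it proposes as the workaround, shown with a throwaway TLS server and client. This is an added example, not code from the thread: it uses only the Python standard library plus the `openssl` CLI (assumed to be on PATH, 1.1.1 or later for `-addext`) to mint short-lived self-signed certificates for two constructed names, www.example.com and secure.example.com, on 127.0.0.1. The first setup serves one certificate per name and switches between them in the server's `sni_callback`; a client that sends no SNI gets the default certificate, which is exactly the mismatch the old clients named above run into. The second setup serves one certificate whose SAN lists both names, which needs no SNI at all.

```python
"""Added demo: one IP:port, certificate chosen by SNI, versus one SAN cert."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir, names):
    """Self-signed cert with CN=names[0] and a SAN listing every name.
    Shells out to the openssl CLI (assumed on PATH; -addext needs 1.1.1+)."""
    base = os.path.join(workdir, "_".join(names))
    key, crt = base + ".key", base + ".crt"
    san = ",".join("DNS:" + n for n in names)
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + names[0],
         "-addext", "subjectAltName=" + san],
        check=True, capture_output=True)
    return crt, key


class SniServer:
    """TLS listener on 127.0.0.1 that picks its certificate from the SNI name.
    cert_files: {hostname: (crt, key)}; the first entry is the default, served
    to clients that send no SNI or an unknown name."""

    def __init__(self, cert_files):
        self.contexts = {}
        for host, (crt, key) in cert_files.items():
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(crt, key)
            self.contexts[host] = ctx
        self.default = next(iter(self.contexts.values()))
        # Runs during the handshake with the ClientHello's server_name.
        self.default.sni_callback = self._select_context
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _select_context(self, tls_sock, server_name, _ctx):
        chosen = self.contexts.get(server_name)
        if chosen is not None:
            tls_sock.context = chosen  # swaps the certificate that will be sent

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listener shut down by close()
            try:
                with self.default.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # hold the session until the client hangs up
            except (ssl.SSLError, OSError):
                pass  # a failed handshake only affects that one client

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def presented_cert(port, server_name, cafile):
    """Connect, verify the chain against cafile, return (CN, sorted DNS SANs).
    server_name=None sends no SNI at all, like a legacy client."""
    ctx = ssl.create_default_context(cafile=cafile)
    if server_name is None:
        ctx.check_hostname = False  # nothing to match; chain is still verified
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    cn = dict(rdn[0] for rdn in cert["subject"])["commonName"]
    sans = sorted(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    return cn, sans


def run_demo(hosts=("www.example.com", "secure.example.com")):
    """Setup 1: one cert per name, selected by SNI. Setup 2: a single cert whose
    SAN covers both names. Returns what each client connection saw."""
    with tempfile.TemporaryDirectory() as workdir:
        per_host = {h: make_self_signed(workdir, [h]) for h in hosts}
        san_crt, san_key = make_self_signed(workdir, list(hosts))
        trust = os.path.join(workdir, "trust.pem")  # constructed trust store
        with open(trust, "wb") as out:
            for crt in [c for c, _ in per_host.values()] + [san_crt]:
                with open(crt, "rb") as f:
                    out.write(f.read())
        results = {}
        srv = SniServer(per_host)
        try:
            for h in hosts:
                results["sni:" + h] = presented_cert(srv.port, h, trust)[0]
            results["sni:none"] = presented_cert(srv.port, None, trust)[0]
        finally:
            srv.close()
        srv = SniServer({hosts[0]: (san_crt, san_key)})
        try:
            for h in hosts:
                results["san:" + h] = presented_cert(srv.port, h, trust)
        finally:
            srv.close()
        return results
```

Call `run_demo()`: the `sni:` entries are the CN each client was given, and `sni:none` is what a client without SNI gets, namely the default certificate regardless of which site it wanted. The `san:` entries show the single certificate verifying cleanly for either name without SNI. The same `-addext subjectAltName=DNS:...,DNS:...` line is what you would put in a CSR for a real CA when going the SAN-certificate route.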

I do not believe that you will succeed with 1 IP address, but you can use multiple ports:

    <!-- A second HTTPS connector on its own port, with its own keystore -->
    <Connector port="9001" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>

then https://myurl:9001/

For your connections, though, I personally would put it behind Apache httpd as a reverse proxy, since it gives you more flexibility and more security with proper configuration.

+1

I'm not sure here if "SNI" really matters.

But in your case, a typical solution would be so-called SSL offloading or SSL termination: i.e. put your Tomcat behind Apache, which is configured to use multiple vhosts / domain names on the same IP. You can configure each vhost in Apache to use its own SSL certificate.

Below is a step-by-step guide for this topic:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

0
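The Apache httpd front end that the first answer (one SNI VirtualHost per hostname, reverse-proxied to Tomcat) and this answer (SSL termination with a certificate per vhost) both propose, written out as an added example rather than the linked guide's configuration. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded, that Tomcat's plain HTTP connector is on 127.0.0.1:8080, and the hostnames and certificate paths shown; it proxies over HTTP rather than the mod_jk/AJP route the linked guide uses.

```apache
# Added example, not from the original thread. Two name-based HTTPS vhosts on
# the same IP and port, each with its own certificate, both proxied to one
# Tomcat instance on 127.0.0.1:8080 (assumed). Hostnames and paths are assumed.
Listen 443

# The first *:443 vhost is also the default: a client that sends no SNI is
# given this certificate, so put the name legacy clients are likeliest to use
# here. Intermediate certificates go into the SSLCertificateFile after the leaf.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Pass the original Host header through so Tomcat's own virtual hosts
    # still pick the right application.
    ProxyPreserveHost On
    # TLS ends here; tell Tomcat the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two checks a practitioner will want after this. First, Tomcat only sees plain HTTP from the proxy, so `request.isSecure()` and scheme-based redirects are wrong unless Tomcat is told about the X-Forwarded-Proto header: add `<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto"/>` to the relevant `<Host>` or `<Engine>` in server.xml. Second, confirm that SNI selection really happens from outside with `openssl s_client -connect <ip>:443 -servername secure.example.com` and again with `-servername www.example.com`; the subject of the returned certificate should change with the name, and a run without `-servername` shows what non-SNI clients will be given.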

Source: https://habr.com/ru/post/958770/

