Thursday

Implementing SSL in Liferay with Apache Web Server

CheckLists & Pre-requisites

Configuring Apache Web Server with Liferay - http

Apache WebServer Changes

  • Make sure Apache Web server is running. Open your favorite browser and type http://localhost

  • You should be able to see a page which displays "It works"

  • Go to your Apache installation directory and open httpd.conf file under conf directory

  • Uncomment the following lines

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

LoadModule proxy_connect_module modules/mod_proxy_connect.so

LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

LoadModule proxy_http_module modules/mod_proxy_http.so

  • At the very end of the file append the following

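# A reverse proxy (ProxyPass) does not need forward proxying; leaving it on makes Apache an open proxy
ProxyRequests Off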

ProxyPass / http://localhost:8080/

ProxyPassReverse / http://localhost:8080/

  • Restart Apache Web server
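A check for the proxy section above, as an added example that is not part of the original post. ProxyPass works without forward proxying, so the function flags an active `ProxyRequests On` and any proxy scheme module that no ProxyPass target uses (mod_proxy_connect only serves the CONNECT method of a forward proxy). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample based on the post's proxy lines; the commented-out
# LoadModule line is there to exercise comment skipping.
sample_conf() {
cat <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ProxyRequests On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
EOF
}

# Reads httpd.conf text from a file argument (or stdin). Prints one finding per
# line and returns 1 if forward proxying is on or a scheme module is unused.
lint_proxy_conf() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out directive
    { d = tolower($1) }                      # directive names are case-insensitive
    d == "proxyrequests" && tolower($2) == "on" {
        print "FORWARD_PROXY line " NR; bad = 1
    }
    d == "loadmodule" && $2 ~ /^proxy_(ajp|ftp|connect|balancer)_module$/ {
        loaded[$2] = NR
    }
    # "ProxyPass / http://host/" needs proxy_http_module, "ajp://" needs proxy_ajp_module, ...
    d == "proxypass" { s = $3; sub(/:.*/, "", s); used["proxy_" s "_module"] = 1 }
    END {
        for (m in loaded)
            if (!(m in used)) { print "UNUSED_MODULE " m " line " loaded[m]; bad = 1 }
        exit bad + 0
    }' "${1:--}"
}

# Run against the constructed sample; findings are printed, exit status ignored here.
sample_conf | lint_proxy_conf || true
```

Run it against a real file with `lint_proxy_conf conf/httpd.conf`; an empty result with exit status 0 means only the modules needed by the configured ProxyPass targets are loaded and forward proxying is off.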

Liferay Changes

  • Open your portal-ext.properties in Liferay

  • Add the following lines

web.server.http.port=80

web.server.https.port=443

  • Restart Liferay.

  • Open your browser and type http://localhost.

  • You should be able to see your Liferay homepage.

  • You have now configured Liferay to work with the Apache web server.


Creating Self-signed SSL certificate

Pre-requisites

  • Open the OpenSSL toolkit that you have installed

Generating Private Key

  • The first step is to create your RSA Private Key.

  • This key is a 1024-bit RSA key which is encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.

  • On the toolkit command prompt type the following

genrsa -des3 -out server.key 1024

  • It will create server.key

Generate a CSR (Certificate Signing Request)

  • Once the private key is generated a Certificate Signing Request can be generated.

  • The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign, who will verify the identity of the requestor and issue a signed certificate.

  • The second option is to self-sign the CSR, which we will do.

  • During the generation of the CSR, you will be prompted for several pieces of information.

  • The command to generate the CSR is as follows

req -new -key server.key -out server.csr

Remove Passphrase from key

  • Make another copy of server.key and name it as server.key.org

  • Type the following at the OpenSSL toolkit command prompt

rsa -in server.key.org -out server.key

Generate a self-signed certificate

  • At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate.

  • This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

  • To generate a temporary certificate which is good for 365 days, issue the following command

x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

  • You should have server.key, server.csr and server.crt generated at this step
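The key, CSR and certificate steps above as one non-interactive script, added here as an example that is not part of the original post. It runs from a normal shell (hence the `openssl` prefix) and generalizes the post's commands by using a 2048-bit key and SHA-256 instead of 1024 bits, since publicly trusted CAs no longer sign 1024-bit RSA keys. The function names, the CN `localhost` and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Key -> CSR -> self-signed certificate, as in the steps above, without prompts.
make_selfsigned() {
    dir=$1; cn=$2
    # 2048-bit key written without a passphrase (the state the post reaches after
    # "Remove Passphrase from key"); umask keeps it readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # -subj answers the CSR prompts on the command line.
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# RSA modulus size of a certificate, in bits.
rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the certificate carries the public half of the given private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Checks to run before copying the files into Apache's conf directory.
audit_cert() {
    bits=$(rsa_bits "$2")
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-?} bits"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key and certificate differ"; return 1; }
    echo "ok: $bits-bit key matches certificate"
}

# Demo in a throwaway directory; CN "localhost" matches the URL used in the post.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d) && make_selfsigned "$d" localhost &&
        audit_cert "$d/server.key" "$d/server.crt"
    rm -rf "$d"
fi
```

Running `audit_cert server.key server.crt` on files produced with the post's 1024-bit command reports `weak key: 1024 bits`.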


Configuring Apache Web Server with Liferay - https

  • Copy server.key, server.csr and server.crt generated to conf directory of Apache.

  • Open httpd.conf in Apache and uncomment the following lines to enable mod_ssl and the configuration file for https

LoadModule ssl_module modules/mod_ssl.so

Include conf/extra/httpd-ssl.conf

  • Restart your Apache web server

  • Open your browser and type https://localhost

  • You should be able to see your Liferay main page over https

Configuring login and create account page for https

  • Open your portal-ext.properties and add the following property

company.security.auth.requires.https=true

  • Restart Tomcat

  • Open your browser and type http://localhost

  • Click on sign in or create account page. This should change the protocol to https

  • Enter your credentials and log in to the application. The protocol should change back to http once the user is logged in, so the session cookie then travels unencrypted.

Disabling https with apache web server

  • Comment out or remove the following properties in portal-ext.properties

web.server.http.port=80

web.server.https.port=443

company.security.auth.requires.https=true

  • Restart Tomcat.

  • Tomcat now runs on its own without Apache. You have to access the application using http://localhost:8080

5 comments:

  1. Our website set-up has recently changed from Windows Server 2003 to Apache (after being recommended by an IT expert), to which I found your post on implementing SSL Certificates on the Apache Server particularly useful. Thanks for posting this!

  2. Is there a way that we can implement SSL with only Tomcat and keytool?

    I'm researching that but I couldn't find anything that guides to that.

  3. Hi,

    You may want to check out this wiki

    https://www.liferay.com/community/wiki/-/wiki/Main/HTTPS+Architecture+with+Liferay

  4. Thanks a lot. You made it real easy.
