Let s Encrypt Apache Tomcat * * Full disclosure: Tomcat will not actually be encrypted.

Similar documents
SSL/TLS Certificate Generation

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

Wildcard Certificates

Provisioning Certificates

LET S ENCRYPT WITH PYTHON WEB APPS. Joe Jasinski Imaginary Landscape

SSL/TLS Certificate Generation

eroaming platform Secure Connection Guide

SSL/TLS Certificate Generation

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

SSL Configuration Oracle Banking Liquidity Management Release [April] [2017]

SAML with ADFS Setup Guide

Configuring the RTP Server

Teradici PCoIP Connection Manager 1.8 and Security Gateway 1.14

Weblogic Configuration Oracle FLEXCUBE Investor Servicing Release [October] [2015]

Weblogic Configuration Oracle FLEXCUBE Universal Banking Release [May] [2017]

Using ISE 2.2 Internal Certificate Authority (CA) to Deploy Certificates to Cisco Platform Exchange Grid (pxgrid) Clients

The State of TLS in httpd 2.4. William A. Rowe Jr.

How to convert.crt SSL Certificate to.pfx format (with openssl Linux command) and Import newly generated.pfx to Windows IIS Webserver

Unified Management Portal

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

ADFS Setup (SAML Authentication)

Assuming you have Icinga 2 installed properly, and the API is not enabled, the commands will guide you through the basics:

Avaya Aura Experience Portal 7.2 Mobile Web Best Practices Guide Issue 1.0

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation

1 Configuring SSL During Installation

How to use an EPR certificate with the MESH client

Avaya Callback Assist Application Notes for SSL or TLS Configuration

Public Key Infrastructure. What can it do for you?

Server software page. Certificate Signing Request (CSR) Generation. Software

Public Key Enabling Oracle Weblogic Server

Comprehensive Setup Guide for TLS on ESA

How to Enable Client Certificate Authentication on Avi

Let s Encrypt and DANE

Security. DevOps Bootcamp, OSU, Feb 2015 Kees Cook (pronounced Case )

Development Guide. BlackBerry Dynamics SDK for Windows 10

Configuring CA WA Agent for Application Services to Work with IBM WebSphere Application Server 8.x

Install the ExtraHop session key forwarder on a Windows server

Cisco WCS Server Hardening

GlobalForms SSL Installation Tech Brief

How to Configure SSL Interception in the Firewall

13/11/2014. Pa rt 2 S S L i m p a c t a n d o p t i m i s a t i o n. Pa rt 1 A b o u t S S L C e r t f i c a t e s. W h a t i s S S L / T L S

SSL or TLS Configuration for Tomcat Oracle FLEXCUBE Universal Banking Release [December] [2016]

Using Certificates with HP Network Automation

Creating an authorized SSL certificate

X-road MISP2 installation and configuration guide. Version 1.20

Certificate Renewal on Cisco Identity Services Engine Configuration Guide

Oracle WebLogic Server 11g: Administration Essentials

Apache Server Configuration for FLEXCUBE Oracle FLEXCUBE Universal Banking Release [December] [2017]

Genesys Security Deployment Guide. What You Need

No-Nonsense Guide to SSL

# Application server configuration

Apache Server Configuration for FLEXCUBE Oracle FLEXCUBE Universal Banking Release [May] [2016]

apiman - Installation Guide

Encryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018

Configure DNA Center Assurance for Cisco ISE Integration

Apache Tomcat 9. Preview. Mark Thomas, August Pivotal Software, Inc. All rights reserved.

Certificate Properties File Realm

Configure Cisco DNA Assurance

FileAudit Plus. Steps for Enabling SSL: The following steps will help you in the installation of SSL certificate in FileAudit Plus

Symantec Data Center Security Installation Guide. Version 6.5

COPYRIGHTED MATERIAL

MSE System and Appliance Hardening Guidelines

HP Operations Orchestration

DPI-SSL. DPI-SSL Overview

Application notes for supporting third-party certificate in Avaya Aura System Manager 6.3.x and 7.0.x. Issue 1.3. November 2017

Scan Report Executive Summary

Configuring SSL Security

Datapath. Encryption

Configuring Cisco Unified MeetingPlace Web Conferencing Security Features

An internal CA that is part of your IT infrastructure, like a Microsoft Windows CA

SAS Event Stream Processing 5.2: Visualizing Event Streams with Streamviewer

Datapath. Encryption

SSL Configuration on WebSphere Oracle FLEXCUBE Universal Banking Release [February] [2016]

CA Spectrum. Common Access Card Authentication Solution Guide. Release 9.4

AirWatch Mobile Device Management

Oracle B2B 11g Technical Note. Technical Note: 11g_006 Security. Table of Contents

Protecting MySQL network traffic. Daniël van Eeden 25 April 2017

jetnexus Virtual Load Balancer

VMware vrealize Operations for Horizon Security. VMware vrealize Operations for Horizon 6.5

Avaya Callback Assist Application Notes for HTTPS Configuration

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

Symantec PKI Enterprise Gateway Deployment Guide. v8.15

Securing Apache Tomcat for your environment. Mark Thomas March 2009

Install the ExtraHop session key forwarder on a Windows server

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Introducing Apache Tomcat 7

Managing Certificates

Scan Report Executive Summary

DataFlux Secure 2.5. Administrator s Guide. Second Edition. SAS Documentation

Elastic Load Balancing. User Guide. Date

Information Security CS 526

Advantech AE Technical Share Document

Prescription Monitoring Program Information Exchange. RxCheck State Routing Service. SRS Installation & Setup Guide

Scenarios for Setting Up SSL Certificates for View. Modified for Horizon VMware Horizon 7 7.3

Configuring MWTM to Run with Various Networking Options

Installing and Configuring VMware vrealize Orchestrator. vrealize Orchestrator 7.5

Wireless Terminal Emulation Advanced Terminal Session Management (ATSM) Device Management Stay-Linked

Securing VMware NSX MAY 2014

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Transcription:

Let s Encrypt Apache Tomcat * * Full disclosure: Tomcat will not actually be encrypted.

Christopher Schultz Chief Technology Officer Total Child Health, Inc. * Slides available on the Linux Foundation / ApacheCon2017 web site and at http://people.apache.org/~schultz/apachecon NA 2017/Let s Encrypt Apache Tomcat.odp

Apache Tomcat Java Web Application Server Implements J2EE API Specifications Java Servlet Java ServerPages (JSP) Java Expression Language (EL) Java WebSocket

Apache Tomcat Provides Services Java Naming and Directory Interface (JNDI) JDBC DataSource, Mail Session via JNDI Provides Client Connectivity HTTP, AJP HTTPS using SSL/TLS

Transport Layer Security (TLS) Formerly known as Secure Sockets Layer Provides authenticated and confidential conversations Client and server can authenticate each other Conversation is encrypted

Transport Layer Security Client and server negotiate a cipher suite Protocol (e.g. TLSv1, TLSv1.2, TLSv1.3, etc.) Authentication (X.509 with RSA/DSA) Key exchange (RSA, DHE, ECDHE, etc.) Bulk encryption algorithm (e.g. AES, 3DES, CHACHA20, etc.) Message authentication code (e.g. SHA-1, SHA-2, etc.)

Delegated Trust Model Public Key Infrastructure Server produces certificate Server authenticates to Certificate Authority (CA) Certificate Authority signs Server s certificate Server presents CA-signed certificate to client when a client initiates a connection Client trusts the Certificate Authority Client therefore trusts Server

Certificate Authorities Public Key Infrastructure Have nearly universal (client) trust Provide multiple levels of authentication Domain-Validated Extended Validation (EV) Require human interaction for requests, issuance Issue certificates for several years Charge a fee for a issuance

Wanted widespread TLS Free Easy Makes the Web a safer place Questioned CA s Let s Encrypt Signing-request and issuance processes Fees for freely-available crypto Built a better mousetrap

Let s Encrypt Near-universal trust Cross-signed certificate from IdenTrust Provides a single level of authentication Domain-Validated Requires automated interaction for requests, issuance Issues certificates valid for 60-day intervals Charges no fee for issuance

Let s Encrypt Not replacing CAs No Extended-Validation certificates No code- or email-signing certificates No wildcard certificates SANs are supported Merely reduces the financial barrier for mundane TLS to zero

The Plan Once Request a certificate from Let s Encrypt Periodically (~50 day intervals) Request a certificate renewal Deploy the new certificate into Tomcat

The Plan Request a certificate from Let s Encrypt Easy: use EFF s certbot tool Periodically request a renewal Easy: Use cron + EFF s certbot tool Install the new certificate into Tomcat Not straightforward

Tomcat Troubles Tomcat usually doesn t bind to port 80 Might be tricky to renew certificates Tomcat uses Java Keystores certbot produces plain-old PEM files Tomcat has no graceful reload httpd has this, and certbot uses it

Tomcat Troubles Port binding jsvc iptables Java Keystores Can import PEM files Tomcat reloads Can be done Short downtime Will kill in-process requests

Getting that first LE Cert iptables More than just a firewall Can perform routing and forwarding Need a few commands to redirect port 80 8080

iptables magic sauce Getting that first LE Cert NAT PREROUTING 80 8080 NAT OUTPUT 8080 80 NAT PREROUTING 443 8443 NAT OUTPUT 8443 443 Also may require: FILTER FORWARD 80 ACCEPT FILTER FORWARD 443 ACCEPT

iptables magic sauce HTTP Getting that first LE Cert iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 HTTPS iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

iptables magic sauce Also might need Getting that first LE Cert iptables -A FORWARD -p tcp -m tcp dport 80 -j ACCEPT iptables -A FORWARD -p tcp -m tcp dport 443 -j ACCEPT

Getting that first LE Cert Now we can run certbot-auto to get a new certificate certbot-auto certonly --webroot \ --webroot-path ${CATALINA_BASE}/webapps/ROOT \ -d www.example.com \ --rsa-key-size 4096

Reconfiguring Tomcat s TLS Start with self-signed certificates keytool -genkeypair -keystore conf/keystore.jks.1 -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -validity 10 Hostname: localhost Organizational Unit: Keystore #1

Reconfiguring Tomcat s TLS Generate a second keystore keytool -genkeypair -keystore conf/keystore.jks.2 -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -validity 10 Hostname: localhost Organizational Unit: Keystore #2

Reconfiguring Tomcat s TLS Symlink conf/keystore.jks.1 conf/keystore.jks Configure the connector in Tomcat <Connector port= 8443 keystorefile= conf/keystore.jks /> Start Tomcat Verify connection openssl s_client -no_ssl3 -connect localhost:8443

Reconfiguring Tomcat s TLS Remove existing symlink Symlink conf/keystore.jks.2 conf/keystore.jks Now what?

Reconfiguring Tomcat s TLS Tomcat Exposes Connectors via JMX Connectors via JMX stop start

Reconfiguring Tomcat s TLS Connect to Tomcat via JMX Navigate to the proper Connector Stop the Connector Start the Connector Verify Connection openssl s_client -no_ssl3 -connect localhost:8443

Manual Deployment Reconfiguring Tomcat s TLS Inconvenient (VisualVM in production?) Time-consuming Required with irritating frequency every 8 weeks for every server Doesn t scale

Automation is Required Reconfiguring Tomcat s TLS 1. Renew certificate from Let s Encrypt (certbot) 2. Build a new Java keystore (openssl/keytool) 3. Bounce Tomcat s Connector

Invoke certbot-auto renew Celebrate! Let s Encrypt Renewals

Build a new Java Keystore Package server key and certificate into PKCS#12 file openssl pkcs12 -export -in [cert] -inkey [key] -certfile [chain] -out [p12file] Import PKCS#12 into Java Keystore keytool -importkeystore -srckeystore [p12file] -destkeystore conf/mykeystore.jks Celebrate!

Bounce Tomcat s Connector Tomcat Manager to the Rescue JMXProxyServlet Enable Manager Application Need to configure a <Realm> Security! Need to configure a second <Connector> Don t pull the rug from underneath yourself

Stop Connector Bounce Tomcat s Connector curl http://localhost:8080/manager/jmxproxy?invoke=catalina %3Atype%3DConnector%2Cport%3D8443&op=stop Start Connector curl http://localhost:8080/manager/jmxproxy?invoke=catalina %3Atype%3DConnector%2Cport%3D8443&op=start Celebrate

Scripting * will set you free certbot-auto renew Automated Deployment openssl pkcs12 -export -in [cert] -inkey [key] -certfile [chain] -out [p12file] keytool -importkeystore -srckeystore [p12file] -destkeystore conf/mykeystore.jks curl http://localhost:8080/manager/jmxproxy?invoke=catalina%3atype %3DConnector%2Cport%3D8443&op=stop curl http://localhost:8080/manager/jmxproxy?invoke=catalina%3atype %3DConnector%2Cport%3D8443&op=start * The actual script has a lot more detail that won t fit here.

Challenges Between stop and start, Tomcat is not accepting any requests Stopping the connector immediately terminates all in-use connections

Challenges Between stop and start, Tomcat is not accepting any requests Stopping the connector immediately terminates all in-use connections What about graceful re-initialization?

Challenges SSL engine can be swapped-out from a configured Connector

Challenges SSL engine can be swapped-out from a configured Connector but it requires additional tracking of in-flight requests using the SSL engine.

Challenges SSL engine can be swapped-out from a configured Connector but it requires additional tracking of in-use connections using that SSL engine. SSL engines must be cleanly shut-down after all in-use connections have been closed.

Challenges Tracking connections using SSL engines can be complicated Classic HTTP/1 request/response is easy Don t forget KeepAlives Servlet 3+ async can be tricky HTTP/2 can be tricky

Challenges Tracking connections using SSL engines can be complicated Classic HTTP/1 request/response is easy Don t forget KeepAlives Servlet 3+ async can be tricky HTTP/2 can be tricky Must add reference-counting to SSL engine management

Challenges Tracking connections using SSL engines can be complicated Classic HTTP/1 request/response is easy Don t forget KeepAlives Servlet 3+ async can be tricky HTTP/2 can be tricky Websocket can be tricky Must add reference-counting to SSL engine management which adds overhead that some people won t need.

Future Solutions Reference-counting for SSL engines Configurable so only users who need it suffer management overhead Should allow truly graceful connector reloads

Future Solutions Bonuses Allows CRL reloading (if you like that kind of thing) Allows on-the-fly TLS reconfiguration Protocols Cipher suites Allows additional certificates to be added (e.g. EC) anything else encapsulated by the SSL engine

Future Solutions Will work for all connector types NIO/NIO2 APR

Future Solutions Will work for all connector types NIO/NIO2 APR Probably will land in Tomcat 9 Probably will be back-ported to 8.5 once deemed reliable

Let s Encrypt Apache Tomcat Let s Encrypt provides free (beer) certificates Automation is required for issuance and renewal Tomcat presents some challenges to overcome Those challenges have some solutions available now We can improve these solutions over time

Questions Slides available on the Linux Foundation / ApacheCon2017 web site and at http://people.apache.org/~schultz/apachecon NA 2017/Let s Encrypt Apache Tomcat.odp Sample code available in the same directory.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback