ssl setup with tomcat

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

ssl setup with tomcat

Iain Mac Donald
I am trying to setup a ssl certificate with Ofbiz using Tomcat. I have
been using the "Basic Ofbiz Production Setup" as a guide. I have just
inserted my signed cert (PKCS#7 format) into the keystore and was about
to edit the ofbiz-containers.xml file with the relevant path and
password.

However, I have just noticed that the whole http & https-connector
sections are missing from ofbiz-containers.xml.

How should I proceed?

As I am quite new to Ofbiz I am a little concerned about doing something
wrong with a crucial part of the system.

The guide was for revision 4558 and I am using 5274.
--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

BJ Freeman
what version are you using?


Iain Mac Donald sent the following on 6/29/2006 11:55 AM:

> I am trying to setup a ssl certificate with Ofbiz using Tomcat. I have
> been using the "Basic Ofbiz Production Setup" as a guide. I have just
> inserted my signed cert (PKCS#7 format) into the keystore and was about
> to edit the ofbiz-containers.xml file with the relevant path and
> password.
>
> However, I have just noticed that the whole http & https-connector
> sections are missing from ofbiz-containers.xml.
>
> How should I proceed?
>
> As I am quite new to Ofbiz I am a little concerned about doing something
> wrong with a crucial part of the system.
>
> The guide was for revision 4558 and I am using 5274.
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Iain Mac Donald
On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> what version are you using?

I am using ofbiz version 3 revision 5274.



> >
> > The guide was for revision 4558 and I am using 5274.

--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

RE: ssl setup with tomcat

Vinay Agarwal
Iain,

If you haven't looked at this, it may be a good place to start.
http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config

BTW, your OFBiz version is too old, not sure if that will work. I suggest
the latest from SVN.

Regards,
Vinay Agarwal

-----Original Message-----
From: Iain Mac Donald [mailto:[hidden email]]
Sent: Thursday, June 29, 2006 12:03 PM
To: [hidden email]
Subject: Re: ssl setup with tomcat

On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> what version are you using?

I am using ofbiz version 3 revision 5274.



> >
> > The guide was for revision 4558 and I am using 5274.

--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

RE: ssl setup with tomcat

Andrew Sykes
Iain,

This version should certainly have a lot of functional code and will
probably be stable enough, but you are a long way out of date, an update
would be a really good idea.

- Andrew

On Thu, 2006-06-29 at 12:09 -0700, Vinay Agarwal wrote:

> Iain,
>
> If you haven't looked at this, it may be a good place to start.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config
>
> BTW, your OFBiz version is too old, not sure if that will work. I suggest
> the latest from SVN.
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: Iain Mac Donald [mailto:[hidden email]]
> Sent: Thursday, June 29, 2006 12:03 PM
> To: [hidden email]
> Subject: Re: ssl setup with tomcat
>
> On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> > what version are you using?
>
> I am using ofbiz version 3 revision 5274.
>
>
>
> > >
> > > The guide was for revision 4558 and I am using 5274.
>
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com

Reply | Threaded
Open this post in threaded view
|

RE: ssl setup with tomcat

Iain Mac Donald
In reply to this post by Vinay Agarwal
On Thu, 2006-06-29 at 12:09 -0700, Vinay Agarwal wrote:

>
> If you haven't looked at this, it may be a good place to start.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config

Thanks. I had seen this before plus some other guides in the wiki. I had
discounted this method as I am using apache 1.3 and wasn't using the
mod_jk method.

Are you saying that the method described in the PDF guide won't work? I
was hoping that it might just be a case of inserting the relevant
sections and I would be finished.

>
> BTW, your OFBiz version is too old, not sure if that will work. I suggest
> the latest from SVN.
>

Can't do that really as we have made significant changes to ancillary
systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
now would break that and put us back to square one.


--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

RE: ssl setup with tomcat

Iain Mac Donald
On Thu, 2006-06-29 at 20:26 +0100, Iain Mac Donald wrote:

>  as I am using apache 1.3 and wasn't using the
> mod_jk method.

Sorry. Brain to fingers problem.

What I meant to type was I am not using the Apache 2 with mod_jk method.
I am using mod_jk with Apache 1.3.

--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Walter Vaughan
In reply to this post by Iain Mac Donald
Iain Mac Donald wrote:
> Can't do that really as we have made significant changes to ancillary
> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
> now would break that and put us back to square one.

This is the kind of thing that scares the poop out of me. I know less than
nothing when it comes to working with diff's, but could someone document the
steps in running diffs between the version he started with and his version and
the current version. There has to be a recipe to follow, even if it's manually
cutting and pasting.

--
Walter
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

BJ Freeman
Si did a terrific job of showing how to create patches on the new
incubator pages.
http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
hope that helps.
create a new folder for the upgrade so you don't loose your current setup.


Walter Vaughan sent the following on 6/29/2006 12:49 PM:

> Iain Mac Donald wrote:
>> Can't do that really as we have made significant changes to ancillary
>> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
>> now would break that and put us back to square one.
>
> This is the kind of thing that scares the poop out of me. I know less
> than nothing when it comes to working with diff's, but could someone
> document the steps in running diffs between the version he started with
> and his version and the current version. There has to be a recipe to
> follow, even if it's manually cutting and pasting.
>
> --
> Walter
>
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Adrian Crum
This is also a good opportunity to stress the importance of keeping
modifications outside the OFBiz codebase. Of course there will always be a
handful of files that need to be updated with configuration changes and such,
but for the most part you should try to put modifications in a separate component.

Example: we created our own component called OFBizEx and put all of our
modifications in there.


BJ Freeman wrote:

> Si did a terrific job of showing how to create patches on the new
> incubator pages.
> http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
> hope that helps.
> create a new folder for the upgrade so you don't loose your current setup.
>
>
> Walter Vaughan sent the following on 6/29/2006 12:49 PM:
>
>> Iain Mac Donald wrote:
>>
>>> Can't do that really as we have made significant changes to ancillary
>>> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
>>> now would break that and put us back to square one.
>>
>>
>> This is the kind of thing that scares the poop out of me. I know less
>> than nothing when it comes to working with diff's, but could someone
>> document the steps in running diffs between the version he started
>> with and his version and the current version. There has to be a recipe
>> to follow, even if it's manually cutting and pasting.
>>
>> --
>> Walter
>>
>
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Iain Mac Donald
Does anyone know if it is possible to just add the http and
https-connector statements to ofbiz-containers.xml or will that result
in something dire happening?


I have also just come across this...
http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL

I take it that isn't true as the PDF document (written in 2005) I was
following suggested just the approach the wiki article (2004) warns
about?

Thank you for all the responses.
--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

BJ Freeman
that is where they are in the current versions.
int the 3.0 version it was
jetty-container
after 3.2, i believe it is catalina-container

you can do you have a components folder or application and framework?



Iain Mac Donald sent the following on 6/29/2006 2:35 PM:

> Does anyone know if it is possible to just add the http and
> https-connector statements to ofbiz-containers.xml or will that result
> in something dire happening?
>
>
> I have also just come across this...
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL
>
> I take it that isn't true as the PDF document (written in 2005) I was
> following suggested just the approach the wiki article (2004) warns
> about?
>
> Thank you for all the responses.
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Iain Mac Donald
On Thu, 2006-06-29 at 14:57 -0700, BJ Freeman wrote:
> that is where they are in the current versions.
> int the 3.0 version it was
> jetty-container
> after 3.2, i believe it is catalina-container

Well it looks to me like there is both jetty and tomcat and the docs I
have read seem to suggest that is the case too. Everything else is
working perfectly just the certificate bit is missing.

I am using the ofbiz embedded tomcat rather than the one that comes with
my distribution.


>
> you can do you have a components folder or application and framework?
>

I don't understand what you mean here?

--
Regards,
Iain.



Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Ray Barlow
In reply to this post by Iain Mac Donald
I used to use Apache 1.3 with mod_jk linked up to OFBiz. In fact as long
as you have mod_jk installed and configured for Apache then the
destination web application server does not really care or know if it is
Apache 1.3 or 2 routing the requests.

If you have Apache 1.3 with mod_jk configured I would use Apache to
control http and https with the SSL certificate and disable the http and
https hosting configurations from OFBiz and just set it to host and
accept ajp13 connections with mod_jk. You can then also let Apache host
the static image content which it is supposed to be pretty good at doing.

Ray


Iain Mac Donald wrote:

> On Thu, 2006-06-29 at 20:26 +0100, Iain Mac Donald wrote:
>
>  
>>  as I am using apache 1.3 and wasn't using the
>> mod_jk method.
>>    
>
> Sorry. Brain to fingers problem.
>
> What I meant to type was I am not using the Apache 2 with mod_jk method.
> I am using mod_jk with Apache 1.3.
>
>  
Reply | Threaded
Open this post in threaded view
|

Re: ssl setup with tomcat

Iain Mac Donald
On Fri, 2006-06-30 at 10:00 +0100, Ray Barlow wrote:
>
> If you have Apache 1.3 with mod_jk configured I would use Apache to
> control http and https with the SSL certificate and disable the http and
> https hosting configurations from OFBiz and just set it to host and
> accept ajp13 connections with mod_jk. You can then also let Apache host
> the static image content which it is supposed to be pretty good at doing.
>
Currently I have a hybrid setup. I have Apache serving a whole lot of
static content outside of Ofbiz. Ofbiz is then used mostly for
the /ecommerce stuff. It is my intention to run multiple instances of
Ofbiz for different domains. This would be controlled using different
IP/port number combinations.

I have read elsewhere, in agreement with what you are saying, that
getting Apache to deal with the ssl stuff provides better performance.
However, previously I didn't have opportunity to test this.

If I were to move over to using Apache, as you suggest, can I use the
description here...
http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config
or is that Apache 2.0 specific.

Of course that would also mean having to get my signed certs converted
from PKCS#7 format (and I can't remember if I can do that with openssl)
--
Regards,
Iain.