4.1.0.5 Apache

You can serve OSCAR through Apache rather than directly from Tomcat, which allows Let's Encrypt certificates and traffic monitoring for your instance.

The following instructions were provided by Luiz Rufato.


Apache

 
After the conventional deb install of OSCAR on Ubuntu, proceed to install apache2. Run the following commands as the root user.
 
# apt install apache2

Once it is installed, let's activate the SSL module and its dependencies.

# a2enmod ssl
# apt install openssl

Then enable Apache's default SSL site.

# a2ensite default-ssl.conf

Now restart Apache so the changes take effect.

# systemctl restart apache2.service

Do not forget to open the firewall rules.

# ufw allow "Apache Full"

At this point, you should forward ports 80 and 443 on your router / gateway to your OSCAR server.

Certbot - Let's Encrypt


Source: https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

First, let's take care of the dependencies and install certbot itself.

# apt install software-properties-common
# add-apt-repository ppa:certbot/certbot
# apt update
# apt install python-certbot-apache

Once it is installed, just run it and follow the on-screen instructions. It should be automatic and self-explanatory.

# certbot --apache

Once the certificate is installed, point your browser to your server address and check that the green padlock appears.
However, Tomcat uses a slightly different setup for SSL keys, so let's prepare the certificate to work with Tomcat.

# apt install openssl

Remember to replace *FQDN* with your server's internet address and *PASSWORD* with the keystorePass directive from your tomcat7/server.xml.

openssl pkcs12 -export -in /etc/letsencrypt/live/*FQDN*/cert.pem -inkey /etc/letsencrypt/live/*FQDN*/privkey.pem -out /srv/ssl/cert_and_key.p12 -password pass:*PASSWORD* -name tomcat -CAfile /etc/letsencrypt/live/*FQDN*/chain.pem -caname root
keytool -importkeystore -deststorepass *PASSWORD* -destkeypass *PASSWORD* -destkeystore /srv/ssl/SSLKeystore.jks -srckeystore /srv/ssl/cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass *PASSWORD* -alias tomcat
keytool -import -trustcacerts -alias root -file /etc/letsencrypt/live/*FQDN*/chain.pem -keystore /srv/ssl/SSLKeystore.jks -storepass *PASSWORD*


That's it. Now let's copy the resulting keystore to the default location.

cp -a /srv/ssl/SSLKeystore.jks /etc/tomcat7/.keystore


And restart Tomcat so the new settings take effect.

# systemctl restart tomcat7.service


If you have problems at this point, check that /etc/tomcat7/server.xml has the same password as the keystore you created.

Point your browser to your OSCAR setup and check for the green padlock.

Let's Encrypt has one downside: the certificates last for only 90 days. That is why we will create a script to automate the certificate renewal and manipulation.

Put this file in /etc/cron.weekly:

#!/bin/bash
# Get new, updated certificate, if needed:
/usr/bin/certbot renew >> /var/log/le-renew.log
sleep 10
# Clean the way
rm -rf /srv/ssl/cert_and_key.p12 /srv/ssl/SSLKeystore.jks
# Remember to replace *FQDN* with your server's internet address and *PASSWORD* with the keystorePass directive from your tomcat7/server.xml.

openssl pkcs12 -export -in /etc/letsencrypt/live/*FQDN*/cert.pem -inkey /etc/letsencrypt/live/*FQDN*/privkey.pem -out /srv/ssl/cert_and_key.p12 -password pass:*PASSWORD* -name tomcat -CAfile /etc/letsencrypt/live/*FQDN*/chain.pem -caname root

keytool -importkeystore -deststorepass *PASSWORD* -destkeypass *PASSWORD* -destkeystore /srv/ssl/SSLKeystore.jks -srckeystore /srv/ssl/cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass *PASSWORD* -alias tomcat
keytool -import -trustcacerts -alias root -file /etc/letsencrypt/live/*FQDN*/chain.pem -keystore /srv/ssl/SSLKeystore.jks -storepass *PASSWORD*
# And finally:
cp -a /srv/ssl/SSLKeystore.jks /etc/tomcat7/.keystore
systemctl restart tomcat7.service
# EOF

You should now have a valid certificate for your external connections to your OSCAR server.
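
A variant of the weekly script above, added here as an example (it is not Luiz Rufato's or the OSCAR project's code): it runs as a certbot deploy hook so it only acts after a renewal, reads the keystore password from a file instead of the command line, and swaps the keystore in with a rename so a failed step leaves the old one in place. `PASS_FILE`, `KEY_GROUP` and their default values are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Tomcat's keystore.
# Assumed (not from the page): PASS_FILE, a root-only file whose first line is
# the keystorePass value, and KEY_GROUP, the group Tomcat runs as.
set -eu
PASS_FILE="${PASS_FILE:-/root/.tomcat_keystore_pass}"
DEST="${DEST:-/etc/tomcat7/.keystore}"
KEY_GROUP="${KEY_GROUP:-tomcat7}"

rebuild_keystore() {
    live="$1"                      # e.g. /etc/letsencrypt/live/*FQDN*
    umask 077                      # intermediate files hold the private key
    work="$(mktemp -d)"
    rc=0
    # Passwords are read from PASS_FILE, so they never show up in `ps` output.
    # Each step runs only if the previous one succeeded; the live keystore is
    # replaced by a rename at the very end, so a failure leaves it untouched.
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -out "$work/cert_and_key.p12" -passout "file:$PASS_FILE" -name tomcat \
        -CAfile "$live/chain.pem" -caname root \
    && keytool -importkeystore -noprompt -alias tomcat \
        -srckeystore "$work/cert_and_key.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$PASS_FILE" -destkeystore "$work/SSLKeystore.jks" \
        -deststorepass:file "$PASS_FILE" -destkeypass:file "$PASS_FILE" \
    && keytool -import -noprompt -trustcacerts -alias root \
        -file "$live/chain.pem" -keystore "$work/SSLKeystore.jks" \
        -storepass:file "$PASS_FILE" \
    && cp "$work/SSLKeystore.jks" "$DEST.new" \
    && chgrp "$KEY_GROUP" "$DEST.new" \
    && chmod 640 "$DEST.new" \
    && mv -f "$DEST.new" "$DEST" \
    || rc=$?
    rm -rf "$work" "$DEST.new"
    return "$rc"
}

# certbot sets RENEWED_LINEAGE only when it runs a deploy hook after a
# successful renewal, so Tomcat is not restarted on weeks with nothing to do.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_keystore "$RENEWED_LINEAGE"
    systemctl restart tomcat7.service
fi
```

Make the file executable and pass its path to `certbot renew --deploy-hook`; the weekly cron job then only needs to run `certbot renew`.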

 

Mod_jk

Let's install mod_jk, which is responsible for the integration:

 # apt install apache2 libapache2-mod-jk

Let's enable it in Apache.

# a2enmod jk

Just two small file adjustments are needed:

 # nano /etc/apache2/sites-available/default-ssl.conf

 

-> Add the JkMount line right after the DocumentRoot directive.

                DocumentRoot /var/www/html
                JkMount /* ajp13_worker

# nano /etc/tomcat7/server.xml

-> Add this line right after the OSCAR stuff.

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

And restart the services so the new setup takes effect.
# systemctl restart tomcat7.service
# systemctl restart apache2.service

Now point your browser to your OSCAR server and check it out.
