Development-SSL requests via https protocol

== Introduction ==

Sooner or later you will need to develop WebObjects applications that work with SSL requests over https protocol. If ssl is configured on your deployment server, you can probably just change http to https in the app entry URL and the app will probably just work over https protocol. However if your application requires security, you cannot just depend on your users typing in a URL that begins with https. Also since SSL encryption adds more load to the webserver, you may want decide that just some pages need to be returned securely over https and the rest returned via plain old http. In any case, you may want to or need to set up your local OS X development machine to support https protocol so that you can properly test your application. Note also that setting up ssl for testing can be a far simpler task (and not really secure) than setting up real authentic SSL certificates for use in a production server.

4

5

6

7

These instructions were written and tested on the following, but should work on any 10.5.X config or later

8

* OS X Leopard Client 10.5.4

9

* Standard built-in apache2

10

* If you like record and verify your OS config as follows:

11

** $ openssl version

12

*** OpenSSL 0.9.8g 19 Oct 2007

13

** $ httpd \-v

14

*** Server version: Apache/2.2.8 (Unix)

=== References ===

* [[http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert]]

21

* [[http://homepage.mac.com/kelleherk/iblog/C463983418/E683365024/index.html]]

22

* [[http://www.macosxhints.com/article.php?story=20080628074917113]]

23

* [[http://www.macosxhints.com/article.php?story=20041129143420344]]

24

* [[http://developer.apple.com/internet/serverside/modssl.html]]

25

26

== Development via Apache Webserver ==

27

28

By default, WebObjects development installations typically run via DirectConnect. For https development, we must run thru the apache webserver built in to every OS X machine. So before going any further, configure your WebObjects development environment so that your development application launches and [[runs thru apache>>Development Tools-Running Through Apache]] using the host name "localhost".

29

30

== Configuring Apache for [[https://localhost]] ==

31

32

=== Make the private key and SSL certificate ===

33

34

Normally creating SSL certificates for production use is quite involved, however since we are just doing localhost development and testing, we can bypass all the mumbo-jumbo and create the minimal unpassworded private key and SSL certificate the easy way. Do not use this method for creating production server SSL certificates

35

36

Open terminal and follow the commands shown below in my transcript which is self-explanatory if you are familiar with Terminal...

mymac$ cd /etc/apache2/

41

mymac$ sudo -s

42

43

bash-3.2# mkdir devsslcerts

44

bash-3.2# cd devsslcerts/

Next run the one single openssl command that will make the two files we need in their final folder that we just created above.

50

Note you will be asked for a bunch of info for the certificate. Follow what I have done below. **In particular, enter "localhost" in the Common Name field**

bash-3.2# openssl req -days 3650 -new -x509 -nodes -out localhost_server.crt -keyout localhost_server.key

55

56

Generating a 1024 bit RSA private key

57

.........................++++++

58

.....++++++

59

writing new private key to 'localhost_server.key'

60

-----

61

You are about to be asked to enter information that will be incorporated

62

into your certificate request.

63

What you are about to enter is what is called a Distinguished Name or a DN.

64

There are quite a few fields but you can leave some blank

65

For some fields there will be a default value,

66

If you enter '.', the field will be left blank.

67

-----

68

Country Name (2 letter code) [AU]:US

69

State or Province Name (full name) [Some-State]:Florida

70

Locality Name (eg, city) []:Tampa

71

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Five WebObjects Sailors, Inc.

72

Organizational Unit Name (eg, section) []:Software Engineering Department

73

Common Name (eg, YOUR name) []:localhost

74

Email Address []:developer@webobjects.com

bash-3.2# ls -al

total 16

drwxr-xr-x 4 root wheel 136 Jul 21 16:58 .

79

drwxr-xr-x 10 root wheel 340 Jul 21 16:56 ..

80

-rw-r--r-- 1 root wheel 1497 Jul 21 16:58 localhost_server.crt

81

-rw-r--r-- 1 root wheel 887 Jul 21 16:58 localhost_server.key

=== Configure Apache2 to Use Your Development Certificates for localhost ===

87

88

Using your favorite command line editor, edit the apache config file at

89

**/etc/apache2/httpd.conf**

90

making the changes shown in the following 2 screenshots:

!step1_servernamelocalhost.jpg!

{{panel title="Including SSL Configuration file into main Apache config file"}}

99

100

!step2_includesslconfig.jpg!

Next edit the ssl config file itself at

105

**/etc/apache2/extra/httpd-ssl.conf**

106

making the changes shown in the following sceenshot:

!step3_sslconfig.jpg!

Restart apache

bash-3.2# apachectl graceful

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

JEFF SCHMITZ

Right at this point I got the error:

127

128

ulimit: open files: cannot modify limit: Invalid arg

129

130

After a quick google search I found this which seems to have fixed the error:

131

132

[[http://www.perkiset.org/forum/all_things_apple/apache_osx_and_ulimit_a_little_chunk_of_weirdness-t909.0.html]]

133

134

Also, for my [[https://]]... links my rewrite rules in apache weren't getting fired.  To get them to work I had to add them to the httpd-ssl.conf file just below the General setup stuff shown in the figure above.  I just copied them from my httpd.conf file and pasted them in.  Not sure if this is the best way to handle it, but it's working for me on my development machine at least.

135

136

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

137

138

Finally, verify that https is working:

!httpslocalhost2.jpg!

== Detecting SSL ==

Code for detecting whether SSL is active for the current request:

149

I'm told this won't work with IIS:

// Is this page being accessed securely?

154

boolean secureMode = false;

155

String header = context.request().headerForKey("https");

156

if( header == null ) {

157

log.debug( "no https header, looking for server_port" );

158

header = context.request().headerForKey( "server_port" );

159

if( header == null ) {

160

log.debug( "no server_port header found, assuming insecure connection" );

161

} else {

162

log.debug( "server_port header found, using it" );

163

secureMode = header.equals( "443" );

164

}

165

} else {

166

log.debug( "https header found, using it" );

167

secureMode = header.equals( "on" );

168

}

169

log.debug( "secure mode set to " + secureMode );

== Using SSL in DirectConnect ==

174

175

Mike Schrag said in early 2011 that it was possible to use SSL in DirectConnect, that is was simply hidden. A property was added to enable it, and instructions added to the Properties file of ERExtensions. This is the part from the Properties file:

## You should probably not enable any of these settings in a normal Apache webserver deployment,

181

## in particular the ssl port property, as this is used by ERX to generate https URLs, which must

182

## match your Apache config.

183

##

184

## To enable SSL support with DirectConnect, you must do the following:

185

##

186

## * In your Resources folder, run "keytool -genkey -alias WebObjects -keyalg RSA -keystore adaptorssl.key". Select a

187

## password for your keystore (i.e. "changeit"), and set the "your first name and last name" field to match the hostname

188

## that you will be running your directconnect app off of.

189

## * In your Resources folder, create an executable script (it MUST BE EXECUTABLE) named "adaptorsslpassphrase" with the

190

## contents:

191

## echo changeit

192

## where you should replace "changeit" for whatever password you selected in the previous step.

193

## * Set the following property to true

194

#er.extensions.ERXApplication.ssl.enabled=true

195

196

## (optional) To specify an SSL host name other than what is returned from a call to

197

## application.host(), you can override it below

198

#er.extensions.ERXApplication.ssl.host=localhost

199

200

## (optional) To select an SSL port other than 443, uncomment the following. If you are already running Apache with SSL,

201

## you probably want to set this. If the port number is 0, the SSL port will be automatically assigned (using the same

202

## mechanism that WO uses to set the regular port)

203

#er.extensions.ERXApplication.ssl.port=0

204

205

Wiki source code of Development-SSL requests via https protocol

Applications

Navigation

My Recent Modifications

Need help?

author	version	line-number	content
		1	== Introduction ==
		2
		3	Sooner or later you will need to develop WebObjects applications that work with SSL requests over https protocol. If ssl is configured on your deployment server, you can probably just change http to https in the app entry URL and the app will probably just work over https protocol. However if your application requires security, you cannot just depend on your users typing in a URL that begins with https. Also since SSL encryption adds more load to the webserver, you may want decide that just some pages need to be returned securely over https and the rest returned via plain old http. In any case, you may want to or need to set up your local OS X development machine to support https protocol so that you can properly test your application. Note also that setting up ssl for testing can be a far simpler task (and not really secure) than setting up real authentic SSL certificates for use in a production server.
		4
		5	{{info title="Compatability"}}
		6
		7	These instructions were written and tested on the following, but should work on any 10.5.X config or later
		8	* OS X Leopard Client 10.5.4
		9	* Standard built-in apache2
		10	* If you like record and verify your OS config as follows:
		11	** $ openssl version
		12	*** OpenSSL 0.9.8g 19 Oct 2007
		13	** $ httpd \-v
		14	*** Server version: Apache/2.2.8 (Unix)
		15
		16	{{/info}}
		17
		18	=== References ===
		19
		20	* [[http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert]]
		21	* [[http://homepage.mac.com/kelleherk/iblog/C463983418/E683365024/index.html]]
		22	* [[http://www.macosxhints.com/article.php?story=20080628074917113]]
		23	* [[http://www.macosxhints.com/article.php?story=20041129143420344]]
		24	* [[http://developer.apple.com/internet/serverside/modssl.html]]
		25
		26	== Development via Apache Webserver ==
		27
		28	By default, WebObjects development installations typically run via DirectConnect. For https development, we must run thru the apache webserver built in to every OS X machine. So before going any further, configure your WebObjects development environment so that your development application launches and [[runs thru apache>>Development Tools-Running Through Apache]] using the host name "localhost".
		29
		30	== Configuring Apache for [[https://localhost]] ==
		31
		32	=== Make the private key and SSL certificate ===
		33
		34	Normally creating SSL certificates for production use is quite involved, however since we are just doing localhost development and testing, we can bypass all the mumbo-jumbo and create the minimal unpassworded private key and SSL certificate the easy way. Do not use this method for creating production server SSL certificates
		35
		36	Open terminal and follow the commands shown below in my transcript which is self-explanatory if you are familiar with Terminal...
		37
		38	{{noformat}}
		39
		40	mymac$ cd /etc/apache2/
		41	mymac$ sudo -s
		42
		43	bash-3.2# mkdir devsslcerts
		44	bash-3.2# cd devsslcerts/
		45
		46
		47	{{/noformat}}
		48
		49	Next run the one single openssl command that will make the two files we need in their final folder that we just created above.
		50	Note you will be asked for a bunch of info for the certificate. Follow what I have done below. In particular, enter "localhost" in the Common Name field
		51
		52	{{noformat}}
		53
		54	bash-3.2# openssl req -days 3650 -new -x509 -nodes -out localhost_server.crt -keyout localhost_server.key
		55
		56	Generating a 1024 bit RSA private key
		57	.........................++++++
		58	.....++++++
		59	writing new private key to 'localhost_server.key'
		60	-----
		61	You are about to be asked to enter information that will be incorporated
		62	into your certificate request.
		63	What you are about to enter is what is called a Distinguished Name or a DN.
		64	There are quite a few fields but you can leave some blank
		65	For some fields there will be a default value,
		66	If you enter '.', the field will be left blank.
		67	-----
		68	Country Name (2 letter code) [AU]:US
		69	State or Province Name (full name) [Some-State]:Florida
		70	Locality Name (eg, city) []:Tampa
		71	Organization Name (eg, company) [Internet Widgits Pty Ltd]:Five WebObjects Sailors, Inc.
		72	Organizational Unit Name (eg, section) []:Software Engineering Department
		73	Common Name (eg, YOUR name) []:localhost
		74	Email Address []:developer@webobjects.com
		75
		76	bash-3.2# ls -al
		77	total 16
		78	drwxr-xr-x 4 root wheel 136 Jul 21 16:58 .
		79	drwxr-xr-x 10 root wheel 340 Jul 21 16:56 ..
		80	-rw-r--r-- 1 root wheel 1497 Jul 21 16:58 localhost_server.crt
		81	-rw-r--r-- 1 root wheel 887 Jul 21 16:58 localhost_server.key
		82
		83
		84	{{/noformat}}
		85
		86	=== Configure Apache2 to Use Your Development Certificates for localhost ===
		87
		88	Using your favorite command line editor, edit the apache config file at
		89	/etc/apache2/httpd.conf
		90	making the changes shown in the following 2 screenshots:
		91
		92	{{panel title="Setting Apache server name to localhost"}}
		93
		94	!step1_servernamelocalhost.jpg!
		95
		96	{{/panel}}
		97
		98	{{panel title="Including SSL Configuration file into main Apache config file"}}
		99
		100	!step2_includesslconfig.jpg!
		101
		102	{{/panel}}
		103
		104	Next edit the ssl config file itself at
		105	/etc/apache2/extra/httpd-ssl.conf
		106	making the changes shown in the following sceenshot:
		107
		108	{{panel title="Setting up the SSL Config file"}}
		109
		110	!step3_sslconfig.jpg!
		111
		112	{{/panel}}
		113
		114	Restart apache
		115
		116	{{noformat}}
		117
		118	bash-3.2# apachectl graceful
		119
		120	{{/noformat}}
		121
		122	~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
		123
		124	JEFF SCHMITZ
		125
		126	Right at this point I got the error:
		127
		128	ulimit: open files: cannot modify limit: Invalid arg
		129
		130	After a quick google search I found this which seems to have fixed the error:
		131
		132	[[http://www.perkiset.org/forum/all_things_apple/apache_osx_and_ulimit_a_little_chunk_of_weirdness-t909.0.html]]
		133
		134	Also, for my [[https://]]... links my rewrite rules in apache weren't getting fired.  To get them to work I had to add them to the httpd-ssl.conf file just below the General setup stuff shown in the figure above.  I just copied them from my httpd.conf file and pasted them in.  Not sure if this is the best way to handle it, but it's working for me on my development machine at least.
		135
		136	~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
		137
		138	Finally, verify that https is working:
		139
		140	{{panel title="Verify https://localhost is working"}}
		141
		142	!httpslocalhost2.jpg!
		143
		144	{{/panel}}
		145
		146	== Detecting SSL ==
		147
		148	Code for detecting whether SSL is active for the current request:
		149	I'm told this won't work with IIS:
		150
		151	{{code}}
		152
		153	// Is this page being accessed securely?
		154	boolean secureMode = false;
		155	String header = context.request().headerForKey("https");
		156	if( header == null ) {
		157	log.debug( "no https header, looking for server_port" );
		158	header = context.request().headerForKey( "server_port" );
		159	if( header == null ) {
		160	log.debug( "no server_port header found, assuming insecure connection" );
		161	} else {
		162	log.debug( "server_port header found, using it" );
		163	secureMode = header.equals( "443" );
		164	}
		165	} else {
		166	log.debug( "https header found, using it" );
		167	secureMode = header.equals( "on" );
		168	}
		169	log.debug( "secure mode set to " + secureMode );
		170
		171	{{/code}}
		172
		173	== Using SSL in DirectConnect ==
		174
		175	Mike Schrag said in early 2011 that it was possible to use SSL in DirectConnect, that is was simply hidden. A property was added to enable it, and instructions added to the Properties file of ERExtensions. This is the part from the Properties file:
		176
		177	{{code}}
		178
		179
		180	## You should probably not enable any of these settings in a normal Apache webserver deployment,
		181	## in particular the ssl port property, as this is used by ERX to generate https URLs, which must
		182	## match your Apache config.
		183	##
		184	## To enable SSL support with DirectConnect, you must do the following:
		185	##
		186	## * In your Resources folder, run "keytool -genkey -alias WebObjects -keyalg RSA -keystore adaptorssl.key". Select a
		187	## password for your keystore (i.e. "changeit"), and set the "your first name and last name" field to match the hostname
		188	## that you will be running your directconnect app off of.
		189	## * In your Resources folder, create an executable script (it MUST BE EXECUTABLE) named "adaptorsslpassphrase" with the
		190	## contents:
		191	## echo changeit
		192	## where you should replace "changeit" for whatever password you selected in the previous step.
		193	## * Set the following property to true
		194	#er.extensions.ERXApplication.ssl.enabled=true
		195
		196	## (optional) To specify an SSL host name other than what is returned from a call to
		197	## application.host(), you can override it below
		198	#er.extensions.ERXApplication.ssl.host=localhost
		199
		200	## (optional) To select an SSL port other than 443, uncomment the following. If you are already running Apache with SSL,
		201	## you probably want to set this. If the port number is 0, the SSL port will be automatically assigned (using the same
		202	## mechanism that WO uses to set the regular port)
		203	#er.extensions.ERXApplication.ssl.port=0
		204
		205	{{/code}}