Using OpenSSL on Unix

On Unix systems, Resin's bin/resin can support SSL using the OpenSSL libraries. Although the ./configure script will detect many configurations, you can specify the openssl location directly:

resin> ./configure --with-openssl=/usr/local/ssl

The SSL port is configured in the httpd.conf's <http> element by adding the ssl flag and configuring a key with the certificate-pem element:

... <http-server> <http port='443' ssl> <certificate-file>/opt/resin/cert/ssl.crt>/certificate-file> <certificate-key-file>/opt/resin/cert/ssl.key>/certificate-key-file> </http> ... </http-server>

Since OpenSSL uses the same certificate as Apache, you can get signed certificates using the same method as for Apache's mod_ssl or following the OpenSSL instructions.

OpenSSL's engine support is configured with crypto-device.

Install JSSE from Sun

If OpenSSL is not available, you can use Sun's JSSE to provide SSL. Sun's implementation of JSSE is significantly slower than OpenSSL, though.

This section gives a quick guide to installing a test SSL configuration using Sun's JSSE. It avoids as many complications as possible and uses Sun's keytool to create a server certificate.

Resin's SSL support is provided by Sun's JSSE. Because of export restrictions, patents, etc, you'll need to download the JSSE distribution from Sun or get a commercial JSSE implementation.

More complete JSSE installation instructions for JSSE are at http://java.sun.com/products/jsse/install.html.

1. First download Sun's JSSE.
2. Uncompress and extract the downloaded file.
3. Install the JSSE jar files: jsse.jar, jnet.jar, and jcert.jar. You can either put them into the CLASSPATH or you can put them into $JAVA_HOME/jre/lib/ext. Since you will use "keytool" with the new jars, you need to make them visible to keytool. Just adding them to resin/lib is not enough.
4. Register the JSSE provider (com.sun.net.ssl.internal.ssl.Provider). Modify $JAVA_HOME/jre/lib/security/java.security so it contains something like:

   security.provider.1=sun.security.provider.Sun security.provider.2=com.sun.net.ssl.internal.ssl.Provider

   Adding the JSSE provider allows "keytool" to create a key using the RSA algorithm.

Create a test server certificate

The server certificate is the core of SSL. It will identify your server and contain the secret key to make encryption work.

• Sun's keytool
• A self-signed certificate using open_ssl
• A test certificate from Thawte
• A production certificate from one of the certificate authorities (Verisign, Thawte, etc)

In this case, we're using Sun's keytool to generate the server certificate. Here's how:

resin1.2.b2> mkdir keys resin1.2.b2> keytool -genkey -keyalg RSA -keystore keys/server.keystore Enter keystore password: changeit What is your first and last name? [Unknown]: www.caucho.com What is the name of your organizational unit? [Unknown]: Resin Engineering What is the name of your organization? [Unknown]: Caucho Technology, Inc. What is the name of your City or Locality? [Unknown]: San Francisco What is the name of your State or Province? [Unknown]: California What is the two-letter country code for this unit? [Unknown]: US Is <CN=www.caucho.com, OU=Resin Engineering, O="Caucho Technology, Inc.", L=San Francisco, ST=California, C=US> correct? [no]: yes Enter key password for <mykey> (RETURN if same as keystore password): changeit

Currently, the key password and the keystore password must be the same.

resin.conf

The Resin SSL configuration extends the http configuration with a few new elements.

<caucho.com> <http-server> <http port=8443> <ssl>true</ssl> <key-store-file>keys/server.keystore</key-store-file> <key-store-password>changeit</key-store-password> </http> ... </http-server> </caucho.com>

Testing

With the above configuration, you can test SSL with https://localhost:8443. A quick test is the following JSP.

Secure? <%= request.isSecure() %>

Copyright © 1998-2002 Caucho Technology, Inc. All rights reserved. Resin® is a registered trademark, and HardCoretm and Quercustm are trademarks of Caucho Technology, Inc.