Setting up an Apache Web Server with mod_jk

This page describes how to deploy EJBCA behind Apache HTTP Server using mod_jk.

Instead of using a traditional reverse proxy configuration, you can integrate Apache HTTP Server with Tomcat using mod_jk. This approach provides efficient communication between Apache and the application server while allowing Apache modules such as mod_rewrite to manage external URL structures.

Using mod_jk allows exposing flexible public URLs for services such as OCSP and CRLs, while internally routing requests to the appropriate EJBCA endpoints.

This section covers how to use Apache with mod_jk in front of EJBCA. The resulting server will:

  • Display EJBCA at http://demo.primekey.se/

  • Require a client SSL certificate when accessing https://demo.primekey.se/, which works for the EJBCA Administration UI.

This example was created on Ubuntu 64-bit Server 8.10 using the Apache Web Server 2.2 package, but the same principles apply to most Apache-based environments with minor adjustments.

# sudo apt-get install apache2 libapache2-mod-jk
# vim /etc/libapache2-mod-jk/workers.properties
-----
worker.list=jboss

# Define a worker using ajp13
worker.jboss.port=8009
worker.jboss.host=127.0.0.1
worker.jboss.type=ajp13
-----
# vim /etc/apache2/sites-available/demo.primekey.se
-----
<VirtualHost demo.primekey.se:80>
  # We must disable default charset or everything will be ISO-8859-1.
  AddDefaultCharset off
  ServerAdmin webmaster@primekey.se
  ServerName demo.primekey.se
  ServerAlias demo.primekey.se

  JkLogFile /var/log/apache2/mod_jk.log
  JkLogLevel debug

  JkMount /* jboss
  JkMount / jboss
</VirtualHost>

<VirtualHost demo.primekey.se:443>
  # We must disable default charset or everything will be ISO-8859-1.
  AddDefaultCharset off
  ServerAdmin webmaster@primekey.se
  ServerName demo.primekey.se
  ServerAlias demo.primekey.se

  SSLEngine on
  
  JkLogFile /var/log/apache2/mod_jk.log
  JkLogLevel debug

  JkMount /* jboss
  JkMount / jboss

  # JkExtractSSL is On by default
  # JkExtractSSL On
</VirtualHost>
-----
# vim /etc/apache2/mods-available/ssl.conf
-----
SSLVerifyClient require
SSLVerifyDepth 3

SSLCACertificateFile /etc/apache2/ssl/apache-CA.pem
SSLCertificateFile /etc/apache2/ssl/apache.pem

SSLOptions +StdEnvVars +ExportCertData
-----
# vim /etc/apache2/mods-available/jk.load
-----
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/libapache2-mod-jk/workers.properties
-----

Now enable ssl.load and ssl.conf in /etc/apache2/mods-enabled.

Finally, restart Apache and go to http://demo.primekey.se/ (or https). Note that the same security considerations apply as when using a proxy.

To enable an AJP connector in JBoss 7 / EAP 6, run the following command:

/subsystem=web/connector=ajp:add(socket-binding=ajp, protocol="AJP/1.3", enabled=true, scheme="http")

If you are using External OCSP Responders, ensure that the following line is included in the file apache2.conf:

KeepAlive Off

If not, Apache will hang.

It is also recommended to add the following lines to the Virtual Host configuration, to enable specifying only the server name instead of the full URL:

RewriteEngine on
RewriteRule .* /ejbca/publicweb/status/ocsp [PT]

JkMount /ejbca/publicweb/status/ocsp/* ocsp_worker
JkMount /ejbca/publicweb/status/ocsp ocsp_worker
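
The check below is an added example, not part of the EJBCA documentation. It reads workers.properties and the Virtual Host text and reports JkMount directives naming a worker that is missing from worker.list (as ocsp_worker is in the files shown on this page), and AJP workers whose host is not loopback, since the AJP link carries the client certificate data that Apache verified and does not authenticate the sender by default. The sample strings are constructed from the snippets above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples built from the snippets on this page.
WORKERS = """\
worker.list=jboss
worker.jboss.port=8009
worker.jboss.host=127.0.0.1
worker.jboss.type=ajp13
"""
VHOST = """\
JkMount /* jboss
JkMount /ejbca/publicweb/status/ocsp ocsp_worker
"""

def parse_workers(text):
    """Return (names in worker.list, {worker: {property: value}})."""
    declared, props = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            declared += [w.strip() for w in value.split(",") if w.strip()]
        elif key.count(".") >= 2 and key.startswith("worker."):
            _, name, prop = key.split(".", 2)
            props.setdefault(name, {})[prop] = value
    return declared, props

def is_loopback(host):
    """True for localhost or a loopback IP; other hostnames need manual review."""
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(workers_text, vhost_text):
    """Return sorted findings for undefined JkMount workers and exposed AJP hosts."""
    declared, props = parse_workers(workers_text)
    findings = set()
    for worker in re.findall(r"^\s*JkMount\s+\S+\s+(\S+)", vhost_text, re.M | re.I):
        if worker not in declared:
            findings.add(f"JkMount uses undefined worker: {worker}")
    for name in declared:
        host = props.get(name, {}).get("host", "localhost")  # mod_jk default host
        if not is_loopback(host):
            findings.add(f"AJP worker {name} targets non-loopback host: {host}")
    return sorted(findings)
```

Calling audit() with the contents of /etc/libapache2-mod-jk/workers.properties and the site file returns an empty list when every mounted worker is declared and every worker points at loopback.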