Installation and Configuration of a secure web application using MySQL, OpenSA Web Server, Tomcat and OpenSSL on an NT4.0 or w2k box
Today more and more applications are only accessible via the internet. The main advantage for the customer is that there is no need for complicated and complex installation procedures. All the customer needs is an internet connection and a modern browser. All the work is done on the server side, where all logical components reside. This offers the most reliable security settings and configuration possibilities, completely independent of the client-side configuration.
As it is often not clear how to set up such a web deployment environment, I wrote this tutorial for myself. But I think it could be quite useful for others. Comments are highly appreciated and I will take some time to answer every e-mail I get. If you have any hints, please feel free to contact me: nikolas.rathert@igd.fhg.de
Please note that I used specific software versions for this step-by-step tutorial. If you want to use other software than this, feel free to send me comments on topics that are not covered by this tutorial.
- MySQL 3.23.51
- Tomcat 4.0.3
- OpenSA Web Server 1.0.1 (based on Apache 1.3.23)
- OpenSSL 0.9.6b
In this section you will learn
|
MySQL is one of the best-known open source database projects. It is a stable and reliable database that costs nothing, because it is licensed under the GPL. MySQL is this stable because the company that develops it keeps improving the software, and because enthusiasts port the source to other platforms or add functionality that the existing version does not yet cover.
Obtaining MySQL
You can get the newest binaries of MySQL from this site: http://www.mysql.com/downloads/index.html. But there is also a version of MySQL on this CD-ROM.
So download the file to your hard drive or copy the provided file somewhere on your hard disk, unpack it and proceed to the next chapter.
Installation of MySQL
After unpacking the .zip-archive you should double-click setup.exe and follow the on-screen messages. The installation process should not be complicated. The time it takes depends on the hardware you use. In most cases it is recommended to install MySQL in the root directory of your server. Do not use path names with German "Umlaute" (e.g. ä, ö, ü, ß) or spaces.
Configuration of MySQL
This is the most interesting chapter ;-). But it is not as complicated as it seems to be. To get MySQL running on your server you have to modify one small configuration file and have a look at the settings in another small file.
The configuration files can be found in the root directory of your MySQL installation folder.
They are named like this (the medium one is shown below, with the paths adapted to a Windows installation):
- my-huge.cnf
- my-large.cnf
- my-medium.cnf
- my-small.cnf
# Example mysql config file for medium systems.
#
# This is for a system with little memory (32M - 64M) where MySQL plays
# a important part and systems up to 128M where MySQL is used together with
# other programs (like a web server)
#
# You can copy this file to
# my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /usr/local/mysql/var) or
# ~/.my.cnf to set user-specific options.
#
# One can in this file use all long options that the program supports.
# If you want to know which options a program support, run the program
# with --help option.
# The following options will be passed to all MySQL clients
[client]
password = root
port = 3306
socket = /tmp/mysql.sock
# The MySQL server
[mysqld]
port = 3306
socket = /tmp/mysql.sock
skip-locking
set-variable = key_buffer=16M
set-variable = max_allowed_packet=1M
set-variable = table_cache=64
set-variable = sort_buffer=512K
set-variable = net_buffer_length=8K
set-variable = myisam_sort_buffer_size=8M
log-bin
server-id = 1
#point those path to the base (root) directory and
#the directory where your data is stored
basedir=D:/Programme/mysql/
datadir=D:/Programme/mysql/data/
[mysqldump]
quick
set-variable = max_allowed_packet=16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[isamchk]
set-variable = key_buffer=20M
set-variable = sort_buffer=20M
set-variable = read_buffer=2M
set-variable = write_buffer=2M
[myisamchk]
set-variable = key_buffer=20M
set-variable = sort_buffer=20M
set-variable = read_buffer=2M
set-variable = write_buffer=2M
[mysqlhotcopy]
interactive-timeout
# End of configuration-file
########################################################################
Now you should save your file as my.conf in the root directory of your system drive (usually C:/my.conf). This is important if you did not install MySQL on your system hard drive. If MySQL has been installed on your system hard drive, the configuration information is read from my.ini, which is located in the Windoze system root directory.
The configuration files are read in this order:
- C:/WINNT/my.ini
- C:/my.conf
To install MySQL as a service, open a DOS-box, change to {path/to/your/mysql/installation-directory}/bin and type:
- mysqld --install
You are ready to run MySQL now.
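As an added example (not from the tutorial), here is a small Python parser for option files in the format shown above, together with an audit that reports the settings a defender would question, for example the plaintext root password stored under [client]. SAMPLE_CNF is a constructed excerpt of the configuration above.

```python
"""Parse a MySQL 3.23-style option file and report questionable settings.

Added example, not part of the tutorial; SAMPLE_CNF is a constructed
excerpt of the my-medium.cnf shown in the text.
"""
import re

SAMPLE_CNF = """\
# The following options will be passed to all MySQL clients
[client]
password = root
port = 3306
socket = /tmp/mysql.sock
# The MySQL server
[mysqld]
port = 3306
skip-locking
set-variable = key_buffer=16M
set-variable = max_allowed_packet=1M
log-bin
server-id = 1
basedir=D:/Programme/mysql/
datadir=D:/Programme/mysql/data/
[mysql]
no-auto-rehash
#safe-updates
[mysqldump]
quick
set-variable = max_allowed_packet=16M
"""


def parse_cnf(text):
    """Return {section: {option: value}}; bare options (skip-locking) map to True.

    Handles '#' comments, 'key = value', bare flags and the old
    'set-variable = name=value' form that MySQL 3.23 uses.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        if current is None:
            raise ValueError("option before any [section]: %r" % raw)
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "set-variable":               # set-variable = key_buffer=16M
                key, value = (part.strip() for part in value.split("=", 1))
            current[key] = value
        else:
            current[line] = True
    return sections


def audit_cnf(sections):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    client = sections.get("client", {})
    mysqld = sections.get("mysqld", {})
    if "password" in client:
        # [client] options are read by every client tool; whoever can read
        # the option file (here C:/my.conf) gets the stored credential.
        findings.append("[client] stores a plaintext password; anyone who can "
                        "read the option file can log in with it")
    if client.get("port") != mysqld.get("port"):
        findings.append("[client] port %r differs from [mysqld] port %r"
                        % (client.get("port"), mysqld.get("port")))
    for key in ("basedir", "datadir"):
        if key not in mysqld:
            findings.append("[mysqld] is missing %s" % key)
    if "log-bin" in mysqld and "server-id" not in mysqld:
        findings.append("log-bin is enabled but no server-id is set")
    if "safe-updates" not in sections.get("mysql", {}):
        findings.append("[mysql] safe-updates is off: UPDATE/DELETE without a "
                        "key in the WHERE clause will run unrestricted")
    return findings
```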
Running MySQL
Running the MySQL server is quite easy. As you have properly installed the software and spent some effort configuring it right, you should now switch to the services control panel.
If your operating system is either NT4.0 or w2k,
- you have to open the control panel,
- browse to Services and double-click on it,
- then look for the MySQL service and start it by clicking on "Start".
- Optionally you can configure the service so that it starts automatically with the system
- and place a shortcut on your desktop for easier access (and less clicking).
- In order to stop the service you have to use the button "Stop".
Managing MySQL
The management of your installed and running MySQL server is easy and can be done via the console or via a GUI called "winmysqladmin".
If you want to use the console you have to
- open a DOS-box,
- browse to {path/to/your/mysql/installation-directory},
- switch to the /bin folder
- and type: mysqladmin --user=root --password=[whatever_your_password_is] command
- all possible commands are displayed by typing mysqladmin on its own
If you want to use an administration GUI because you think it is easier to handle,
- browse to {path/to/your/mysql/installation-directory} using the Explorer,
- switch to the /bin folder,
- and double-click on winmysqladmin.exe. A window pops up and minimizes to the systray.
- Right click (or left click) on the traffic lights icon and choose "Show me". The window will now be permanently visible.
- Alternatively you can invoke this window by typing winmysqladmin in a DOS-box (if the prompt is in {installation_directory_of_MySQL}/bin).
Other administration GUIs are available, for example:
- MySQL-Front: http://anse.de/mysqlfront/
- MyCC: http://www.mysql.com/downloads/gui-mycc.html
Tomcat 4 implements the following specifications:
- JavaServer Pages (JSP) Specification, Version 1.2: http://java.sun.com/products/jsp/download.html
- Servlet API Specification, Version 2.3: http://java.sun.com/products/servlet/download.html
- Java2 Enterprise Edition (J2EE)
Obtaining Tomcat
You can get the newest binaries of Tomcat from this site: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.4/. But there is also a version 4.0.4 of Tomcat on this CD-ROM. So download the file to your hard drive or copy the included file somewhere on your hard drive, unpack it and proceed to the next chapter.
Installation of Tomcat
The installation process of Tomcat is as easy as it could be because there is none. :-)
All you have to do is to unzip the downloaded file and move the folder to a place where you want to have Tomcat on your computer. I created a folder where I placed all of the server related stuff and moved the Tomcat folder to that new directory.
Configuration of Tomcat
After unpacking the Tomcat folder and moving it to the right place on your computer you should now configure the manager application. With the manager application you can maintain the webapps within your webapps directory.
To edit tomcat-users.xml, you have to complete the following steps:
- browse to your {path/to/you/tomcat/installation-directory}/conf,
- open tomcat-users.xml in any editor,
- add the following line after the other users:
<user name="myname" password="mypassword" roles="manager" />
- save the document.
Next you have to set the CATALINA_HOME environment variable. This is how you do it on a w2k machine:
- open control panel
- doubleclick on System
- click on the tab Advanced
- click on Environment Settings
- and add the following for name: CATALINA_HOME
- add the following for value: {path/to/your/tomcat/installation-directory}
Running Tomcat
Starting and stopping Tomcat is as easy as the installation procedure.
All you have to do is:
- browse to {path/to/your/tomcat/installation-directory}/bin,
- look for startup.bat and double-click it: a DOS-box will show up and say something like this:
Apache Tomcat/4.0.3
Starting service Tomcat-Apache
Apache Tomcat/4.0.3
If the DOS-box disappears after a few milliseconds there might be a problem with your CATALINA_HOME environment variable: either you did not set it at all or there is a misconfiguration. Go back to the previous section and have a close look at how to configure it correctly. If the DOS-box does not disappear but shows those lines, your server is running.
To check whether Tomcat is running, do the following:
- open your favourite web browser
- point it to http://your-domain:8080/
That only shows that the server answers; it does not tell you that it is configured properly. To make sure that everything is correct,
- point your browser to http://your-domain:8080/examples/jsp/index.html
- choose one of the examples
If you get an error
- confirm that you have set the JAVA_HOME variable
- confirm that you have the J2SDK and not only the JRE installed
Maintaining Tomcat
Normally you want to prevent anybody from viewing a listing of the directories you put on the server. To do so you just need to edit your server.xml within the conf directory of your Tomcat installation so that the directory listing is no longer available.
- browse to {path/to/your/tomcat/installation-directory}/conf
- open server.xml with your favourite text editor
- move to
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
- and change <param-value>true</param-value> to <param-value>false</param-value>
To use the manager application you first have to edit tomcat-users.xml (if you have not already done so). For adding a user please read Configuration of Tomcat once more and follow the steps.
If you have already added a user with the "manager" role,
- open your favourite web browser
- point it to http://your-domain:8080/manager/list
If a login dialog pops up, enter the correct values (those you put into tomcat-users.xml) and the browser window will display something like this:
OK - Listed applications for virtual host localhost
/manager:running:0
/kamcomtest:running:0
/login:running:0
/examples:running:1
/testremote:running:0
/tomcat-docs:running:0
/webdav:running:0
/portal_jsp:running:0
/test2:running:0
/test:running:0
/:running:0
The manager application offers the possibility to maintain the server content that is served to the internet community. I just wanted to give an overview of the manager application in this section. To learn more about all the features that come with that application, point your favourite browser to http://jakarta.apache.org/tomcat/tomcat-4.0-doc/manager-howto.html.
Publishing Possibilities of Tomcat
Before we get deep into the different publishing possibilities we should first have a look at the folder structure of a web application. This is important because Tomcat, as a servlet container, expects web applications to be organised according to the J2EE standard. This standard requires web applications to follow a certain folder structure. Basically there are two ways a web application can be placed underneath the webapps folder:
- the web application could be presented in an "unpacked" form
- the web application could be presented in a "packed" file format: .war (for Web ARchive)
The "document root" for web applications is located here:
- {path/to/your/tomcat/installation-directory}/webapp/
- /myProject - name of the project and folder on top level
- /myProject/WEB-INF/web.xml - this file contains information about servlets and other components of your web application. It is often called the Web Application Deployment Descriptor. The structure of this file is described in a special DTD that can be found here: http://java.sun.com/dtd/web-app_2_3.dtd
- /myProject/WEB-INF/classes - this folder contains all Java classes and associated resources, mainly servlets and non-servlet classes, that are not combined in a .jar-file. Java classes that are not packed must reflect their package hierarchy in the folder hierarchy: e.g. org.later.myPackage.myServlet has to be put into /classes/org/later/myPackage/
- /myProject/WEB-INF/lib - this directory contains .jar-files that consist of Java classes and associated resources from third parties. Often the JDBC drivers (for databases) are found here.
- {path/to/your/tomcat/installation-directory}/conf/server.xml is the file that contains the <context path> entries. These are necessary for the web server in order to publish the web application.
|--1--| Adding a <context path> entry in server.xml is the first publishing possibility I want to show here. This is an easy way because you already know the relevant file that has to be edited: server.xml.
To add an entry you have to
- browse to {path/to/your/tomcat/installation-directory}/conf/server.xml,
- open that file by double-clicking and look for <!--Tomcat Root Context-->
- the file looks something like this:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
...
<!--Tomcat Root Context-->
<context path="/examples" docBase="examples" debug="0"/>
<context path="/manager" docBase="manager" debug="0"/>
...
</web-app>
- insert <context path="/[your-project]" docBase="[/path/to/your-project]" debug="0"/> after the other projects,
- restart Tomcat,
- test your new entry by pointing your favourite browser to http://your-domain:8080/your-project/
|--2--| The next possible publishing process can be done by using the manager application. If you have not already created a user with the "manager" role you should do this now (read the appropriate section). Otherwise you cannot use the manager application.
This application is called via browser.
You just have to
- start Tomcat,
- type in your browser's navigation bar: http://[my-domain]:8080/manager,
- provide username and password when the popup pops up.
The syntax for the manager application looks like this:
- http://[your-domain]:8080/manager/[command]?[parameter(s)]
To list the deployed web applications type
- http://[your-domain]:8080/manager/list
The response looks like this:
OK - Listed applications for virtual host localhost
/manager:running:0
/kamcomtest:running:0
/login:running:0
/examples:running:0
/testremote:running:0
/gateway-webapp:running:0
/tomcat-docs:running:0
/webdav:running:0
/portal_jsp:running:0
/test2:running:0
/test:running:0
/:running:0
To deploy a new web application that is unpacked, you have to type
- syntax: http://[your-domain]:8080/manager/install?path=/[your-project]&war=file:/path/to/[your-project]
- example: http://localhost/manager/install?path=/nick&war=file:D:/Programme/Server/jakarta-tomcat-4.0.3/webapps
- response: OK - Installed application at context path /nick
To deploy a web application packed as a .war-file, you have to type
- syntax: http://[your-domain]:8080/manager/install?path=/[your-project]&war=jar:file:/path/to/[your-project].war!/
- example: http://localhost/manager/install?path=/nick&war=jar:file:D:/Programme/Server/jakarta-tomcat-4.0.3/webapps/nick.war!/
- response: OK - Installed application at context path /gateway-webapp
If the installation fails, the manager application answers with one of the following messages:
- Application already exists at path /gateway-webapp: The context paths for all currently running web applications must be unique. Therefore, you must either undeploy the existing web application using this context path, or choose a different context path for the new one.
- Document base does not exist or is not a readable directory: The URL specified by the war parameter must identify a directory on this server that contains the "unpacked" version of a web application, or the absolute URL of a web application archive (WAR) file that contains this application. Correct the value specified by the war parameter.
- Encountered exception: An exception was encountered trying to start the new web application. Check the Tomcat 4 logs for the details, but likely explanations include problems parsing your /WEB-INF/web.xml file, or missing classes encountered when initializing application event listeners and filters.
- Invalid application URL was specified: The URL for the directory or web application that you specified was not valid. Such URLs must start with file:, and URLs for a WAR file must end in ".war".
- Invalid context path was specified: The context path must start with a slash character, unless you are referencing the ROOT web application -- in which case the context path must be a zero-length string.
- No context path was specified: The path parameter is required.
To remove a web application type
- http://[your-domain]:8080/manager/remove?path=/[your-project]
To reload a web application type
- http://[your-domain]:8080/manager/reload?path=/[your-project]
Starting a web application is done by typing
- http://[your-domain]:8080/manager/start?path=/[your-project]
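As an added example that is not part of the tutorial or of Tomcat, the following Python code builds manager command URLs, reads the /manager/list output and checks install parameters against the error rules listed above before anything is sent; it assumes the manager listens on port 8080, and SAMPLE_LIST is a constructed list response modelled on the one in the text.

```python
"""Build Tomcat 4 manager URLs and parse the manager's text responses.

Added example, not part of the tutorial or of Tomcat. It applies the rules
the manager reports for the install command (the context path must start
with '/' or be empty for ROOT; war must be a file: URL or jar:file:...war!/)
and reads /manager/list output. Port 8080 is assumed; SAMPLE_LIST is a
constructed sample.
"""
from urllib.parse import urlencode

SAMPLE_LIST = """\
OK - Listed applications for virtual host localhost
/manager:running:0
/login:running:0
/examples:running:1
/:running:0
"""


class ManagerError(ValueError):
    """Raised with the message the manager application would return."""


def manager_url(host, command, **params):
    """Return http://host:8080/manager/<command>?<params>, keeping / : ! unescaped."""
    url = "http://%s:8080/manager/%s" % (host, command)
    if params:
        url += "?" + urlencode(params, safe="/:!")
    return url


def parse_list(text):
    """Return (ok, message, {context: (status, sessions)}) from /manager/list output."""
    lines = text.strip().splitlines()
    status, _, message = lines[0].partition(" - ")
    apps = {}
    if status == "OK":
        for line in lines[1:]:
            # each line is "<context path>:<running|stopped>:<active sessions>"
            context, state, sessions = line.rsplit(":", 2)
            apps[context] = (state, int(sessions))
    return status == "OK", message, apps


def install_problem(path, war, deployed=None):
    """Return the manager's error message for these install parameters, or None.

    `deployed` is the context dict from parse_list(), used for the
    "Application already exists" check.
    """
    if path is None:
        return "No context path was specified"
    if path != "" and not path.startswith("/"):
        return "Invalid context path was specified"
    if deployed and path in deployed:
        return "Application already exists at path %s" % path
    is_jar = war.startswith("jar:file:") and war.endswith("!/")
    if is_jar and not war[:-2].endswith(".war"):
        return "Invalid application URL was specified"
    if not is_jar and not war.startswith("file:"):
        return "Invalid application URL was specified"
    return None


def install_url(host, path, war, deployed=None):
    """Build the install command, refusing parameters the manager would reject."""
    problem = install_problem(path, war, deployed)
    if problem:
        raise ManagerError(problem)
    return manager_url(host, "install", path=path, war=war)
```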
|--3--| The next possibility to publish a project on your Tomcat server is to copy the generated .war-file to your /webapps directory. This requires the server to be restarted. During the restart process Tomcat will expand the .war-file and create a folder hierarchy like the one the web archive was built from. Note that in case of an update of the web application both the .war-file and the unpacked folders have to be removed. Then Tomcat has to be restarted. Now you can copy the new and updated .war-file to the /webapps directory. Then you have to restart Tomcat again or use the manager application.
|--4--| The fourth possibility to publish web applications with Tomcat is quite similar to No. 3: copy the unpacked folders of your web application to the /webapps directory and restart Tomcat or use the manager application.
That's it. Now you are ready to use Tomcat for production and publishing issues.
The OpenSA Web Server is an Apache 1.3.26-based server distribution with built-in SSL encryption. In addition, the installation package contains OpenSSL, which is useful for generating keys and certificates. But OpenSA Web Server is available for Windoze systems only. Using this distribution saves you from searching for the right Apache module (like mod_ssl) or compiling it from source. Compiling any source code under Windoze is complicated as you must have a compiler installed (for example the one that comes with Visual C++). I decided to use this server+SSL distribution because it is easy to install, easy to configure and easy to run.
Obtaining OpenSA Web Server
You can get the newest binaries of OpenSA Web Server from this site: http://www.opensa.org/download/. But there is also a version of OpenSA Web Server on this CD-ROM.
So download the file to your hard drive or copy the provided file somewhere on your hard disk, unpack it and proceed to the next chapter.
Installing OpenSA Web Server
The installation procedure is quite simple. All you have to do is double-click the installer.exe and follow the on-screen instructions.
Configuring OpenSA Web Server
All you had to configure to get OpenSA Web Server going was done during the installation process. You have been asked where the installer should place the different applications that come along with the installer package. So, right now there is nothing to configure except some lines within httpd.conf.
To do this,
- browse to {path/to/your/opensa_web_server/installation-directory}/Apache/conf and open httpd.conf
- change ServerAdmin to your settings (around line 255)
- uncomment ServerName and give your server a name (around line 273)
- change DocumentRoot to your document root if you do not want to use the default /htdocs (around line 281)
Running OpenSA Web Server
Running OpenSA Web Server is simple. During the installation process a group in the start menu/program files is created. There you find all the control commands. Note that the installed service does not seem to be SSL-enabled, so I think it is better to start and stop the server by using this menu. That's it. Now you have a web server running with built-in SSL encryption and are able to establish secure connections.
Connecting Tomcat and Apache
Each of those servers is used according to its specific task: Apache is used as the web server and Tomcat as the application server. The connection between them must be established in order to serve dynamic content via port 80 (the default port for web servers). If you connect both, *.jsp-files as well as servlets will be passed on to Tomcat and handled by it. Apache is therefore only the arbitrator. Of course all static content will be sent through Apache to the clients. Basically there are two possibilities to connect Apache and Tomcat on a Windoze-based OS:
- mod_webapp
- mod_jk
Obtaining necessary components
You get the binary version of mod_jk by pointing your browser to one of the following URLs:
- http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.4/bin/win32/i386/ (Apache up to version 1.3)
- http://www.acg-gmbh.de/mod_jk/ (Apache from 2.0 and higher)
If you are now going to edit important config files for both servers, be sure that your configuration so far is working properly. If you are not able to start and stop both servers, or the examples are not displayed properly, do not continue here. First fix the problems, if there are any.
If there are no problems with the configuration so far, just go ahead.
First we have to edit server.xml:
- browse to the directory where you installed Tomcat
- change to folder conf
- open server.xml in your favourite text editor
- scroll to the line where <Server port="8005" ...> is stated and add the following line below it:
<Listener className="org.apache.ajp.tomcat4.config.ApacheConfig" modJk="D:/Programme/Server/Apache/modules" />
- then go on to the line where <Service name="Tomcat-Standalone"> is written and add:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009" minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"/>
Then create the workers.properties file:
- browse to the /bin directory of your Tomcat installation directory
- create a new directory called jk in your /bin directory
- create a new text file and save it as workers.properties, then
- copy the following code and paste it into your workers.properties file:
# Setup for Windows system
#
workers.catalina_home="D:/Programme/Server/jakarta-tomcat-4.0.3"
workers.java_home="D:/Programme/Java/j2sdk1.4.0_01"
# Linux uses fwd slashes
#ps=/
# Windows uses back slashes
ps=\
worker.list= ajp13
# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
- modify the paths given in there so that they match your installation and save the document.
Now edit the httpd.conf of your Apache Web Server. Add after the LoadModule section:
#--------------------------------------------------------------------#
<IfModule !mod_jk.c>
LoadModule jk_module modules/mod_jk.dll
</IfModule>
#--------------------------------------------------------------------#
and additionally at the end of your httpd.conf file:
<IfModule !mod_jk.c>
LoadModule jk_module "D:/Programme/Server/OpenSA/Apache/modules/mod_jk.dll"
</IfModule>
JkWorkersFile "D:/Programme/Server/jakarta-tomcat-4.0.3/conf/jk/workers.properties"
JkLogFile "D:/Programme/Server/jakarta-tomcat-4.0.3/logs/jk_log.txt"
JkLogLevel debug
JkMount /servlet/* ajp13
JkMount /*.jsp ajp13
JkMount /examples/* ajp13
JkMount /manager/* ajp13
JkMount /tomcat-docs/* ajp13
JkMount /webdav/* ajp13
JkMount /login/* ajp13
#-----------------------------------------------------------------------------------#
Do not forget to copy mod_jk.dll into the modules folder of your Apache Web Server. Having done so, configuration is over and you are ready to run Tomcat through Apache. Apache then serves the static content, and the dynamic content is handled by Tomcat.
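An added Python check (not from the tutorial or from mod_jk) that cross-checks the three pieces of wiring above: every worker named in a JkMount must be defined in worker.list with host, port and type, the ajp13 worker's port must match the Ajp13Connector port in server.xml, and JkLogLevel debug is reported because it logs every request and should be lowered once the setup works. The three inputs are constructed excerpts of the files above, with one deliberate mismatch (a JkMount to an undefined worker ajp14) to show a finding.

```python
"""Cross-check mod_jk wiring: workers.properties, JkMount lines, AJP port.

Added example, not part of the tutorial or of mod_jk. The three inputs are
constructed excerpts; the JkMount for /login/* deliberately names a worker
(ajp14) that workers.properties does not define.
"""
import re

WORKERS_PROPERTIES = """\
# Setup for Windows system
workers.catalina_home="D:/Programme/Server/jakarta-tomcat-4.0.3"
workers.java_home="D:/Programme/Java/j2sdk1.4.0_01"
# Windows uses back slashes
ps=\\
worker.list= ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
"""

HTTPD_CONF = """\
JkWorkersFile "D:/Programme/Server/jakarta-tomcat-4.0.3/conf/jk/workers.properties"
JkLogFile "D:/Programme/Server/jakarta-tomcat-4.0.3/logs/jk_log.txt"
JkLogLevel debug
JKMount /servlet/* ajp13
JkMount /*.jsp ajp13
JkMount /manager/* ajp13
JkMount /login/* ajp14
"""

SERVER_XML = """\
<Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
           minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"/>
"""


def parse_workers(text):
    """Return {"list": [worker names], "workers": {name: {prop: value}}}."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    workers = {}
    for key, value in props.items():
        m = re.match(r"^worker\.([^.]+)\.(\w+)$", key)   # worker.<name>.<prop>
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = value
    return {"list": names, "workers": workers}


def parse_jkmounts(text):
    """Return [(url_pattern, worker)]; Apache directive names are case-insensitive."""
    mounts = []
    for line in text.splitlines():
        m = re.match(r"^\s*jkmount\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts


def ajp_connector_port(text):
    """Return the port of the Ajp13Connector element, or None if absent."""
    m = re.search(r'Ajp13Connector"[^>]*?port="(\d+)"', text)
    return int(m.group(1)) if m else None


def check_wiring(workers_text, httpd_text, server_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    w = parse_workers(workers_text)
    ajp_port = ajp_connector_port(server_xml)
    for name in w["list"]:
        props = w["workers"].get(name, {})
        for needed in ("host", "port", "type"):
            if needed not in props:
                findings.append("worker %s lacks %s" % (name, needed))
        if props.get("type") == "ajp13" and props.get("port") and int(props["port"]) != ajp_port:
            findings.append("worker %s uses port %s but Tomcat's Ajp13Connector listens on %s"
                            % (name, props["port"], ajp_port))
    for pattern, worker in parse_jkmounts(httpd_text):
        if worker not in w["list"]:
            findings.append("JkMount %s refers to undefined worker %s" % (pattern, worker))
    if re.search(r"^\s*JkLogLevel\s+debug", httpd_text, re.IGNORECASE | re.MULTILINE):
        findings.append("JkLogLevel debug logs every request; use info or error once it works")
    return findings
```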
Resources
Further information and all about mod_jk can be found here.
Some tutorials and instructions for the installation of mod_webapp and mod_jk can be found there.
Hints for combining different versions of Apache and Tomcat can be found there.
In order to secure the data transfer between client and server you are encouraged to use Secure Sockets Layer (SSL). What I am going to explain in this section is how you can create your own certificates with OpenSSL for Windows. Certificates are useful because they let clients identify your hosts correctly: your customers can see that the computer they are sending a request to is really the one they want to reach. You can also create special client certificates that the browser must have installed in order to connect to your server. That is more secure than the other options, but of course it can only be used if you know your customers, i.e. the people who will access your secured server.
Becoming Certificate Authority (CA)
You have probably heard about so-called Certificate Authorities before, and you will have recognised that VeriSign, Thawte and other names have something to do with certificates, keys and security. All of those companies are certificate authorities: they are trusted, and they offer the signing of your certificates as a service. But that costs money. So if you have to set up an SSL connection for prototype or testing purposes and want to show that you are able to generate your own certificates, you have to become your own certificate authority in order to sign the certificates you created.
Obtaining the necessary software
[TO BE DONE]