Apache Tomcat
This guide provides detailed instructions for integrating Apache Tomcat with Luna HSM. The integration leverages the Java JCE/JCA interface to generate SSL keys directly on the Luna HSM. Additionally, you can use the native library to enable the APR connector, which utilizes OpenSSL for cryptographic operations. By integrating Luna HSMs with Apache Tomcat, you can generate 2048-bit RSA key pairs for SSL encryption, ensuring enhanced security by protecting private keys and certificates within a FIPS 140-2 certified hardware security module.
The key benefits of this integration are:
-
Secure generation, storage, and protection of the identity signing private keys using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
-
Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
-
Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations.
-
Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration is certified with Luna HSM on the following platforms:
| Apache Tomcat Version | Java Version | Platforms |
|---|---|---|
| Apache Tomcat 9.0.79 | Open JDK 11 | Red Hat Enterprise Linux 8 |
| Apache Tomcat 10.0.6 (With Native Library) | Open JDK 11 | Red Hat Enterprise Linux 8 and OpenSSL 1.1.1 |
| Apache Tomcat 9.0.20 (With Native Library) | Open JDK 8 | Solaris 11 and OpenSSL 1.1.1 |
| Apache Tomcat 8.5.57 | Open JDK 11 | Red Hat Enterprise Linux 7 |
| Apache Tomcat 9.0.31 | Open JDK 8 | Red Hat Enterprise Linux 7 |
| Apache Tomcat 8.5.51 | Oracle JDK 8 | Windows Server 2016 Datacenter |
| Apache Tomcat 8.5.40 | Open JDK 8 | Red Hat Enterprise Linux 7 |
| Apache Tomcat 8.5.40 | Oracle JDK 8 | Windows Server 2016 Datacenter |
(a) For JDK 11, Luna Client 10.3.0 or above is required.
(b) Open JDK 11 is supported for Luna Client 10.2.0 also but with patch: DOW0005918. You can download this patch from the Thales Customer Support portal if using Luna Client 10.2.0 with JDK 11.
(c) Lower versions of Luna Client don’t support JDK 11.
Prerequisites
Before proceeding with the integration, ensure the following tasks are completed:
Configure Luna HSM
As the first step to accomplish this integration, you need to set up On-Premise Luna HSM. Follow these steps to configure your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later on used by Apache Tomcat.
Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
Upon successful execution, you should observe an output similar to the example provided below:
lunacm (64-bit) v10.4.0-417. Copyright (c) 2021 Thales Group. All rights reserved. Available HSMs: Slot Id -> 0 Label -> TPA01 Serial Number -> 1312109862206 Model -> LunaSA 7.7.1 Firmware Version -> 7.7.1 Bootloader Version -> 1.1.2 Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode Slot Description -> Net Token Slot FM HW Status -> Non-FM Current Slot Id: 0
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
For proper configuration of a PED-based Luna HSM, it is recommended to activate partition policies 22 and 23, allowing for both activation and auto-activation.
Manage user access to the HSM
By default, access to the HSM device is limited to the root user. If you need to grant access to the HSM for specific non-root users, you can achieve this by including them in the hsmusers group. The hsmusers group is automatically generated during the client software installation process and remains intact even if you uninstall the client software. This design enables you to update your client software without losing your hsmusers group settings.
Add users to the hsmusers group
If you wish to permit non-root users or applications to interact with the HSM device, you must assign these users to the hsmusers group. Make sure that the users you intend to add to the hsmusers group are already established on the client workstation. Only users added to the hsmusers group will be granted access to the HSM device. Follow these steps to add a user to the hsmusers group:
Ensure that you possess sudo privileges on the client workstation.
Add a user to the hsmusers group using the command:
sudo gpasswd --add <username> hsmusers
Replace username with the actual username you want to include in the hsmusers group.
Remove users from the hsmusers group
If you need to withdraw a user's authorization to access the HSM device, you can remove them from the hsmusers group. Carry out the following steps to remove a user from the hsmusers group:
Confirm that you hold sudo privileges on the client workstation.
Eliminate a user from the hsmusers group using the command:
sudo gpasswd --add <username> hsmusers
Replace username with the specific username you want to exclude from the hsmusers group. To observe the changes, you will need to log in again.
Any user you remove will retain access to the HSM device until the client workstation is rebooted.
Set up Luna HSM High-Availability Group
Refer to Luna HSM documentation for HA steps and details regarding configuring and setting up two or more HSM boxes on host systems. You must enable the HAOnly setting in HA for failover to work so that if the primary goes down due to any reason, all calls get automatically routed to the secondary until the primary recovers and starts up.
Install Java Development Kit
Ensure you have the Java Development Kit (JDK) installed, as Apache Tomcat relies on Java. It's crucial to have the correct JDK version. Verify that JAVA_HOME points to your JDK installation directory.
Set up Gem Engine Toolkit
For enhanced security via native libraries and the APR connector, consider using the Gem Engine toolkit from Thales Customer Support. This toolkit uses the OpenSSL engine for advanced cryptographic operations. Familiarize yourself with OpenSSL by consulting the OpenSSL documentation.
Set up Apache Tomcat
To begin using Apache Tomcat, you need to set it up on your target machines. Follow the detailed instructions available on the Apache Tomcat website.
A compatible JDK version must be installed before installing Apache Tomcat. Refer to the Apache Tomcat documentation for specific JDK version requirements.
To ensure that Apache Tomcat is up and running after installation, access either of the following URLs: http://[hostname]:8080/ or http://[IP address]:8080/. Accessing these URLs will display the Apache Tomcat welcome page, confirming that your installation was successful.
Integrate Apache Tomcat using JDK 11
To integrate Apache Tomcat using JDK 11, follow these steps:
Configure Java for Luna HSM
Apache Tomcat utilizes Java JSSE for SSL/TLS support. To enable support for the Luna Provider, which Apache Tomcat will use for securing SSL keys and certificates on the Luna HSM, follow these steps:
Log on to the Apache Tomcat server as the root user or another user with administrative privileges.
Ensure that the JAVA_HOME and PATH variables are properly configured. If not, set the JAVA_HOME and PATH variables:
export JAVA_HOME=[JDK_installation_directory] export PATH=$JAVA_HOME/bin:$PATH
Note for Windows Users: To set the JAVA_HOME and PATH system variables on Windows, navigate to System > Advanced system settings > Environment Variables... and add/edit the respective variables.
Edit the Java security configuration file java.security, located in the directory [JDK_installation_directory]/conf/security, and add the Luna Provider to the java.security file. Here's an example of how to add the Luna Provider:
security.provider.1=SUN security.provider.2=com.safenetinc.luna.provider.LunaProvider security.provider.3=SunRsaSign security.provider.4=SunEC security.provider.5=SunJSSE security.provider.6=SunJCE security.provider.7=SunJGSS security.provider.8=SunSASL security.provider.9=XMLDSig security.provider.10=SunPCSC security.provider.11=JdkLDAP security.provider.12=JdkSASL security.provider.13=SunPKCS11
Generate key materials on Luna HSM
When integrating Java with the Luna Provider, you can establish keys and certificates in the keystore linked to a Luna HSM partition. Follow these steps to create keys and certificates in the Luna HSM:
Create a keystore configuration file named lunastore and include the following entry:
tokenlabel:[partition_label]
Replace [partition_label] with the label of your Luna HSM partition.
Save the file in the [Tomcat_Installation]/conf directory.
Use the Java keytool utility to generate a key pair in the keystore. The key pair will be generated on the registered partition of the Luna HSM.
keytool -genkeypair -alias [key_label] -keyalg [key_algorithm] -keysize [key_size] -sigalg [signing_algorithm] -keypass [key_password] -keystore lunastore -storetype Luna -storepass [partition_password] -providerpath "[luna_provider_jar_file]" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=[luna_JSP_lib_path] -J-cp -J[luna_provider_jar_file]
Replace the placeholders with appropriate values. When prompted, enter the details to generate the key and certificate. The key pair and certificate will be generated on the Luna HSM.
Use the following command to view the generated key materials and provide the keystore password:
keytool -list -v -keystore lunastore -storetype Luna -providerpath "[luna_provider_jar_file]" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=[luna_JSP_lib_path] -J-cp -J[luna_provider_jar_file]
Replace the placeholders with appropriate values. Enter the keystore password when prompted.
Generate a certificate request from a key in the keystore. The system will prompt you for the keystore password.
keytool -certreq -alias [key_alias] -sigalg SHA256withRSA -file [certreq_file] -keystore lunastore -storetype Luna -providerpath "[luna_provider_jar_file]" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=[luna_JSP_lib_path] -J-cp -J[luna_provider_jar_file]
Enter the keystore password when prompted. The certreq_file will be generated in the current directory.
Submit the CSR file to your Certification Authority (CA). The CA will authenticate the request and return a signed certificate or a certificate chain. Save the reply and the root certificate of the CA in the current working directory.
Import the CA's Root Certificate and Signed Certificate:
- To import the CA's Root certificate, execute the following command:
sh keytool -trustcacerts -importcert -alias rootca -file root.cer -keystore lunastore -storetype Luna -providerpath "[luna_provider_jar_file]" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=[luna_JSP_lib_path] -J-cp -J[luna_provider_jar_file] - To import the signed certificate reply or certificate chain, execute the following command:
keytool -trustcacerts -importcert -alias lunakey -file certchain.p7b -keystore lunastore -storetype Luna -providerpath "[luna_provider_jar_file]" -providerclass com.safenetinc.luna.provider.LunaProvider -J-Djava.library.path=[luna_JSP_lib_path] -J-cp -J[luna_provider_jar_file]
Enter the keystore password when prompted. Here, root.cer and certchain.p7b are the CA Root Certificate and Signed Certificate Chain, respectively.
Edit the Java security configuration file java.security, located in the directory [JDK_installation_directory]/conf/security, and add the Luna Provider to the java.security file:
security.provider.1=SUN security.provider.2=SunEC security.provider.3=SunJSSE security.provider.4=SunJCE security.provider.5=SunJGSS security.provider.6=SunSASL security.provider.7=XMLDSig security.provider.8=SunPCSC security.provider.9=JdkLDAP security.provider.10=JdkSASL security.provider.11=SunPKCS11 security.provider.12=com.safenetinc.luna.provider.LunaProvider security.provider.13=SunRsaSign
Ensure that the Luna Provider (com.safenetinc.luna.provider.LunaProvider) is added as shown.
Configure SSL for Apache Tomcat
Configuring SSL for Apache Tomcat involves setting up the SSL key and certificate stored in the keystore for secure communication. Follow these steps to configure SSL in the server.xml file located in the [Tomcat_installation_directory]/conf directory:
Stop the Apache Tomcat Server: If the server is running, execute the shutdown.bat (for Windows) or shutdown.sh (for Unix) script found in the bin folder of your Tomcat installation directory.
Open the server.xml file of the Tomcat server. You can either uncomment the existing connector and update it, or add the following code snippet as a new connector configuration without modifying the existing one:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreType="Luna" keystoreFile="conf/lunastore" keyAlias="lunakey" keystorePass="userpin1" />
Save the server.xml file and close the text editor. Ensure that the keystore settings match your environment specifications accurately.
Create a file named setenv.sh in the $CATALINA_HOME/bin folder with the following entries:
#!/bin/sh export CLASSPATH=/usr/safenet/lunaclient/jsp/lib/LunaProvider.jar export CATALINA_OPTS="-Djava.library.path=/usr/safenet/lunaclient/jsp/lib/"
Start the Tomcat server using the batch file startup.bat (for Windows) or startup.sh (for UNIX) located under the bin directory of [Tomcat_installation_directory].
Verify the SSL Configuration: If the Tomcat starts successfully, you should be able to see the default page of Tomcat on the browser using HTTPS and port 8443:
https://[hostname_or_IP_Address]:8443/
The SSL certificate will be the same as the one that you generated and stored in the Luna Keystore.
Integrate Apache Tomcat using JDK 8
To integrate Apache Tomcat with JDK 8, choose one of the following use cases based on your requirements:
-
Integrate Apache Tomcat by Generating a New SSL Certificate and Key on Luna HSM
-
Integrate Apache Tomcat by Migrating an Existing SSL Certificate and Key to Luna HSM
Integrate Apache Tomcat by generating a new SSL certificate and key on Luna HSM
For integrating JDK 8 compatible Apache Tomcat through the generation of a new SSL certificate and key, you need to:
Configure Java for Luna HSM
Apache Tomcat uses Java JSSE for SSL/TLS support. You need to configure Java to add support for the Luna Provider, which will be used by Apache Tomcat to secure SSL keys and certificates on the Luna HSM. To configure the Luna Provider in Java 8, follow these steps:
Log on to the Apache Tomcat server as root or another user with administrative privileges. Ensure that the JAVA_HOME and PATH variables are set. If not, set them using the following commands:
export JAVA_HOME=[JDK_installation_directory] export PATH=$JAVA_HOME/bin:$PATH
Note for Windows users: Set the JAVA_HOME and PATH system variables by navigating to System > Advanced system settings > Environment Variables….
Edit the Java Security Configuration file java.security located in the [JDK_installation_directory]/jre/lib/security directory. Add the Luna Provider to the java.security file as shown in the example below:
security.provider.1=sun.security.provider.Sun security.provider.2=sun.security.rsa.SunRsaSign security.provider.3=sun.security.ec.SunEC security.provider.4=com.sun.net.ssl.internal.ssl.Provider security.provider.5=com.sun.crypto.provider.SunJCE security.provider.6=com.safenetinc.luna.provider.LunaProvider security.provider.7=sun.security.jgss.SunProvider security.provider.8=com.sun.security.sasl.Provider security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI security.provider.10=sun.security.smartcardio.SunPCSC security.provider.11=sun.security.mscapi.SunMSCAPI
Copy the LunaAPI.dll (Windows) or libLunaAPI.so (UNIX) and LunaProvider.jar files from the [Luna_installation_directory]/jsp/lib folder to the [JDK_installation_directory]/jre/lib/ext directory.
Generate key materials on Luna HSM
When Java is configured to use Luna Provider, you can create the keys and certificate in the keystore pointing to the Luna HSM partition. Follow these steps to create keys and a certificate on Luna HSM:
Create a keystore configuration file named lunastore and add the following entry where [partition_label] is your Luna HSM partition label:
tokenlabel:
Save the file, preferably in the <Tomcat_Installation>/conf directory.
Use the Java keytool utility to generate a key pair. The key pair will be generated on the registered partition of Luna HSM.
keytool -genkeypair -alias [key_label] -keyalg [key_algorithm] -keysize [key_size] -sigalg [signing_algorithm] -keypass [partition_password] -keystore [keystore_name] -storepass [partition_password] -storetype luna
For example:
keytool -genkeypair -alias lunakey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keypass userpin1 -keystore lunastore -storepass userpin1 -storetype luna
Enter the details to generate the key and certificate in the Luna HSM and keystore in the current directory.
To display the generated key materials, use the following command:
keytool -list -v -storetype luna -keystore lunastore
To generate a certificate request from a key in the keystore, use the command below. You will be prompted to enter the keystore password.
keytool -certreq -alias lunakey -sigalg SHA256withRSA -file certreq_file -storetype luna -keystore lunastore
Enter the keystore password when prompted. This command will generate a file named certreq_file in the current directory.
Submit the certreq_file (CSR file) to your CA. The CA will authenticate the request and return a signed certificate or a certificate chain. Save the reply and the root certificate of the CA in the current working directory.
Import the CA’s root certificate and signed certificate or certificate chain into the keystore:
- To import the CA root certificate, execute the following command:
keytool -trustcacerts -importcert -alias rootca -file root.cer -keystore lunastore -storetype luna
- To import the signed certificate reply or certificate chain, execute the following command:
keytool -trustcacerts -importcert -alias lunakey -file certchain.p7b -keystore lunastore -storetype luna
Here, root.cer and certchain.p7b are the CA root certificate and signed certificate chain, respectively.
Configure SSL for Apache Tomcat
To enable SSL communication in Apache Tomcat, you'll need to configure the SSL key and certificate stored in the keystore. The configuration is done in the server.xml file located in the [Tomcat_installation_directory]/conf directory. Follow these steps to set up SSL for Apache Tomcat:
Stop the Tomcat server: If the Tomcat server is currently running, stop it by executing the appropriate script found in the bin folder of your Tomcat installation directory:
-
For Windows:
shutdown.bat -
For UNIX:
shutdown.sh
Open the server.xml file of your Tomcat server. You can either uncomment and update the existing SSL connector configuration or add the following snippet as a new connector configuration without modifying the existing one:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="Luna" keystoreFile="conf/lunastore" keyAlias="lunakey"
keystorePass="userpin1" />
Save the changes to the server.xml file and close the text editor. Make sure the keystore settings, such as keystoreType, keystoreFile, keyAlias, and keystorePass, accurately reflect your environment's specifications.
Start the Tomcat server by running the appropriate startup script found in the bin directory of your Tomcat installation directory:
-
For Windows:
startup.bat -
For UNIX/Linux:
startup.sh
Verify SSL Configuration: Once the Tomcat server is running successfully, open a web browser and enter the following URL: https://[hostname or IP Address]:8443/.
(a) Replace [hostname or IP Address] with the actual hostname or IP address of your server.
(b) This URL will allow you to access the default page of Tomcat using the HTTPS (secure) protocol on port 8443.
(c) The SSL certificate used for the connection will be the one you generated and stored in the Luna Keystore.
Integrate Apache Tomcat by migrating an existing SSL certificate and key to Luna HSM
To integrate Apache Tomcat (compatible with JDK 8) by migrating an existing SSL certificate and key to a Luna HSM, follow these steps:
Ensure Apache Tomcat is installed and SSL is configured using the key and certificate in the Java Keystore (JKS).
Configure Java for Luna HSM
To secure SSL keys and certificates on Luna HSM with Apache Tomcat, configure Java for Luna HSM by following the steps outlined in the Configure Java for Luna HSM section.
Migrate key materials from JKS to Luna Keystore
To seamlessly migrate key materials from a Java Keystore (JKS) to a Luna Keystore, proceed as follows after configuring Java to utilize the Luna Provider:
Begin by crafting a keystore configuration file named lunastore. Within this file, include the following entry, substituting <Partition Name> with the designated label of your Luna HSM partition:
tokenlabel:[partition_label]
Store this file meticulously, preferably within the [Tomcat_Installation]/conf directory.
Employ the keytool utility to orchestrate the migration of the Java keystore to the Luna keystore, incorporating the SSL certificate and key. This process relocates the certificate and key to the registered partition of the Luna HSM.
keytool -importkeystore -srckeystore [source_keystore_name] -srcstorepass [source_keystore_password] -srcalias [source_key_label] -destalias [destination_key_label] –destkeystore [destination_keystore_name] -deststorepass [partition_password] -deststoretype [luna_keystore]
Example:
keytool -importkeystore -srckeystore mykeystore.jks -srcstorepass changeit -srcalias tomcat_key -destalias tomcat_migrated_key –destkeystore lunastore –deststorepass userpin1 -deststoretype luna
Ensure prompt response to any requests for the partition password.
Validate the successful generation of key materials by executing the subsequent command:
keytool -list -v –alias tomcat_migrated_key -storetype luna -keystore lunastore
Again, supply the partition password if prompted.
It is strongly advised to eradicate the Java keystore post-migration to the Luna Keystore. Retaining the SSL key within a software keystore could potentially jeopardize security measures.
Reconfigure SSL for Apache Tomcat
Following the successful migration of the JKS keystore to lunastore, it's essential to reconfigure the SSL settings in Apache Tomcat's server.xml file to utilize the SSL certificate and key from lunastore. Follow these steps for seamless reconfiguration:
Stop the Apache Tomcat Server: If the server is currently running, halt its operation. Execute the shutdown.bat (for Windows) or shutdown.sh (for Unix/Linux) script found in the bin folder of your Apache Tomcat installation directory.
Navigate to the server.xml file located within the Tomcat server configuration directory. Modify the [Connector] element as shown below:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreType="Luna" keystoreFile="conf/lunastore" keyAlias="tomcat_migrated_key" keystorePass="userpin1" />
Ensure that the keystoreFile, keyAlias, and keystorePass attributes are correctly configured based on your environment.
Launch the Tomcat server by executing the startup.bat (for Windows) or startup.sh (for UNIX/Linux) script located in the bin directory of your Apache Tomcat installation. Upon successful startup, you should be able to access the default Tomcat page via HTTPS on port 8443:
https://[hostname or IP Address]:8443/
The SSL certificate presented will mirror the one migrated and stored in the Luna Keystore.
Integrate Luna HSM with Apache Tomcat using native library
This section contains detailed instructions and procedures to integrate Luna HSM with Apache Tomcat using native library and APR connector. This integration contains the following topics:
Install Gem Engine and OpenSSL
Follow these steps to install the Gem Engine and OpenSSL:
Install required packages: Ensure that the make and gcc compiler packages are installed on your system.
Create a directory to store all the necessary files for the installation:
mkdir -p /export/home
Download the OpenSSL tarball and save it in the directory you just created. Use wget for this task:
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
For using the HSM in Non-FIPS mode, OpenSSL version 1.1.1x is suitable. For FIPS mode HSM, use OpenSSL version 1.0.2x with the FIPS module.
Extract the Gem Engine toolkit in the /export/home directory:
tar xf 610-012987-004_SW_OPENSSL_TOOLKIT_GemEngine_v1.4_RevA.tar -C /export/home
Rename the extracted gemengine-1.4 directory to gemengine:
mv /export/home/gemengine-1.4 /export/home/gemengine
Extract the OpenSSL source files from the downloaded tarball:
tar xvfz /export/home/openssl-1.1.1k.tar.gz -C /export/home
Rename the extracted openssl-1.1.1k directory to openssl:
mv /export/home/openssl-1.1.1k /export/home/openssl
Change to the gemengine directory:
cd /export/home/gemengine/
Configure the Gem Engine with the specified options:
./gembuild config --openssl-source=/export/home/openssl --prefix=/usr/local --config-bits=64
If you are using OpenSSL version 1.0.2x, add the --compat-102 option to the above command.
Use the following command to build the OpenSSL libraries:
./gembuild openssl-build
If you are using OpenSSL version 1.0.2x, you must build and install the OpenSSL FIPS module before running this step. Refer to the gemengine/docs/README-GEMBUILD file for detailed instructions.
Install the OpenSSL libraries using this command:
./gembuild openssl-install
Update the PATH and LD_LIBRARY_PATH environment variables to include the directories where the OpenSSL binaries and libraries are installed:
export PATH=/usr/local/ssl/bin:$PATH export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
Confirm that the OpenSSL installation was successful by verifying the installed version:
openssl version -a
Compile the Gem dynamic engine with the following command:
./gembuild engine-build
Use the following command to install the Gem dynamic engine:
./gembuild engine-install
Run the command below to verify that the GemEngine is correctly installed:
openssl engine gem -v
The expected output should be:
(gem) Gem engine support enginearg, openSession, closeSession, login, logout, engineinit, CONF_PATH, ENGINE_INIT, ENGINE2_INIT, engine2init, DisableCheckFinalize, SO_PATH, GET_HA_STATE, SET_FINALIZE_PENDING, SKIP_C_INITIALIZE, IntermediateProcesses
Open the /etc/Chrystoki.conf file and add the following GemEngine section. Replace <slot_label> with the appropriate partition label:
GemEngine = {
LibPath64 = /opt/safenet/lunaclient/lib/libCryptoki2_64.so;
LibPath = /opt/safenet/lunaclient/lib/libCryptoki2_64.so;
EnableDsaGenKeyPair = 1;
EnableRsaGenKeyPair = 1;
DisablePublicCrypto = 1;
EnableRsaSignVerify = 1;
EnableLoadPubKey = 1;
EnableLoadPrivKey = 1;
DisableCheckFinalize = 1;
IntermediateProcesses = 0;
DisableEcdsa = 1;
DisableDsa = 0;
DisableRand = 0;
DisableSessionCache = 0;
EngineInit = "[slot_label]":0:0:passfile=/tmp/passfile;
EnableLoginInit = 1;
}
Create a text file and store the partition password in it:
echo [partition_password] > /tmp/passfile
Run the following command to test the Gem engine:
openssl engine gem -t
The output should indicate that the Gem engine is available.
Install Apache Tomcat
To install Apache Tomcat, follow these steps:
Download and install the supported Java version for Tomcat.
Export the JAVA_HOME environment variable:
export JAVA_HOME=/export/home/jdk1.8.0_152/
Create a group for Tomcat:
groupadd tomcat
Create a user for Tomcat and set its password:
useradd -s /bin/bash -g tomcat -m tomcat passwd tomcat
Create a directory for the Tomcat installation:
mkdir /usr/local/tomcat9
Change to the newly created Tomcat installation directory:
cd /usr/local/tomcat9/
Download the Apache Tomcat tarball:
wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.20/bin/apache-tomcat-9.0.20.tar.gz
Extract the downloaded tarball:
tar -xf apache-tomcat-9.0.20.tar.gz
Change the ownership of the Tomcat installation directory to the Tomcat user and group:
chown -R tomcat:tomcat /usr/local/tomcat9/
Export the CATALINA_HOME and CATALINA_BASE environment variables:
export CATALINA_HOME="/usr/local/tomcat9" export CATALINA_BASE="/usr/local/tomcat9"
Install Apr and Apr-Util
To install APR (Apache Portable Runtime) and APR-Util, follow these steps:
Change to the /export/home/ directory:
cd /export/home/
Download the APR tarball using wget:
wget https://apachemirror.wuchna.com/apr/apr-1.7.0.tar.bz2
Extract the tarball:
tar -xjvf apr-1.7.0.tar.bz2
Change to the apr-1.7.0 directory:
cd apr-1.7.0/
Create an empty file named libtoolT:
touch libtoolT
Configure the build environment. Use the appropriate command based on your operating system:
- On RHEL 7/8:
./configure
- On Solaris 11:
CFLAGS="-m64" ./configure
Run make to compile and make install to install APR:
make make install
Change back to the /export/home/ directory:
cd /export/home/
Download the APR-Util tarball using wget:
wget https://apachemirror.wuchna.com/apr/apr-util-1.6.1.tar.gz
Extract the APR-Util tarball:
tar -zxvf apr-util-1.6.1.tar.gz
Configure the build environment for APR-Util. Use the appropriate command based on your operating system:
- On RHEL 7/8:
./configure --with-apr=/usr/local/apr
- On Solaris 11:
CFLAGS="-m64" ./configure --with-apr=/usr/local/apr
Run make to compile and make install to install APR-Util:
make make install
Update the LD_LIBRARY_PATH environment variable to include the directory where APR libraries are installed:
export LD_LIBRARY_PATH=/usr/local/apr/lib:$LD_LIBRARY_PATH
Install Tomcat Native
To install Tomcat Native, follow these steps:
Change to the /usr/local/tomcat9/bin directory:
cd /usr/local/tomcat9/bin
Download the tomcat-native-1.2.28-src tarball if it is not already present:
wget https://archive.apache.org/dist/tomcat/tomcat-connectors/native/1.2.28/source/tomcat-native-1.2.28-src.tar.gz
Extract the tarball:
tar -zxvf tomcat-native-1.2.28-src.tar.gz
Change to the tomcat-native-1.2.28-src/native/ directory:
cd tomcat-native-1.2.28-src/native/
Configure the build environment. Use the appropriate command based on your operating system:
- On RHEL 7/8:
./configure --with-apr=/usr/local/apr --with-java-home=/export/home/jdk1.8.0_152/ --with-ssl=/usr/local/ssl/
- On Solaris 11:
CFLAGS="-m64" ./configure --with-apr=/usr/local/apr --with-java-home=/export/home/jdk1.8.0_152/ --with-ssl=/usr/local/ssl/
Run make to compile and make install to install Tomcat Native:
make make install
Create a file named setenv.sh in the /usr/local/tomcat9/bin directory and add the following line to it:
echo 'export LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/apr/lib:/usr/local/tomcat9/lib:$LD_LIBRARY_PATH' > /usr/local/tomcat9/bin/setenv.sh
Configure SSL in Apache Tomcat
Follow these steps to configure SSL in Apache Tomcat:
Execute the following command to generate keys. This will also save the certificate request and key reference:
openssl req -engine gem -new -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr
Run the following command to verify the generated key pair. You’ll be prompted to enter the partition password:
/opt/safenet/lunaclient/bin/cmu list
Submit the CSR file (server.csr) to a CA. Once authenticated, the CA will provide a signed certificate or certificate chain. Save the CA-signed certificate as servercert.cer in the system directory.
For demonstration, create a self-signed certificate servercert.cer using a test key server.key:
openssl genrsa -engine gem -out server.key 2048 openssl req -engine gem -new -x509 -days 365 -key server.key -out servercert.cer
This integration uses self-signed certificates in a test environment only. For a production environment, we recommend using a more secure method such as a certificate authority to issue the certificate.
Copy the generated server.key and servercert.cer files to the Tomcat configuration directory:
cp server.key /usr/local/tomcat9/conf/ cp servercert.cer /usr/local/tomcat9/conf/
Open the /usr/local/tomcat9/conf/server.xml file and make the following changes:
a. Locate the AprLifecycleListener and add SSLEngine="gem":
b. Add the following configuration to enable SSL support:
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443"
maxThreads="150"
SSLEnabled="true">
<SSLHostConfig>
<Certificate
certificateKeyFile="/usr/local/tomcat9/conf/server.key"
certificateFile="/usr/local/tomcat9/conf/servercert.cer"
type="RSA"/>
</SSLHostConfig>
</Connector>
Change the ownership of the /usr/local/tomcat9/ directory to the tomcat user and group:
chown -R tomcat:tomcat /usr/local/tomcat9/
Start the Tomcat service:
/usr/local/tomcat9/bin/catalina.sh start
Open any web browser and access the Tomcat server over SSL:
https://[apache_tomcat_server_ip]:8443
Run Apache Tomcat with non-root user
Follow these steps to run Apache Tomcat with a non-root user:
If the Apache Tomcat server is running, stop it using the following command:
/usr/local/tomcat9/bin/catalina.sh stop
Log in as the tomcat user.
Set the necessary environment variables for Java and Tomcat:
export JAVA_HOME=/export/home/jdk1.8.0_152 export CATALINA_HOME="/usr/local/tomcat9" export CATALINA_BASE="/usr/local/tomcat9" export PATH=/export/home/jdk1.8.0_152/bin:/usr/local/ssl/bin:$PATH export LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/apr/lib:/usr/local/tomcat9/lib:$LD_LIBRARY_PATH
Start the Tomcat service using the following command:
/usr/local/tomcat9/bin/catalina.sh start
Open any web browser and access the Tomcat server over SSL:
https://[apache_tomcat_server_ip]:8443
Troubleshooting
Problem 1: cc: not found error on Solaris 11
Error Message:
After running /gembuild openssl-build on Solaris 11, you may encounter the following error:
sh: line 1: cc: not found *** Error code 127
Solution:
To resolve this issue:
Navigate to the gemengine directory and open the gembuild file.
cd /path/to/gemengine vi gembuild
Go to line number 339 and make the following changes:
LUNA_CFG_TGT=solaris64-sparcv9-cc LUNA_CFG_TGT=solaris64-sparcv9-gcc
Problem 2: unrecognized option '-KPIC' error on Solaris 11
Error Message:
After running ./gembuild openssl-build on Solaris 11, you may encounter the following error:
sh unrecognized option '-KPIC'
Solution:
To resolve this issue:
Open the configure file located in the gemengine/engine directory.
cd /path/to/gemengine/engine vi configure
Go to line number 51 and make the following changes:
CFLAGS1="-xarch=v9 -fpic" LDFLAGS1="-xarch=v9 -G -h $LDSO -fpic"
