Sun GlassFish Enterprise Server v3 Administration Guide

Procedure: To Enable SSL Between the mod_jk Load Balancer and Enterprise Server

Before You Begin

The self-signed certificate must be configured.

  1. Perform the steps in To Enable mod_jk.

  2. Start another Enterprise Server with at least one web application deployed.

    In order for the mod_jk–enabled network listener to start listening for requests, the web container must be started. Normally, this is achieved by deploying a web application.

  3. Follow the instructions in To Configure an HTTP Listener for SSL, applying them to the mod_jk connector.

    Use the following format:


    asadmin> create-ssl --type http-listener --certname sampleCert new-listener
    
  4. Add the following directives in the httpd.conf file under the /etc/apache2/conf.d directory:

    # Should mod_jk send SSL information (default is On)
    JkExtractSSL On
    # What is the indicator for SSL (default is HTTPS)
    JkHTTPSIndicator HTTPS
    # What is the indicator for SSL session (default is SSL_SESSION_ID)
    JkSESSIONIndicator SSL_SESSION_ID
    # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
    JkCIPHERIndicator SSL_CIPHER
    # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
    JkCERTSIndicator SSL_CLIENT_CERT

  5. (Optional) To support both SSL and non-SSL connections, create two mod_jk–enabled network listeners and workers.

    Example workers.properties file:


    # This example shows a workers.properties file
    worker.list=ajp13unsecure, ajp13secure
    
    worker.ajp13secure.type=ajp13 
    worker.ajp13secure.host=localhost 
    worker.ajp13secure.port=8009  
    
    worker.ajp13unsecure.type=ajp13 
    worker.ajp13unsecure.host=localhost 
    worker.ajp13unsecure.port=8010

    Secure and unsecure HTTP listeners with ports 8009 and 8010 are created and enabled for mod_jk. For instructions, see To Enable mod_jk.

  6. To apply your changes, restart Apache HTTP Server and Enterprise Server.
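
A consistency check for the two-worker workers.properties file from step 5, which can be run before the restart in step 6. This is an added example, not part of the original guide or of mod_jk; the function names are hypothetical, and the loopback check is an assumption based on the guide's example keeping both workers on localhost.

```python
# The guide's example workers.properties, then a constructed broken variant.
PAGE_CONFIG = """\
worker.list=ajp13unsecure, ajp13secure
worker.ajp13secure.type=ajp13
worker.ajp13secure.host=localhost
worker.ajp13secure.port=8009
worker.ajp13unsecure.type=ajp13
worker.ajp13unsecure.host=localhost
worker.ajp13unsecure.port=8010
"""
BROKEN = PAGE_CONFIG.replace("port=8010", "port=8009")  # constructed defect
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: workers stay local

def parse_workers(text):
    """Return (names in worker.list, {name: {attribute: value}})."""
    listed, workers = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "worker.list":
            listed += [n.strip() for n in value.split(",") if n.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, attr = key.split(".", 2)
            workers.setdefault(name, {})[attr] = value
    return listed, workers

def check_workers(text):
    """Return a list of findings; an empty list means the file is consistent."""
    listed, workers = parse_workers(text)
    findings, seen = [], {}
    for name in listed:
        if name not in workers:
            findings.append(f"{name}: listed in worker.list but not defined")
            continue
        w = workers[name]
        host, port = w.get("host", ""), w.get("port", "")
        if w.get("type") != "ajp13":
            findings.append(f"{name}: type {w.get('type')!r}, expected ajp13")
        if not port.isdigit():
            findings.append(f"{name}: port {port!r} is not a number")
        elif (host, port) in seen:
            findings.append(f"{name}: same host:port as {seen[(host, port)]}")
        seen.setdefault((host, port), name)
        if host not in LOOPBACK:
            findings.append(f"{name}: host {host!r} is not loopback, review")
    return findings
```

If the secure and unsecure workers share a host and port, both point at the same listener, so `check_workers` reports the collision instead of letting it pass silently.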