Posted to user@ofbiz.apache.org by Iain Mac Donald <ia...@freeuk.com> on 2006/06/29 20:55:07 UTC

ssl setup with tomcat

I am trying to set up an SSL certificate with Ofbiz using Tomcat. I have
been using the "Basic Ofbiz Production Setup" as a guide. I have just
inserted my signed cert (PKCS#7 format) into the keystore and was about
to edit the ofbiz-containers.xml file with the relevant path and
password.

However, I have just noticed that the whole http & https-connector
sections are missing from ofbiz-containers.xml.

How should I proceed?

As I am quite new to Ofbiz I am a little concerned about doing something
wrong with a crucial part of the system.

The guide was for revision 4558 and I am using 5274.
-- 
Regards,
Iain.




RE: ssl setup with tomcat

Posted by Vinay Agarwal <Vi...@hotmail.com>.
Iain,

If you haven't looked at this, it may be a good place to start.
http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config

BTW, your OFBiz version is too old, not sure if that will work. I suggest
the latest from SVN.

Regards,
Vinay Agarwal

-----Original Message-----
From: Iain Mac Donald [mailto:iainjunk@freeuk.com] 
Sent: Thursday, June 29, 2006 12:03 PM
To: ofbiz-user@incubator.apache.org
Subject: Re: ssl setup with tomcat

On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> what version are you using?

I am using ofbiz version 3 revision 5274.



> > 
> > The guide was for revision 4558 and I am using 5274.

-- 
Regards,
Iain.




RE: ssl setup with tomcat

Posted by Andrew Sykes <an...@sykesdevelopment.com>.
Iain,

This version should certainly have a lot of functional code and will
probably be stable enough, but you are a long way out of date, an update
would be a really good idea.

- Andrew

On Thu, 2006-06-29 at 12:09 -0700, Vinay Agarwal wrote:
> Iain,
> 
> If you haven't looked at this, it may be a good place to start.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config
> 
> BTW, your OFBiz version is too old, not sure if that will work. I suggest
> the latest from SVN.
> 
> Regards,
> Vinay Agarwal
> 
> -----Original Message-----
> From: Iain Mac Donald [mailto:iainjunk@freeuk.com] 
> Sent: Thursday, June 29, 2006 12:03 PM
> To: ofbiz-user@incubator.apache.org
> Subject: Re: ssl setup with tomcat
> 
> On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> > what version are you using?
> 
> I am using ofbiz version 3 revision 5274.
> 
> 
> 
> > > 
> > > The guide was for revision 4558 and I am using 5274.
> 
-- 
Kind Regards
Andrew Sykes <an...@sykesdevelopment.com>
Sykes Development Ltd
http://www.sykesdevelopment.com


Re: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
On Thu, 2006-06-29 at 14:57 -0700, BJ Freeman wrote:
> that is where they are in the current versions.
> in the 3.0 version it was
> jetty-container
> after 3.2, I believe it is catalina-container

Well it looks to me like there is both jetty and tomcat and the docs I
have read seem to suggest that is the case too. Everything else is
working perfectly just the certificate bit is missing.

I am using the ofbiz embedded tomcat rather than the one that comes with
my distribution.


> 
> you can do you have a components folder or application and framework?
> 

I don't understand what you mean here?

-- 
Regards,
Iain.




Re: ssl setup with tomcat

Posted by BJ Freeman <bj...@free-man.net>.
that is where they are in the current versions.
in the 3.0 version it was
jetty-container
after 3.2, I believe it is catalina-container

you can do you have a components folder or application and framework?



Iain Mac Donald sent the following on 6/29/2006 2:35 PM:
> Does anyone know if it is possible to just add the http and
> https-connector statements to ofbiz-containers.xml or will that result
> in something dire happening?
> 
> 
> I have also just come across this...
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL
> 
> I take it that isn't true as the PDF document (written in 2005) I was
> following suggested just the approach the wiki article (2004) warns
> about?
> 
> Thank you for all the responses.

Re: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
Does anyone know if it is possible to just add the http and
https-connector statements to ofbiz-containers.xml or will that result
in something dire happening?


I have also just come across this...
http://ofbizwiki.go-integral.com/Wiki.jsp?page=ConfiguringSSL

I take it that isn't true as the PDF document (written in 2005) I was
following suggested just the approach the wiki article (2004) warns
about?

Thank you for all the responses.
-- 
Regards,
Iain.




Re: ssl setup with tomcat

Posted by Adrian Crum <ad...@hlmksw.com>.
This is also a good opportunity to stress the importance of keeping 
modifications outside the OFBiz codebase. Of course there will always be a 
handful of files that need to be updated with configuration changes and such, 
but for the most part you should try to put modifications in a separate component.

Example: we created our own component called OFBizEx and put all of our 
modifications in there.


BJ Freeman wrote:

> Si did a terrific job of showing how to create patches on the new 
> incubator pages.
> http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
> hope that helps.
> create a new folder for the upgrade so you don't lose your current setup.
> 
> 
> Walter Vaughan sent the following on 6/29/2006 12:49 PM:
> 
>> Iain Mac Donald wrote:
>>
>>> Can't do that really as we have made significant changes to ancillary
>>> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
>>> now would break that and put us back to square one.
>>
>>
>> This is the kind of thing that scares the poop out of me. I know less 
>> than nothing when it comes to working with diff's, but could someone 
>> document the steps in running diffs between the version he started 
>> with and his version and the current version. There has to be a recipe 
>> to follow, even if it's manually cutting and pasting.
>>
>> -- 
>> Walter
>>
> 

Re: ssl setup with tomcat

Posted by BJ Freeman <bj...@free-man.net>.
Si did a terrific job of showing how to create patches on the new 
incubator pages.
http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices
hope that helps.
create a new folder for the upgrade so you don't lose your current setup.


Walter Vaughan sent the following on 6/29/2006 12:49 PM:
> Iain Mac Donald wrote:
>> Can't do that really as we have made significant changes to ancillary
>> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
>> now would break that and put us back to square one.
> 
> This is the kind of thing that scares the poop out of me. I know less 
> than nothing when it comes to working with diff's, but could someone 
> document the steps in running diffs between the version he started with 
> and his version and the current version. There has to be a recipe to 
> follow, even if it's manually cutting and pasting.
> 
> -- 
> Walter
> 

Re: ssl setup with tomcat

Posted by Walter Vaughan <wv...@steelerubber.com>.
Iain Mac Donald wrote:
> Can't do that really as we have made significant changes to ancillary
> systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
> now would break that and put us back to square one.

This is the kind of thing that scares the poop out of me. I know less than 
nothing when it comes to working with diff's, but could someone document the 
steps in running diffs between the version he started with and his version and 
the current version. There has to be a recipe to follow, even if it's manually 
cutting and pasting.

--
Walter

Re: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
On Fri, 2006-06-30 at 10:00 +0100, Ray Barlow wrote:
> 
> If you have Apache 1.3 with mod_jk configured I would use Apache to 
> control http and https with the SSL certificate and disable the http and 
> https hosting configurations from OFBiz and just set it to host and 
> accept ajp13 connections with mod_jk. You can then also let Apache host 
> the static image content which it is supposed to be pretty good at doing.
> 
Currently I have a hybrid setup. I have Apache serving a whole lot of
static content outside of Ofbiz. Ofbiz is then used mostly for
the /ecommerce stuff. It is my intention to run multiple instances of
Ofbiz for different domains. This would be controlled using different
IP/port number combinations.

I have read elsewhere, in agreement with what you are saying, that
getting Apache to deal with the ssl stuff provides better performance.
However, previously I didn't have opportunity to test this.

If I were to move over to using Apache, as you suggest, can I use the
description here...
http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config
or is that Apache 2.0 specific?

Of course that would also mean having to get my signed certs converted
from PKCS#7 format (and I can't remember if I can do that with openssl).
-- 
Regards,
Iain.
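
Added example, not part of the original thread: the PKCS#7 conversion asked about above can be done with `openssl pkcs7 -print_certs`, which yields the PEM certificates that Apache's SSLCertificateFile expects. The script below goes slightly beyond the question by also checking that the converted certificate matches the private key, since a PKCS#7 bundle carries certificates only. All file names and the CN are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: file names and the CN below are constructed for the demo.

# p7b_to_pem SRC DST: write every certificate in a PKCS#7 bundle to one PEM file.
p7b_to_pem() {
    src=$1; dst=$2
    # CAs ship .p7b files either PEM-armoured or as raw DER; detect which.
    if grep -q -- '-----BEGIN PKCS7-----' "$src" 2>/dev/null; then
        form=PEM
    else
        form=DER
    fi
    # -print_certs also prints subject/issuer lines; keep only the PEM blocks.
    openssl pkcs7 -inform "$form" -in "$src" -print_certs |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$dst"
}

# cert_fp FILE: SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# cert_matches_key CERT KEY: succeed only if CERT carries KEY's public half.
# A PKCS#7 bundle holds certificates only, so the key is checked separately.
cert_matches_key() {
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ "$pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

# demo: build a throwaway self-signed cert, wrap it as a DER .p7b, convert it
# back, and confirm the result is the same certificate and fits the key.
demo() {
    d=$(mktemp -d) || return 1
    rc=1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=shop.example.test' \
        -keyout "$d/server.key" -out "$d/orig.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$d/orig.pem" -outform DER \
        -out "$d/signed.p7b" &&
    p7b_to_pem "$d/signed.p7b" "$d/server.crt" &&
    [ "$(cert_fp "$d/orig.pem")" = "$(cert_fp "$d/server.crt")" ] &&
    cert_matches_key "$d/server.crt" "$d/server.key" && rc=0
    rm -rf "$d"
    return $rc
}

demo && echo "PKCS#7 -> PEM round trip OK"
```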




Re: ssl setup with tomcat

Posted by Ray Barlow <ra...@makeyour-point.com>.
I used to use Apache 1.3 with mod_jk linked up to OFBiz. In fact as long 
as you have mod_jk installed and configured for Apache then the 
destination web application server does not really care or know if it is 
Apache 1.3 or 2 routing the requests.

If you have Apache 1.3 with mod_jk configured I would use Apache to 
control http and https with the SSL certificate and disable the http and 
https hosting configurations from OFBiz and just set it to host and 
accept ajp13 connections with mod_jk. You can then also let Apache host 
the static image content which it is supposed to be pretty good at doing.

Ray


Iain Mac Donald wrote:
> On Thu, 2006-06-29 at 20:26 +0100, Iain Mac Donald wrote:
>
>   
>>  as I am using apache 1.3 and wasn't using the
>> mod_jk method.
>>     
>
> Sorry. Brain to fingers problem. 
>
> What I meant to type was I am not using the Apache 2 with mod_jk method.
> I am using mod_jk with Apache 1.3.
>
>   

RE: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
On Thu, 2006-06-29 at 20:26 +0100, Iain Mac Donald wrote:

>  as I am using apache 1.3 and wasn't using the
> mod_jk method.

Sorry. Brain to fingers problem. 

What I meant to type was I am not using the Apache 2 with mod_jk method.
I am using mod_jk with Apache 1.3.

-- 
Regards,
Iain.




RE: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
On Thu, 2006-06-29 at 12:09 -0700, Vinay Agarwal wrote:

> 
> If you haven't looked at this, it may be a good place to start.
> http://ofbizwiki.go-integral.com/Wiki.jsp?page=Mod_jk_config

Thanks. I had seen this before plus some other guides in the wiki. I had
discounted this method as I am using apache 1.3 and wasn't using the
mod_jk method.

Are you saying that the method described in the PDF guide won't work? I
was hoping that it might just be a case of inserting the relevant
sections and I would be finished.

> 
> BTW, your OFBiz version is too old, not sure if that will work. I suggest
> the latest from SVN.
> 

Can't do that really as we have made significant changes to ancillary
systems to squeeze our data into Ofbiz. Using a newer version of Ofbiz
now would break that and put us back to square one.


-- 
Regards,
Iain.




Re: ssl setup with tomcat

Posted by Iain Mac Donald <ia...@freeuk.com>.
On Thu, 2006-06-29 at 11:58 -0700, BJ Freeman wrote:
> what version are you using?

I am using ofbiz version 3 revision 5274.



> > 
> > The guide was for revision 4558 and I am using 5274.

-- 
Regards,
Iain.




Re: ssl setup with tomcat

Posted by BJ Freeman <bj...@free-man.net>.
what version are you using?


Iain Mac Donald sent the following on 6/29/2006 11:55 AM:
> I am trying to set up an SSL certificate with Ofbiz using Tomcat. I have
> been using the "Basic Ofbiz Production Setup" as a guide. I have just
> inserted my signed cert (PKCS#7 format) into the keystore and was about
> to edit the ofbiz-containers.xml file with the relevant path and
> password.
> 
> However, I have just noticed that the whole http & https-connector
> sections are missing from ofbiz-containers.xml.
> 
> How should I proceed?
> 
> As I am quite new to Ofbiz I am a little concerned about doing something
> wrong with a crucial part of the system.
> 
> The guide was for revision 4558 and I am using 5274.