How to protect a Tomcat web application using Siteminder.

Document ID : KB000053831
Last Modified Date : 14/02/2018
Show Technical Document Details

Description

This document details how to protect a Tomcat web application using Siteminder.

The document assumes the reader is already experienced in the setup and configuration of webagents.

The method described in this document involves using an Apache Web server and Tomcat connector to serve as a proxy for tomcat.

Solution

  1. Install the Apache Web Server 2.0 (or other supported version)

    Apache web server will act as a proxy for Tomcat protecting the tomcat application.

  2. Download the Tomcat connector.

    This can be downloaded from http://tomcat.apache.org/connectors-doc/

    Ensure you download the correct version for your webserver

  3. Install the Tomcat connector.

    Copy the DLL (or .so) file downloaded as the connector to your Apache modules folder.
    On a windows system this is often C:\Program Files\Apache Group\Apache2\modules

    Create a mod_jk.conf file file

    In Tomcat 6.0\conf folder create (or edit) a mod_jk.conf file.

    Enter the following information into the file

    LoadModule jk_module " [Full path and name of the tomcat connector] "

    JkWorkersFile "[Root folder of tomcat installation] /conf/workers.properties"

    JkLogFile " [Full path and name of the logfile you wish to use] "

    JkLogLevel info

    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"

    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

    JkRequestLogFormat "%w %V %T"

    Finally add the line:

    JkMount / [your application name] smworker
    JkMount / [your application name] /* smworker

    This will redirect everything sent to the application name you specify to tomcat, For example:

    JkMount /example smworker

    JkMount /example/* smworker

    will send all requests received by apache on http://myserver.ca.com/example to be redirected to tomcat.

    Edit the webservers httpd.conf file.

    On a windows system this is commonly located in C:\Program Files\Apache Group\Apache2\conf

    At the end of this file add the line:
    include " [tomcat install folder] /conf/mod_jk.conf"

    Where [tomcat install folder] is the location of your tomcat installation.

    Create a worker.properties file in [Tomcat root folder] /conf

    Paste the following information into this file:

    # Define 1 real worker named smworker
    worker.list=smworker

    # Set properties for worker named smworker to use ajp13 protocol,
    # and run on port 8009
    worker.ajp13.type=ajp13
    worker.ajp13.host=localhost
    worker.ajp13.port=8009
    worker.ajp13.lbfactor=50
    worker.ajp13.cachesize=10
    worker.ajp13.cache_timeout=600
    worker.ajp13.socket_keepalive=1
    worker.ajp13.socket_timeout=300

    In the server.xml file (located in [Tomcat root folder] /conf) ensure the have the following line uncommented.

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    Start apache with the new module using these commands:

    apache -k install
    apache -k start

    Finally start the tomcat server.

  4. Install the Siteminder Apache Webagent.

    Install the Siteminder Apache webagent using the installation wizard as you would normally.

  5. Protect the application.

    using the Siteminder administrative interface create a realm with the appropriate resource filter to protect the application mounted with the jkmount command earlier.

    Then create rules. policies and responses to protect the application as you would normally.

  6. Configure the Siteminder Apache Webagent.
    Use the webagent configuration wizard to configure the Apache2 agent as you would normally.

  7. Restart the Apache HTTP server.

  8. Test the install.

    The tomcat application is now protected using Apache webserver webagent.

    You should be prompted by Siteminder to provide credentials when accessing the application.