Multiple Information Internet Services (IIS) Implementations
Ongoing     Case # 10015     Affiliated Job:  All Job History
Opened:  Unknown     Closed:  N/A
Total Hit Count:  36036     Last Hit:  Tuesday, May 28, 2024 10:41:16 PM
Unique Hit Count:  7087     Last Unique Hit:  Tuesday, May 28, 2024 6:37:19 PM
Case Type(s):  Server, Client Project, Development
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Across multiple clients, both internal and outsourced, I have worked with Information Internet Services (IIS) to some extent. From Windows NT v4.0 to present-day IIS 7.0, one of my many roles in nearly every company has been to manage and administer these services to host, manage performance, develop and review the logs for a number of clients.

I have integrated Tomcat for ISAPI proxy of JSP deployment, PHP integrated code, asp & code, ColdFusion integration, log reporting through Web Trends & Web Expert, development in all the above languages, and assisted the web development staff with their site container needs. While at ASCI we had a shared web server that hosted over 100 web sites, all on a single IP shared among them by separating them out via their host headers. I have also, by using a wildcard/SAN SSL certificate, set up multiple site containers sharing a single IP while each uses an SSL certificate. Administration of the underlying configurations dependent on each site is much easier now in IIS version 7.0, and while with New Trier I have configured and consolidated the IIS infrastructure as well as migrated to the IIS 7.0 platform.

Action(s) Performed:
Total Action(s): 3
Action #   Recorded Date           Type     Hit(s)   User   Details
10057      2/12/2010 12:04:14 PM   Server   3176            One issue I occasionally find is installing IIS on a DC, this occurs many t
10056      2/12/2010 11:13:56 AM   Server   3198            Setting Tomcat up on either Windows 2003 or 2008 under IIS is well document

Setting Tomcat up on either Windows 2003 or 2008 under IIS is well documented. Associating an SSL certificate is a bit more of a struggle. If you use the proxy to pass a path to the Tomcat service, then the SSL certificate associated with the IIS site container is sufficient; however, if you use Tomcat alone, below is a method I used to deploy a wildcard/SAN certificate created by a local CA to the Tomcat server.

-   Export the SSL certificate from Windows with its private key as a PFX file. This can be done through the MMC for Certificates: select the local computer, open the Personal container, select the certificate and export it (this assumes you have created a certificate that allows the private key to be exported).
-   Export out the CA's root certificate as root.cer
-   Go to:
   o   Convert PKCS#12 (PFX file) to PEM (certificate.crt)
-   Use openssl, JAVA "ImportKey" .java & .class to perform the following on the PEM file
   o   openssl pkcs8 -topk8 -nocrypt -in certificate.crt -inform PEM -out key.der -outform DER
   o   openssl x509 -in certificate.crt -inform PEM -out cert.der -outform DER
   o   java ImportKey key.der cert.der
   o   rename the resulting importkey.keystore to ssl.keystore (this will likely be found in your windows profile folder)
-   Use the JAVA keytool to finish up the rest
   o   keytool -import -alias root -keystore ssl.keystore -trustcacerts -file root.cer
   o   keytool -keyclone -keystore ssl.keystore -alias importkey -dest tomcat
   o   keytool -delete -alias importkey -keystore ssl.keystore
   o   keytool -storepasswd -new password -keystore ssl.keystore
   o   keytool -list -keystore ssl.keystore

Update the server.xml in Tomcat to reflect:

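<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!-- keystoreFile and keystorePass are not in the original listing. They are added
     on the assumption that the connector should use the ssl.keystore and store
     password from the keytool steps above; the path is a placeholder. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\path\to\ssl.keystore" keystorePass="password"
           keyAlias="tomcat" />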

The importkey.class and openssl are all available via the web; simply run a search through Google.

I found the ImportKey's [Here]
And found OpenSSL [Here].

If you have Tomcat, you should also have the keytool and Java runtime installed; as long as the bin folder is in your path, they should execute.
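
The openssl conversion steps above, collected into a POSIX shell script as an added example (not code from the original page). It assumes the PFX-to-PEM step is done locally with openssl pkcs12, uses a constructed throwaway PFX as input, and adds a check that key.der and cert.der carry the same public key before ImportKey is run; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# sample.pfx and its password are constructed test material.
umask 077   # certificate.crt and key.der hold the private key unencrypted

# Constructed input: a throwaway self-signed certificate exported as a PFX.
make_sample_pfx() {  # $1 = work dir, $2 = PFX password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
    -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
    -out "$1/sample.pfx" -passout "pass:$2"
}

# PFX -> certificate.crt (PEM) -> key.der + cert.der, as in the steps above.
pfx_to_der() {  # $1 = PFX file, $2 = PFX password, $3 = output dir
  openssl pkcs12 -in "$1" -nodes -passin "pass:$2" \
    -out "$3/certificate.crt" 2>/dev/null &&
  openssl pkcs8 -topk8 -nocrypt -in "$3/certificate.crt" -inform PEM \
    -out "$3/key.der" -outform DER &&
  openssl x509 -in "$3/certificate.crt" -inform PEM \
    -out "$3/cert.der" -outform DER
}

# Succeeds only if the key and the certificate carry the same public key.
key_matches_cert() {  # $1 = key.der, $2 = cert.der
  kpub=$(openssl pkey -inform DER -in "$1" -pubout 2>/dev/null) || return 2
  cpub=$(openssl x509 -inform DER -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Remove the plaintext intermediates once the keystore has been built.
remove_plaintext_key() {  # $1 = output dir
  rm -f "$1/certificate.crt" "$1/key.der"
}

# Run with the argument "demo" to exercise the steps on the constructed PFX.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_sample_pfx "$d" constructed &&
  pfx_to_der "$d/sample.pfx" constructed "$d" &&
  key_matches_cert "$d/key.der" "$d/cert.der" && echo "key.der matches cert.der"
  remove_plaintext_key "$d"; rm -rf "$d"
fi
```

When the PFX also carries chain certificates, openssl x509 converts only the first certificate it finds in certificate.crt, so a failed match usually means cert.der is a CA certificate rather than the server certificate.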
10055      2/12/2010 10:30:02 AM   Server   3288            An example Multi-SSL Single IP configuration under IIS 6.0 can easily be ac
