SSL between apache and JBoss

I assume you would like to have this setup up and running:

clients <-- SSL --> balancer <-- SSL --> AS7 workers

and that you are aware of severe performance drawback of its

balancer <-- SSL --> AS7 workers

part. The following setup works, yet one must be aware of the fact that connection between client and AS7 worker is not transparent and that the balancer acts more or less like a man-in-the-middle. If clients trust the balancer, balancer trusts the workers and workers trust the balancer, it's all good.

Here you go bro:

Apache HTTP Server with mod_cluster

MemManagerFile "/opt/httpd/cache/mod_cluster"
ServerName 10.16.94.122:2181

<IfModule manager_module>
  Listen 10.16.94.122:8847
  # As soon as it works, remove/change this...
  LogLevel debug
  <VirtualHost 10.16.94.122:8847>
    ServerName 10.16.94.122:8847
    <Directory />
      Order deny,allow
      Deny from all
      # Obviously, testing purposes...
      Allow from all
    </Directory>
    KeepAliveTimeout 60
    MaxKeepAliveRequests 0
    ServerAdvertise on
    AdvertiseFrequency 5
    ManagerBalancerName qacluster
    AdvertiseGroup 224.0.5.188:23364
    EnableMCPMReceive
    SSLEngine on
    SSLCipherSuite AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL
    SSLCertificateFile /opt/ssl/proper/server.crt
    SSLCertificateKeyFile /opt/ssl/proper/server.key
    SSLCACertificateFile /opt/ssl/proper/myca.crt
    #SSLVerifyClient require
    #SSLProxyVerify require
    SSLProxyEngine On
    SSLVerifyDepth 10
    <Location /mcm>
      SetHandler mod_cluster-manager
      Order deny,allow
      Deny from all
      # Obviously, testing purposes...
      Allow from all
    </Location>
  </VirtualHost>
</IfModule>

AS7 worker, standalone-ha.xml, could be applied to a proper in domain as well:

AS7 worker

+++
</extensions>
<system-properties>
<property name="javax.net.ssl.trustStore" value="/opt/ssl/proper/client-cert-key.jks"/>
<property name="javax.net.ssl.trustStorePassword" value="you-shall-never-know"/>
</system-properties>
<management>
+++
</management>
<profile>
+++
<subsystem xmlns="urn:jboss:domain:modcluster:1.1">
<mod-cluster-config advertise-socket="modcluster" connector="https">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
<ssl key-alias="javaclient" password="you-shall-never-know" certificate-key-file="/opt/ssl/proper/client-cert-key.jks"
     cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" ca-certificate-file="/opt/ssl/proper/ca-cert.jks"/>
</mod-cluster-config>
</subsystem>
+++
<subsystem xmlns="urn:jboss:domain:web:1.5" native="false">
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="true">
<ssl name="https" key-alias="javaclient" password="you-shall-never-know" certificate-key-file="/opt/ssl/proper/client-cert-key.jks"
     cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL" protocol="TLS" verify-client="false"
     certificate-file="/opt/ssl/proper/client-cert-key.jks" ca-certificate-file="/opt/ssl/proper/ca-cert.jks"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
+++
</profile>
<interfaces>
+++
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+++
<socket-binding name="https" port="8443"/>
+++
<socket-binding name="modcluster" port="0" multicast-address="224.0.5.188" multicast-port="23364"/>
+++

Let us know if it works for you. In future, you might actually target the JBoss mod_cluster forums directly :-)

Have you a sample configuration for standalone (not clustered) ?