If everything is on the same server, all you need to do is set up SSL in Apache - you make sure mod_ssl is installed and pretty much use the default config style to make it run. The Apache <=> JBoss communication will happen internally on the same server as usual and be unencrypted.
Given a standard Linux (CentOS, e.g.) box with the mod_ssl package installed:

    # SSL Basics
    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    NameVirtualHost *:443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost _default_:443>
        ...config stuff...
        ServerName intranet.mycompany.com

        # Requests are handed to JBoss unencrypted on the same server
        ProxyPreserveHost On
        ProxyPass / balancer://jbosscluster/
        ProxyPassReverse / http://127.0.0.1:8080

        # SSL is terminated here, in Apache
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        # Certificate and key are read from the same file
        SSLCertificateFile /path/to/server.pem
        SSLCertificateKeyFile /path/to/server.pem

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        ...more config stuff...
    </VirtualHost>

The file server.pem contains both the unencrypted server key and the server cert returned from the upstream authority.
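
    # Generate a passphrase-protected RSA key
    /usr/bin/openssl genrsa -des3 1024 > server.key.encrypted
    # Write a copy of the key with the passphrase removed
    /usr/bin/openssl rsa -in server.key.encrypted -out server.key
    # Create the certificate signing request to send to the CA
    /usr/bin/openssl req -new -key server.key -out server.csr
    # Once the CA returns server.crt, combine key and certificate
    cat server.key > server.pem
    cat server.crt >> server.pem
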
That's the basic idea -- server.crt is the file given back to you from Thawte, etc. after you gave them the server.csr file (and money).
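
An added example, not part of the original answer: a short Python check that applies mod_ssl's SSLProtocol token rules and a simplified model of OpenSSL cipher strings to the TLS lines of the config above, and lists what is weak by current standards, next to a tightened variant that passes. The function names, the TIGHTENED values and the treatment of `all` as every version listed in KNOWN are assumptions of this example.

```python
import re

LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")   # protocol versions deprecated today
KNOWN = LEGACY + ("TLSv1.2", "TLSv1.3")           # assumption: "all" means all of these
WEAK = ("ADH", "EXPORT", "LOW", "MEDIUM", "RC4")  # weak OpenSSL cipher classes

def directives(conf):
    """Map each one-line SSL* directive to its argument string (last one wins)."""
    return dict(re.findall(r"^[ \t]*(SSL\w+)[ \t]+(.+?)[ \t]*$", conf, re.M))

def legacy_protocols(spec):
    """mod_ssl rules: '+X' adds, '-X' removes, a bare name replaces the whole set."""
    on = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        group = set(KNOWN) if name.lower() == "all" else {name}
        if tok[0] in "+-":
            on = on - group if tok[0] == "-" else on | group
        else:
            on = group
    return [p for p in LEGACY if p in on]

def weak_ciphers(spec):
    """Simplified cipher-string model: a class is live if added and never '!'-killed."""
    tokens = [t for t in spec.split(":") if t]
    killed = {t[1:] for t in tokens if t[0] == "!"}
    # '+X' only reorders and '-X'/'!X' remove, so only bare tokens add ciphers
    added = {c for t in tokens if t[0] not in "!-+" for c in t.split("+")}
    return [w for w in WEAK if w not in killed and (w in added or "ALL" in added)]

def audit(conf):
    d = directives(conf)
    found = ["protocol " + p for p in legacy_protocols(d.get("SSLProtocol", ""))]
    found += ["cipher " + w for w in weak_ciphers(d.get("SSLCipherSuite", ""))]
    cert, key = d.get("SSLCertificateFile"), d.get("SSLCertificateKeyFile")
    if cert and cert == key:
        found.append("key stored in certificate file")
    return found

ORIGINAL = """SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /path/to/server.pem
SSLCertificateKeyFile /path/to/server.pem"""  # constructed: the answer's TLS lines
TIGHTENED = """SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key"""  # constructed: tightened variant

if __name__ == "__main__":
    print(audit(ORIGINAL), audit(TIGHTENED), sep="\n")
```

Because server.pem holds the unencrypted private key, the last finding is a reminder to keep that file readable by root only.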