Re: Is cancelled SSL connection bug fixed in Tomcat 4.1.31?
Mike,

I have had a look at the bug report and the message from Tomcat user and have found the cvs commit that fixes the problem.

http://marc.theaimsgroup.com/?l=tomcat-dev&m=104142933517556&w=2

This fix is included in 4.1.19 onwards and all 5.0.x and 5.5.x releases.

HTH,

Mark

Mike Meehan wrote:
> Hi,
>
> Does anyone out there know if the Cancelled SSL connection cause Tomcat to stumble bug is fixed for Tomcat 4.1.31? The bug can be found here:
> http://issues.apache.org/bugzilla/show_bug.cgi?id=17323
>
> I can reproduce this issue with 4.1.18 but have yet to be able to reproduce it with 4.1.31. I don't want to assume that it's fixed simply because I haven't been able to reproduce it. I'm comparing the two versions of Tomcat using the same: physical server, web app, connector settings, keystore.
>
> I also saw a mailing list thread (http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg79212.html) that suggests the problem is in PoolTcpEndPoint.java. I looked at this source and compared between the two versions. The TcpWorkerThread.runIt() method was significantly reworked since 4.1.18 so I can't tell for sure if the problem has been eliminated. (if this is in fact where the problem existed)
>
> If it has not been fixed in 4.1.31, can anyone confirm if this is fixed in 5.0?
>
> Thanks,
> Mike
Is cancelled SSL connection bug fixed in Tomcat 4.1.31?
Hi,

Does anyone out there know if the Cancelled SSL connection cause Tomcat to stumble bug is fixed for Tomcat 4.1.31? The bug can be found here:
http://issues.apache.org/bugzilla/show_bug.cgi?id=17323

I can reproduce this issue with 4.1.18 but have yet to be able to reproduce it with 4.1.31. I don't want to assume that it's fixed simply because I haven't been able to reproduce it. I'm comparing the two versions of Tomcat using the same: physical server, web app, connector settings, keystore.

I also saw a mailing list thread (http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg79212.html) that suggests the problem is in PoolTcpEndPoint.java. I looked at this source and compared between the two versions. The TcpWorkerThread.runIt() method was significantly reworked since 4.1.18 so I can't tell for sure if the problem has been eliminated. (if this is in fact where the problem existed)

If it has not been fixed in 4.1.31, can anyone confirm if this is fixed in 5.0?

Thanks,
Mike
Re: Fw: Internet Explorer Bug under SSL Connection
Thank you very much for the information. However, I also had to change Cache-Control value (no-cache = cache) too.

Anyway thank you for your answer

On Mon, 18 Oct 2004 15:03:10 +0100, Jon Wingfield [EMAIL PROTECTED] wrote:
> Tomcat adds (or at least did in the 4.1 branch) certain response headers, directives to clients and proxy caches to not cache the data, when it is to serve something within a security-constraint. (log examples at end of post)
>
> [It seems that] When IE downloads something with a mime-type it thinks it can handle (probably via a plug-in) it caches the data and then passes it over to the plug-in. With SSL and the Pragma header set to no-cache this seems to fail with the error message described in the original post.
>
> Our entire site is SSL also and we've seen this error (and our hack resolves it) for csv, excel, pdf files. Downloading with the content-type set to application/octet-stream doesn't trigger the error in our experience (we also provide this option on the download pages but users generally want to see the data directly).
>
> Jon
>
> Examples from my 4.1.29 logs when the RequestDumperValve is commented in:
>
> Response for index.jsp (inside security-constraint):
>
>     authType=null
>     contentLength=-1
>     contentType=null
>     cookie=JSESSIONID=EB28F372EF5D5FC5C2908C57766010BA; domain=null; path=/
>     header=Pragma=No-cache
>     header=Cache-Control=no-cache
>     header=Expires=Thu, 01 Jan 1970 00:00:00 GMT
>     header=Set-Cookie=JSESSIONID=EB28F372EF5D5FC5C2908C57766010BA; Path=/
>     header=Location=http://localhost:8080/login.jsp;jsessionid=EB28F372EF5D5FC5C2908C57766010BA
>     message=null
>     remoteUser=null
>     status=302
>
> Response for bgdot.gif (outside security-constraint):
>
>     authType=null
>     contentLength=77
>     contentType=image/gif;charset=ISO-8859-1
>     header=Server=IMP/4.0.20
>     header=ETag=W/77-109810668
>     header=Last-Modified=Mon, 18 Oct 2004 13:38:00 GMT
>     message=null
>     remoteUser=null
>     status=200
>
> David Wall wrote:
> > Our web site is entirely SSL. Most users have IE. Our application is used to securely transfer and digitally sign attached files that must be downloaded. Yet, we've never seen this problem.
> >
> > Who is putting in the Pragma header in the response in the first place that you have to change it this way? And why does the Pragma setting have the negative effect described?
> >
> > Thanks,
> > David
> >
> > ----- Original Message -----
> > From: Jon Wingfield [EMAIL PROTECTED]
> > To: Tomcat Users List [EMAIL PROTECTED]
> > Sent: Friday, October 15, 2004 9:57 AM
> > Subject: Re: Internet Explorer Bug under SSL Connection
> >
> > Yep. This comes up every so often on the list. Whenever IE downloads content we change the Pragma response header to be public instead of no-cache:
> >
> >     String userAgent = request.getHeader("user-agent");
> >     if (response.containsHeader("Pragma")
> >             && userAgent != null
> >             && userAgent.toUpperCase().indexOf("MSIE") > -1) {
> >         response.setHeader("Pragma", "public");
> >     }
> >
> > HTH,
> >
> > Jon
Re: Fw: Internet Explorer Bug under SSL Connection
Tomcat adds (or at least did in the 4.1 branch) certain response headers, directives to clients and proxy caches to not cache the data, when it is to serve something within a security-constraint. (log examples at end of post)

[It seems that] When IE downloads something with a mime-type it thinks it can handle (probably via a plug-in) it caches the data and then passes it over to the plug-in. With SSL and the Pragma header set to no-cache this seems to fail with the error message described in the original post.

Our entire site is SSL also and we've seen this error (and our hack resolves it) for csv, excel, pdf files. Downloading with the content-type set to application/octet-stream doesn't trigger the error in our experience (we also provide this option on the download pages but users generally want to see the data directly).

Jon

Examples from my 4.1.29 logs when the RequestDumperValve is commented in:

Response for index.jsp (inside security-constraint):

    authType=null
    contentLength=-1
    contentType=null
    cookie=JSESSIONID=EB28F372EF5D5FC5C2908C57766010BA; domain=null; path=/
    header=Pragma=No-cache
    header=Cache-Control=no-cache
    header=Expires=Thu, 01 Jan 1970 00:00:00 GMT
    header=Set-Cookie=JSESSIONID=EB28F372EF5D5FC5C2908C57766010BA; Path=/
    header=Location=http://localhost:8080/login.jsp;jsessionid=EB28F372EF5D5FC5C2908C57766010BA
    message=null
    remoteUser=null
    status=302

Response for bgdot.gif (outside security-constraint):

    authType=null
    contentLength=77
    contentType=image/gif;charset=ISO-8859-1
    header=Server=IMP/4.0.20
    header=ETag=W/77-109810668
    header=Last-Modified=Mon, 18 Oct 2004 13:38:00 GMT
    message=null
    remoteUser=null
    status=200

David Wall wrote:
> Our web site is entirely SSL. Most users have IE. Our application is used to securely transfer and digitally sign attached files that must be downloaded. Yet, we've never seen this problem.
>
> Who is putting in the Pragma header in the response in the first place that you have to change it this way? And why does the Pragma setting have the negative effect described?
>
> Thanks,
> David
>
> ----- Original Message -----
> From: Jon Wingfield [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 9:57 AM
> Subject: Re: Internet Explorer Bug under SSL Connection
>
> Yep. This comes up every so often on the list. Whenever IE downloads content we change the Pragma response header to be public instead of no-cache:
>
>     String userAgent = request.getHeader("user-agent");
>     if (response.containsHeader("Pragma")
>             && userAgent != null
>             && userAgent.toUpperCase().indexOf("MSIE") > -1) {
>         response.setHeader("Pragma", "public");
>     }
>
> HTH,
>
> Jon
Internet Explorer Bug under SSL Connection
Hi,

I am using a servlet that opens an excel file from an output stream which is working very well. However, I want to use it under SSL connection which looks to be quite easy. I made the change in tomcat and it is working very well.

However when I try to open my excel file using Internet Explorer under SSL connection, I am having a strange error:

    impossible to open: https://myURL

I am using exactly the same URL with non SSL connection and it is working fine. But the funniest thing is that it is really well working using FireFox or Opera explorer. It makes me crazy.

So if somebody has already encountered this problem or knows what to do. PLEASE HELP ME

Thank you very much

regards

Edouard
Re: Internet Explorer Bug under SSL Connection
Yep. This comes up every so often on the list. Whenever IE downloads content we change the Pragma response header to be public instead of no-cache:

    String userAgent = request.getHeader("user-agent");
    if (response.containsHeader("Pragma")
            && userAgent != null
            && userAgent.toUpperCase().indexOf("MSIE") > -1) {
        response.setHeader("Pragma", "public");
    }

HTH,

Jon

Edouard Dalla-Costa wrote:
> Hi,
>
> I am using a servlet that opens an excel file from an output stream which is working very well. However, I want to use it under SSL connection which looks to be quite easy. I made the change in tomcat and it is working very well.
>
> However when I try to open my excel file using Internet Explorer under SSL connection, I am having a strange error:
>
>     impossible to open: https://myURL
>
> I am using exactly the same URL with non SSL connection and it is working fine. But the funniest thing is that it is really well working using FireFox or Opera explorer. It makes me crazy.
>
> So if somebody has already encountered this problem or knows what to do. PLEASE HELP ME
>
> Thank you very much
>
> regards
>
> Edouard
Fw: Internet Explorer Bug under SSL Connection
Our web site is entirely SSL. Most users have IE. Our application is used to securely transfer and digitally sign attached files that must be downloaded. Yet, we've never seen this problem.

Who is putting in the Pragma header in the response in the first place that you have to change it this way? And why does the Pragma setting have the negative effect described?

Thanks,
David

----- Original Message -----
From: Jon Wingfield [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 9:57 AM
Subject: Re: Internet Explorer Bug under SSL Connection

Yep. This comes up every so often on the list. Whenever IE downloads content we change the Pragma response header to be public instead of no-cache:

    String userAgent = request.getHeader("user-agent");
    if (response.containsHeader("Pragma")
            && userAgent != null
            && userAgent.toUpperCase().indexOf("MSIE") > -1) {
        response.setHeader("Pragma", "public");
    }

HTH,

Jon

Edouard Dalla-Costa wrote:
> Hi,
>
> I am using a servlet that opens an excel file from an output stream which is working very well. However, I want to use it under SSL connection which looks to be quite easy. I made the change in tomcat and it is working very well.
>
> However when I try to open my excel file using Internet Explorer under SSL connection, I am having a strange error:
>
>     impossible to open: https://myURL
>
> I am using exactly the same URL with non SSL connection and it is working fine. But the funniest thing is that it is really well working using FireFox or Opera explorer. It makes me crazy.
>
> So if somebody has already encountered this problem or knows what to do. PLEASE HELP ME
>
> Thank you very much
>
> regards
>
> Edouard
SSL connection
Hi,

I have a question of configuration. I am trying to use SSL connection with tomcat 5.0.28. But it does not work, I am having a FileNotFound exception when I am adding the className SSLServerSocketFactory to the server.xml file.

If I don't add the className variable, the Secure connection looks to be working using internet explorer but not with Firefox or Opera navigator.

Thank you very much
Stop Tomcat over non-SSL connection with Apache2/JK2
I'm setting up a simple Apache 2/Tomcat4 configuration with Mod_JK2 and SSL.

Without using SSL, I got going pretty quickly with Apache 2/Tomcat 4/JK2. i.e. I could go to http://hostname/gwise/blah (where gwise was a tomcat webapp) and that worked fine.

I then introduced SSL, and I could then go to https://hostname/gwise/blah fine as well.

The problem, is that I do *NOT* want the webapp available over the non-SSL connection. In the VirtualHost section in Apache 2 where I defined the SSL VirtualHost, I put a JkUriSet command, but the tomcat apps were still available over port 80 (non-SSL) - even though there was no other mention of tomcat elsewhere in the Apache config - or anything in workers2.properties.

What do I need to do to only have tomcat apps available over SSL ?

I'm using Apache v2.0.49, mod_ssl v2.0.49, mod_jk2 v2.04 and tomcat v4.1.29

Thanks,

GTG

Gordon Ross,
Network Manager/Rheolwr Rhydwaith
Countryside Council for Wales/Cyngor Cefn Gwlad Cymru
Re: Stop Tomcat over non-SSL connection with Apache2/JK2
Gordon Ross wrote:
> The problem, is that I do *NOT* want the webapp available over the non-SSL connection. In the VirtualHost section in Apache 2 where I defined the SSL VirtualHost, I put a JkUriSet command, but the tomcat apps were still available over port 80 (non-SSL) - even though there was no other mention of tomcat elsewhere in the Apache config - or anything in workers2.properties.

I had the same problem. Guess the virtual host support is not as good in connection with JkUriSet as we thought. I also tried to put some Mappings in http vhost only, some only https vhost. But JkUriSet seemed to ignore that.

> What do I need to do to only have tomcat apps available over SSL ?

The solution is that you explicitly deny the UriMappings in your http vhost as Apache will block them before mod_jk comes in. e.g. something like

    <Location ...>
        Order Deny,Allow
        Deny from All
    </Location>

but check the Apache documentation for details.
Keystore SSL Connection Tomcat 4
Hi:

I am running tomcat 4.0.6 with SSL and though my certificate is valid when I log on to the site the window which pops up says:

    The Security Certificate has expired or is not yet valid...

any suggestions on why it might be doing it..(the certificate has not expired for sure- the date is valid for 360 days)...

Thanks

Ravi
Tomcat hangs under SSL connection, Clarification of Problem I have been experiencing, really need help
Hi there

I am having a real problem with Tomcat.

These are my specs

Tomcat 4.1.18LE for JDK 1.4 (Also have a problem with 4.1.18 standard)
Struts 1.1-b2
and naturally JDK 1.4.1

My application seems to work, without a hitch, until I implement the SSLext for Struts 1.1-b2

Then things go bad. You can be using the webapp for any length of time, and then, all of a sudden it will hang. The problem it hits is in the commons.logging area

    org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: Class org.apache.commons.logging.impl.Jdk14Logger does not implement
    Caused by: org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: Class org.apache.commons.logging.impl.Jdk14Logger does not implement Log
    Caused by: org.apache.commons.logging.LogConfigurationException: Class org.apache.commons.logging.impl.Jdk14Logger does not implement Log

I have tried commenting out the Logger tags in server.xml, so that all the logging goes directly to the console. Thinking this may be a Log4j problem, I switched to JDK 1.4 logging.

None of this has helped, the only thing that stops the container from hanging, is if I remove all SSL connection from the app.

I have posted with a few messages, but now have worked out under what circumstances it happens.

Can anyone help me

This is really frustrating

Thanks in advance

Steve Vanspall
Re: SSL Connection Tomcat and Apache
While there seems to be a demand for SSL from Apache-Tomcat, the fact is that it is not currently implemented. Both the Warp and Ajp13 protocols send the messages un-encrypted and easily enough decipherable to a sniffer. They are designed around the assumption that your Tomcat Server is in the same DMZ as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to either Warp or Ajp13 ;-).

Turner, John [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> With the increase in web services, and different companies working as partners, it's very conceivable (in my mind) that there would be a situation where the initial web request was handled by apache owned by Company A, and for one reason or another, needed to connect to tomcat owned by Company B across the public internet to fulfill the request.
>
> Rather than incorporate some sort of separate VPN scenario with software or hardware (or both) it would be nice to be able to create an encrypted tunnel from one server to the other (apache-tomcat) on the fly.
>
> I'm definitely interested in hearing from people who have this working, and how they did it. I intend to try setting it up myself as soon as I have the time.
>
> John Turner
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 12:50 PM
> Subject: RE: SSL Connection Tomcat and Apache
>
> Why do you care ?
>
> In most cases this traffic is not seen by anybody but yourself.
>
> It's a completely different topic if you allow third parties access to systems inside your network and you want to make sure that they don't listen to traffic, that isn't owned by them (e.g. if you are an ISP).
>
> -----Original Message-----
> From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 August 2002 22:21
> To: '[EMAIL PROTECTED]'
> Subject: SSL Connection Tomcat and Apache
>
> I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?
>
> Mike Wills
> IT Corporate Support
> Taylor Corporation
> [EMAIL PROTECTED]
> Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
Since apparently this capability is not available, yet, nor a high priority, might I suggest ssh tunneling. We use it here to tunnel MySQL replication through a set of firewalls:

    ssh -2 -N -T -q -L localport:remote-host:remote-port remote-host

Using PKE means that I can run that tunnel as a particular pseudo-user with its own set of keys. I use a daemon to make sure that if the tunnel dies, it comes back. As I said, this technique supports the real-time replication that we've been running for more than two years.

I see no reason why I couldn't run an SSH tunnel over which to transparently run Connector protocols, which makes more sense to me than bolting SSL onto them. SSH tunnels not only protect the data, they authenticate the user. If I were Company B, I would not want just anyone connecting to my Tomcat via a Connector!

--- Noel

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Bill Barker
Sent: Saturday, December 14, 2002 2:19
To: [EMAIL PROTECTED]
Subject: Re: SSL Connection Tomcat and Apache

While there seems to be a demand for SSL from Apache-Tomcat, the fact is that it is not currently implemented. Both the Warp and Ajp13 protocols send the messages un-encrypted and easily enough decipherable to a sniffer. They are designed around the assumption that your Tomcat Server is in the same DMZ as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to either Warp or Ajp13 ;-).

Turner, John [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> With the increase in web services, and different companies working as partners, it's very conceivable (in my mind) that there would be a situation where the initial web request was handled by apache owned by Company A, and for one reason or another, needed to connect to tomcat owned by Company B across the public internet to fulfill the request.
>
> Rather than incorporate some sort of separate VPN scenario with software or hardware (or both) it would be nice to be able to create an encrypted tunnel from one server to the other (apache-tomcat) on the fly.
>
> I'm definitely interested in hearing from people who have this working, and how they did it. I intend to try setting it up myself as soon as I have the time.
>
> John Turner
> [EMAIL PROTECTED]
RE: SSL Connection Tomcat and Apache
i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
        # General setup for the virtual host
        DocumentRoot C:/Apache/htdocs
        ServerName server_name
        ServerAdmin webmaster@localhost
        ErrorLog logs/ssl/error.log
        TransferLog logs/ssl/access.log
        SSLCertificateFile certificate_location/certificate_name
        SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
Thanks for your post with the configuration in it...SSL between apache and tomcat is something I have been wanting to research for awhile now, and your info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working between apache and tomcat on different machines. How do you know the datastream is truly encrypted? I'm not questioning your setup, I'm asking how I will know the same thing for sure once I set it up myself.

Having SSL setup on both machines is no guarantee that the datastream is encrypted.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
        # General setup for the virtual host
        DocumentRoot C:/Apache/htdocs
        ServerName server_name
        ServerAdmin webmaster@localhost
        ErrorLog logs/ssl/error.log
        TransferLog logs/ssl/access.log
        SSLCertificateFile certificate_location/certificate_name
        SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
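One way to check what the message above asks (whether the Apache-to-Tomcat datastream is really encrypted) is to look at the first bytes captured on the connector port; this is an added example, not code from anyone in the thread. It classifies a payload as AJP13 cleartext, an SSH banner or a TLS record, and decodes an AJP13 Forward Request to show what a sniffer on that hop can read. The function names and the sample packet are constructed for illustration, and only a subset of the AJP13 header codes is listed.

```python
import struct

AJP_TO_CONTAINER = b"\x12\x34"  # magic on packets sent web server -> Tomcat
AJP_TO_SERVER = b"AB"           # magic on packets sent Tomcat -> web server
FORWARD_REQUEST = 0x02
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST"}
# AJP13 abbreviates common request header names to 0xA0xx codes (subset).
HEADER_CODES = {0xA006: "connection", 0xA009: "cookie",
                0xA00B: "host", 0xA00E: "user-agent"}


def classify(payload: bytes) -> str:
    """Label the first bytes captured on the web server <-> Tomcat hop."""
    if payload[:2] in (AJP_TO_CONTAINER, AJP_TO_SERVER):
        return "ajp13-cleartext"
    if payload.startswith(b"SSH-"):          # SSH identification string
        return "ssh-banner"
    # SSL 3.0 / TLS record header: content type 20..23, major version 3
    if len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "tls-record"
    return "unknown"


class Reader:
    """Bounds-checked big-endian reader for an AJP13 packet body."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP13 packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def string(self, length=None):
        n = self.u16() if length is None else length
        if n == 0xFFFF:                      # AJP13 encoding of a null string
            return None
        text = self.take(n).decode("latin-1")
        self.take(1)                         # trailing NUL terminator
        return text


def parse_forward_request(packet: bytes) -> dict:
    """Decode the fields a sniffer on the hop can read from one request."""
    if packet[:2] != AJP_TO_CONTAINER or len(packet) < 4:
        raise ValueError("not an AJP13 web-server-to-container packet")
    (length,) = struct.unpack(">H", packet[2:4])
    if len(packet) < 4 + length:
        raise ValueError("truncated AJP13 packet")
    body = Reader(packet[4:4 + length])
    if body.u8() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": METHODS.get(body.u8(), "other")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = body.string()
    req["server_port"] = body.u16()
    req["is_ssl"] = body.u8() != 0           # front end was HTTPS; says nothing about this hop
    headers = {}
    for _ in range(body.u16()):
        first = body.u16()
        if first & 0xFF00 == 0xA000:         # coded header name
            name = HEADER_CODES.get(first, hex(first))
        else:                                # 'first' was the name's length
            name = body.string(first)
        headers[name] = body.string()
    req["headers"] = headers                 # request attributes after this are ignored
    return req


def _s(text: str) -> bytes:
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample_request() -> bytes:
    """Constructed sample: GET /gwise/blah that arrived at Apache over HTTPS."""
    body = bytes([FORWARD_REQUEST, 2]) + _s("HTTP/1.1") + _s("/gwise/blah")
    body += _s("192.0.2.10") + _s("client.example") + _s("hostname")
    body += struct.pack(">H", 443) + b"\x01"
    body += struct.pack(">H", 3)
    body += struct.pack(">H", 0xA00B) + _s("hostname")
    body += struct.pack(">H", 0xA009) + _s("JSESSIONID=CONSTRUCTED0000")
    body += _s("x-constructed") + _s("1")
    body += b"\xff"                          # request terminator
    return AJP_TO_CONTAINER + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    sample = build_sample_request()
    print(classify(sample), parse_forward_request(sample))
```

A capture that classifies as `ajp13-cleartext` exposes the URI and session cookie even when `is_ssl` is true, because that flag only records how the browser reached Apache.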
RE: SSL Connection Tomcat and Apache
How is this set up then?

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 10:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
        # General setup for the virtual host
        DocumentRoot C:/Apache/htdocs
        ServerName server_name
        ServerAdmin webmaster@localhost
        ErrorLog logs/ssl/error.log
        TransferLog logs/ssl/access.log
        SSLCertificateFile certificate_location/certificate_name
        SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
Re: SSL Connection Tomcat and Apache
> -----Original Message-----
> From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 12, 2002 4:38 PM
> To: 'Tomcat Users List'
> Subject: RE: SSL Connection Tomcat and Apache
>
> What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine?

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
> i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

i'm not sure this answers the question. i am also interested in this. let me draw a picture:

    client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the web server gets encrypted stuff and then passes it to tomcat in the clear, someone could get the unencrypted info from the second conversation.

--
Peter Abplanalp
Email: [EMAIL PROTECTED]
PGP: pgp.mit.edu
RE: SSL Connection Tomcat and Apache
On Tue, 13 Aug 2002, Pooleery, Manoj wrote:
i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

Are you sure you are understanding the question? That is, it doesn't have to do with Apache handling SSL on the front end (or even Tomcat, if/when it's running standalone), but rather the communication between Apache and Tomcat using SSL in the middle. So we're not talking about secure HTTP (HTTPS) communication, but rather secure whatever protocol is being used to communicate between Apache and Tomcat (e.g. AJP, WARP).

Frankly, I have seen this question come up before -- it is a very reasonable one, what is the point of having security on the front end, if there is no security in the middle or the back end, after all -- but I don't think I've ever seen an answer saying it can be done.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187

Milt Epstein
Research Programmer
Systems and Technology Services (STS)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]
AW: SSL Connection Tomcat and Apache
Why do you care? In most cases this traffic is not seen by anybody but yourself. It's a completely different topic if you allow third parties access to systems inside your network and you want to make sure that they don't listen to traffic that isn't owned by them (e.g. if you are an ISP).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, 12 August 2002 22:21
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
This is exactly what I am wondering about.

-----Original Message-----
From: Peter T. Abplanalp

-----Original Message-----
From: Wills, Mike N. (TC)

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine?

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

i'm not sure this answers the question. i am also interested in this. let me draw a picture:

client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the webserver gets encrypted stuff and then passes it to tomcat in the clear, someone could get the unencrypted info from the second conversation.
RE: SSL Connection Tomcat and Apache
I think the setup within apache's httpd.conf will enable encryption between the client browsers and the webserver only, but not between apache and tomcat. You might use ssh to do that, since you can build an encrypted tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine was on ip 192.168.0.2. Further suppose your ajp connector is configured to use port 8009. You could start a port forwarding tunnel on your apache machine with

    ssl -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via the encrypted connection established by ssh. Of course this requires ssh to be installed on both machines, i.e. the server component on the tomcat-machine and the client component on the apache-machine. (You could do it the other way around using the -R switch). Note that the connection will only be forwarded if it is coming from the local machine (i.e. the apache-machine in this example), unless you also state -g to enable other machines to connect. (You might wish to read up on this in a suitable ssh documentation).

You would then have to modify back your workers.properties file to look something like this (on the apache machine):

    # Definition for Ajp13 worker
    #
    worker.ajp13.port=8009
    worker.ajp13.host=localhost
    worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the tomcat-machine).

I have not tested this procedure, and have not given it much thought if this will cause additional security problems. I have also not explored in which way the ssh connection has to be set up to be available to apache (I would presume you would have to do it using

    nohup ssl -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

just before starting apache, but that could cause problems with the password you would have to enter, and may force you to use client authentication with public/private keys instead).
The best solution of course would be to place your tomcat worker-machines physically behind your apache webserver, using a second network interface card on the apache machine and a switch/hub to connect it to potentially quite a lot of tomcat-machines, which would not be reachable by any other machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a configuration using ssh.

greetings
Andreas Mohrig

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

Thanks for your post with the configuration in it...SSL between apache and tomcat is something I have been wanting to research for awhile now, and your info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working between apache and tomcat on different machines. How do you know the datastream is truly encrypted? I'm not questioning your setup, I'm asking how I will know the same thing for sure once I set it up myself. Having SSL setup on both machines is no guarantee that the datastream is encrypted.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.
-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR
RE: SSL Connection Tomcat and Apache
Please correct my typo: It has to be ssh instead of ssl (of course) in the command used to start the secure shell!!! And one more thought: I have no idea how this might affect performance.

-----

I think the setup within apache's httpd.conf will enable encryption between the client browsers and the webserver only, but not between apache and tomcat. You might use ssh to do that, since you can build an encrypted tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine was on ip 192.168.0.2. Further suppose your ajp connector is configured to use port 8009. You could start a port forwarding tunnel on your apache machine with

    ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via the encrypted connection established by ssh. Of course this requires ssh to be installed on both machines, i.e. the server component on the tomcat-machine and the client component on the apache-machine. (You could do it the other way around using the -R switch). Note that the connection will only be forwarded if it is coming from the local machine (i.e. the apache-machine in this example), unless you also state -g to enable other machines to connect. (You might wish to read up on this in a suitable ssh documentation).

You would then have to modify back your workers.properties file to look something like this (on the apache machine):

    # Definition for Ajp13 worker
    #
    worker.ajp13.port=8009
    worker.ajp13.host=localhost
    worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the tomcat-machine).

I have not tested this procedure, and have not given it much thought if this will cause additional security problems.
I have also not explored in which way the ssh connection has to be set up to be available to apache (I would presume you would have to do it using

    nohup ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

just before starting apache, but that could cause problems with the password you would have to enter, and may force you to use client authentication with public/private keys instead).

The best solution of course would be to place your tomcat worker-machines physically behind your apache webserver, using a second network interface card on the apache machine and a switch/hub to connect it to potentially quite a lot of tomcat-machines, which would not be reachable by any other machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a configuration using ssh.

greetings
Andreas Mohrig

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

Thanks for your post with the configuration in it...SSL between apache and tomcat is something I have been wanting to research for awhile now, and your info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working between apache and tomcat on different machines. How do you know the datastream is truly encrypted? I'm not questioning your setup, I'm asking how I will know the same thing for sure once I set it up myself. Having SSL setup on both machines is no guarantee that the datastream is encrypted.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

i have it working on different machines. Tomcat on one machine and apache on another.
SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
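The tunnel procedure in the message above only protects the link if two things hold on the Apache machine: the ajp13 worker still points at localhost, and the forwarded port is not opened to other machines with -g. The following Python check for both is an added example, not code from the thread; it assumes `ss -ltn` output from the Apache machine, and the listings and finding codes are constructed for illustration.

```python
import ipaddress

# Constructed inputs. WORKERS_TUNNELLED is the properties text from the message.
WORKERS_TUNNELLED = """\
# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
"""
WORKERS_DIRECT = WORKERS_TUNNELLED.replace("localhost", "192.168.0.2")

# Constructed `ss -ltn` style listings from the Apache machine.
SS_LOOPBACK = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8009     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
"""
SS_GATEWAY = SS_LOOPBACK.replace("127.0.0.1:8009", "0.0.0.0:8009")   # ssh -g
SS_NO_TUNNEL = SS_LOOPBACK.replace("127.0.0.1:8009", "127.0.0.1:25")


def parse_workers(text):
    """Return {worker: {key: value}} from worker.<name>.<key>=<value> lines."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1; False for wildcards and others."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:          # "*" or a hostname we cannot judge
        return False


def listeners(ss_output, port):
    """Local addresses with a TCP listener on `port`."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, listen_port = cols[3].rpartition(":")
        if listen_port == str(port):
            found.append(addr)
    return found


def audit(workers_text, ss_output):
    """Return a list of (worker, code, detail) findings; empty means consistent."""
    findings = []
    for name, props in parse_workers(workers_text).items():
        if props.get("type") != "ajp13":
            continue
        host = props.get("host", "localhost")
        port = int(props.get("port", 8009))
        if not is_loopback(host):
            # mod_jk connects straight to the Tomcat host: AJP crosses the
            # network in the clear and the ssh tunnel is never used.
            findings.append((name, "direct-host", host))
            continue
        addrs = listeners(ss_output, port)
        if not addrs:
            findings.append((name, "no-listener", str(port)))
        for addr in addrs:
            if not is_loopback(addr):
                # Forwarded port reachable from other machines (the -g case).
                findings.append((name, "exposed-listener", addr))
    return findings


if __name__ == "__main__":
    for label, w, s in [("tunnelled", WORKERS_TUNNELLED, SS_LOOPBACK),
                        ("direct", WORKERS_DIRECT, SS_LOOPBACK),
                        ("gateway", WORKERS_TUNNELLED, SS_GATEWAY),
                        ("tunnel down", WORKERS_TUNNELLED, SS_NO_TUNNEL)]:
        print(label, audit(w, s))
```

A loopback listener on 8009 could also be a local Tomcat rather than the ssh forward, so an empty result shows the configuration is consistent with the tunnel, not that the tunnel is the process listening.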
RE: SSL Connection Tomcat and Apache
With the increase in web services, and different companies working as partners, it's very conceivable (in my mind) that there would be a situation where the initial web request was handled by apache owned by Company A, and for one reason or another, needed to connect to tomcat owned by Company B across the public internet to fulfill the request. Rather than incorporate some sort of separate VPN scenario with software or hardware (or both) it would be nice to be able to create an encrypted tunnel from one server to the other (apache-tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and how they did it. I intend to try setting it up myself as soon as I have the time.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 12:50 PM
To: Tomcat Users List
Subject: AW: SSL Connection Tomcat and Apache

Why do you care? In most cases this traffic is not seen by anybody but yourself. It's a completely different topic if you allow third parties access to systems inside your network and you want to make sure that they don't listen to traffic that isn't owned by them (e.g. if you are an ISP).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, 12 August 2002 22:21
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
...and one more thought. My concern is that, for me, this is on an IBM iSeries (AS400) not Linux/Unix/Win so that solution may not work for me.

-----Original Message-----
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 12:04 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

Please correct my typo: It has to be ssh instead of ssl (of course) in the command used to start the secure shell!!! And one more thought: I have no idea how this might affect performance.

-----

I think the setup within apache's httpd.conf will enable encryption between the client browsers and the webserver only, but not between apache and tomcat. You might use ssh to do that, since you can build an encrypted tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine was on ip 192.168.0.2. Further suppose your ajp connector is configured to use port 8009. You could start a port forwarding tunnel on your apache machine with

    ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via the encrypted connection established by ssh. Of course this requires ssh to be installed on both machines, i.e. the server component on the tomcat-machine and the client component on the apache-machine. (You could do it the other way around using the -R switch). Note that the connection will only be forwarded if it is coming from the local machine (i.e. the apache-machine in this example), unless you also state -g to enable other machines to connect. (You might wish to read up on this in a suitable ssh documentation).

You would then have to modify back your workers.properties file to look something like this (on the apache machine):

    # Definition for Ajp13 worker
    #
    worker.ajp13.port=8009
    worker.ajp13.host=localhost
    worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the tomcat-machine).
I have not tested this procedure, and have not given it much thought if this will cause additional security problems. I have also not explored in which way the ssh connection has to be set up to be available to apache (I would presume you would have to do it using

    nohup ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

just before starting apache, but that could cause problems with the password you would have to enter, and may force you to use client authentication with public/private keys instead).

The best solution of course would be to place your tomcat worker-machines physically behind your apache webserver, using a second network interface card on the apache machine and a switch/hub to connect it to potentially quite a lot of tomcat-machines, which would not be reachable by any other machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a configuration using ssh.

greetings
Andreas Mohrig

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

Thanks for your post with the configuration in it...SSL between apache and tomcat is something I have been wanting to research for awhile now, and your info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working between apache and tomcat on different machines. How do you know the datastream is truly encrypted? I'm not questioning your setup, I'm asking how I will know the same thing for sure once I set it up myself. Having SSL setup on both machines is no guarantee that the datastream is encrypted.

John Turner
[EMAIL PROTECTED]

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

i have it working on different machines. Tomcat on one machine and apache on another.
SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
RE: SSL Connection Tomcat and Apache
client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

I would think apache talks AJP protocol on port 8009 to tomcat. The ssl between client and port 443 on apache is http over ssl. Since I don't know of something like ajp over ssl I would presume it is not encrypted. Again: Correct me if I'm wrong, since I have not tested it with a packet-sniffer (or something like that).

greetings
Andreas Mohrig

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 6:54 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

This is exactly what I am wondering about.

-----Original Message-----
From: Peter T. Abplanalp

-----Original Message-----
From: Wills, Mike N. (TC)

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine?

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other. (i mean on the same network).

i'm not sure this answers the question. i am also interested in this. let me draw a picture:

client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the webserver gets encrypted stuff and then passes it to tomcat in the clear, someone could get the unencrypted info from the second conversation.
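The message above presumes the AJP hop is unencrypted but notes it was not checked with a packet sniffer. As an added example (not from any message in the thread), this Python code labels the first payload bytes of a connection captured between the two machines as cleartext AJP13, SSH or TLS, and decodes an AJP13 Forward Request to show which fields are readable when the hop is in the clear. The wire layout follows the published AJPv13 protocol description; the sample packet and all names are constructed.

```python
import struct

# AJP13 constants from the published AJPv13 protocol description.
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
CODED_HEADERS = {0xA001: "accept", 0xA005: "authorization", 0xA007: "content-type",
                 0xA008: "content-length", 0xA009: "cookie", 0xA00B: "host",
                 0xA00E: "user-agent"}
SENSITIVE = ("cookie", "authorization")


def classify(first_bytes):
    """Label the first payload bytes of a connection seen between the two hosts."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"                      # SSH identification string (tunnel)
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"                      # TLS/SSL handshake record
    if len(first_bytes) >= 4 and first_bytes[:2] in (b"\x12\x34", b"AB"):
        return "ajp13-cleartext"          # AJP13 magic, either direction
    return "unknown"


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated AJP13 packet")
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:              # AJP13 encoding of a null string
            return None
        text = self.take(length).decode("latin-1")
        self.take(1)                      # trailing NUL terminator
        return text


def parse_forward_request(packet):
    """Decode the request line and headers of an AJP13 Forward Request."""
    outer = _Reader(packet)
    if outer.take(2) != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP13 packet")
    body = _Reader(outer.take(outer.u16()))
    if body.u8() != 0x02:
        raise ValueError("not a Forward Request")
    request = {"method": METHODS.get(body.u8(), "other")}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        request[field] = body.string()
    request["server_port"] = body.u16()
    request["is_ssl"] = bool(body.u8())   # the front end was HTTPS
    headers = {}
    for _ in range(body.u16()):
        code = body.u16()
        if code & 0xFF00 == 0xA000:       # well-known header sent as a code
            name = CODED_HEADERS.get(code, hex(code))
        else:                             # otherwise `code` was a string length
            body.pos -= 2
            name = body.string() or ""
        headers[name.lower()] = body.string()
    request["headers"] = headers
    return request


def exposed_secrets(request):
    """Header values an eavesdropper on the back-end link could read."""
    return {k: v for k, v in request["headers"].items() if k in SENSITIVE}


def _s(text):
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def constructed_sample():
    """A hand-built Forward Request: POST /login that arrived over HTTPS."""
    body = bytes([0x02, 0x04])
    body += _s("HTTP/1.1") + _s("/login") + _s("10.0.0.5") + b"\xff\xff"
    body += _s("intranet.example") + struct.pack(">HB", 443, 1)
    body += struct.pack(">H", 2)
    body += struct.pack(">H", 0xA00B) + _s("intranet.example")
    body += struct.pack(">H", 0xA009) + _s("JSESSIONID=CONSTRUCTED0123")
    body += b"\xff"                       # request terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    pkt = constructed_sample()
    print(classify(pkt), parse_forward_request(pkt))
    print("readable on the wire:", exposed_secrets(parse_forward_request(pkt)))
```

With the ssh tunnel in place, a capture between the two hosts should show only the `ssh` label on the SSH port and no `ajp13-cleartext` streams to port 8009.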
SSL Connection Tomcat and Apache
I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
Will this work for Tomcat 4.1.x and Apache 2.0.x?

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: August 12, 2002 1:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
Oh BTW. This is Apache 2.0.?? on IBM iSeries (AS/400) but that shouldn't matter much.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this -

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost server_name:443>
    # General setup for the virtual host
    DocumentRoot C:/Apache/htdocs
    ServerName server_name
    ServerAdmin webmaster@localhost
    ErrorLog logs/ssl/error.log
    TransferLog logs/ssl/access.log
    SSLCertificateFile certificate_location/certificate_name
    SSLCertificateKeyFile certificate_key_location/certificate_key
    </VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?
Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
RE: SSL Connection Tomcat and Apache
Does anyone else have any ideas on this?

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:41 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

Oh BTW. This is Apache 2.0.?? on IBM iSeries (AS/400) but that shouldn't matter much.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

What about the transmissions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet.

-----Original Message-----
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache

In the httpd.conf file of Apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this:

##
## SSL Virtual Host Context
##
<VirtualHost server_name:443>
# General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log
SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

You have to generate a CSR file (instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities (Verisign, Thawte etc.) and once you get a certificate, you make the above changes in the httpd.conf.

Thanks
Manoj.

-----Original Message-----
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache

I have Apache and Tomcat working together, but now I am curious on security. How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187
FW: SSL Connection between Apache and Tomcat
How can I set a secure connection between Apache and Tomcat? As I see the Ajp connector is not SSL enabled. Then how secure will a system be if Tomcat runs on a different machine from Apache? Somebody said there is your firewall. But 90% of attackers come from inside thus it is not a good answer. Does anybody have an idea?

Thanks,
Zsolt

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: SSL Connection between Apache and Tomcat
Hi

To start with you will need to build Apache so that the mod_ssl module is installed and working. See the Apache websites for details ...

Regards
Pete

-----Original Message-----
From: Sasvari, Zsolt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 1:11 PM
To: 'Tomcat Users List' (E-mail)
Subject: SSL Connection between Apache and Tomcat

How can I set a secure connection between Apache and Tomcat? As I see the Ajp connector is not SSL enabled. Then how secure will a system be if Tomcat runs on a different machine from Apache? I looked through the mailing list archive and didn't find any answers. Does anybody have an idea?

Thanks,
Zsolt
RE: SSL Connection between Apache and Tomcat
I have done it. The SSL connection between the browser and Apache works. But what about the connection between Apache and Tomcat?

Regards,
Zsolt

-----Original Message-----
From: Hitchman, Peter [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2002 11:56 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection between Apache and Tomcat

Hi

To start with you will need to build Apache so that the mod_ssl module is installed and working. See the Apache websites for details ...

Regards
Pete

-----Original Message-----
From: Sasvari, Zsolt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 1:11 PM
To: 'Tomcat Users List' (E-mail)
Subject: SSL Connection between Apache and Tomcat

How can I set a secure connection between Apache and Tomcat? As I see the Ajp connector is not SSL enabled. Then how secure will a system be if Tomcat runs on a different machine from Apache? I looked through the mailing list archive and didn't find any answers. Does anybody have an idea?

Thanks,
Zsolt
RE: SSL Connection between Apache and Tomcat
Hi,

-----Original Message-----
From: Sasvari, Zsolt [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2002 12:52 PM
To: 'Tomcat Users List' (E-mail)
Subject: FW: SSL Connection between Apache and Tomcat

> How can I set a secure connection between Apache and Tomcat? As I see the Ajp connector is not SSL enabled. Then how secure will a system be if Tomcat runs on a different machine from Apache? Somebody said there is your firewall. But 90% of attackers come from inside thus it is not a good answer. Does anybody have an idea?

Don't like firewalls? ;) Some more suggestions: VPN, IPSec?

> Thanks,
> Zsolt

Anton
SSL Connection between Apache and Tomcat
How can I set a secure connection between Apache and Tomcat? As I see the Ajp connector is not SSL enabled. Then how secure will a system be if Tomcat runs on a different machine from Apache? I looked through the mailing list archive and didn't find any answers. Does anybody have an idea?

Thanks,
Zsolt
RE: Reg. Multiple Server certificates at one Webserver for SSL connection
> Hi, This ques. is Reg. to Multiple Server certificate support at one Webserver for SSL connection. How can I map different multiple server Certificates to one webserver?

Impossible my friend, you could only have ONE SSL Server certificate by IP address.

> My req. is, one webserver should work on behalf of many other servers. The client should feel that he is contacting the correct server, where this server cert is configured to the actual webserver.

Use instead one Apache HTTP server running the SSL and use reverse proxy to real HTTP servers
Re: SSL Connection problem through jsp
I think I've seen this problem when trying to use ldaps with JNDI. I found that you still have to use ldap, not ldaps. Then, you tell it to use the SSL port. In the case of LDAPS, it's 636. For HTTPS, it's 443. I think if you leave the s off the end it will probably work. At least that's the way it works with JNDI.

Jon

----- Original Message -----
From: Lomesh Contractor [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 20, 2001 4:54 AM
Subject: SSL Connection problem through jsp

Hi, I am facing one very strange problem for SSL connectivity from a JSP page. I have one Java application (one class file) that makes an SSL connection to any secure server, if I run that application independently. But, when I use the same class file from my JSP page, to make an SSL connection to another server, it shows, MalFormedURLConnection exception https unknown protocol. Well, the JSP file compiles successfully. This error occurs only at run time. I have included all the required jar files in the classpath. The same URL is working fine, if I run it as a Java application. ANY IDEA...

Regards,
Lomesh.
SSL Connection problem through jsp
Hi, I am facing one very strange problem for SSL connectivity from a JSP page. I have one Java application (one class file) that makes an SSL connection to any secure server, if I run that application independently. But, when I use the same class file from my JSP page, to make an SSL connection to another server, it shows, MalFormedURLConnection exception https unknown protocol. Well, the JSP file compiles successfully. This error occurs only at run time. I have included all the required jar files in the classpath. The same URL is working fine, if I run it as a Java application. ANY IDEA...

Regards,
Lomesh.
RE: SSL Connection problem through jsp
You have to register the SSL driver. Which SSL package do you use?

Rams

-----Original Message-----
From: Lomesh Contractor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 3:25 PM
To: [EMAIL PROTECTED]
Subject: SSL Connection problem through jsp

Hi, I am facing one very strange problem for SSL connectivity from a JSP page. I have one Java application (one class file) that makes an SSL connection to any secure server, if I run that application independently. But, when I use the same class file from my JSP page, to make an SSL connection to another server, it shows, MalFormedURLConnection exception https unknown protocol. Well, the JSP file compiles successfully. This error occurs only at run time. I have included all the required jar files in the classpath. The same URL is working fine, if I run it as a Java application. ANY IDEA...

Regards,
Lomesh.
RE: SSL Connection problem through jsp - Rams
Hi Rams,

Thank you for your reply... I'm using Sun's SSL package, also I have set the required properties in the servlet's init method as below:

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

I have also registered the com.sun.net.ssl.internal.ssl.Provider class in the web.xml. Now, what do I have to register? I am using Tomcat to run JSP and servlets. Waiting for your reply eagerly...

Regards,
Lomesh.

-----Original Message-----
From: Rams [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 7:57 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL Connection problem through jsp

You have to register the SSL driver. Which SSL package do you use?

Rams

-----Original Message-----
From: Lomesh Contractor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 20, 2001 3:25 PM
To: [EMAIL PROTECTED]
Subject: SSL Connection problem through jsp

Hi, I am facing one very strange problem for SSL connectivity from a JSP page. I have one Java application (one class file) that makes an SSL connection to any secure server, if I run that application independently. But, when I use the same class file from my JSP page, to make an SSL connection to another server, it shows, MalFormedURLConnection exception https unknown protocol. Well, the JSP file compiles successfully. This error occurs only at run time. I have included all the required jar files in the classpath. The same URL is working fine, if I run it as a Java application. ANY IDEA...

Regards,
Lomesh.
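
An added diagnostic for the "https unknown protocol" error discussed in this thread (not code from any poster; the class name HttpsHandlerCheck is hypothetical). It assumes the cause is class visibility: java.net.URL loads the handler named through java.protocol.handler.pkgs without consulting the web application's class loader, so JSSE jars that sit only inside the webapp are not found.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Provider;
import java.security.Security;

/** Added diagnostic: call HttpsHandlerCheck.report() from a servlet or JSP and log the result. */
public class HttpsHandlerCheck {

    /** "system": java.net.URL can load it; "webapp-only": only the webapp loader can; else "missing". */
    static String visibility(String className) {
        try {
            Class.forName(className, false, ClassLoader.getSystemClassLoader());
            return "system";
        } catch (ClassNotFoundException | LinkageError e) { /* try the webapp loader next */ }
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        try {
            if (ctx != null) {
                Class.forName(className, false, ctx);
                return "webapp-only";  // jar is in the webapp, invisible to java.net.URL
            }
        } catch (ClassNotFoundException | LinkageError e) { /* not found anywhere */ }
        return "missing";
    }

    public static String report() {
        StringBuilder out = new StringBuilder();
        String pkgs = System.getProperty("java.protocol.handler.pkgs", "");
        out.append("java.protocol.handler.pkgs = '").append(pkgs).append("'\n");
        // The property is a '|'-separated package list; the handler class is <pkg>.https.Handler
        for (String pkg : pkgs.split("\\|")) {
            if (pkg.trim().isEmpty()) continue;
            String handler = pkg.trim() + ".https.Handler";
            out.append("  ").append(handler).append(" -> ").append(visibility(handler)).append('\n');
        }
        for (Provider p : Security.getProviders()) {
            out.append("provider: ").append(p.getName()).append('\n');
        }
        try {
            new URL("https://example.invalid/");  // constructed URL; nothing is connected to
            out.append("https URL: handler resolved\n");
        } catch (MalformedURLException e) {
            out.append("https URL: ").append(e.getMessage()).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```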