Re: SSL Connection Tomcat and Apache

2002-12-13 Thread Bill Barker
While there seems to be a demand for SSL from Apache-Tomcat, the fact is
that it is not currently implemented.  Both the Warp & Ajp13 protocols send
the messages un-encrypted and easily enough decipherable to a sniffer.  They
are designed around the assumption that your Tomcat Server is in the same DMZ
as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to
either Warp or Ajp13 ;-).

Turner, John [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

With the increase in web services, and different companies working as
partners, it's very conceivable (in my mind) that there would be a situation
where the initial web request was handled by apache owned by Company A, and
for one reason or another, needed to connect to tomcat owned by Company B
across the public internet to fulfill the request.  Rather than incorporate
some sort of separate VPN scenario with software or hardware (or both) it
would be nice to be able to create an encrypted tunnel from one server to
the other (apache-tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and
how they did it.  I intend to try setting it up myself as soon as I have the
time.

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 12:50 PM
Subject: AW: SSL Connection Tomcat and Apache


Why do you care?

In most cases this traffic is not seen by anybody
but yourself.
It's a completely different topic if you allow third
parties access to systems inside your network and you
want to make sure that they don't listen to traffic
that isn't owned by them (e.g. if you are an ISP).

 -Original Message-
 From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 22:21
 To: '[EMAIL PROTECTED]'
 Subject: SSL Connection Tomcat and Apache


 I have Apache and Tomcat working together, but now I am
 curious on security.
 How do I implement SSL on that connection?

 Mike Wills
 IT Corporate Support
 Taylor Corporation
 [EMAIL PROTECTED]
 Phone: (507) 386-3187


 --
 To unsubscribe, e-mail:
 mailto:[EMAIL PROTECTED]
 For additional commands, e-mail:
 mailto:[EMAIL PROTECTED]
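
What "easily enough decipherable to a sniffer" means in practice, as an added example that is not part of the original thread: a Python parser that reads an AJP13 Forward Request straight from the bytes on the Apache-to-Tomcat leg, so a captured payload can be checked for readable requests. The packet, host names and cookie value are constructed samples, and the function names are assumptions; the field layout follows the published AJP13 packet format.

```python
"""Added example: can a request be read straight off the Apache->Tomcat link?"""
import struct

AJP_MAGIC = b"\x12\x34"      # packets from the web server to Tomcat start 0x1234
FORWARD_REQUEST = 0x02       # prefix code of a Forward Request
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}
# Subset of the coded (0xA0xx) request header names defined by AJP13.
CODED_HEADERS = {0xA005: "authorization", 0xA007: "content-type",
                 0xA008: "content-length", 0xA009: "cookie",
                 0xA00B: "host", 0xA00E: "user-agent"}
# CONSTRUCTED stand-in for bytes seen on a tunnelled link (an SSH banner).
SSH_LIKE_SAMPLE = b"SSH-2.0-OpenSSH_constructed\r\n"


def enc(text):
    """AJP13 string: 2-byte big-endian length, the bytes, a trailing NUL."""
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample_packet():
    """CONSTRUCTED Forward Request for an HTTPS POST; not a real capture."""
    body = bytes([FORWARD_REQUEST, 4])                     # 4 = POST
    body += enc("HTTP/1.1") + enc("/app/login") + enc("203.0.113.7")
    body += enc("client.example") + enc("www.example.com")
    body += struct.pack(">H", 443) + b"\x01"               # server_port, is_ssl
    body += struct.pack(">H", 2)                           # num_headers
    body += struct.pack(">H", 0xA009) + enc("JSESSIONID=CONSTRUCTED0000")
    body += enc("x-constructed") + enc("demo")
    body += b"\xff"                                        # request terminator
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self, length=None):
        length = self.u16() if length is None else length
        if length == 0xFFFF:                 # AJP13 encoding of a null string
            return None
        text = self.take(length).decode("latin-1")
        self.take(1)                         # trailing NUL
        return text


def parse_forward_request(packet):
    """Return the fields readable in the packet, or None if it is not a request."""
    try:
        outer = Reader(packet)
        magic, body = outer.take(2), Reader(outer.take(outer.u16()))
        if magic != AJP_MAGIC or body.u8() != FORWARD_REQUEST:
            return None
        req = {"method": METHODS.get(body.u8(), "OTHER")}
        for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
            req[field] = body.string()
        req["server_port"], req["is_ssl"] = body.u16(), bool(body.u8())
        req["headers"] = {}
        for _ in range(body.u16()):
            code = body.u16()                # coded name, or a string length
            if (code & 0xFF00) == 0xA000:
                name = CODED_HEADERS.get(code, hex(code))
            else:
                name = (body.string(code) or "").lower()
            req["headers"][name] = body.string()
        return req
    except ValueError:                       # truncated or not AJP13 at all
        return None


def sensitive_headers(req):
    """Names of credential-bearing headers that crossed the link in the clear."""
    return sorted({"authorization", "cookie"} & set(req["headers"]))


def classify_capture(payload):
    """A payload that does not parse is only unreadable, not proven encrypted."""
    return "cleartext-ajp13" if parse_forward_request(payload) else "no-readable-ajp13"


if __name__ == "__main__":
    req = parse_forward_request(build_sample_packet())
    print(classify_capture(build_sample_packet()), req["method"], req["uri"],
          "is_ssl:", req["is_ssl"], "exposed:", sensitive_headers(req))
    print(classify_capture(SSH_LIKE_SAMPLE))
```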








RE: SSL Connection Tomcat and Apache

2002-12-13 Thread Noel J. Bergman
Since apparently this capability is not available, yet, nor a high priority,
might I suggest ssh tunneling.  We use it here to tunnel MySQL replication
through a set of firewalls:

   ssh -2 -N -T -q -L localport:remote-host:remote-port remote-host

Using PKE means that I can run that tunnel as a particular pseudo-user with
its own set of keys.  I use a daemon to make sure that if the tunnel dies,
it comes back.  As I said, this technique supports the real-time replication
that we've been running for more than two years.

I see no reason why I couldn't run an SSH tunnel over which to transparently
run Connector protocols, which makes more sense to me than bolting SSL onto
them.  SSH tunnels not only protect the data, they authenticate the user.
If I were Company B, I would not want just anyone connecting to my Tomcat
via a Connector!

--- Noel

-Original Message-
From: news [mailto:[EMAIL PROTECTED]]On Behalf Of Bill Barker
Sent: Saturday, December 14, 2002 2:19
To: [EMAIL PROTECTED]
Subject: Re: SSL Connection Tomcat and Apache


While there seems to be a demand for SSL from Apache-Tomcat, the fact is
that it is not currently implemented.  Both the Warp & Ajp13 protocols send
the messages un-encrypted and easily enough decipherable to a sniffer.  They
are designed around the assumption that your Tomcat Server is in the same DMZ
as your Apache/httpd server.

Of course, patches are always welcome, if anyone wants to add SSL support to
either Warp or Ajp13 ;-).

Turner, John [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

With the increase in web services, and different companies working as
partners, it's very conceivable (in my mind) that there would be a situation
where the initial web request was handled by apache owned by Company A, and
for one reason or another, needed to connect to tomcat owned by Company B
across the public internet to fulfill the request.  Rather than incorporate
some sort of separate VPN scenario with software or hardware (or both) it
would be nice to be able to create an encrypted tunnel from one server to
the other (apache-tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and
how they did it.  I intend to try setting it up myself as soon as I have the
time.

John Turner
[EMAIL PROTECTED]






RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Pooleery, Manoj

i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file(instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities(verisign,
thawte etc) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Turner, John


Thanks for your post with the configuration in it...SSL between apache and
tomcat is something I have been wanting to research for awhile now, and your
info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working
between apache and tomcat on different machines.  How do you know the
datastream is truly encrypted?  I'm not questioning your setup, I'm asking
how I will know the same thing for sure once I set it up myself.  Having SSL
setup on both machines is no guarantee that the datastream is encrypted. 

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file(instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities(verisign,
thawte etc) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Wills, Mike N. (TC)

How is this set up then?

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 10:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file(instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities(verisign,
thawte etc) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






Re: SSL Connection Tomcat and Apache

2002-08-13 Thread Peter T. Abplanalp

 -Original Message-
 From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 4:38 PM
 To: 'Tomcat Users List'
 Subject: RE: SSL Connection Tomcat and Apache
 
 
 What about the transmissions between Apache and Tomcat? I realize if they
 are on the same machine it isn't a problem, but what about if it is on a
 different machine? 

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
 i have it working on different machines.  Tomcat on one machine and apache
 on another.  SSL will work irrespective of the machines, as long as both of
 the machines can see each other.(i mean on the same network).

i'm not sure this answers the question.  i am also interested in this.
let me draw a picture:


client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the webserver gets encrypted stuff and then
passes it to tomcat in the clear, someone could get the unencrypted
info from the second conversation.

--
Peter Abplanalp

Email:   [EMAIL PROTECTED]
PGP: pgp.mit.edu




RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Milt Epstein

On Tue, 13 Aug 2002, Pooleery, Manoj wrote:

 i have it working on different machines.  Tomcat on one machine and
 apache on another.  SSL will work irrespective of the machines, as
 long as both of the machines can see each other.(i mean on the same
 network).

Are you sure you are understanding the question?  That is, it doesn't
have to do with Apache handling SSL on the front end (or even Tomcat,
if/when it's running standalone), but rather the communication between
Apache and Tomcat using SSL in the middle.  So we're not talking about
secure HTTP (HTTPS) communication, but rather secure whatever
protocol is being used to communicate between Apache and Tomcat
(e.g. AJP, WARP).

Frankly, I have seen this question come up before -- it is a very
reasonable one, what is the point of having security on the front end,
if there is no security in the middle or the back end, after all --
but I don't think I've ever seen an answer saying it can be done.


 -Original Message-
 From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 4:38 PM
 To: 'Tomcat Users List'
 Subject: RE: SSL Connection Tomcat and Apache


 What about the transmissions between Apache and Tomcat? I realize if they
 are on the same machine it isn't a problem, but what about if it is on a
 different machine?

 This is all for the intranet.

 -Original Message-
 From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 3:33 PM
 To: 'Tomcat Users List'
 Subject: RE: SSL Connection Tomcat and Apache


 In the httpd.conf file of apache, you can implement the virtual host
 directive for SSL.  The port used is 443.  You have to have an entry like
 this -

 ##
 ## SSL Virtual Host Context
 ##

 <VirtualHost server_name:443>

   #  General setup for the virtual host
   DocumentRoot C:/Apache/htdocs
   ServerName server_name
   ServerAdmin webmaster@localhost
   ErrorLog logs/ssl/error.log
   TransferLog logs/ssl/access.log

   SSLCertificateFile certificate_location/certificate_name
   SSLCertificateKeyFile certificate_key_location/certificate_key
 </VirtualHost>

 you have to generate a CSR file(instructions for creating a CSR can be found
 at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
 CSR, you can send it to any of the certificate issuing authorities(verisign,
 thawte etc) and once you get a certificate, you make the above changes in
 the httpd.conf.

 Thanks
 Manoj.

 -Original Message-
 From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 4:21 PM
 To: '[EMAIL PROTECTED]'
 Subject: SSL Connection Tomcat and Apache


 I have Apache and Tomcat working together, but now I am curious on security.
 How do I implement SSL on that connection?

 Mike Wills
 IT Corporate Support
 Taylor Corporation
 [EMAIL PROTECTED]
 Phone: (507) 386-3187




Milt Epstein
Research Programmer
Systems and Technology Services (STS)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]






RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Wills, Mike N. (TC)

This is exactly what I am wondering about. 

-Original Message-
From: Peter T. Abplanalp 

 -Original Message-
 From: Wills, Mike N. (TC)
 What about the transmissions between Apache and Tomcat? I realize if they
 are on the same machine it isn't a problem, but what about if it is on a
 different machine? 

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
 i have it working on different machines.  Tomcat on one machine and apache
 on another.  SSL will work irrespective of the machines, as long as both of
 the machines can see each other.(i mean on the same network).

i'm not sure this answers the question.  i am also interested in this.
let me draw a picture:


client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the webserver gets encrypted stuff and then
passes it to tomcat in the clear, someone could get the unencrypted
info from the second conversation.





RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Andreas Mohrig

I think the setup within apache's httpd.conf will enable encryption between
the client browsers and the webserver only, but not between apache and
tomcat. You might use ssh to do that, since you can build an encrypted
tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine
was on ip 192.168.0.2. Further suppose your ajp connector is configured to
use port 8009. You could start a port forwarding tunnel on your apache
machine with

ssl -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via
the encrypted connection established by ssh. Of course this requires ssh to
be installed on both machines, i.e. the server component on the
tomcat-machine and the client component on the apache-machine. (You could do
it the other way around using the -R switch). Note that the connection will
only be forwarded if it is coming from the local machine (i.e. the
apache-machine in this example), unless you also state -g to enable other
machines to connect. (You might wish to read up on this in a suitable ssh
documentation).

You would then have to modify back your workers.properties file to look
something like this (on the apache machine):

# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the
tomcat-machine).

I have not tested this procedure, and have not given it much thought if this
will cause additional security problems. I have also not explored in which
way the ssh connection has to be set up to be available to apache (I would
presume you would have to do it using nohup ssl -L 8009:192.168.0.2:8009
[EMAIL PROTECTED]  just before starting apache, but that could cause
problems with the password you would have to enter, and may force you to use
client authentication with public/private keys instead). 

The best solution of course would be to place your tomcat worker-machines
physically behind your apache webserver, using a second network interface
card on the apache machine and a switch/hub to connect it to potentially
quite a lot of tomcat-machines, which would not be reachable by any other
machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a
configuration using ssh.

greetings

Andreas Mohrig

-Original Message-
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache



Thanks for your post with the configuration in it...SSL between apache and
tomcat is something I have been wanting to research for awhile now, and your
info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working
between apache and tomcat on different machines.  How do you know the
datastream is truly encrypted?  I'm not questioning your setup, I'm asking
how I will know the same thing for sure once I set it up myself.  Having SSL
setup on both machines is no guarantee that the datastream is encrypted. 

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file(instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR

RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Andreas Mohrig

Please correct my typo: It has to be ssh instead of ssl (of course) in
the command used to start the secure shell!!!

And one more thought: I have no idea how this might affect performance.

-

I think the setup within apache's httpd.conf will enable encryption between
the client browsers and the webserver only, but not between apache and
tomcat. You might use ssh to do that, since you can build an encrypted
tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine
was on ip 192.168.0.2. Further suppose your ajp connector is configured to
use port 8009. You could start a port forwarding tunnel on your apache
machine with

ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via
the encrypted connection established by ssh. Of course this requires ssh to
be installed on both machines, i.e. the server component on the
tomcat-machine and the client component on the apache-machine. (You could do
it the other way around using the -R switch). Note that the connection will
only be forwarded if it is coming from the local machine (i.e. the
apache-machine in this example), unless you also state -g to enable other
machines to connect. (You might wish to read up on this in a suitable ssh
documentation).

You would then have to modify back your workers.properties file to look
something like this (on the apache machine):

# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the
tomcat-machine).

I have not tested this procedure, and have not given it much thought if this
will cause additional security problems. I have also not explored in which
way the ssh connection has to be set up to be available to apache (I would
presume you would have to do it using nohup ssh -L 8009:192.168.0.2:8009
[EMAIL PROTECTED]  just before starting apache, but that could cause
problems with the password you would have to enter, and may force you to use
client authentication with public/private keys instead). 

The best solution of course would be to place your tomcat worker-machines
physically behind your apache webserver, using a second network interface
card on the apache machine and a switch/hub to connect it to potentially
quite a lot of tomcat-machines, which would not be reachable by any other
machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a
configuration using ssh.

greetings

Andreas Mohrig

-Original Message-
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache



Thanks for your post with the configuration in it...SSL between apache and
tomcat is something I have been wanting to research for awhile now, and your
info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working
between apache and tomcat on different machines.  How do you know the
datastream is truly encrypted?  I'm not questioning your setup, I'm asking
how I will know the same thing for sure once I set it up myself.  Having SSL
setup on both machines is no guarantee that the datastream is encrypted. 

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other.(i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key

RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Turner, John


With the increase in web services, and different companies working as
partners, it's very conceivable (in my mind) that there would be a situation
where the initial web request was handled by apache owned by Company A, and
for one reason or another, needed to connect to tomcat owned by Company B
across the public internet to fulfill the request.  Rather than incorporate
some sort of separate VPN scenario with software or hardware (or both) it
would be nice to be able to create an encrypted tunnel from one server to
the other (apache-tomcat) on the fly.

I'm definitely interested in hearing from people who have this working, and
how they did it.  I intend to try setting it up myself as soon as I have the
time.

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 12:50 PM
To: Tomcat Users List
Subject: AW: SSL Connection Tomcat and Apache


Why do you care?

In most cases this traffic is not seen by anybody
but yourself.
It's a completely different topic if you allow third
parties access to systems inside your network and you
want to make sure that they don't listen to traffic
that isn't owned by them (e.g. if you are an ISP).

 -Original Message-
 From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 12, 2002 22:21
 To: '[EMAIL PROTECTED]'
 Subject: SSL Connection Tomcat and Apache
 
 
 I have Apache and Tomcat working together, but now I am 
 curious on security.
 How do I implement SSL on that connection?
 
 Mike Wills
 IT Corporate Support
 Taylor Corporation
 [EMAIL PROTECTED]
 Phone: (507) 386-3187
 
 





RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Wills, Mike N. (TC)

...and one more thought. My concern is that, for me, this is on an IBM
iSeries (AS400) not Linux/Unix/Win so that solution may not work for me.

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 12:04 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


Please correct my typo: It has to be ssh instead of ssl (of course) in
the command used to start the secure shell!!!

And one more thought: I have no idea how this might affect performance.

-

I think the setup within apache's httpd.conf will enable encryption between
the client browsers and the webserver only, but not between apache and
tomcat. You might use ssh to do that, since you can build an encrypted
tunnel to forward the connections to a remote port.

Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine
was on ip 192.168.0.2. Further suppose your ajp connector is configured to
use port 8009. You could start a port forwarding tunnel on your apache
machine with

ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED]

Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via
the encrypted connection established by ssh. Of course this requires ssh to
be installed on both machines, i.e. the server component on the
tomcat-machine and the client component on the apache-machine. (You could do
it the other way around using the -R switch). Note that the connection will
only be forwarded if it is coming from the local machine (i.e. the
apache-machine in this example), unless you also state -g to enable other
machines to connect. (You might wish to read up on this in a suitable ssh
documentation).

You would then have to modify back your workers.properties file to look
something like this (on the apache machine):

# Definition for Ajp13 worker
#
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13

Note that it is localhost again instead of 192.168.0.2 (the ip of the
tomcat-machine).

I have not tested this procedure, and have not given it much thought if this
will cause additional security problems. I have also not explored in which
way the ssh connection has to be set up to be available to apache (I would
presume you would have to do it using nohup ssh -L 8009:192.168.0.2:8009
[EMAIL PROTECTED]  just before starting apache, but that could cause
problems with the password you would have to enter, and may force you to use
client authentication with public/private keys instead). 

The best solution of course would be to place your tomcat worker-machines
physically behind your apache webserver, using a second network interface
card on the apache machine and a switch/hub to connect it to potentially
quite a lot of tomcat-machines, which would not be reachable by any other
machines if you set up the apache-machine correctly.

Please let me (let us all) know if you manage to successfully set up such a
configuration using ssh.

greetings

Andreas Mohrig

-Original Message-
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 5:49 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache



Thanks for your post with the configuration in it...SSL between apache and
tomcat is something I have been wanting to research for awhile now, and your
info will make it easier to do that.

That said, I'm curious to know how you are verifying that SSL is working
between apache and tomcat on different machines.  How do you know the
datastream is truly encrypted?  I'm not questioning your setup, I'm asking
how I will know the same thing for sure once I set it up myself.  Having SSL
setup on both machines is no guarantee that the datastream is encrypted. 

John Turner
[EMAIL PROTECTED]

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:27 AM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


i have it working on different machines.  Tomcat on one machine and apache
on another.  SSL will work irrespective of the machines, as long as both of
the machines can see each other (i mean on the same network).

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

VirtualHost server_name:443

#  General setup for the virtual host

RE: SSL Connection Tomcat and Apache

2002-08-13 Thread Andreas Mohrig

 client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

I would think apache talks AJP protocol on port 8009 to tomcat. The ssl
between client and port 443 on apache is http over ssl. Since I don't know
of something like ajp over ssl I would presume it is not encrypted.

Again: Correct me if I'm wrong, since I have not tested it with a
packet-sniffer (or something like that).

greetings

Andreas Mohrig

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 6:54 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


This is exactly what I am wondering about. 

-Original Message-
From: Peter T. Abplanalp 

 -Original Message-
 From: Wills, Mike N. (TC)
 What about the transmissions between Apache and Tomcat? I realize if they
 are on the same machine it isn't a problem, but what about if it is on a
 different machine? 

On Tue, Aug 13, 2002 at 11:27:21AM -0400, Pooleery, Manoj wrote:
 i have it working on different machines.  Tomcat on one machine and apache
 on another.  SSL will work irrespective of the machines, as long as both of
 the machines can see each other (i mean on the same network).

i'm not sure this answers the question.  i am also interested in this.
let me draw a picture:


client - talks on 443 ssl to - apache - talks ??? on port 8009 - tomcat

the problem being that if the webserver gets encrypted stuff and then
passes it to tomcat in the clear, someone could get the unencrypted
info from the second conversation.

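One way to settle the question raised in this thread, whether the Apache-to-Tomcat hop on port 8009 is really encrypted, is to look at the first bytes of a captured payload. The following Python is an added example, not code from any poster or from the Tomcat project; it assumes the documented AJP13 packet layout, and the function names and the sample packet are constructed for illustration.

```python
import struct

# AJP13 sends common request header names as 0xA0xx codes, starting at 0xA001.
CODED_HEADERS = ["accept", "accept-charset", "accept-encoding", "accept-language",
                 "authorization", "connection", "content-type", "content-length",
                 "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE", 7: "TRACE"}

def classify(payload: bytes) -> str:
    """Heuristic guess at what the first bytes of a TCP payload are."""
    if payload.startswith(b"SSH-"):
        return "ssh"                       # identification string that opens an SSH session
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 3:
        return "tls"                       # SSLv3/TLS record header
    if len(payload) >= 4 and payload[:2] == b"\x12\x34":
        (length,) = struct.unpack_from(">H", payload, 2)
        if 0 < length <= len(payload) - 4:
            return "ajp13-cleartext"       # web server -> container magic plus sane length
    return "unknown"

def _string(buf: bytes, pos: int):
    """Read an AJP13 string: 2-byte length, bytes, trailing NUL (0xFFFF means null)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 2 + n + 1

def parse_forward_request(payload: bytes) -> dict:
    """Decode the fields a sniffer could read from a cleartext Forward Request."""
    if classify(payload) != "ajp13-cleartext" or payload[4] != 0x02:
        raise ValueError("not a cleartext AJP13 Forward Request")
    body, pos = payload[4:], 2
    req = {"method": METHODS.get(body[1], "code %d" % body[1])}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field], pos = _string(body, pos)
    req["server_port"], is_ssl, count = struct.unpack_from(">HBH", body, pos)
    req["is_ssl"], req["headers"], pos = bool(is_ssl), {}, pos + 5
    for _ in range(count):
        (code,) = struct.unpack_from(">H", body, pos)
        if (code & 0xFF00) == 0xA000:      # coded header name
            name, pos = CODED_HEADERS[(code & 0xFF) - 1], pos + 2
        else:                              # header name sent as a string
            name, pos = _string(body, pos)
        req["headers"][name], pos = _string(body, pos)
    return req

def _enc(text: str) -> bytes:
    return struct.pack(">H", len(text)) + text.encode("latin-1") + b"\x00"

def build_sample() -> bytes:
    """Constructed sample: a login POST that reached Apache over HTTPS (is_ssl=1)."""
    body = (b"\x02\x04" + _enc("HTTP/1.1") + _enc("/app/login") + _enc("192.168.0.50")
            + _enc("client.example") + _enc("www.example.com")
            + struct.pack(">HBH", 443, 1, 2) + b"\xa0\x0b" + _enc("www.example.com")
            + b"\xa0\x09" + _enc("JSESSIONID=CONSTRUCTED-SAMPLE") + b"\xff")
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    print(classify(build_sample()), parse_forward_request(build_sample()))
```

On an SSH or TLS link only the opening bytes of the session are recognisable, so "unknown" for mid-stream data is expected there; the sign of an unprotected hop is any payload that decodes as AJP13, here with the session cookie readable even though is_ssl is set.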




RE: SSL Connection Tomcat and Apache

2002-08-12 Thread Pooleery, Manoj

In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities (verisign,
thawte etc.) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-12 Thread Wills, Mike N. (TC)

What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities (verisign,
thawte etc.) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-12 Thread Short, Dave

Will this work for Tomcat 4.1.x and Apache 2.0.x?

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: August 12, 2002 1:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities (verisign,
thawte etc.) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-12 Thread Wills, Mike N. (TC)

Oh BTW. This is Apache 2.0.?? on IBM iSeries (AS/400) but that shouldn't
matter much. 

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities (verisign,
thawte etc.) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187






RE: SSL Connection Tomcat and Apache

2002-08-12 Thread Wills, Mike N. (TC)

Does anyone else have any ideas on this? 

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:41 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


Oh BTW. This is Apache 2.0.?? on IBM iSeries (AS/400) but that shouldn't
matter much. 

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:38 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


What about the transmissions between Apache and Tomcat? I realize if they
are on the same machine it isn't a problem, but what about if it is on a
different machine? 

This is all for the intranet.

-Original Message-
From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 3:33 PM
To: 'Tomcat Users List'
Subject: RE: SSL Connection Tomcat and Apache


In the httpd.conf file of apache, you can implement the virtual host
directive for SSL.  The port used is 443.  You have to have an entry like
this - 

##
## SSL Virtual Host Context
##

<VirtualHost server_name:443>

#  General setup for the virtual host
DocumentRoot C:/Apache/htdocs
ServerName server_name
ServerAdmin webmaster@localhost
ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log

SSLCertificateFile certificate_location/certificate_name
SSLCertificateKeyFile certificate_key_location/certificate_key
</VirtualHost>

you have to generate a CSR file (instructions for creating a CSR can be found
at http://www.verisign.com/support/csr/apache/v01.html).  Once you create a
CSR, you can send it to any of the certificate issuing authorities (verisign,
thawte etc.) and once you get a certificate, you make the above changes in
the httpd.conf.

Thanks
Manoj.

-Original Message-
From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 12, 2002 4:21 PM
To: '[EMAIL PROTECTED]'
Subject: SSL Connection Tomcat and Apache


I have Apache and Tomcat working together, but now I am curious on security.
How do I implement SSL on that connection?

Mike Wills
IT Corporate Support
Taylor Corporation
[EMAIL PROTECTED]
Phone: (507) 386-3187

