Re: Securing SSL from IIS to Tomcat
Antonio,

> Nice demonstration. I only miss the seriously part, which is covered
> partially by the term expensive ;-)

Right. :)

> I wanted only to add IPSEC as another possible scenario. It has less (no)
> TCP overhead than a SSL tunnel. And it works without even changing your
> config files.

Now that's an idea. I don't even know how IPSEC works. However, I think it might be a UNIX-only thang (and he's on win32).

However, the point you make about VPNs is a good one. I think you can't 'avoid' the TCP overhead, though, since this stuff runs over something which has to have some kind of error-correcting and delivery guarantees like TCP does (even if it's not actually implemented using TCP).

At any rate, you could tunnel your JDBC connections through some other kind of secure connection.

-chris
RE: Securing SSL from IIS to Tomcat
IPSec is available under Windows. (We are using it to build up Linux/Windows VPNs.)

Some other solutions:
http://openvpn.sourceforge.net/
http://tinc.nl.linux.org/
http://sites.inka.de/sites/bigred/devel/cipe.html

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 3:40 PM
To: Tomcat Users List
Subject: Re: Securing SSL from IIS to Tomcat

> I don't even know how IPSEC works. However, I think it might be a UNIX-only
> thang (and he's on win32).
>
> However, the point you make about VPNs is a good one.
>
> At any rate, you could tunnel your JDBC connections through some other kind
> of secure connection.
Re: Securing SSL from IIS to Tomcat
John MccLain wrote:

> Since IIS decrypts the request and passes it unencrypted to Tomcat, how do I
> encrypt the request so that all communication from IIS with Tomcat is
> secure???

Do you really need it? It would probably affect your performance seriously. (No, I cannot prove that statement...)

Other than that, I cannot be of much help. I'm sure I have read something about a certain AJP 1.4 which could accomplish your needs. Latest reference I've been able to google for is from Tomcat 4.1 JK connector (deprecated). But I have not searched a lot.

Hope you can go on searching further with this little bit of info.

Antonio Fiol
RE: Securing SSL from IIS to Tomcat
I doubt anyone has that kind of need. If that is the case, then everyone will pull their brains out. If we are worried about the IIS having SSL with Tomcat, then how about SSL between database and Tomcat? How about query tools used in database (secured query tool? I don't know who has something like this). I would not worry if the Tomcat is behind a firewall, and behind the IIS (SSL).

-----Original Message-----
From: Antonio Fiol Bonnín [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 2:32 PM
To: Tomcat Users List
Subject: Re: Securing SSL from IIS to Tomcat
Re: Securing SSL from IIS to Tomcat
Antonio,

>> Since IIS decrypts the request and passes it unencrypted to Tomcat, how do
>> I encrypt the request so that all communication from IIS with Tomcat is
>> secure???
>
> Do you really need it? It would probably affect your performance seriously.
> (No, I cannot prove that statement...)

I can prove this statement. :)

Connection latency = network transfer time + 2 * (TCP overhead + encryption/decryption)

(Twice since both clients have these overheads). When the encryption/decryption term becomes zero (removal of SSL), performance increases. The assertion that encryption/decryption takes more than zero time is left as an exercise to the reader. (Oh, and SSL acceleration hardware is expensive, which would seem silly if the ops were trivial).

> Latest reference I've been able to google for is from Tomcat 4.1 JK
> connector (deprecated). But I have not searched a lot.

I don't think that the JK mod is deprecated. In fact, it's suggested for production installations with Apache 1.3 and 2.0 (and IIS, I guess).

(From the other followup post):

> I doubt anyone has that kind of need. If that is the case, then everyone
> will pull their brains out.

Often, there's a need. What if you don't trust your own network?

> If we are worried about the IIS having SSL with Tomcat, then how about SSL
> between database and Tomcat? How about query tools used in database (secured
> query tool? I don't know who has something like this).

Some people need this type of stuff. Let's say that your database server is on another network, and you need confidential transfers?

> I would not worry if the Tomcat is behind a firewall, and behind the IIS (SSL).

I would still worry. For example, all of our hardware is hosted by a data center. We get all kinds of M$ virus crap spewing into our syslogs every single day. We get SMB traffic logs. We get all kinds of crap. There's nothing stopping me from running a packet sniffer on my machines, which would compromise the entire network if SSL were not being used.

(Fortunately, each app is small enough that we can run both the app and db on the same machine and avoid those security concerns).

The JK documentation says nothing about SSL (other than forwarding SSL information from the web server to Tomcat). I assert that you have two options:

1. Use Tomcat standalone (why not? do you have a huge amount of non-dynamic content? If not, consider Tomcat standalone)

2. Set up an SSL tunnel using your favorite ssh software. OpenSSH is available for win32 (at least through cygwin). You can punch through pretty much any network and firewall (as long as they allow SSH). All the data is encrypted. Most ssh clients/servers also support compression as well, which /might/ help offset the performance penalty of encryption (due to lower network transfer times).

Good luck.

-chris
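As an added example that is not part of this thread: a small Python audit that classifies the first bytes of captured flows on the IIS-to-Tomcat segment, so an operator can check whether that hop is actually carried over TLS or SSH or is still readable to the packet sniffer Chris describes. Hosts, ports and captured bytes are constructed; the AJP13 and TLS magic values are the protocols' own.

```python
# Added example: classify the first bytes of captured IIS <-> Tomcat flows
# to check whether the hop is encrypted or readable to a packet sniffer.

# Constructed sample captures (hypothetical hosts, ports and payloads).
SAMPLE_FLOWS = [
    ("10.0.0.5:51544->10.0.0.9:8009", b"\x12\x34\x01\x00\x02"),         # AJP13
    ("10.0.0.5:51545->10.0.0.9:8443", b"\x16\x03\x01\x00\x8a\x01"),      # TLS
    ("10.0.0.5:51546->10.0.0.9:8080", b"GET /index.jsp HTTP/1.1\r\n"),   # HTTP
    ("10.0.0.5:51547->10.0.0.9:22",   b"SSH-2.0-OpenSSH_3.8\r\n"),       # SSH
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify(first_bytes: bytes) -> str:
    """Return a label for a flow based on its first bytes.

    - A TLS record starts with content type 0x16 (handshake) and major
      version 0x03, so an SSL tunnel shows up as "tls".
    - An SSH session opens with the ASCII banner "SSH-".
    - AJP13 packets from the web server to Tomcat start with the magic
      0x12 0x34; replies from Tomcat start with the ASCII bytes "AB".
    - Plain HTTP starts with a request method.
    """
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:2] in (b"\x12\x34", b"AB"):
        return "ajp13-plaintext"
    if first_bytes.startswith(HTTP_METHODS):
        return "http-plaintext"
    return "unknown"


def plaintext_flows(flows):
    """Return (flow_id, label) for every flow a sniffer could read directly."""
    found = []
    for flow_id, data in flows:
        label = classify(data)
        if label.endswith("-plaintext"):
            found.append((flow_id, label))
    return found


if __name__ == "__main__":
    for flow_id, label in plaintext_flows(SAMPLE_FLOWS):
        print(f"unencrypted {label}: {flow_id}")
```

Feed it the first few bytes of each new connection from a capture on the Tomcat host; anything labelled `-plaintext` is traffic the SSH tunnel or IPSec setup discussed above has not covered.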
Re: Securing SSL from IIS to Tomcat
Hi,

Nice demonstration. I only miss the seriously part, which is covered partially by the term expensive ;-)

I wanted only to add IPSEC as another possible scenario. It has less (no) TCP overhead than a SSL tunnel. And it works without even changing your config files.

Antonio Fiol