Re: SSl Query-- please help
Thanks André for such an elaborate reply.

Just want to check another thing: is it possible to set up SSL at the Tomcat level using the mod_proxy module? But I think it does not work in the load-balancing case. Is my understanding correct?

Thanks for your support,
Vicky

On Oct 20, 2012, at 7:21 PM, André Warnier a...@ice-sa.com wrote:

> vivek aggarwal wrote:
>> Hello All,
>> I need to set up SSL on my Tomcat, which I am able to do by generating a self-signed certificate using keytool.
>> But when I am redirecting the request from Apache using the mod_jk module, it's not working.
>> I am not sure how to make Apache Tomcat work in SSL when using the mod_jk module, as I need load balancing.
>> Can someone please share the steps for doing the SSL setup when Apache is used along with Tomcat?
>
> A simplified graphical view of the recommended setup:
>
>   browser - HTTPS - Apache + mod_jk - AJP - Tomcat-1 (AJP Connector)
>                                     - AJP - Tomcat-2 (AJP Connector)
>                                     ...
>                                     - AJP - Tomcat-n (AJP Connector)
>
> In other words, you should handle the HTTPS/SSL at the front-end Apache httpd level, not at the Tomcat level. (This is also sometimes called terminating SSL at the Apache level.)
> The reason is that the AJP protocol does not support HTTPS/SSL (so, there is no way to set up the AJP Connector in Tomcat for SSL) (and no way to set up mod_jk to talk SSL to Tomcat).
> What the Apache/mod_jk combination can do however, is pass on all the required SSL headers of the original requests to Tomcat, over the AJP connection, so that a Tomcat application could make use of them.
>
> To see how to set up Apache for SSL, check the Apache httpd on-line documentation.
Re: SSl Query-- please help
Hello,

Terminating SSL at the Apache level assumes all tomcat servers behind Apache are on a secure, externally inaccessible, network. But in cloud-based, hosted systems, there is no guarantee someone isn't listening. Does this make a case for securing Apache-tomcat communication?
Re: SSl Query-- please help
Aladin Dajani wrote:
> Hello,
> Terminating SSL at the Apache level assumes all tomcat servers behind Apache are on a secure, externally inaccessible, network.

My response assumed that, and assumed that the OP wanted to continue using mod_jk for whatever reason.

> But in cloud-based, hosted systems, there is no guarantee someone isn't listening. Does this make a case for securing Apache-tomcat communication?

One could easily argue that if those servers are on different cloud-based, hosted systems, any thought of a high level of security is a bit of a stretch anyway. And that anyone who manages to usefully listen on those links, is probably already so deep inside your cloud infrastructure that this is not the worst they're doing. Or that the risk of ditto, compared to the risk constituted by umpteen buggy and virus-infected user workstations, pales into insignificance.

In an absolute sense though, you are right. If you want to really secure the Apache-Tomcats link, then you will have to re-encrypt the data at the Apache level and decrypt it at the Tomcat level. You could probably do this using mod_proxy_http instead of mod_jk (and a HTTPS Connector in Tomcat). But you should then also accept the overhead.
Or you could set up SSL tunnel connections for AJP between Apache and Tomcat, but the overhead would still be there.
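The re-encryption option mentioned in the reply above (mod_proxy_http in front of an HTTPS Connector in Tomcat), as an added configuration example that is not part of the original thread or of any poster's setup. It goes one step beyond the reply by placing the HTTPS back ends behind mod_proxy_balancer; it assumes httpd 2.4, and all host names, ports and file paths are placeholders.

```apache
# Added example. Assumes httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http,
# mod_proxy_balancer, mod_lbmethod_byrequests and mod_slotmem_shm loaded.
# Host names, ports and file paths below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Browser-facing TLS terminates here. httpd reads PEM files,
    # not a Java keystore.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Re-encrypt the hop from httpd to Tomcat.
    SSLProxyEngine on

    # Authenticate each back end against a private CA. Without these
    # checks the hop is encrypted but the peer is not verified, so a
    # host that can intercept the connection can still impersonate Tomcat.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    <Proxy "balancer://tomcats">
        # Each member is a Tomcat HTTPS Connector. "route" must match the
        # jvmRoute attribute on that instance's <Engine> element so that
        # sticky sessions land on the node holding the session.
        BalancerMember "https://tomcat1.internal.example:8443" route=tomcat1
        BalancerMember "https://tomcat2.internal.example:8443" route=tomcat2
        ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid
    </Proxy>

    ProxyPass        "/" "balancer://tomcats/"
    ProxyPassReverse "/" "balancer://tomcats/"
</VirtualHost>
```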
Re: SSl Query-- please help
Vivek,

On 10/20/12 2:22 AM, vivek aggarwal wrote:
> I need to set up SSL on my Tomcat, which I am able to do by generating a self-signed certificate using keytool.

Good.

> But when I am redirecting the request from Apache using the mod_jk module, it's not working.

What part doesn't work?

> I am not sure how to make Apache Tomcat work in SSL when using the mod_jk module, as I need load balancing.

mod_jk does not support SSL communication between httpd - Tomcat: you'll have to terminate SSL at the httpd level. If you want to encrypt the traffic between httpd and Tomcat, you'll need to use a VPN, ssh tunnel or stunnel (which is just an automated ssh tunnel).

> Can someone please share the steps for doing the SSL setup when Apache is used along with Tomcat?

Have you been able to get httpd working with SSL? Once you do that, everything else should be straightforward (not that getting httpd working with SSL is at all difficult). Just be aware that httpd doesn't use Java keystores, so you'll need to create your keys and certificates using 'openssl' from the command-line instead of working with 'keytool'.

-chris
Re: SSl Query-- please help
All/Andre,

> You could probably do this using mod_proxy_http instead of mod_jk (and a HTTPS Connector in Tomcat). But you should then also accept the overhead.

Queries:

1. Based on the above comment, does that mean I can use the mod_proxy module in order to have SSL communication between Apache and Tomcat?
2. Load balancing won't work using mod_proxy, correct?
3. What overhead are you talking about in setting up mod_proxy for SSL communication between Apache and Tomcat?

Thanks,
Vicky