Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-09 Thread Martin Gainty

Yes. Bill's original statement is accurate
if we reference
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Option 1 (Tomcat container running behind another SSL-enabled web server)
"When running Tomcat primarily as a Servlet/JSP container behind another web 
server, such as Apache or Microsoft IIS, it is usually necessary to configure 
the primary web server to handle the SSL connections from users. Typically, 
this server will negotiate all SSL-related functionality, then pass on any 
requests destined for the Tomcat container only after decrypting those 
requests. Likewise, Tomcat will return cleartext responses, that will be 
encrypted before being returned to the user's browser. In this environment, 
Tomcat knows that communications between the primary web server and the client 
are taking place over a secure connection (because your application needs to be 
able to ask about this), but it does not participate in the encryption or 
decryption itself"

Option 2 (certificates): please reference this link from the certificate provider 
Verisign
http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html
where the certificate supplies a public key to decrypt information and also 
supplies a private key used to decipher the key
To quote
"An SSL Certificate consists of a public key and a private key. The public key 
is used to encrypt information and the private key is used to decipher it"

Tomcat container(s) are not doing the encrypting or decrypting in either 
scenario-

HTH,
M-

--- 
This e-mail message (including attachments, if any) is intended for the use of 
the individual or entity to which it is addressed and may contain information 
that is privileged, proprietary , confidential and exempt from disclosure. If 
you are not the intended recipient, you are notified that any dissemination, 
distribution or copying of this communication is strictly prohibited.
--- 
This electronic message (including any attached documents) is addressed to the 
indicated recipient and may contain private or confidential information. If you 
are not the recipient of this document, we inform you that it is strictly 
forbidden to disseminate, distribute or reproduce it.
- Original Message - 
From: "dfelicia" <[EMAIL PROTECTED]>
To: 
Sent: Friday, December 08, 2006 11:07 PM
Subject: Re: Is this possible? mod_jk <==SSL==> AJP/1.3


> 
>>Tomcat currently does not support encryption.
> Huh?  Sure it does.  I think you mean AJP doesn't support encryption.
> -- 
> View this message in context: 
> http://www.nabble.com/Is-this-possibe---mod_jk-%3C%3D%3DSSL%3D%3D%3E-AJP-1.3-tf2776640.html#a7769280
> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 
> 
> -
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
>

Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread dfelicia

>Tomcat currently does not support encryption.
Huh?  Sure it does.  I think you mean AJP doesn't support encryption.



Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread Bill Barker

"dfelicia" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
>>Not true; see 
>>
>
> Interesting.  I'll need to look into mod_proxy, further.  But what about
> performance?  I've not tested it in a long while, but last I tried it was
> slower that mod_jk.
>
> BTW, does Apache 2.2's new mod_proxy_ajp support encryption?  Is that the
> answer for me?  (Yes, I know I have to RTFM... going there now.)

For the benefit of those searching the archives, what the fine manual says 
is that mod_proxy_ajp does not support encryption.  The reason is that 
Tomcat currently does not support encryption.




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread dfelicia

>Not true; see 

Interesting.  I'll need to look into mod_proxy further.  But what about
performance?  I've not tested it in a long while, but last I tried it was
slower than mod_jk.

BTW, does Apache 2.2's new mod_proxy_ajp support encryption?  Is that the
answer for me?  (Yes, I know I have to RTFM... going there now.)



Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread fredk2

ooops - I need to spend more time reading the fine manual :-)

tx for the reminder :)


Hassan Schroeder-2 wrote:
> 
> On 12/8/06, fredk2 <[EMAIL PROTECTED]> wrote:
> 
>> although I have not tested this personally, but I was told that mod_proxy
>> (_ajp)  does not have the Auto Flush option that you can set with mod_jk
>> and
>> thus creates problem for streaming applications.
> 
> You might want to look at the "flushpackets" parameter to the ProxyPass
> directive  :-)
> 
> FWIW,
> -- 
> Hassan Schroeder  [EMAIL PROTECTED]
> 




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread Hassan Schroeder

On 12/8/06, fredk2 <[EMAIL PROTECTED]> wrote:

> although I have not tested this personally, but I was told that mod_proxy
> (_ajp)  does not have the Auto Flush option that you can set with mod_jk and
> thus creates problem for streaming applications.


You might want to look at the "flushpackets" parameter to the ProxyPass
directive  :-)

FWIW,
--
Hassan Schroeder  [EMAIL PROTECTED]




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-08 Thread fredk2

Hi,

Although I have not tested this personally, I was told that mod_proxy
(_ajp) does not have the Auto Flush option that you can set with mod_jk and
thus creates problems for streaming applications.

I wonder if others came across this problem?

Rgds - Fred


Hassan Schroeder-2 wrote:
> 
> On 12/7/06, dfelicia <[EMAIL PROTECTED]> wrote:
> 
>> mod_proxy is ...  It also doesn't offer
>> load-balancing,
> 
> Not true; see
> 
> 
> I've used this recently (with mod_proxy_ajp) and it worked fine. :-)
> 
> FWIW,
> -- 
> Hassan Schroeder  [EMAIL PROTECTED]
> 




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-07 Thread Hassan Schroeder

On 12/7/06, dfelicia <[EMAIL PROTECTED]> wrote:

> mod_proxy is ...  It also doesn't offer
> load-balancing,


Not true; see 

I've used this recently (with mod_proxy_ajp) and it worked fine. :-)

FWIW,
--
Hassan Schroeder  [EMAIL PROTECTED]




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-07 Thread dfelicia

> As far as I have seen there is no SSL support for AJP/1.3 - the traffic is in
> clear between the Apache and tomcat using mod_jk.
>
> I guess with apache 2 you can use mod_proxy and ssl to a tomcat using the
> http connector with ssl.

Thanks for the reply, Fred.  I feared that was the answer.  The problem with
mod_proxy is that it doesn't perform as well.  It also doesn't offer
load-balancing, connection pooling, etc.



Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-07 Thread fredk2

hi:

As far as I have seen there is no SSL support for AJP/1.3 - the traffic is in
clear between the Apache and tomcat using mod_jk.

I guess with apache 2 you can use mod_proxy and ssl to a tomcat using the
http connector with ssl.

If you have apache and tomcat on separate servers you might have to look at
stunnel to encrypt the traffic.

Fred


Martin Gainty wrote:
> 
> unless of course the Cert is self-signed with keytool
> I would remove all the certs from classpath and start with a 'True
> Certificate' signed by Verisign or Thawte
> 
> M-
> - Original Message - 
> From: "dfelicia" <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, December 07, 2006 2:46 PM
> Subject: Is this possible? mod_jk <==SSL==> AJP/1.3
> 
> 
>> 
>> Can traffic between mod_jk and Tomcat's AJP connector be encrypted
>> (without
>> using ssh/stunnel)?
>> 
>> I see SSL mentioned in the doc for AJP, but it's clear as mud: 
>> http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
>> 
>> So, in Apache, I am using SSL and mod_jk.  I set these parameters per the
>> mod_jk doc:
>> 
>> # JkOptions indicate to send SSL KEY SIZE,
>> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>> JkExtractSSL On
>> # What is the indicator for SSL (default is HTTPS)
>> JkHTTPSIndicator HTTPS
>> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>> JkSESSIONIndicator SSL_SESSION_ID
>> # What is the indicator for client SSL cipher suit (default is
>> SSL_CIPHER)
>> JkCIPHERIndicator SSL_CIPHER
>> # What is the indicator for the client SSL certificated (default is
>> SSL_CLIENT_CERT)
>> JkCERTSIndicator SSL_CLIENT_CERT
>> 
>> In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:
>> 
>> <Connector ... scheme="https" secure="true" clientAuth="false">
>> 
>> (mod_jk worker uses this connection)
>> 
>> It works whether I set scheme and secure or not.  Is the communication
>> encrypted?  (If so, I'd wonder how since Tomcat knows nothing of my CA's
>> public key or my keystore.)
>> 
>> What am I missing?
> 




Re: Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-07 Thread Martin Gainty
unless of course the Cert is self-signed with keytool
I would remove all the certs from classpath and start with a 'True Certificate' 
signed by Verisign or Thawte

M-
- Original Message - 
From: "dfelicia" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 07, 2006 2:46 PM
Subject: Is this possible? mod_jk <==SSL==> AJP/1.3


> 
> Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without
> using ssh/stunnel)?
> 
> I see SSL mentioned in the doc for AJP, but it's clear as mud: 
> http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
> 
> So, in Apache, I am using SSL and mod_jk.  I set these parameters per the
> mod_jk doc:
> 
> # JkOptions indicate to send SSL KEY SIZE,
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> JkExtractSSL On
> # What is the indicator for SSL (default is HTTPS)
> JkHTTPSIndicator HTTPS
> # What is the indicator for SSL session (default is SSL_SESSION_ID)
> JkSESSIONIndicator SSL_SESSION_ID
> # What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
> JkCIPHERIndicator SSL_CIPHER
> # What is the indicator for the client SSL certificated (default is
> SSL_CLIENT_CERT)
> JkCERTSIndicator SSL_CLIENT_CERT
> 
> In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:
> 
> <Connector ... scheme="https" secure="true" clientAuth="false">
> 
> (mod_jk worker uses this connection)
> 
> It works whether I set scheme and secure or not.  Is the communication
> encrypted?  (If so, I'd wonder how since Tomcat knows nothing of my CA's
> public key or my keystore.)
> 
> What am I missing?

Is this possible? mod_jk <==SSL==> AJP/1.3

2006-12-07 Thread dfelicia

Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without
using ssh/stunnel)?

I see SSL mentioned in the doc for AJP, but it's clear as mud: 
http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html

So, in Apache, I am using SSL and mod_jk.  I set these parameters per the
mod_jk doc:

# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificated (default is
SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT

In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:

<Connector ... scheme="https" secure="true" clientAuth="false">

(mod_jk worker uses this connection)

It works whether I set scheme and secure or not.  Is the communication
encrypted?  (If so, I'd wonder how since Tomcat knows nothing of my CA's
public key or my keystore.)

What am I missing?
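The answer the thread converges on (Fred's, Bill's and Martin's replies: the AJP/1.3 link carries no encryption, and JkExtractSSL plus scheme="https" secure="true" only tell Tomcat about the browser's TLS session) can be seen directly in the bytes mod_jk puts on the wire. The following is an added example, written for this page and not code from the thread, from Tomcat or from mod_jk: a Python decoder for the AJP/1.3 forward-request packet, following the packet layout in the Tomcat AJP protocol reference, plus a small encoder used only to construct sample packets. Every value in the samples (hostnames, cookie, credentials, cipher name, session id) is made up; the attribute and header codes are the protocol's own.

```python
import struct

# AJP/1.3 forward request layout, per the Tomcat AJP protocol reference.
AJP_MAGIC = b"\x12\x34"     # web server -> container packets start with 0x12 0x34
FORWARD_REQUEST = 0x02      # prefix code of a forward request
GET = 2                     # method code
HEADER_CODES = {0xA005: "authorization", 0xA009: "cookie", 0xA00B: "host", 0xA00E: "user-agent"}
ATTR_CODES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
              0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
              0x09: "ssl_session", 0x0A: "req_attribute", 0x0B: "ssl_key_size",
              0x0C: "secret", 0x0D: "stored_method"}
SSL_ATTRS = {"ssl_cert", "ssl_cipher", "ssl_session", "ssl_key_size"}  # what JkExtractSSL forwards

def _ajp_string(text):
    """AJP string: 2-byte length, bytes, NUL terminator; length 0xFFFF encodes null."""
    if text is None:
        return b"\xff\xff"
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_forward_request(uri, is_ssl, headers, attributes):
    """Encode a GET forward request as mod_jk lays it out on the wire.
    Here only to construct the sample packets below; every value is made up."""
    body = bytes([FORWARD_REQUEST, GET]) + _ajp_string("HTTP/1.1") + _ajp_string(uri)
    body += _ajp_string("203.0.113.9") + _ajp_string(None)           # remote_addr, remote_host
    body += _ajp_string("www.example.test") + struct.pack(">H", 443 if is_ssl else 80)
    body += bytes([1 if is_ssl else 0]) + struct.pack(">H", len(headers))  # is_ssl, num_headers
    for code, value in headers:
        body += struct.pack(">H", code) + _ajp_string(value)         # 0xA0xx coded header name
    for code, value in attributes:                                   # ssl_key_size is an integer
        body += bytes([code]) + (struct.pack(">H", value) if code == 0x0B else _ajp_string(value))
    body += b"\xff"                                                  # end-of-attributes marker
    return AJP_MAGIC + struct.pack(">H", len(body)) + body

class _Reader:
    """Sequential reader over the packet payload."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        self.pos += n + 1                                            # payload plus the NUL
        return self.data[self.pos - n - 1:self.pos - 1].decode("latin-1")

def parse_forward_request(packet):
    """Decode a forward request into a dict; anything else raises ValueError."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("not a web-server-to-container AJP packet")
    r = _Reader(packet[4:4 + struct.unpack_from(">H", packet, 2)[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": r.byte(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        # A header name is either a 0xA0xx code or a plain AJP string.
        name = HEADER_CODES.get(r.u16(), "unknown") if r.data[r.pos] == 0xA0 else r.string()
        req["headers"][name] = r.string()
    while (code := r.byte()) != 0xFF:
        name = ATTR_CODES.get(code, "unknown")
        if name == "req_attribute":
            name = r.string()                                        # free-form name/value pair
        req["attributes"][name] = r.u16() if name == "ssl_key_size" else r.string()
    return req

def cleartext_exposure(packet):
    """What a passive observer of the Apache <-> Tomcat link reads from one request.
    Nothing is encrypted: is_ssl and the forwarded SSL attributes describe the
    browser's TLS session; they do not protect this hop."""
    req = parse_forward_request(packet)
    return {"is_ssl_flag": req["is_ssl"],
            "forwarded_ssl_attributes": sorted(set(req["attributes"]) & SSL_ATTRS),
            "cookie_visible": "cookie" in req["headers"],
            "authorization_visible": "authorization" in req["headers"]}

# Constructed samples (hostnames, cookie, credentials, cipher and session id are made up):
# the same request behind a TLS-terminating Apache with JkExtractSSL On, and behind plain HTTP.
TLS_FRONTED_PACKET = build_forward_request(
    "/app/account", True,
    [(0xA00B, "www.example.test"), (0xA009, "JSESSIONID=CONSTRUCTED0123"),
     (0xA005, "Basic Y29uc3RydWN0ZWQ6c2FtcGxl")],
    [(0x08, "AES256-SHA"), (0x09, "constructedsslsessionid"), (0x0B, 256)])
PLAIN_PACKET = build_forward_request(
    "/app/account", False, [(0xA00B, "www.example.test"), (0xA009, "JSESSIONID=CONSTRUCTED0123")], [])

if __name__ == "__main__":
    for label, pkt in (("TLS-fronted", TLS_FRONTED_PACKET), ("plain", PLAIN_PACKET)):
        print(label, cleartext_exposure(pkt))
```

Running it shows the same picture for both samples: the session cookie and Authorization header are readable as plain strings, and in the TLS-fronted case the `is_ssl` byte and the `ssl_cipher`/`ssl_session`/`ssl_key_size` attributes are simply extra plain fields. That is exactly why `secure="true"` on the connector changes only what `request.isSecure()` reports, not what travels between Apache and Tomcat, and why the mitigations on a hop that crosses an untrusted network are the ones Fred names (stunnel, or an SSL-enabled HTTP connector behind mod_proxy) rather than any mod_jk or connector attribute. The `secret` attribute (0x0C) in the same table is a shared password that authenticates the web server to Tomcat; it is not encryption and would itself be readable on this link.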