Re: Encryption of Tomcat AJP

2022-05-19 Thread Christopher Schultz

Brian,

On 5/19/22 10:29, Brian Eller wrote:

> My vendor supports AJP but, I don't know if they support
> mod_http_proxy.  This is an embedded version of Tomcat 8.5 that is
> tightly coupled with the vendor's software and is an installed
> subcomponent from the vendor.


Well, have a look at the facts:

1. Your vendor definitely supports AJP
2. Your cybersecurity group says you definitely need to encrypt that 
connection

3. AJP doesn't support encryption

So you have a couple of options:

1. Encrypt AJP yourself. Your options are:
  a. IPsec or similar/VPN
  b. stunnel / ssh tunnel
2. Switch to another protocol (i.e. HTTPS)
3. Switch to a different vendor

Which of those would work out best for you?

Another option on the list is:

4. Make this your vendor's problem, since they are the one wanting to 
use AJP


This may be helpful to provide to your vendor:
https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

Hope that helps,
-chris


-Original Message-
From: Mark H. Wood 
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP

On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:

CONFIDENTIAL & RESTRICTED

From: Mark Thomas 
Subject: Re: Encryption of Tomcat AJP


On 19/05/2022 01:32, Brian Eller wrote:

TRADING PARTNER

Hello,

  I am working on a Tomcat install embedded inside a vendor 
product that uses Apache to pass traffic to Tomcat.  My cyber security group is 
asking if we can encrypt all connections.  Can the mod_jk protocol, AJP, be 
encrypted?


No, AJP does not support encryption.

If you want to encrypt traffic between the reverse proxy and the embedded 
Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
HTTPS. This requires a little more configuration to get things working.

The main thing to keep in mind is to make sure that the Tomcat instance 
correctly identifies whether the client connection to the reverse proxy was 
over HTTP or HTTPS.

Mark


I totally agree this is an existing and sufficient mechanism already available. 
And I see it popping up in more and more locations.
But as you point out there are some caveats that potentially open security 
risks. On the contrary AJP - maybe because it cannot be configured with 
encryption - looks simple and straightforward.

Would it make sense to create a solution with less caveats and up to date 
security requirements?


If the OP's cyber security group insists, then maybe they would care to give 
him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
NOTICE: This communication is from Guidehouse Inc. or one of its subsidiaries. 
The details of the sender are listed above. This email, including any 
attachments, is meant only for the intended recipient of the transmission and 
may contain confidential and/or privileged material. If you received this email 
in error, any review, distribution, dissemination or other use of this 
information is strictly prohibited. Please notify the sender immediately by 
return email and delete the messages from your systems. In addition, this 
communication is subject to, and incorporates by reference, additional 
disclaimers found in the “Disclaimers” section at www.guidehouse.com.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






RE: Encryption of Tomcat AJP

2022-05-19 Thread jonmcalexander
> -Original Message-
> From: Brian Eller 
> Sent: Thursday, May 19, 2022 9:29 AM
> To: Tomcat Users List 
> Subject: RE: Encryption of Tomcat AJP
> 
> TRADING PARTNER
> 
> Thank you Mark,
> 
> My vendor supports AJP but, I don't know if they support
> mod_http_proxy.  This is an embedded version of Tomcat 8.5 that is tightly
> coupled with the vendor's software and is an installed subcomponent from
> the vendor.
> 
> 
> Brian Eller  |  Senior System Administrator bel...@guidehouse.com
> 
> Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
> 1200 South College Avenue, Suite 210 | Fort Collins, CO 80524 AceInfo is now
> a Guidehouse company
> 
> -Original Message-
> From: Mark H. Wood 
> Sent: Thursday, May 19, 2022 6:12 AM
> To: users@tomcat.apache.org
> Subject: Re: Encryption of Tomcat AJP
> 
> On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> > CONFIDENTIAL & RESTRICTED
> >
> > From: Mark Thomas 
> > Subject: Re: Encryption of Tomcat AJP
> >
> > >On 19/05/2022 01:32, Brian Eller wrote:
> > >> TRADING PARTNER
> > >>
> > >> Hello,
> > >>
> > >>  I am working on a Tomcat install embedded inside a 
> > >> vendor
> product that uses Apache to pass traffic to Tomcat.  My cyber security group
> is asking if we can encrypt all connections.  Can the mod_jk protocol, AJP,
> be encrypted?
> > >
> > >No, AJP does not support encryption.
> > >
> > >If you want to encrypt traffic between the reverse proxy and the
> embedded Tomcat instance I'd recommend using mod_proxy_http and
> proxy everything over HTTPS. This requires a little more configuration to get
> things working.
> > >
> > >The main thing to keep in mind is to make sure that the Tomcat instance
> correctly identifies whether the client connection to the reverse proxy was
> over HTTP or HTTPS.
> > >
> > >Mark
> >
> > I totally agree this is an existing and sufficient mechanism already 
> > available.
> And I see it popping up in more and more locations.
> > But as you point out there are some caveats that potentially open security
> risks. On the contrary AJP - maybe because it cannot be configured with
> encryption - looks simple and straightforward.
> >
> > Would it make sense to create a solution with less caveats and up to date
> security requirements?
> 
> If the OP's cyber security group insists, then maybe they would care to give
> him their requirements and suggestions for setting up IPSEC.
> 
> --
> Mark H. Wood
> Lead Technology Analyst
> 
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
> 
> 

Another thing to consider. If your Apache HTTPD server, or even IIS web server, 
is co-hosted on the same server, set up AJP to listen and communicate on 
localhost (127.0.0.1) and you shouldn't have to even think about encryption at 
that point. Another possibility would be to route the traffic over a secure VPN 
between the servers, but that may be a costly alternative.

Otherwise, I agree with Mark and go with MOD-PROXY over HTTPS.

Just my .02 worth.



Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO |
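Jon's loopback suggestion, written out as a Tomcat server.xml fragment. This is an added example for this page, not configuration from the thread or from the Tomcat project, and it assumes httpd and Tomcat share one host and that the shared secret is passed in as the system property `ajp.secret`. The weak form is left in a comment next to the hardened one; `secretRequired`/`secret` exist from Tomcat 8.5.51 onward, so on an older 8.5 build only the `address` binding applies.

```xml
<!-- server.xml fragment (added example, not from the thread or the Tomcat project).
     Assumes: httpd and Tomcat run on the same host; the shared secret is
     supplied as -Dajp.secret=... (system property, expanded by Tomcat). -->

<!-- Weak form for comparison: bound to every interface and accepting any
     AJP client, so the cleartext hop is reachable from the network:
     <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secretRequired="false" />
-->

<!-- Hardened form: AJP stays on the loopback interface, so the unencrypted
     hop never leaves the host. secretRequired/secret (Tomcat 8.5.51 and later)
     make Tomcat reject any AJP connection that does not present the same
     secret as the proxy, which limits what a local process could do with
     the port. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="${ajp.secret}"
           redirectPort="8443" />
```

The proxy has to present the same secret: mod_proxy_ajp takes it as the `secret=` parameter on `ProxyPass` (httpd 2.4.42 and later), and mod_jk as the `secret` property of the worker in workers.properties. After a restart, confirm with the host's socket listing that port 8009 is bound to 127.0.0.1 only and is not reachable from another machine.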

RE: Encryption of Tomcat AJP

2022-05-19 Thread Brian Eller
TRADING PARTNER

Thank you Mark,

My vendor supports AJP but, I don't know if they support 
mod_http_proxy.  This is an embedded version of Tomcat 8.5 that is tightly 
coupled with the vendor's software and is an installed subcomponent from the 
vendor.


Brian Eller  |  Senior System Administrator bel...@guidehouse.com

Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
1200 South College Avenue, Suite 210 | Fort Collins, CO 80524 AceInfo is now a 
Guidehouse company

-Original Message-
From: Mark H. Wood 
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP

On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas 
> Subject: Re: Encryption of Tomcat AJP
>
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >>  I am working on a Tomcat install embedded inside a vendor 
> >> product that uses Apache to pass traffic to Tomcat.  My cyber security 
> >> group is asking if we can encrypt all connections.  Can the mod_jk 
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded 
> >Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance 
> >correctly identifies whether the client connection to the reverse proxy was 
> >over HTTP or HTTPS.
> >
> >Mark
>
> I totally agree this is an existing and sufficient mechanism already 
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security 
> risks. On the contrary AJP - maybe because it cannot be configured with 
> encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with less caveats and up to date 
> security requirements?

If the OP's cyber security group insists, then maybe they would care to give 
him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu



Re: Encryption of Tomcat AJP

2022-05-19 Thread Mark H. Wood
On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
> 
> From: Mark Thomas 
> Subject: Re: Encryption of Tomcat AJP
> 
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >>  I am working on a Tomcat install embedded inside a vendor 
> >> product that uses Apache to pass traffic to Tomcat.  My cyber security 
> >> group is asking if we can encrypt all connections.  Can the mod_jk 
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded 
> >Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance 
> >correctly identifies whether the client connection to the reverse proxy was 
> >over HTTP or HTTPS.
> >
> >Mark
> 
> I totally agree this is an existing and sufficient mechanism already 
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security 
> risks. On the contrary AJP - maybe because it cannot be configured with 
> encryption - looks simple and straightforward.
> 
> Would it make sense to create a solution with less caveats and up to date 
> security requirements?

If the OP's cyber security group insists, then maybe they would care
to give him their requirements and suggestions for setting up IPSEC.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




RE: Encryption of Tomcat AJP

2022-05-19 Thread Hiran CHAUDHURI
CONFIDENTIAL & RESTRICTED

From: Mark Thomas 
Subject: Re: Encryption of Tomcat AJP

>On 19/05/2022 01:32, Brian Eller wrote:
>> TRADING PARTNER
>>
>> Hello,
>>
>>  I am working on a Tomcat install embedded inside a vendor 
>> product that uses Apache to pass traffic to Tomcat.  My cyber security group 
>> is asking if we can encrypt all connections.  Can the mod_jk protocol, AJP, 
>> be encrypted?
>
>No, AJP does not support encryption.
>
>If you want to encrypt traffic between the reverse proxy and the embedded 
>Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
>HTTPS. This requires a little more configuration to get things working.
>
>The main thing to keep in mind is to make sure that the Tomcat instance 
>correctly identifies whether the client connection to the reverse proxy was 
>over HTTP or HTTPS.
>
>Mark

I totally agree this is an existing and sufficient mechanism already available. 
And I see it popping up in more and more locations.
But as you point out there are some caveats that potentially open security 
risks. On the contrary AJP - maybe because it cannot be configured with 
encryption - looks simple and straightforward.

Would it make sense to create a solution with less caveats and up to date 
security requirements?

Hiran
IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended only for the use 
of the individual or entity shown above as addressees. It may contain 
information which is privileged, confidential or otherwise protected from 
disclosure under applicable laws. If the reader of this transmission is not 
the intended recipient, you are hereby notified that any dissemination, 
printing, distribution, copying, disclosure or the taking of any action in 
reliance on the contents of this information is strictly prohibited. If you 
have received this transmission in error, please immediately notify us by reply 
e-mail or using the address below and delete the message and any attachments 
from your system. Amadeus Data Processing GmbH Geschäftsführer: Sven 
Fuhrmeister Sitz der Gesellschaft: Erding HR München 212770 Berghamer Strasse 6 
85435 Erding Germany.


Re: Encryption of Tomcat AJP

2022-05-18 Thread Mark Thomas

On 19/05/2022 01:32, Brian Eller wrote:

> TRADING PARTNER
>
> Hello,
>
>  I am working on a Tomcat install embedded inside a vendor 
> product that uses Apache to pass traffic to Tomcat.  My cyber security group is 
> asking if we can encrypt all connections.  Can the mod_jk protocol, AJP, be 
> encrypted?


No, AJP does not support encryption.

If you want to encrypt traffic between the reverse proxy and the 
embedded Tomcat instance I'd recommend using mod_proxy_http and proxy 
everything over HTTPS. This requires a little more configuration to get 
things working.


The main thing to keep in mind is to make sure that the Tomcat instance 
correctly identifies whether the client connection to the reverse proxy 
was over HTTP or HTTPS.


Mark

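Mark's recommendation above (proxy over HTTPS with mod_proxy_http, and make sure Tomcat knows whether the client reached the proxy over HTTP or HTTPS), written out as the Tomcat side of the configuration. This is an added example for this page, not configuration from the thread or from the Tomcat project. It assumes the reverse proxy is httpd at 10.0.0.1, Tomcat listens on 10.0.0.5, and the keystore password is passed in as the system property `keystore.pass`; the plain HTTP and AJP connectors are deliberately absent so the TLS hop is the only way in.

```xml
<!-- server.xml fragment (added example, not from the thread or the Tomcat project).
     Assumes: httpd reverse proxy at 10.0.0.1, Tomcat at 10.0.0.5, keystore
     password supplied as -Dkeystore.pass=... (expanded by Tomcat). -->
<Service name="Catalina">

  <!-- TLS connector the proxy talks to. No port-8080 HTTP connector and no
       AJP connector are defined, so every hop into Tomcat is encrypted. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             address="10.0.0.5"
             maxThreads="150"
             SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeystoreFile="conf/tomcat.p12"
                   certificateKeystorePassword="${keystore.pass}"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">

    <!-- The connector above is TLS, so without help Tomcat would report every
         request as secure even when the browser spoke plain HTTP to httpd.
         RemoteIpValve rewrites request.getScheme()/isSecure() and the client
         address from the proxy's headers. internalProxies is a regex: only a
         peer matching it is trusted, so a client cannot forge X-Forwarded-Proto
         by sending the header itself. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https" />

    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
      <!-- requestAttributesEnabled makes %h log the address recovered by
           RemoteIpValve rather than the proxy's; the last field logs the scheme
           header so a mismatch between client scheme and what the app sees can
           be spotted in the access log. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="proxied_access" suffix=".log"
             requestAttributesEnabled="true"
             pattern="%h %l %u %t &quot;%r&quot; %s %b %{X-Forwarded-Proto}i" />
    </Host>
  </Engine>
</Service>
```

On the httpd side the matching pieces are `SSLProxyEngine On`, a `ProxyPass` target of `https://10.0.0.5:8443/`, and `RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}` so the header reflects the scheme the client actually used and overwrites anything the client sent; `SSLProxyVerify require` with `SSLProxyCACertificateFile` and `SSLProxyCheckPeerName on` make httpd verify Tomcat's certificate rather than accept any endpoint. To check the result, request the same URL through the proxy over http:// and https:// and confirm that the application's `request.isSecure()` and the scheme in any redirect it issues follow the client's scheme, not the always-TLS proxy hop.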