Re: Secure AJP over ssl
Or it could be in the world of outsourcing you have a giant pool of 1st, 2nd, and 3rd level support who are offshore which need access to perform basic troubleshooting before escalation. And 90% of them have no idea they have access but getting them access when they would need it becomes a giant hassle. But since everyone is on the ACL - it's secure :)

-Tim

On 2/23/2011 2:44 PM, Mladen Turk wrote:
> On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>>> encrypting the data transfer between those boxes cause you can just
>>> as well make sure the proper persons have the network access.
>>
>> That list includes 78 people.
>
> You mean 78 people monitor your network for trouble or you have your
> production servers in the same network segment as your local intranet?
> Cannot tell which one is worse :)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Secure AJP over ssl
On 02/22/2011 11:23 PM, Jason Pyeron wrote:
> That is a naive view. [Please forgive the wording.]

None taken.

> Given:
> 1) The Apache box is secure and login is restricted to the minimum set
> of persons with a need to know.
> 2) The Tomcat box is secure and login is restricted to the minimum set
> of persons with a need to know.
>
> There is no reason to allow the set of persons capable (and sometimes
> authorized) to inspect the data on a network (network operations) to
> be able to inspect the unsecured contents of the data stream. That
> would be a breach of security and law.

I was just waiting for you to mention that :)
What do you think happens when encrypted data from the client comes in and is encrypted again and sent to the client? It's unencrypted in memory and anyone with access to the box can just inspect the content of the httpd process in the same way it can read the data on the socket. So since the persons who are authorized to log in to the Apache and Tomcat box have the option to view the data, your entire security is still human based.

That's why I see no point in encrypting the data transfer between those boxes cause you can just as well make sure the proper persons have the network access. However I can live with the 'law' reason, but that doesn't mean it's secure just because the 'law' says it is.

Cheers
-- 
^TM
Re: Secure AJP over ssl
Mladen,

On 2/23/2011 3:00 AM, Mladen Turk wrote:
> What do you think happens when encrypted data from the client comes in
> and is encrypted again and sent to the client? It's unencrypted in
> memory and anyone with access to the box can just inspect the content
> of the httpd process in the same way it can read the data on the
> socket. So since the persons who are authorized to log in to the Apache
> and Tomcat box have the option to view the data, your entire security
> is still human based.

I think he's talking about network sniffing (like another node on the network operating in promiscuous mode), not an untrusted box administrator.

> That's why I see no point in encrypting the data transfer between
> those boxes cause you can just as well make sure the proper persons
> have the network access.

I certainly agree with this.

Anyhow, to answer the OP's question, there are really three options:

1. SSH tunnel
2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if necessary while ssh generally won't).
3. Switch to mod_proxy_http and use an https:// URL with Mark's indicated settings.

These options are roughly in order of performance from best to worst: setting up an HTTPS connection is expensive and I'm not entirely sure how mod_proxy_http does connections, but I suspect it creates and tears down for each request (i.e. no keepalives, or at least limited ones). Encrypted VPNs are simply more complicated than an SSH tunnel and require slightly more overhead. An SSH tunnel is dead simple and only negotiates a symmetric key once at connect time (okay, and then re-negotiates at intervals) but lacks the robustness of a VPN.

-chris
Re: Secure AJP over ssl
On 23/02/2011 15:32, Christopher Schultz wrote:
> Mladen,
>
> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>> What do you think happens when encrypted data from the client comes in
>> and is encrypted again and sent to the client? It's unencrypted in
>> memory and anyone with access to the box can just inspect the content
>> of the httpd process in the same way it can read the data on the
>> socket. So since the persons who are authorized to log in to the
>> Apache and Tomcat box have the option to view the data, your entire
>> security is still human based.
>
> I think he's talking about network sniffing (like another node on the
> network operating in promiscuous mode), not an untrusted box
> administrator.
>
>> That's why I see no point in encrypting the data transfer between
>> those boxes cause you can just as well make sure the proper persons
>> have the network access.
>
> I certainly agree with this.
>
> Anyhow, to answer the OP's question, there are really three options:
>
> 1. SSH tunnel
> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>    necessary while ssh generally won't).
> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>    indicated settings.
>
> These options are roughly in order of performance from best to worst:
> setting up an HTTPS connection is expensive and I'm not entirely sure
> how mod_proxy_http does connections, but I suspect it creates and tears
> down for each request (i.e. no keepalives, or at least limited ones).
> Encrypted VPNs are simply more complicated than an SSH tunnel and
> require slightly more overhead. An SSH tunnel is dead simple and only
> negotiates a symmetric key once at connect time (okay, and then
> re-negotiates at intervals) but lacks the robustness of a VPN.

I disagree with that assessment. mod_proxy_http is by far the simplest way to go and it does use keep-alive.

Mark
Re: Secure AJP over ssl
Mark,

On 2/23/2011 10:36 AM, Mark Thomas wrote:
> On 23/02/2011 15:32, Christopher Schultz wrote:
>> Mladen,
>>
>> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>>> What do you think happens when encrypted data from the client comes
>>> in and is encrypted again and sent to the client? It's unencrypted
>>> in memory and anyone with access to the box can just inspect the
>>> content of the httpd process in the same way it can read the data on
>>> the socket. So since the persons who are authorized to log in to the
>>> Apache and Tomcat box have the option to view the data, your entire
>>> security is still human based.
>>
>> I think he's talking about network sniffing (like another node on the
>> network operating in promiscuous mode), not an untrusted box
>> administrator.
>>
>>> That's why I see no point in encrypting the data transfer between
>>> those boxes cause you can just as well make sure the proper persons
>>> have the network access.
>>
>> I certainly agree with this.
>>
>> Anyhow, to answer the OP's question, there are really three options:
>>
>> 1. SSH tunnel
>> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>>    necessary while ssh generally won't).
>> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>>    indicated settings.
>>
>> These options are roughly in order of performance from best to worst:
>> setting up an HTTPS connection is expensive and I'm not entirely sure
>> how mod_proxy_http does connections, but I suspect it creates and
>> tears down for each request (i.e. no keepalives, or at least limited
>> ones). Encrypted VPNs are simply more complicated than an SSH tunnel
>> and require slightly more overhead. An SSH tunnel is dead simple and
>> only negotiates a symmetric key once at connect time (okay, and then
>> re-negotiates at intervals) but lacks the robustness of a VPN.
>
> I disagree with that assessment. mod_proxy_http is by far the simplest
> way to go and it does use keep-alive.

Good to know that mod_proxy_http uses keepalive. I was recommending the others since the OP seems wedded to AJP.

Also, if there is any other traffic to encrypt (JDBC, etc.) the VPN would handle that, too.

-chris
RE: Secure AJP over ssl
> -----Original Message-----
> From: Mladen Turk [mailto:mt...@apache.org]
> Sent: Wednesday, February 23, 2011 3:01
> To: users@tomcat.apache.org
> Subject: Re: Secure AJP over ssl
>
> On 02/22/2011 11:23 PM, Jason Pyeron wrote:
>> That is a naive view. [Please forgive the wording.]
>
> None taken.
>
>> Given:
>> 1) The Apache box is secure and login is restricted to the minimum set
>> of persons with a need to know.
>> 2) The Tomcat box is secure and login is restricted to the minimum set
>> of persons with a need to know.
>>
>> There is no reason to allow the set of persons capable (and sometimes
>> authorized) to inspect the data on a network (network operations) to
>> be able to inspect the unsecured contents of the data stream. That
>> would be a breach of security and law.
>
> I was just waiting for you to mention that :)
> What do you think happens when encrypted data from the client comes in
> and is encrypted again and sent to the client? It's unencrypted in
> memory and anyone with access to the box can just inspect the content
> of the httpd process in the same way it can read the data on the
> socket. So since the persons who are authorized to log in to the Apache
> and Tomcat box have the option to view the data, your entire security
> is still human based. That's why I see no point in

Yes, the list includes 4 people.

> encrypting the data transfer between those boxes cause you can just as
> well make sure the proper persons have the network access.

That list includes 78 people.

> However I can live with the 'law' reason, but that doesn't mean it's
> secure just because the 'law' says it is.

I see it as there is no excuse not to encrypt it when it crosses security domain boundaries.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -                                                             -
- Jason Pyeron                  PD Inc. http://www.pdinc.us     -
- Principal Consultant          10 West 24th Street #100        -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218       -
- -                                                             -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
RE: Secure AJP over ssl
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, February 23, 2011 10:38
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> Mark,
>
> On 2/23/2011 10:36 AM, Mark Thomas wrote:
>> On 23/02/2011 15:32, Christopher Schultz wrote:
>>> Mladen,
>>>
>>> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>>>> What do you think happens when encrypted data from the client comes
>>>> in and is encrypted again and sent to the client? It's unencrypted
>>>> in memory and anyone with access to the box can just inspect the
>>>> content of the httpd process in the same way it can read the data
>>>> on the socket. So since the persons who are authorized to log in to
>>>> the Apache and Tomcat box have the option to view the data, your
>>>> entire security is still human based.
>>>
>>> I think he's talking about network sniffing (like another node on
>>> the network operating in promiscuous mode), not an untrusted box
>>> administrator.
>>>
>>>> That's why I see no point in encrypting the data transfer between
>>>> those boxes cause you can just as well make sure the proper persons
>>>> have the network access.
>>>
>>> I certainly agree with this.
>>>
>>> Anyhow, to answer the OP's question, there are really three options:
>>>
>>> 1. SSH tunnel

I think I am going to use stunnel in xinetd.

>>> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>>>    necessary while ssh generally won't).
>>> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>>>    indicated settings.

I am glad to have this cleared up.

>>> These options are roughly in order of performance from best to
>>> worst: setting up an HTTPS connection is expensive and I'm not
>>> entirely sure how mod_proxy_http does connections, but I suspect it
>>> creates and tears down for each request (i.e. no keepalives, or at
>>> least limited ones). Encrypted VPNs are simply more complicated than
>>> an SSH tunnel and require slightly more overhead. An SSH tunnel is
>>> dead simple and only negotiates a symmetric key once at connect time
>>> (okay, and then re-negotiates at intervals) but lacks the robustness
>>> of a VPN.
>>
>> I disagree with that assessment. mod_proxy_http is by far the
>> simplest way to go and it does use keep-alive.
>
> Good to know that mod_proxy_http uses keepalive. I was recommending
> the others since the OP seems wedded to AJP.
>
> Also, if there is any other traffic to encrypt (JDBC, etc.) the VPN
> would handle that, too.

It is not that I am wedded to any particular implementation, it is just each change requires board approval.

A change for reconfiguring the enabled modules in apache. [we can skip this if we stay with mod_proxy_ajp, as it was already approved]
A change for opening up a port on the apache box
Re: Secure AJP over ssl
On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>> encrypting the data transfer between those boxes cause you can just
>> as well make sure the proper persons have the network access.
>
> That list includes 78 people.

You mean 78 people monitor your network for trouble or you have your production servers in the same network segment as your local intranet? Cannot tell which one is worse :)

Regards
-- 
^TM
Re: Secure AJP over ssl
...
> It is not that I am wedded to any particular implementation, it is
> just each change requires board approval.
>
> A change for reconfiguring the enabled modules in apache. [we can skip
> this if we stay with mod_proxy_ajp, as it was already approved]
> A change for opening up a port on the apache box

Personally, in such a case I would see the solution with an SSH or VPN tunnel as much simpler to put in place, and requiring much less opening of ports.

You have 2 machines: A running httpd, B running Tomcat.
In machine A, you have a mod_jk setup which says something like

  worker.worker1.host=machineB.mydomain.com
  worker.worker1.port=8009

So let's say you change this to

  worker.worker1.host=localhost
  worker.worker1.port=8009

and you set up an SSH or VPN tunnel on localhost, listening on port 8009 and accepting connections only from localhost. This tunnel connects to machine B, where the receiving end forwards the data to localhost:8009 on B.

On machine A, you have not opened an additional port (at least not one accessible from outside of machine A). On machine B, in all likelihood the SSH port is already open (and if not, you could have it listen on an arbitrary port, but accepting connections only from machine A).

All the changes are transparent to Apache (apart from the above 1 line) and to Tomcat (entirely). And you save yourself the hassle in setting up mod_proxy_http on Apache, and a HTTPS Connector on Tomcat, with all the baggage attached to it. And you may save yourself changes in your authentication setup, since it will continue to use AJP and pass the user credentials as it does right now.
Re: Secure AJP over ssl
Mladen Turk wrote:
> On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>>> encrypting the data transfer between those boxes cause you can just
>>> as well make sure the proper persons have the network access.
>>
>> That list includes 78 people.
>
> You mean 78 people monitor your network for trouble ...

I don't see what is so surprising there. We are 3 developers in my company, and whenever we want to install a piece of software at some of our customers, that is just about the number of people we have to deal with. ;-)
Re: Secure AJP over ssl
André,

On 2/23/2011 2:56 PM, André Warnier wrote:
> Personally, in such a case I would see the solution with an SSH or VPN
> tunnel as much simpler to put in place, and requiring much less opening
> of ports.

There's nothing that says that port 8009 has to be used for AJP: you can use HTTPS over port 8009 just as well. So, the congressional approval necessary will only need to cover the switch from mod_proxy_ajp to mod_proxy_http.

I would think you'd have to get approval for any of these actions... why not just pick the one that makes the most sense and request permission to do that?

-chris
Re: Secure AJP over ssl
Christopher Schultz wrote:
> André,
>
> On 2/23/2011 2:56 PM, André Warnier wrote:
>> Personally, in such a case I would see the solution with an SSH or
>> VPN tunnel as much simpler to put in place, and requiring much less
>> opening of ports.
>
> There's nothing that says that port 8009 has to be used for AJP: you
> can use HTTPS over port 8009 just as well. So, the congressional
> approval necessary will only need to cover the switch from
> mod_proxy_ajp to mod_proxy_http.
>
> I would think you'd have to get approval for any of these actions...
> why not just pick the one that makes the most sense and request
> permission to do that?

My mistake. I thought, incorrectly, that the OP was using mod_jk as a connector right now, and the tunnel solution then looked simpler with respect to the (lack of) configuration changes required in that case. But if he is using mod_proxy_ajp now, then the situation is reversed.
RE: Secure AJP over ssl
> -----Original Message-----
> From: Mladen Turk [mailto:mt...@apache.org]
> Sent: Tuesday, February 22, 2011 1:20
> To: users@tomcat.apache.org
> Subject: Re: Secure AJP over ssl
>
> On 02/21/2011 10:31 PM, Jason Pyeron wrote:
>> Does (or could) tomcat 5.5 support encrypted AJP?
>>
>> The frontend apache will be on a different host than the tomcat
>> server. It is required that the communications are encrypted.
>
> I would suggest you reconsider your security requirements.

Cordially, no.

> Unless your frontend and backend are on different continents the best
> way to fight wire tapping (only reason why would you

Yes. You hit the nail on the head, besides being required by law.

> secure the communication at the first place) is much better done with
> securing your infrastructure.

That is a naive view. [Please forgive the wording.]

Given:
1) The Apache box is secure and login is restricted to the minimum set of persons with a need to know.
2) The Tomcat box is secure and login is restricted to the minimum set of persons with a need to know.

There is no reason to allow the set of persons capable (and sometimes authorized) to inspect the data on a network (network operations) to be able to inspect the unsecured contents of the data stream. That would be a breach of security and law.

-Jason
Re: Secure AJP over ssl
On 21/02/2011 22:28, Jason Pyeron wrote:
> Where are the docs for certificate chaining with mod_proxy? I have not
> found any.

Unhelpfully, the comments in the relevant class aren't in Javadoc format. Grr. That will be fixed shortly.

In the meantime, add the following to your SSL virtual host in httpd:

  RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}s
  RequestHeader set SSL_CIPHER %{SSL_CIPHER}s
  RequestHeader set SSL_SESSION_ID %{SSL_SESSION_ID}s
  RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}s

And add the SSLValve to the Engine element in server.xml

Mark
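As an added example (not configuration from the thread or from the Tomcat project), this is what the httpd side of Mark's option can look like in full: an SSL virtual host that asks the browser for a client certificate, forwards the four values SSLValve reads, and proxies to Tomcat over HTTPS with mod_proxy_http while verifying Tomcat's certificate. The hostnames, certificate paths and the choice of 8009 as the Tomcat HTTPS port are assumptions.

```apache
# Added example, not from the thread. Assumes mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers are loaded; all names and paths are
# placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Ask browsers for a client certificate (assumed: the application
    # relies on client certs, as the thread says). "optional" lets
    # requests without a cert through so the application can decide.
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient       optional
    SSLVerifyDepth        2

    # Export the PEM client certificate into the request environment;
    # without +ExportCertData the SSL_CLIENT_CERT variable stays empty.
    SSLOptions            +StdEnvVars +ExportCertData

    # Forward exactly the values SSLValve reads on the Tomcat side.
    # "set" overwrites any header of the same name sent by the client,
    # so a browser cannot inject its own SSL_CLIENT_CERT through httpd.
    RequestHeader set SSL_CLIENT_CERT       "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CIPHER            "%{SSL_CIPHER}s"
    RequestHeader set SSL_SESSION_ID        "%{SSL_SESSION_ID}s"
    RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

    # Encrypt the hop to Tomcat and verify Tomcat's certificate against
    # the CA that issued it, so the back-end link resists both sniffing
    # and impersonation of the Tomcat host.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/pki/tls/certs/tomcat-ca.crt
    SSLProxyCheckPeerCN       on

    ProxyRequests     Off
    ProxyPreserveHost On
    # The port AJP used can carry HTTPS just as well, so no new port
    # has to be opened between the two hosts.
    ProxyPass        / https://tomcat.internal.example.com:8009/
    ProxyPassReverse / https://tomcat.internal.example.com:8009/
</VirtualHost>
```

On the Tomcat side this pairs with `<Valve className="org.apache.catalina.valves.SSLValve" />` under the Engine, as Mark says; because the valve trusts whatever SSL_* headers reach it, the HTTPS connector should accept connections only from the httpd host (firewall rule or a RemoteAddrValve), since anything that can reach the connector directly could otherwise present its own SSL_CLIENT_CERT header.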
Re: Secure AJP over ssl
On 21/02/2011 22:19, Jason Pyeron wrote:
>> -----Original Message-----
>> From: Mark Thomas
>> Sent: Monday, February 21, 2011 17:15
>> To: Tomcat Users List
>> Subject: Re: Secure AJP over ssl
>>
>> On 21/02/2011 21:31, Jason Pyeron wrote:
>>> Does (or could) tomcat 5.5 support encrypted AJP?
>>
>> No.
>>
>>> Would I be best off using stunnel?
>>
>> Also, no. Use mod_proxy_http and proxy over https.
>
> Then we would lose the is_secure handling of AJP, as well as the
> client certificates of the web application clients. That is the
> purpose of mod_proxy_ajp, among others.

No you wouldn't. That all works (with a little more configuration) with mod_proxy_http.

Mark
RE: Secure AJP over ssl
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, February 21, 2011 17:26
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> On 21/02/2011 22:19, Jason Pyeron wrote:
>>> -----Original Message-----
>>> From: Mark Thomas
>>> Sent: Monday, February 21, 2011 17:15
>>> To: Tomcat Users List
>>> Subject: Re: Secure AJP over ssl
>>>
>>> On 21/02/2011 21:31, Jason Pyeron wrote:
>>>> Does (or could) tomcat 5.5 support encrypted AJP?
>>>
>>> No.
>>>
>>>> Would I be best off using stunnel?
>>>
>>> Also, no. Use mod_proxy_http and proxy over https.
>>
>> Then we would lose the is_secure handling of AJP, as well as the
>> client certificates of the web application clients. That is the
>> purpose of mod_proxy_ajp, among others.
>
> No you wouldn't. That all works (with a little more configuration)
> with mod_proxy_http.

Where are the docs for certificate chaining with mod_proxy? I have not found any.
Re: Secure AJP over ssl
On 21/02/2011 21:31, Jason Pyeron wrote:
> Does (or could) tomcat 5.5 support encrypted AJP?

No.

> Would I be best off using stunnel?

Also, no. Use mod_proxy_http and proxy over https.

Mark
RE: Secure AJP over ssl
> -----Original Message-----
> From: Mark Thomas
> Sent: Monday, February 21, 2011 17:15
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> On 21/02/2011 21:31, Jason Pyeron wrote:
>> Does (or could) tomcat 5.5 support encrypted AJP?
>
> No.
>
>> Would I be best off using stunnel?
>
> Also, no. Use mod_proxy_http and proxy over https.

Then we would lose the is_secure handling of AJP, as well as the client certificates of the web application clients. That is the purpose of mod_proxy_ajp, among others.
Re: Secure AJP over ssl
On 02/21/2011 10:31 PM, Jason Pyeron wrote:
> Does (or could) tomcat 5.5 support encrypted AJP?
>
> The frontend apache will be on a different host than the tomcat
> server. It is required that the communications are encrypted.

I would suggest you reconsider your security requirements. Unless your frontend and backend are on different continents, the best way to fight wire tapping (the only reason why you would secure the communication in the first place) is much better done by securing your infrastructure.

Regards
-- 
^TM