Re: Is this possible? mod_jk <==SSL==> AJP/1.3
Yes. Bill's original statement is accurate if we reference http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Option 1 (Tomcat container running behind another SSL-enabled web server):

"When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself."

Option 2 (certificates): please reference this link from the certificate provider Verisign, http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/index.html, where the certificate supplies a public key to decrypt information and also supplies a private key used to decipher the key. To quote: "An SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it."

Tomcat container(s) are not doing the encrypting or decrypting in either scenario.

HTH,
M-

---
This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited.

----- Original Message -----
From: dfelicia [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Friday, December 08, 2006 11:07 PM
Subject: Re: Is this possible? mod_jk <==SSL==> AJP/1.3

> > Tomcat currently does not support encryption.
>
> Huh? Sure it does. I think you mean AJP doesn't support encryption.
>
> --
> View this message in context: http://www.nabble.com/Is-this-possibe---mod_jk-%3C%3D%3DSSL%3D%3D%3E-AJP-1.3-tf2776640.html#a7769280
> Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
Hi, although I have not tested this personally, I was told that mod_proxy (_ajp) does not have the Auto Flush option that you can set with mod_jk and thus creates problems for streaming applications. I wonder if others came across this problem?

Rgds - Fred

Hassan Schroeder-2 wrote:
> On 12/7/06, dfelicia [EMAIL PROTECTED] wrote:
> > mod_proxy is ... It also doesn't offer load-balancing,
>
> Not true; see http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html
>
> I've used this recently (with mod_proxy_ajp) and it worked fine. :-)
>
> FWIW,
> --
> Hassan Schroeder [EMAIL PROTECTED]
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
On 12/8/06, fredk2 [EMAIL PROTECTED] wrote:
> although I have not tested this personally, I was told that mod_proxy (_ajp) does not have the Auto Flush option that you can set with mod_jk and thus creates problems for streaming applications.

You might want to look at the flushpackets parameter to the ProxyPass directive: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html :-)

FWIW,
--
Hassan Schroeder [EMAIL PROTECTED]
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
Ooops - I need to spend more time reading the fine manual :-) tx for the reminder :)

Hassan Schroeder-2 wrote:
> On 12/8/06, fredk2 [EMAIL PROTECTED] wrote:
> > although I have not tested this personally, I was told that mod_proxy (_ajp) does not have the Auto Flush option that you can set with mod_jk and thus creates problems for streaming applications.
>
> You might want to look at the flushpackets parameter to the ProxyPass directive: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html :-)
>
> FWIW,
> --
> Hassan Schroeder [EMAIL PROTECTED]
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
> Not true; see http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

Interesting. I'll need to look into mod_proxy further. But what about performance? I've not tested it in a long while, but the last time I tried it was slower than mod_jk.

BTW, does Apache 2.2's new mod_proxy_ajp support encryption? Is that the answer for me? (Yes, I know I have to RTFM... going there now.)
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
> Tomcat currently does not support encryption.

Huh? Sure it does. I think you mean AJP doesn't support encryption.
Is this possible? mod_jk <==SSL==> AJP/1.3
Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without using ssh/stunnel)? I see SSL mentioned in the doc for AJP, but it's clear as mud: http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html

So, in Apache, I am using SSL and mod_jk. I set these parameters per the mod_jk doc:

    # JkOptions indicate to send SSL KEY SIZE
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
    JkExtractSSL On
    # What is the indicator for SSL (default is HTTPS)
    JkHTTPSIndicator HTTPS
    # What is the indicator for SSL session (default is SSL_SESSION_ID)
    JkSESSIONIndicator SSL_SESSION_ID
    # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
    JkCIPHERIndicator SSL_CIPHER
    # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
    JkCERTSIndicator SSL_CLIENT_CERT

In Tomcat's server.xml, I have defined an AJP/1.3 connector like so (the mod_jk worker uses this connection):

    <Connector port="8202" protocol="AJP/1.3" URIEncoding="UTF-8"
               scheme="https" secure="true" clientAuth="false" />

It works whether I set scheme and secure or not. Is the communication encrypted? (If so, I'd wonder how, since Tomcat knows nothing of my CA's public key or my keystore.) What am I missing?
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
Unless of course the cert is self-signed with keytool. I would remove all the certs from the classpath and start with a 'true certificate' signed by Verisign or Thawte.

M-

----- Original Message -----
From: dfelicia [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Thursday, December 07, 2006 2:46 PM
Subject: Is this possible? mod_jk <==SSL==> AJP/1.3

> Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without using ssh/stunnel)? I see SSL mentioned in the doc for AJP, but it's clear as mud: http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
>
> So, in Apache, I am using SSL and mod_jk. I set these parameters per the mod_jk doc:
> [...]
> In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:
> [...]
> It works whether I set scheme and secure or not. Is the communication encrypted? (If so, I'd wonder how, since Tomcat knows nothing of my CA's public key or my keystore.) What am I missing?
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
Hi:

As far as I have seen there is no SSL support for AJP/1.3 - the traffic is in the clear between Apache and Tomcat using mod_jk. I guess with Apache 2 you can use mod_proxy and SSL to a Tomcat using the HTTP connector with SSL. If you have Apache and Tomcat on separate servers you might have to look at stunnel to encrypt the traffic.

Fred

Martin Gainty wrote:
> Unless of course the cert is self-signed with keytool. I would remove all the certs from the classpath and start with a 'true certificate' signed by Verisign or Thawte.
>
> M-
>
> ----- Original Message -----
> From: dfelicia [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Sent: Thursday, December 07, 2006 2:46 PM
> Subject: Is this possible? mod_jk <==SSL==> AJP/1.3
>
> > Can traffic between mod_jk and Tomcat's AJP connector be encrypted (without using ssh/stunnel)? I see SSL mentioned in the doc for AJP, but it's clear as mud: http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
> > [...]
> > It works whether I set scheme and secure or not. Is the communication encrypted? (If so, I'd wonder how, since Tomcat knows nothing of my CA's public key or my keystore.) What am I missing?
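Fred's answer above (no SSL support in AJP/1.3, so the mod_jk-to-Tomcat leg is cleartext) and the original question ("Is the communication encrypted?") can both be settled empirically rather than by reading docs. The probe below is an added example written for this page; it is not code from the thread, from Tomcat or from mod_jk. It sends the AJP/1.3 CPing packet (magic 0x12 0x34, a 2-byte big-endian length, prefix code 10) to the connector port and checks for the CPong reply (magic "AB", 2-byte length, prefix code 9). A cleartext AJP connector answers immediately, with no TLS handshake anywhere; a TLS listener fed the same raw bytes would answer with a TLS record or drop the connection. The `scheme` and `secure` attributes on the Connector only change what `request.isSecure()` and `request.getScheme()` report to the web application, which is why the original poster saw no difference with or without them; they do not add encryption on the AJP port. The default host/port and the reply bytes used in the assertions are assumptions and constructed sample data, not captured from any real system.

```python
"""Probe whether a TCP port speaks cleartext AJP/1.3.

Added example for this thread; not code from Tomcat, mod_jk or any poster.
AJP/1.3 framing: packets from the web server to the container begin with
0x12 0x34, packets from the container begin with the ASCII bytes "AB";
both are followed by a 2-byte big-endian payload length and the payload.
CPing is payload byte 10, CPong is payload byte 9.
"""
import socket
import struct
import sys

AJP_REQ_MAGIC = b"\x12\x34"   # web server -> container
AJP_RESP_MAGIC = b"AB"        # container -> web server
CPING = 10                    # "are you alive?" (mod_jk connection check)
CPONG = 9                     # reply to CPing


def build_cping() -> bytes:
    """Encode the 5-byte CPing packet mod_jk sends to test a connection."""
    payload = bytes([CPING])
    return AJP_REQ_MAGIC + struct.pack(">H", len(payload)) + payload


def parse_packet(data: bytes):
    """Split one AJP packet into (magic, payload); None if it is not AJP."""
    if len(data) < 4:
        return None
    magic = data[:2]
    if magic not in (AJP_REQ_MAGIC, AJP_RESP_MAGIC):
        return None
    (length,) = struct.unpack(">H", data[2:4])
    payload = data[4:4 + length]
    if len(payload) != length:
        return None
    return magic, payload


def is_cpong(data: bytes) -> bool:
    """True when `data` is a container's CPong reply."""
    parsed = parse_packet(data)
    return (parsed is not None
            and parsed[0] == AJP_RESP_MAGIC
            and parsed[1] == bytes([CPONG]))


def classify_reply(data: bytes) -> str:
    """Label the first bytes read back from the socket.

    A cleartext AJP connector answers "AB..."; a TLS listener that was fed
    our raw CPing would answer with a TLS record (content type 0x14-0x17,
    version byte 0x03) or simply close the connection.
    """
    if is_cpong(data):
        return "ajp-cleartext"
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        return "tls-record"
    if not data:
        return "closed"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send CPing to host:port and classify whatever comes back (needs a live target)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cping())
        try:
            reply = sock.recv(5)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # Hypothetical defaults: Tomcat's stock AJP port on the local host.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8009
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

Run it against the connector port (8202 in the original post) from a host other than the Apache front end. A result of `ajp-cleartext` means that host can talk AJP to Tomcat in the clear, and since the SSL attributes mod_jk forwards (SSL_CLIENT_CERT, SSL_CIPHER, SSL_SESSION_ID, the HTTPS flag) travel as plain strings inside the same packets, any host that can reach the port can assert them just as Apache does. The fixes are the ones the thread already points at: keep the AJP port off the network (bind it with `address="127.0.0.1"` on the Connector when Apache and Tomcat share a box), or tunnel it with stunnel/ssh when they are on separate servers.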
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
> As far as I have seen there is no SSL support for AJP/1.3 - the traffic is in the clear between Apache and Tomcat using mod_jk. I guess with Apache 2 you can use mod_proxy and SSL to a Tomcat using the HTTP connector with SSL.

Thanks for the reply, Fred. I feared that was the answer. The problem with mod_proxy is that it doesn't perform as well. It also doesn't offer load-balancing, connection pooling, etc.
Re: Is this possible? mod_jk <==SSL==> AJP/1.3
On 12/7/06, dfelicia [EMAIL PROTECTED] wrote:
> mod_proxy is ... It also doesn't offer load-balancing,

Not true; see http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

I've used this recently (with mod_proxy_ajp) and it worked fine. :-)

FWIW,
--
Hassan Schroeder [EMAIL PROTECTED]