RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-03 Thread jonmcalexander
Thank you as always Mark and all!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Friday, June 3, 2022 4:19 AM
> To: users@tomcat.apache.org
> Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over
> SSL [EXTERNAL]



Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-03 Thread Mark Thomas

Jon,

If you want to secure the httpd <-> Tomcat link with mutually 
authenticated TLS then I believe it is possible based on reading the 
docs but a) haven't tested it and b) you are going to need to be careful 
to ensure Tomcat doesn't get confused about whether it is the actual 
client or the reverse proxy that is authenticated.


The following are some pointers that should help. This is how I would go 
about things if I was doing this.


1. Set up mod_proxy_http and get it working over http.

2. Create and configure a server certificate for Tomcat.

3. Switch to proxy over https.

4. Use SSLProxyCACertificate[File|Path] to configure httpd to 
authenticate Tomcat.


5. Check you got 4 right by changing the Tomcat cert to a self-signed 
one and looking for the proxy connection to fail.


6. Create a client cert for httpd.

7. Configure Tomcat to require client cert authentication.

8. Configure httpd using SSLProxyMachineCertificate[File|Path] to 
provide the certificate.


9. Check you got 8 right by:
   a) using a JSP to view the presented certificate
   b) changing httpd to use a self-signed cert and check it fails


The problem you have now is that Tomcat sees httpd as a TLS 
authenticated client and you really want Tomcat to see the 
authentication status of the real client.


I've looked at the SSLValve and it only sets request attributes if the 
relevant headers from httpd are present. You would need to write an 
additional Valve that ran earlier in the pipeline and cleared those headers.


HTH,

Mark


On 03/06/2022 00:13, jonmcalexan...@wellsfargo.com.INVALID wrote:




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread jonmcalexander
Ok, so in short it's not possible to mutually authenticate the mod-proxy and a 
tomcat connector, correct?

I'm needing to convert an ajp configuration to mod-proxy, but a security 
architect wants the other as well.


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Christopher Schultz 
Sent: Jun 2, 2022 5:05 PM
To: users@tomcat.apache.org
Subject: Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]




Re: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread Christopher Schultz

On 6/2/22 14:38, Beard, Shawn wrote:
> I've never done this. But I think it would go something like this:
> To make tomcat take advantage of Client Authentication, require three
> certificates. i.e A Server Certificate for Tomcat, Client Certificate
> for the browser/Apache and Certificate of the CA which will sign both
> the above mentioned certificates.

Stop. John: if you aren't using client TLS certs with your end-users, 
then this is a rathole you don't want to go down.


If you *do* need to use client-TLS-auth, then this is correct.

-chris




RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread jonmcalexander
That was my thought also, but wouldn’t that then require the end-users to also 
have certificates? Or would it just be Apache HTTPD? Basically the end users 
connection terminates at the proxy, and the proxy uses its own connection to 
pass it thru. Is that right?


From: Beard, Shawn 
Sent: Thursday, June 2, 2022 1:39 PM
To: Tomcat Users List 
Subject: RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]



-Original Message-
From: 
jonmcalexan...@wellsfargo.com.INVALID<mailto:jonmcalexan...@wellsfargo.com.INVALID>
 
mailto:jonmcalexan...@wellsfargo.com.INVALID>>
Sent: Thursday, June 2, 2022 1:21 PM
To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
Subject: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]



RE: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL [EXTERNAL]

2022-06-02 Thread Beard, Shawn
I've never done this. But I think it would go something like this:
To make tomcat take advantage of Client Authentication, require three 
certificates, i.e. a Server Certificate for Tomcat, a Client Certificate for the 
browser/Apache, and the Certificate of the CA which will sign both the above 
mentioned certificates.

Then you might need to import these into each other's trust/keystore.

Tomcat connector config would need to have something like this, note the 
clientAuth="true"



Shawn Beard, Sr. Systems Engineer
Middleware Engineering
3840 109th Street, Urbandale, IA 50322
Phone: +1-515-564-2528
Email: sbe...@wrberkley.com
Website: https://berkleytechnologyservices.com/
Technology Leadership Unleashing Business Potential


-Original Message-
From: jonmcalexan...@wellsfargo.com.INVALID 

Sent: Thursday, June 2, 2022 1:21 PM
To: users@tomcat.apache.org
Subject: Question regarding Tomcat and Apache HTTPD Mod-proxy over SSL 
[EXTERNAL]


I'm trying to figure out if there is a way to use certificates between Tomcat 
and Apache for mutual authentication of the mod-proxy connection to Tomcat. 
This would be similar as to how you can setup the WebSphere plugin to 
communicate with WebSphere over a mutually secured connection. Is this possible 
with Apache HTTPD and Tomcat over mod-proxy?

Thanks,


CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
private, privileged and confidential information belonging to the sender. The 
information therein is solely for the use of the addressee. If your receipt of 
this transmission has occurred as the result of an error, please immediately 
notify us so we can arrange for the return of the documents. In such 
circumstances, you are advised that you may not disclose, copy, distribute or 
take any other action in reliance on the information transmitted.
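Added worked example for the whole thread (not code from the thread, nor from the Tomcat or httpd projects). It covers steps 2 through 8 of Mark's procedure and the three certificates Shawn describes: it builds a private CA, a server certificate for Tomcat and a client certificate for httpd, writes the httpd and Tomcat configuration fragments, and performs the negative check of steps 5 and 9b offline with `openssl verify` (the live versions of those checks need both servers running, which a script cannot do on its own). Everything not named in the thread is an assumption: the host names tomcat.internal.example and httpd.internal.example, port 8443, the file names, the CA name proxy-link-ca, the truststore password changeit, httpd 2.4 with mod_ssl and mod_proxy_http, Tomcat 8.5 or later (SSLHostConfig attribute names), an openssl CLI, and optionally keytool for the Tomcat truststore.

```sh
#!/bin/sh
# Added example, not code from the thread or the httpd/Tomcat projects. Builds the
# CA, Tomcat server cert and httpd client cert, writes the httpd/Tomcat fragments
# for the mutually authenticated proxy link, and does the "is an untrusted cert
# rejected?" check of steps 5 and 9b offline. Names, paths, port and password are assumptions.
set -eu
# Private openssl config so nothing depends on the system openssl.cnf.
write_openssl_cnf() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
        '[leaf_ext]' 'basicConstraints = CA:FALSE' > "$1/openssl.cnf"
}

# The CA that signs both ends (the third certificate in Shawn's message). $1 dir.
make_ca() {
    mkdir -p "$1"; write_openssl_cnf "$1"
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=proxy-link-ca" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# Steps 2 and 6: a CA-signed leaf. $1 dir, $2 file stem, $3 host (CN and SAN),
# $4 extendedKeyUsage (serverAuth for Tomcat, clientAuth for httpd).
issue_cert() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$1/$2.ext"
    printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$4" "$3" >> "$1/$2.ext"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# Self-signed cert with no CA behind it, the swap-in of steps 5 and 9b. $1 dir, $2 stem, $3 host.
make_selfsigned() {
    openssl req -x509 -config "$1/openssl.cnf" -extensions leaf_ext -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Exit 0 only if cert $2 chains to CA file $1; the system trust store is deliberately
# left out, which is what SSLProxyCACertificateFile and a dedicated truststore also do.
check_trust() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 7 truststore for Tomcat's default (JSSE) implementation; needs a JDK on PATH.
make_truststore() {
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias proxy-link-ca -file "$1/ca.pem" \
            -keystore "$1/truststore.p12" -storetype PKCS12 -storepass changeit >/dev/null 2>&1
    else
        echo "keytool not on PATH: build $1/truststore.p12 from ca.pem on the Tomcat host"
    fi
}

# Steps 3, 4, 7 and 8 as configuration fragments (Tomcat 8.5+ attribute names). $1 dir.
write_configs() {
    dir=$1
    cat "$dir/httpd.key" "$dir/httpd.pem" > "$dir/httpd-client.pem"  # httpd wants key+cert in one file
    chmod 600 "$dir"/*.key "$dir/httpd-client.pem"                    # all of these hold private keys
    cat > "$dir/httpd-proxy.conf" <<EOF
# mod_ssl + mod_proxy_http: https to Tomcat (step 3), verify Tomcat's cert and
# host name against our CA (step 4), present httpd's client cert (step 8).
SSLProxyEngine                 on
SSLProxyVerify                 require
SSLProxyCheckPeerName          on
SSLProxyCACertificateFile      $dir/ca.pem
SSLProxyMachineCertificateFile $dir/httpd-client.pem
ProxyPass        /app/ https://tomcat.internal.example:8443/app/
ProxyPassReverse /app/ https://tomcat.internal.example:8443/app/
EOF
    cat > "$dir/tomcat-connector.xml" <<EOF
<!-- server.xml: require a client cert issued by our CA (step 7). With the OpenSSL
     implementation, caCertificateFile="$dir/ca.pem" replaces the truststore
     attributes. Caveat from the thread: javax.servlet.request.X509Certificate now
     carries httpd's certificate, not the end user's. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required" truststoreType="PKCS12"
                 truststoreFile="$dir/truststore.p12" truststorePassword="changeit">
    <Certificate certificateFile="$dir/tomcat.pem" certificateKeyFile="$dir/tomcat.key" />
  </SSLHostConfig>
</Connector>
EOF
}

demo() {
    make_ca "$1"
    issue_cert "$1" tomcat tomcat.internal.example serverAuth
    issue_cert "$1" httpd  httpd.internal.example  clientAuth
    make_selfsigned "$1" rogue tomcat.internal.example
    make_truststore "$1"
    write_configs "$1"
    for stem in tomcat httpd rogue; do   # expected: tomcat and httpd trusted, rogue rejected
        if check_trust "$1/ca.pem" "$1/$stem.pem"; then echo "$stem.pem: trusted via ca.pem"
        else echo "$stem.pem: rejected, not issued by our CA"; fi
    done
}

WORKDIR=${MTLS_DEMO_DIR:-$(mktemp -d)}
demo "$WORKDIR"; echo "fragments: $WORKDIR/httpd-proxy.conf $WORKDIR/tomcat-connector.xml"
```

Run it with `sh proxy-link-mtls.sh`; it prints where the two fragments landed, and the last three lines show the step-5/9b behaviour (both CA-issued certificates verify, the self-signed one does not) without either server running. The step-9a check is a JSP or servlet that reads request.getAttribute("javax.servlet.request.X509Certificate") and prints the subject; with this configuration that attribute is httpd's client certificate, which is exactly the confusion Mark warns about, so nothing on the Tomcat side should authorise end users from it until the SSLValve question he raises is settled.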