Antonio,

Since IIS decrypts the request and passes it unencrypted to Tomcat,
how do I encrypt the request so that all communication from IIS
with Tomcat is secure???

Do you really need it? It would probably affect your performance seriously. (No, I cannot prove that statement...)

I can prove this statement. :)

Connection latency = network transfer time + 2 * (TCP overhead +
encryption/decryption)

(Twice since both clients have these overheads).

When the encryption/decryption term becomes zero (removal of SSL),
performance increases. The assertion that encryption/decryption takes
more than zero time is left as an exercise to the reader. (Oh, and SSL
acceleration hardware is expensive, which would seem silly if the ops
were trivial).

Latest reference I've been able to google for is from Tomcat 4.1 JK connector (deprecated). But I have not searched a lot.

I don't think that the JK mod is deprecated. In fact, it's suggested for production installations with Apache 1.3 and 2.0 (and IIS, I guess).

(From the other followup post):
I doubt anyone has that kind of need. If that is the case, then everyone will
pull their brains out.

Often, there's a need. What if you don't trust your own network?

If we are worried about IIS having SSL with Tomcat, then how about SSL
between the database and Tomcat? How about query tools used with the database
(a secured query tool? I don't know who has something like this).

Some people need this type of stuff. Let's say that your database server is on another network, and you need confidential transfers?

I would not worry if Tomcat is behind a firewall, and behind the IIS (SSL).

I would still worry. For example, all of our hardware is hosted by a data center. We get all kinds of M$ virus crap spewing into our syslogs every single day. We get SMB traffic logs. We get all kinds of crap. There's nothing stopping me from running a packet sniffer on my machines, which would compromise the entire network if SSL were not being used. (Fortunately, each app is small enough that we can run both the app and db on the same machine and avoid those security concerns).

The JK documentation says nothing about SSL (other than forwarding SSL information from the web server to Tomcat). I assert that you have two options:

1. Use Tomcat standalone (why not? do you have a huge amount of non-dynamic content? If not, consider Tomcat standalone)

2. Set up an SSL tunnel using your favorite ssh software. OpenSSH is available for win32 (at least through cygwin). You can punch through pretty much any network and firewall (as long as they allow SSH). All the data is encrypted. Most ssh clients/servers also support compression, which /might/ help offset the performance penalty of encryption (due to lower network transfer times).

Good luck.

-chris

