...and one more thought. My concern is that, for me, this is on an IBM iSeries (AS400) not Linux/Unix/Win so that solution my not work for me.
-----Original Message----- From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 13, 2002 12:04 PM To: 'Tomcat Users List' Subject: RE: SSL Connection Tomcat and Apache Please correct my typo: It has to be "ssh" instead of "ssl" (of course) in the command used to start the secure shell!!! And one mor thought: I have no idea how this might affect performance. ----- I think the setup within apache's httpd.conf will enable encryption between the client browsers and the webserver only, but not between apache and tomcat. You might use ssh to do that, since you can build an "encrypted tunnel" to forward the connections to a remote port. Suppose your apache machine was on ip 192.168.0.1 and your tomcat machine was on ip 192.168.0.2. Further suppose your ajp connector is configured to use port 8009. You could start a port forwarding tunnel on your apache machine with ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED] Any connection to port 192.168.0.1:8009 will be forwarded to 192.168.0.2 via the encrypted connection established by ssh. Of course this requires ssh to be installed on both machines, i.e. the server component on the tomcat-machine and the client component on the apache-machine. (You could do it the other way around using the -R switch). Note that the connection will only be forwarded if it is coming from the local machine (i.e. the apache-machine in this example), unless you also state "-g" to enable other machines to connect. (You might wish to read up on this in a suitable ssh documentation). You would then have to modify back your workers.properties file to look something like this (on the apache machine): # Definition for Ajp13 worker # worker.ajp13.port=8009 worker.ajp13.host=localhost worker.ajp13.type=ajp13 Note that it is "localhost" again instead of 192.168.0.2 (the ip of the tomcat-machine). I have not tested this procedure, and have not given it much thought if this will cause additional security problems. I have also not explored in which way the ssh connection has to be set up to be available to apache (I would presume you would have to do it using "nohup ssh -L 8009:192.168.0.2:8009 [EMAIL PROTECTED] &" just before starting apache, but that could cause problems with the password you would have to enter, and may force you to use client authentication with public/private keys instead). The best solution of course would be to place your tomcat worker-machines physically behind your apache webserver, using a second network interface card on the apache machine and a switch/hub to connect it to potentially quite a lot of tomcat-machines, which would not be reachable by any other machines if you set up the apache-machine correctly. Please let me (let us all) know if you manage to successfully set up such a configuration using ssh. greetings Andreas Mohrig -----Original Message----- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 13, 2002 5:49 PM To: 'Tomcat Users List' Subject: RE: SSL Connection Tomcat and Apache Thanks for your post with the configuration in it...SSL between apache and tomcat is something I have been wanting to research for awhile now, and your info will make it easier to do that. That said, I'm curious to know how you are verifying that SSL is working between apache and tomcat on different machines. How do you know the datastream is truly encrypted? I'm not questioning your setup, I'm asking how I will know the same thing for sure once I set it up myself. Having SSL setup on both machines is no guarantee that the datastream is encrypted. John Turner [EMAIL PROTECTED] -----Original Message----- From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 13, 2002 11:27 AM To: 'Tomcat Users List' Subject: RE: SSL Connection Tomcat and Apache i have it working on different machines. Tomcat on one machine and apache on another. SSL will work irrespective of the machines, as long as both of the machines can see each other.(i mean on the same network). -----Original Message----- From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]] Sent: Monday, August 12, 2002 4:38 PM To: 'Tomcat Users List' Subject: RE: SSL Connection Tomcat and Apache What about the transmittions between Apache and Tomcat? I realize if they are on the same machine it isn't a problem, but what about if it is on a different machine? This is all for the intranet. -----Original Message----- From: Pooleery, Manoj [mailto:[EMAIL PROTECTED]] Sent: Monday, August 12, 2002 3:33 PM To: 'Tomcat Users List' Subject: RE: SSL Connection Tomcat and Apache In the httpd.conf file of apache, you can implement the virtual host directive for SSL. The port used is 443. You have to have an entry like this - ## ## SSL Virtual Host Context ## <VirtualHost <server_name>:443> # General setup for the virtual host DocumentRoot "C:/Apache/htdocs" ServerName <server_name> ServerAdmin webmaster@localhost ErrorLog logs/ssl/error.log TransferLog logs/ssl/access.log SSLCertificateFile "<certificate_location>/<certificate_name>" SSLCertificateKeyFile "<certificate_key_location>/<certificate_key>" </VirtualHost> you have to generate a CSR file(instructions for creating a CSR can be found at http://www.verisign.com/support/csr/apache/v01.html). Once you create a CSR, you can send it to any of the certificate issuing authorities(verisign, thawte etc) and once you get a certificate, you make the above changes in the httpd.conf. Thanks Manoj. -----Original Message----- From: Wills, Mike N. (TC) [mailto:[EMAIL PROTECTED]] Sent: Monday, August 12, 2002 4:21 PM To: '[EMAIL PROTECTED]' Subject: SSL Connection Tomcat and Apache I have Apache and Tomcat working together, but now I am curious on security. How I do implement SSL on that connection? Mike Wills IT Corporate Support Taylor Corporation [EMAIL PROTECTED] Phone: (507) 386-3187 -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
