Thanks for your input, but we're using IIS, not Apache, so this doesn't apply. Rainer clarified that SSL between IIS and GlassFish is not natively possible anyway.

From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Thursday, May 30, 2013 8:18 PM
To: Cochran, Jonathan - IS.CONTRACTOR
Subject: RE: Encrypting AJP13 Traffic With isapi_redirect

you answered your own question

SSLOptions +StdEnvVars +ExportCertData must be set in httpd.conf

http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html#s4

Martin
______________________________________________
American Idiot...contractor to illegal aliens

> From: jonathan.cochran.contrac...@exelisinc.com
> To: users@tomcat.apache.org
> Subject: Encrypting AJP13 Traffic With isapi_redirect
> Date: Thu, 30 May 2013 23:38:45 +0000
>
> Does the IIS isapi_redirect.dll support encrypting AJP13 traffic? We are
> setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37
> isapi_redirect.dll. We have everything working with HTTPS/SSL coming into IIS
> and passing through to GlassFish using unencrypted AJP13, but want to also
> encrypt the traffic between IIS and GlassFish. There is GlassFish
> documentation for enabling SSL between Apache and GlassFish using mod_jk, and
> it involves setting some mod_jk settings (in addition to some settings in
> GlassFish to enable SSL on that end). I've made the changes to GlassFish to
> enable SSL on the passthrough port, but can't find any settings for
> isapi_redirect that would indicate using SSL. The GlassFish documentation for
> using SSL with mod_jk involved some settings like "JkExtractSSL On" and
> "JkHTTPSIndicator HTTPS", but there is nothing like that available for the
> isapi_redirect configuration. I can access the site fine using the built-in
> GlassFish HTTPS/SSL port 8181, but I'm getting a 502 error when trying to do
> the IIS passthrough to the SSL-enabled AJP13 port in GlassFish. Following is
> what I'm seeing in the isapi_redirect log file:
>
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
> [Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300
> [Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>
> Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just
> don't have something configured properly, or am I trying to do something that
> isn't supported natively? I saw some old posts about needing to use other
> methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated
> that something was in the works to support this natively.
>
> Thanks,
> Jonathan
>
> ________________________________
>
> This e-mail and any files transmitted with it may be proprietary and are
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this e-mail in error please notify the
> sender. Please note that any views or opinions presented in this e-mail are
> solely those of the author and do not necessarily represent those of Exelis
> Inc. The recipient should check this e-mail and any attachments for the
> presence of viruses. Exelis Inc. accepts no liability for any damage caused
> by any virus transmitted by this e-mail.
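
A way to check what the backend port in the log above actually speaks, as an added example that is not part of the original thread: it sends the plaintext AJP13 CPing a connector would send and classifies the reply, so a listener that closes the connection or answers with a TLS record can be told apart from one speaking plain AJP13. The function names are hypothetical; the host and port are the ones from the quoted log.

```python
import socket

# AJP13 web-server-to-container packet: magic 0x1234, 2-byte length, payload.
CPING = b"\x12\x34\x00\x01\x0a"   # payload 0x0A = CPing
# Container-to-web-server packet: magic "AB", 2-byte length, payload.
CPONG = b"\x41\x42\x00\x01\x09"   # payload 0x09 = CPong


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a backend returns after a plaintext CPing."""
    if data.startswith(CPONG):
        return "plaintext-ajp13"
    # TLS record header: content type 0x14-0x17 followed by major version 0x03
    # (for example an alert sent because the CPing was not a ClientHello).
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        return "tls"
    if not data:
        # Matches the log pattern: peer closed, 0 bytes read.
        return "closed-without-reply"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send one CPing to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(CPING)
            return classify_reply(s.recv(16))
    except socket.timeout:
        return "no-reply-timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "closed-without-reply"


if __name__ == "__main__":
    # Backend address taken from the isapi_redirect log in the thread.
    print(probe("127.0.0.1", 8009))
```

Anything other than `plaintext-ajp13` from a port the connector is pointed at means the two ends do not agree on the wire protocol, which the connector surfaces as a 502.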