Re: Encryption of Tomcat AJP
Brian,

On 5/19/22 10:29, Brian Eller wrote:
> My vendor supports AJP, but I don't know if they support mod_http_proxy. This is an embedded version of Tomcat 8.5 that is tightly coupled with the vendor's software and is an installed subcomponent from the vendor.

Well, have a look at the facts:

1. Your vendor definitely supports AJP
2. Your cybersecurity group says you definitely need to encrypt that connection
3. AJP doesn't support encryption

So you have a couple of options:

1. Encrypt AJP yourself. Your options are:
   a. IPsec or similar/VPN
   b. stunnel / ssh tunnel
2. Switch to another protocol (i.e. HTTPS)
3. Switch to a different vendor

Which of those would work out best for you?

Another option on the list is:

4. Make this your vendor's problem, since they are the ones wanting to use AJP

This may be helpful to provide to your vendor:
https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

Hope that helps,
-chris

> -----Original Message-----
> From: Mark H. Wood
> Sent: Thursday, May 19, 2022 6:12 AM
> To: users@tomcat.apache.org
> Subject: Re: Encryption of Tomcat AJP
>
> On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> > CONFIDENTIAL & RESTRICTED
> >
> > From: Mark Thomas
> > Subject: Re: Encryption of Tomcat AJP
> >
> > > On 19/05/2022 01:32, Brian Eller wrote:
> > > > TRADING PARTNER
> > > >
> > > > Hello,
> > > >
> > > > I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be encrypted?
> > >
> > > No, AJP does not support encryption.
> > >
> > > If you want to encrypt traffic between the reverse proxy and the embedded Tomcat instance I'd recommend using mod_proxy_http and proxy everything over HTTPS. This requires a little more configuration to get things working.
> > >
> > > The main thing to keep in mind is to make sure that the Tomcat instance correctly identifies whether the client connection to the reverse proxy was over HTTP or HTTPS.
> > >
> > > Mark
> >
> > I totally agree this is an existing and sufficient mechanism already available. And I see it popping up in more and more locations.
> > But as you point out there are some caveats that potentially open security risks. On the contrary AJP - maybe because it cannot be configured with encryption - looks simple and straightforward.
> >
> > Would it make sense to create a solution with less caveats and up to date security requirements?
>
> If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPSEC.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>
> NOTICE: This communication is from Guidehouse Inc. or one of its subsidiaries. The details of the sender are listed above. This email, including any attachments, is meant only for the intended recipient of the transmission and may contain confidential and/or privileged material. If you received this email in error, any review, distribution, dissemination or other use of this information is strictly prohibited. Please notify the sender immediately by return email and delete the messages from your systems. In addition, this communication is subject to, and incorporates by reference, additional disclaimers found in the "Disclaimers" section at www.guidehouse.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Per context heap usage
Robert,

On 5/19/22 02:34, Robert Olofsson wrote:
> On Wed, 2022-05-18 at 17:36 -0400, Christopher Schultz wrote:
> > > > Is it possible to find out the per deployed context heap usage in tomcat?
> > >
> > > With a profiler you can look at the retained size of the web application class loader instance associated with a web application.
> >
> > What reference path would lead from a java.lang.String object to the web application ClassLoader? Its allocation path? That would be tied to the Thread which allocated it, not to the TCCL the Thread happened to have at the time.
>
> If you look at a memory dump you can follow the references both up and down.
> Going up means asking "who owns this object" or "what class keeps this object alive".
> Going down means asking "what fields does this class hold".
>
> With modern memory profilers you can ask for the retained set of objects; the profiler will then start from the root objects and go down and calculate how much memory is hanging under each object. Since the JVM heap is a graph with circles this is a bit tricky, but that is for the profiler writers to figure out.
>
> So if we look at a hypothetical example: Tomcat holds references to one or more classloaders, one per webapp. Each such classloader holds on to a set of servlets. Each servlet holds on to its own resources. So when you look at the retained sets you see something like:
>
> Tomcat holds 100% of the memory
>   - Classloader for webapp 1 holds 80% of the memory
>     - Servlet A holds 79% of the memory
>     - Servlet B holds 1% of the memory
>   - Classloader for webapp 2 holds 15% of the memory
>   - Classloader for webapp 3 holds 5% of the memory
>
> This is of course a simplified example and common things may make the statistics hard to read.
>
> Personally I have used both VisualVM and Eclipse MAT to look at memory profiles. Both of them support retained set calculations, but with the last releases of Java I have only managed to get VisualVM working well. If you get Eclipse MAT working with this it tends to be a bit more helpful.
>
> Hope that makes sense!

It does. Thanks for pointing out that, in order for the (e.g. String) object to be reachable, it must have a reference being held by something else -- and that something was loaded either directly or indirectly from the webapp classloader. Duh.

-chris
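To make the retained-set idea from Robert's reply concrete, here is an added example (not code from the thread, and not how VisualVM or Eclipse MAT implement it internally): a toy heap graph laid out like the hypothetical Tomcat / per-webapp ClassLoader / Servlet tree, with a back-reference cycle and a String payload that is reachable only through Servlet A, so it is charged to webapp 1's class loader. The retained size is computed by the standard definition (bytes that become unreachable when one object is cut out); all object names and sizes are constructed for illustration.

```python
from collections import deque

# Constructed toy heap mirroring the reply's hypothetical: each entry is
# object -> (shallow size in bytes, outgoing references). Sizes are chosen so
# the retained shares come out close to the 100/80/79/1/15/5 figures above.
# ServletA references its own class loader, giving the graph a cycle, and the
# String data is reachable only through ServletA, so it is charged to webapp 1.
HEAP = {
    "Tomcat":       (20,   ["CL-webapp1", "CL-webapp2", "CL-webapp3"]),
    "CL-webapp1":   (80,   ["ServletA", "ServletB"]),
    "ServletA":     (100,  ["String-cache", "CL-webapp1"]),   # back-reference = cycle
    "String-cache": (7800, []),                               # java.lang.String payload
    "ServletB":     (100,  []),
    "CL-webapp2":   (1500, []),
    "CL-webapp3":   (500,  []),
}
ROOTS = ["Tomcat"]


def reachable(heap, roots, excluded=None):
    """Objects reachable from the roots without passing through `excluded`.
    A visited set makes the walk terminate even though the graph has cycles."""
    seen = set()
    todo = deque(roots)
    while todo:
        obj = todo.popleft()
        if obj in seen or obj == excluded:
            continue
        seen.add(obj)
        todo.extend(ref for ref in heap[obj][1] if ref not in seen)
    return seen


def retained_size(heap, roots, obj):
    """Retained size of `obj`: the bytes that would become garbage if the
    object were dropped, i.e. live now but unreachable with `obj` cut out."""
    live = reachable(heap, roots)
    if obj not in live:
        return 0
    survivors = reachable(heap, roots, excluded=obj)
    return sum(heap[o][0] for o in live - survivors)


def retained_share(heap, roots):
    """Retained size of every live object as a rounded percentage of the live
    heap, the per-object figure a profiler's retained-set view reports."""
    live = reachable(heap, roots)
    total = sum(heap[o][0] for o in live)
    return {o: round(100 * retained_size(heap, roots, o) / total) for o in live}


if __name__ == "__main__":
    for obj, pct in sorted(retained_share(HEAP, ROOTS).items(), key=lambda kv: -kv[1]):
        print(f"{obj:<13} retains {pct:3d}% of the live heap")
```

Note that the String's own shallow size shows up under ServletA and, through it, under CL-webapp1, which is exactly why a per-context heap figure can be read off the class loader's retained size even though the String itself never references the loader.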
RE: Encryption of Tomcat AJP
> -----Original Message-----
> From: Brian Eller
> Sent: Thursday, May 19, 2022 9:29 AM
> To: Tomcat Users List
> Subject: RE: Encryption of Tomcat AJP
>
> TRADING PARTNER
>
> Thank you Mark,
>
> My vendor supports AJP, but I don't know if they support mod_http_proxy. This is an embedded version of Tomcat 8.5 that is tightly coupled with the vendor's software and is an installed subcomponent from the vendor.
>
> Brian Eller | Senior System Administrator
> bel...@guidehouse.com
>
> Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
> 1200 South College Avenue, Suite 210 | Fort Collins, CO 80524
> AceInfo is now a Guidehouse company
>
> -----Original Message-----
> From: Mark H. Wood
> Sent: Thursday, May 19, 2022 6:12 AM
> To: users@tomcat.apache.org
> Subject: Re: Encryption of Tomcat AJP
>
> On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> > CONFIDENTIAL & RESTRICTED
> >
> > From: Mark Thomas
> > Subject: Re: Encryption of Tomcat AJP
> >
> > > On 19/05/2022 01:32, Brian Eller wrote:
> > > > TRADING PARTNER
> > > >
> > > > Hello,
> > > >
> > > > I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be encrypted?
> > >
> > > No, AJP does not support encryption.
> > >
> > > If you want to encrypt traffic between the reverse proxy and the embedded Tomcat instance I'd recommend using mod_proxy_http and proxy everything over HTTPS. This requires a little more configuration to get things working.
> > >
> > > The main thing to keep in mind is to make sure that the Tomcat instance correctly identifies whether the client connection to the reverse proxy was over HTTP or HTTPS.
> > >
> > > Mark
> >
> > I totally agree this is an existing and sufficient mechanism already available. And I see it popping up in more and more locations.
> > But as you point out there are some caveats that potentially open security risks. On the contrary AJP - maybe because it cannot be configured with encryption - looks simple and straightforward.
> >
> > Would it make sense to create a solution with less caveats and up to date security requirements?
>
> If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPSEC.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> http://www.ulib.iupui.edu

Another thing to consider.

If your Apache HTTPD server, or even IIS web server, is co-hosted on the same server, set up the AJP to listen and communicate on localhost (127.0.0.1) and you shouldn't have to even think about encryption at that point. Another possibility would be to port the traffic over a secure VPN between the servers, but that may be a costly alternative. Otherwise, I agree with Mark and go with MOD-PROXY over HTTPS.

Just my .02 worth.

Dream * Excel * Explore * Inspire

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please adv
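The two proxy-side points raised in this thread, Jon's advice to bind AJP to localhost when httpd is co-hosted and Mark Thomas's caveat (quoted above) that a Tomcat behind mod_proxy_http must still be told whether the client reached the proxy over HTTPS, can be checked mechanically. The following is an added example, not code from the thread or from Tomcat: it parses a constructed server.xml with ElementTree and reports both problems, extending the loopback check to plaintext HTTP connectors as well. The Connector and RemoteIpValve attributes used are standard Tomcat 8.5 configuration; both XML documents are constructed and `CHANGE-ME` is a placeholder.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"

# Constructed "before": both connectors listen on every interface, the AJP secret
# is switched off, and nothing tells Tomcat whether the client reached httpd over TLS.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed "after": loopback-only listeners for a co-hosted httpd, AJP secret
# required (secret/secretRequired exist from Tomcat 8.5.51 on; "CHANGE-ME" is a
# placeholder), and a RemoteIpValve reading X-Forwarded-Proto so request.isSecure()
# reflects the client-to-proxy leg rather than the plaintext proxy-to-Tomcat leg.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE-ME"/>
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\\.0\\.0\\.1" remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def audit(server_xml):
    """Return findings for every Connector in server.xml; an empty list is clean."""
    findings = []
    root = ET.fromstring(server_xml.strip())
    for service in root.iter("Service"):
        has_valve = any(v.get("className") == REMOTE_IP_VALVE for v in service.iter("Valve"))
        for conn in service.findall("Connector"):
            proto, port, addr = conn.get("protocol", "HTTP/1.1"), conn.get("port"), conn.get("address")
            if proto.startswith("AJP"):
                if addr not in LOOPBACK:
                    findings.append(f"AJP {port}: unencrypted AJP listener not bound to loopback (address={addr})")
                if conn.get("secretRequired", "true").lower() == "false":
                    findings.append(f"AJP {port}: secretRequired=false")
            elif conn.get("SSLEnabled", "false").lower() != "true":
                if addr not in LOOPBACK:
                    findings.append(f"HTTP {port}: plaintext listener not bound to loopback (address={addr})")
                if not has_valve:
                    findings.append(f"HTTP {port}: no RemoteIpValve, so Tomcat cannot tell HTTP from HTTPS clients")
    return findings
```

mod_proxy_http adds X-Forwarded-For and X-Forwarded-Host on its own but not X-Forwarded-Proto, so the httpd TLS virtual host also needs `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) before the valve has anything to read.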
RE: Encryption of Tomcat AJP
TRADING PARTNER

Thank you Mark,

My vendor supports AJP, but I don't know if they support mod_http_proxy. This is an embedded version of Tomcat 8.5 that is tightly coupled with the vendor's software and is an installed subcomponent from the vendor.

Brian Eller | Senior System Administrator
bel...@guidehouse.com

Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
1200 South College Avenue, Suite 210 | Fort Collins, CO 80524
AceInfo is now a Guidehouse company

-----Original Message-----
From: Mark H. Wood
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP

On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas
> Subject: Re: Encryption of Tomcat AJP
>
> > On 19/05/2022 01:32, Brian Eller wrote:
> > > TRADING PARTNER
> > >
> > > Hello,
> > >
> > > I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be encrypted?
> >
> > No, AJP does not support encryption.
> >
> > If you want to encrypt traffic between the reverse proxy and the embedded Tomcat instance I'd recommend using mod_proxy_http and proxy everything over HTTPS. This requires a little more configuration to get things working.
> >
> > The main thing to keep in mind is to make sure that the Tomcat instance correctly identifies whether the client connection to the reverse proxy was over HTTP or HTTPS.
> >
> > Mark
>
> I totally agree this is an existing and sufficient mechanism already available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security risks. On the contrary AJP - maybe because it cannot be configured with encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with less caveats and up to date security requirements?

If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Encryption of Tomcat AJP
On Thu, May 19, 2022 at 07:09:59AM +, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas
> Subject: Re: Encryption of Tomcat AJP
>
> > On 19/05/2022 01:32, Brian Eller wrote:
> > > TRADING PARTNER
> > >
> > > Hello,
> > >
> > > I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be encrypted?
> >
> > No, AJP does not support encryption.
> >
> > If you want to encrypt traffic between the reverse proxy and the embedded Tomcat instance I'd recommend using mod_proxy_http and proxy everything over HTTPS. This requires a little more configuration to get things working.
> >
> > The main thing to keep in mind is to make sure that the Tomcat instance correctly identifies whether the client connection to the reverse proxy was over HTTP or HTTPS.
> >
> > Mark
>
> I totally agree this is an existing and sufficient mechanism already available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security risks. On the contrary AJP - maybe because it cannot be configured with encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with less caveats and up to date security requirements?

If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Final reminder: ApacheCon North America call for presentations closing soon
[Note: You're receiving this because you are subscribed to one or more Apache Software Foundation project mailing lists.]

This is your final reminder that the Call for Presentations for ApacheCon North America 2022 will close at 00:01 GMT on Monday, May 23rd, 2022. Please don't wait! Get your talk proposals in now!

Details here: https://apachecon.com/acna2022/cfp.html

--Rich, for the ApacheCon Planners
RE: Encryption of Tomcat AJP
CONFIDENTIAL & RESTRICTED

From: Mark Thomas
Subject: Re: Encryption of Tomcat AJP

> On 19/05/2022 01:32, Brian Eller wrote:
> > TRADING PARTNER
> >
> > Hello,
> >
> > I am working on a Tomcat install embedded inside a vendor product that uses Apache to pass traffic to Tomcat. My cyber security group is asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be encrypted?
>
> No, AJP does not support encryption.
>
> If you want to encrypt traffic between the reverse proxy and the embedded Tomcat instance I'd recommend using mod_proxy_http and proxy everything over HTTPS. This requires a little more configuration to get things working.
>
> The main thing to keep in mind is to make sure that the Tomcat instance correctly identifies whether the client connection to the reverse proxy was over HTTP or HTTPS.
>
> Mark

I totally agree this is an existing and sufficient mechanism already available. And I see it popping up in more and more locations.
But as you point out there are some caveats that potentially open security risks. On the contrary AJP - maybe because it cannot be configured with encryption - looks simple and straightforward.

Would it make sense to create a solution with less caveats and up to date security requirements?

Hiran

IMPORTANT - CONFIDENTIALITY NOTICE - This e-mail is intended only for the use of the individual or entity shown above as addressees. It may contain information which is privileged, confidential or otherwise protected from disclosure under applicable laws. If the reader of this transmission is not the intended recipient, you are hereby notified that any dissemination, printing, distribution, copying, disclosure or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this transmission in error, please immediately notify us by reply e-mail or using the address below and delete the message and any attachments from your system.

Amadeus Data Processing GmbH
Managing Director: Sven Fuhrmeister
Registered office: Erding
Commercial Register Munich 212770
Berghamer Strasse 6, 85435 Erding, Germany.