RE: Encrypting AJP13 Traffic With isapi_redirect

2013-05-31 Thread Cochran, Jonathan - IS.CONTRACTOR
Thanks for your input, but we're using IIS, not Apache, so this doesn't apply.  
Rainer clarified that SSL between IIS and GlassFish is not natively possible 
anyway.

From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Thursday, May 30, 2013 8:18 PM
To: Cochran, Jonathan - IS.CONTRACTOR
Subject: RE: Encrypting AJP13 Traffic With isapi_redirect

you answered your own question
SSLOptions +StdEnvVars +ExportCertData must be set in httpd.conf

http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html#s4

Martin

 From: jonathan.cochran.contrac...@exelisinc.com
 To: users@tomcat.apache.org
 Subject: Encrypting AJP13 Traffic With isapi_redirect
 Date: Thu, 30 May 2013 23:38:45 +

 Does the IIS isapi_redirect.dll support encrypting AJP13 traffic? We are 
 setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 
 isapi_redirect.dll. We have everything working with HTTPS/SSL coming into IIS 
 and passing through to GlassFish using unencrypted AJP13, but want to also 
 encrypt the traffic between IIS and GlassFish. There is GlassFish 
 documentation for enabling SSL between Apache and GlassFish using mod_jk, and 
 it involves setting some mod_jk settings (in addition to some settings in 
 GlassFish to enable SSL on that end). I've made the changes to GlassFish to 
 enable SSL on the passthrough port, but can't find any settings for 
 isapi_redirect that would indicate using SSL. The GlassFish documentation for 
 using SSL with mod_jk involved some settings like JkExtractSSL On and 
 JkHTTPSIndicator HTTPS, but there is nothing like that available for the 
 isapi_redirect configuration. I can access the site fine using the built-in 
 GlassFish HTTPS/SSL port 8181, but I'm getting a 502 error when trying to do 
 the IIS passthrough to the SSL-enabled AJP13 port in GlassFish. Following is 
 what I'm seeing in the isapi_redirect log file:

 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 
 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 
 1300 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 
 - 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
 [Thu May 30 17:51:44.219 2013] [224:1172] [info] 
 ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't 
 receive the response header message from tomcat, tomcat (127.0.0.1:8009) has 
 forced a connection close for socket 1300
 [Thu May 30 17:51:44.219 2013] [224:1172] [error] 
 ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused 
 connection. No response has been sent to the client (yet)

 Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just 
 don't have something configured properly, or am I trying to do something that 
 isn't supported natively? I saw some old posts about needing to use other 
 methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated 
 that something was in the works to support this natively.

 Thanks,
 Jonathan

 

 This e-mail and any files transmitted with it may be proprietary and are 
 intended solely for the use of the individual or entity to whom they are 
 addressed. If you have received this e-mail in error please notify the 
 sender. Please note that any views or opinions presented in this e-mail are 
 solely those of the author and do not necessarily represent those of Exelis 
 Inc. The recipient should check this e-mail and any attachments for the 
 presence of viruses. Exelis Inc. accepts no liability for any damage caused 
 by any virus transmitted by this e-mail.


RE: Encrypting AJP13 Traffic With isapi_redirect

2013-05-31 Thread Cochran, Jonathan - IS.CONTRACTOR
OK, thank you for the clarification.

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Friday, May 31, 2013 1:30 AM
To: users@tomcat.apache.org
Subject: Re: Encrypting AJP13 Traffic With isapi_redirect

On 31.05.2013 01:38, Cochran, Jonathan - IS.CONTRACTOR wrote:
 Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are 
 setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 
 isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into 
 IIS and passing through to GlassFish using unencrypted AJP13, but want to 
 also encrypt the traffic between IIS and GlassFish.  There is GlassFish 
 documentation for enabling SSL between Apache and GlassFish using mod_jk, and 
 it involves setting some mod_jk settings (in addition to some settings in 
 GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to 
 enable SSL on the passthrough port, but can’t find any settings for 
 isapi_redirect that would indicate using SSL.  The GlassFish documentation 
 for using SSL with mod_jk involved some settings like “JkExtractSSL On” and 
 “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the 
 isapi_redirect configuration.  I can access the site fine using the built-in 
 GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do 
 the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is 
 what I’m seeing in the isapi_redirect log file:

mod_jk and the isapi redirector both do not support encrypting the connection 
between web server and servlet engine.

You could set up an encrypted tunnel.

The SSL options for mod_jk are just to control what kind of information about 
the HTTPS connection between client and web server are forwarded from there to 
the servlet engine (like original ssl session id, certificate details etc.).

 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 
 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 
 1300 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 
 - 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
 [Thu May 30 17:51:44.219 2013] [224:1172] [info] 
 ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't 
 receive the response header message from tomcat, tomcat (127.0.0.1:8009) has 
 forced a connection close for socket 1300
 [Thu May 30 17:51:44.219 2013] [224:1172] [error] 
 ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused 
 connection. No response has been sent to the client (yet)

 Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just 
 don’t have something configured properly, or am I trying to do something that 
 isn’t supported natively?  I saw some old posts about needing to use other 
 methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated 
 that something was in the works to support this natively.

Regards,

Rainer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Encrypting AJP13 Traffic With isapi_redirect

2013-05-30 Thread Cochran, Jonathan - IS.CONTRACTOR
Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are 
setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 
isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into IIS 
and passing through to GlassFish using unencrypted AJP13, but want to also 
encrypt the traffic between IIS and GlassFish.  There is GlassFish 
documentation for enabling SSL between Apache and GlassFish using mod_jk, and 
it involves setting some mod_jk settings (in addition to some settings in 
GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to 
enable SSL on the passthrough port, but can’t find any settings for 
isapi_redirect that would indicate using SSL.  The GlassFish documentation for 
using SSL with mod_jk involved some settings like “JkExtractSSL On” and 
“JkHTTPSIndicator HTTPS”, but there is nothing like that available for the 
isapi_redirect configuration.  I can access the site fine using the built-in 
GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do 
the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is 
what I’m seeing in the isapi_redirect log file:

[Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 
[127.0.0.1:61402 - 127.0.0.1:8009]
[Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 
1300 [127.0.0.1:61402 - 127.0.0.1:8009]
[Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 
- 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
[Thu May 30 17:51:44.219 2013] [224:1172] [info] 
ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive 
the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a 
connection close for socket 1300
[Thu May 30 17:51:44.219 2013] [224:1172] [error] 
ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused 
connection. No response has been sent to the client (yet)

Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just 
don’t have something configured properly, or am I trying to do something that 
isn’t supported natively?  I saw some old posts about needing to use other 
methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated 
that something was in the works to support this natively.

Thanks,
Jonathan





Re: Encrypting AJP13 Traffic With isapi_redirect

2013-05-30 Thread Rainer Jung
On 31.05.2013 01:38, Cochran, Jonathan - IS.CONTRACTOR wrote:
 Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are 
 setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 
 isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into 
 IIS and passing through to GlassFish using unencrypted AJP13, but want to 
 also encrypt the traffic between IIS and GlassFish.  There is GlassFish 
 documentation for enabling SSL between Apache and GlassFish using mod_jk, and 
 it involves setting some mod_jk settings (in addition to some settings in 
 GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to 
 enable SSL on the passthrough port, but can’t find any settings for 
 isapi_redirect that would indicate using SSL.  The GlassFish documentation 
 for using SSL with mod_jk involved some settings like “JkExtractSSL On” and 
 “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the 
 isapi_redirect configuration.  I can access the site fine using the built-in 
 GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do 
 the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is 
 what I’m seeing in the isapi_redirect log file:

mod_jk and the isapi redirector both do not support encrypting the
connection between web server and servlet engine.

You could set up an encrypted tunnel.

The SSL options for mod_jk are just to control what kind of information
about the HTTPS connection between client and web server are forwarded
from there to the servlet engine (like original ssl session id,
certificate details etc.).

 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 
 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 
 1300 [127.0.0.1:61402 - 127.0.0.1:8009]
 [Thu May 30 17:51:44.219 2013] [224:1172] [debug] 
 jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 
 - 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
 [Thu May 30 17:51:44.219 2013] [224:1172] [info] 
 ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't 
 receive the response header message from tomcat, tomcat (127.0.0.1:8009) has 
 forced a connection close for socket 1300
 [Thu May 30 17:51:44.219 2013] [224:1172] [error] 
 ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused 
 connection. No response has been sent to the client (yet)
 
 Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just 
 don’t have something configured properly, or am I trying to do something that 
 isn’t supported natively?  I saw some old posts about needing to use other 
 methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated 
 that something was in the works to support this natively.

Regards,

Rainer
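
Why pointing the redirector at an SSL-enabled AJP13 port ends in the forced close shown in the log above, as an added example that is not part of the original thread: every AJP13 packet from the web server starts with the bytes 0x12 0x34, which a TLS listener cannot parse as a handshake record. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

AJP_MAGIC_TO_CONTAINER = b"\x12\x34"   # web server -> servlet container
AJP_MAGIC_TO_SERVER = b"AB"            # servlet container -> web server
AJP_CPING = 0x0A                       # one-byte keep-alive probe
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed sample: TLS record header (handshake, version 3.1, length 200)
# followed by the start of a ClientHello (type 1, length 196).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c4")


def ajp_cping() -> bytes:
    """Smallest AJP13 packet a connector can send: magic, length, payload."""
    payload = bytes([AJP_CPING])
    return AJP_MAGIC_TO_CONTAINER + struct.pack(">H", len(payload)) + payload


def classify(first_bytes: bytes) -> str:
    """Label the first bytes of a TCP stream as 'ajp13', 'tls' or 'unknown'."""
    if len(first_bytes) < 5:
        return "unknown"
    magic = first_bytes[:2]
    length = struct.unpack(">H", first_bytes[2:4])[0]
    if magic in (AJP_MAGIC_TO_CONTAINER, AJP_MAGIC_TO_SERVER) and length >= 1:
        return "ajp13"
    content_type, major = first_bytes[0], first_bytes[1]
    if content_type in TLS_CONTENT_TYPES and major == 3:
        return "tls"
    return "unknown"


def tls_listener_accepts(first_bytes: bytes) -> bool:
    """A TLS endpoint only proceeds if the peer opens with a handshake record."""
    return (classify(first_bytes) == "tls"
            and TLS_CONTENT_TYPES[first_bytes[0]] == "handshake")


def diagnose(client_opens_with: bytes, listener_expects: str) -> str:
    """Compare what the connector sends with what the listener speaks."""
    sent = classify(client_opens_with)
    if sent == listener_expects:
        return "ok"
    return (f"mismatch: connector sent {sent}, listener expects "
            f"{listener_expects}; the listener closes the socket")


if __name__ == "__main__":
    # Plain AJP13 from the redirector against an SSL-enabled AJP port.
    print(diagnose(ajp_cping(), "tls"))
    # The same packet against a plain AJP13 port, e.g. the far end of a tunnel.
    print(diagnose(ajp_cping(), "ajp13"))
```

With an encrypted tunnel, the connector and the servlet engine both keep speaking plain AJP13 to their local tunnel endpoints, so the mismatch never arises.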





Re: Encrypting ajp13 traffic

2006-02-13 Thread Mark Thomas
Akoulov, Alexandre wrote:
 I am wondering if there is a way to encrypt the traffic between apache and 
 tomcat when they talk to each other on ajp13. 
Why do you want to do this? What requirement are you trying to meet /
security threat are you trying to mitigate?

Mark





Re: Encrypting ajp13 traffic

2006-02-13 Thread David Smith
While I can't speak for the O.P., I have had need for this myself once 
upon a time. 

Consider a setup where the content has to be secured via SSL and 
communication to/from the tomcat is over untrusted infrastructure.  SSL 
can't be proxied, so there is a need for the AJP/13 communication to be 
encrypted.  My solution at the time was to set up an SSH tunnel between 
the two systems.


It would be nice to have some form of encryption optionally available.

Food for thought.

-- David

Mark Thomas wrote:

Akoulov, Alexandre wrote:
  
I am wondering if there is a way to encrypt the traffic between apache and tomcat when they talk to each other on ajp13. 


Why do you want to do this? What requirement are you trying to meet /
security threat are you trying to mitigate?

Mark



  



--
David Smith
Network Operations Supervisor
Department of Entomology
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: (607) 255-9571
Fax: (607) 255-0940





RE: Encrypting ajp13 traffic

2006-02-13 Thread Akoulov, Alexandre
Yes, I've got a similar setup.

We might end up setting up ssh tunnelling as well.



Kind regards,

Sasha. 

-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 February 2006 8:18 AM
To: Tomcat Users List
Subject: Re: Encrypting ajp13 traffic


While I can't speak for the O.P., I have had need for this myself once 
upon a time. 

Consider a setup where the content has to be secured via SSL and 
communication to/from the tomcat is over untrusted infrastructure.  SSL 
can't be proxied, so there is a need for the AJP/13 communication to be 
encrypted.  My solution at the time was to set up an SSH tunnel between 
the two systems.

It would be nice to have some form of encryption optionally available.

Food for thought.

 -- David

Mark Thomas wrote:
 Akoulov, Alexandre wrote:
   
 I am wondering if there is a way to encrypt the traffic between apache and 
 tomcat when they talk to each other on ajp13. 
 
 Why do you want to do this? What requirement are you trying to meet /
 security threat are you trying to mitigate?

 Mark



   


-- 
David Smith
Network Operations Supervisor
Department of Entomology
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: (607) 255-9571
Fax: (607) 255-0940





Encrypting ajp13 traffic

2006-02-12 Thread Akoulov, Alexandre
Hi all,

I am wondering if there is a way to encrypt the traffic between apache and tomcat 
when they talk to each other on ajp13. 

All suggestions are welcome.



Kind regards,

Sasha. 

-Original Message-
From: Ian Buzer [mailto:[EMAIL PROTECTED]
Sent: Saturday, 11 February 2006 2:44 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat - blank page problem


 Webpages seem to be loading then usually blank page 
  comes (totally blank no error messages) on high traffic.

I suspect this could either be your redirector cachesize is not large enough
(the number of threads that the redirector will accept from IIS) or tomcat
is not able to respond to all the threads that are being passed through to
it.

Both these will show up in the isapi redirector logs.

Cache size is set in /conf/workers.properties

Tomcat threads are set in /conf/server.xml (maxThreads etc. on the AJP
connector)

Ian





Re: Encrypting ajp13 traffic

2006-02-12 Thread Parsons Technical Services

Sasha,

There are several ways to accomplish this, and I think it has been mentioned 
on the list before but I don't remember a best way if it was decided there 
is one.


Options include:
VPN
IPSec (part of VPN)
ssh
isolated lan segment (if feasible, IE your side of network)

There may already be something out there. If so, someone here will know.

Doug

- Original Message - 
From: Akoulov, Alexandre [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, February 12, 2006 11:01 PM
Subject: Encrypting ajp13 traffic


Hi all,

I am wondering if there is a way to encrypt the traffic between apache and 
tomcat when they talk to each other on ajp13.


All suggestions are welcome.



Kind regards,

Sasha.

-Original Message-
From: Ian Buzer [mailto:[EMAIL PROTECTED]
Sent: Saturday, 11 February 2006 2:44 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat - blank page problem



Webpages seem to be loading then usually blank page
 comes (totally blank no error messages) on high traffic.


I suspect this could either be your redirector cachesize is not large enough
(the number of threads that the redirector will accept from IIS) or tomcat
is not able to respond to all the threads that are being passed through to
it.

Both these will show up in the isapi redirector logs.

Cache size is set in /conf/workers.properties

Tomcat threads are set in /conf/server.xml (maxThreads etc. on the AJP
connector)

Ian

