Hi:

As far as I have seen there is no SSL support for AJP/1.3 - the traffic is in
clear between Apache and Tomcat using mod_jk.

I guess with Apache 2 you can use mod_proxy and SSL to a Tomcat using the
HTTP connector with SSL.

If you have Apache and Tomcat on separate servers you might have to look at
stunnel to encrypt the traffic.

Fred


Martin Gainty wrote:
> 
> unless of course the Cert is self-signed with keytool
> I would remove all the certs from classpath and start with a 'True
> Certificate' signed by Verisign or Thawte
> 
> M-
> ----- Original Message ----- 
> From: "dfelicia" <[EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Sent: Thursday, December 07, 2006 2:46 PM
> Subject: Is this possibe? mod_jk <==SSL==> AJP/1.3
> 
> 
>> 
>> Can traffic between mod_jk and Tomcat's AJP connector be encrypted
>> (without using ssh/stunnel)?
>> 
>> I see SSL mentioned in the doc for AJP, but it's clear as mud: 
>> http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html
>> 
>> So, in Apache, I am using SSL and mod_jk.  I set these parameters per the
>> mod_jk doc:
>> 
>> # JkOptions indicate to send SSL KEY SIZE,
>> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
>> JkExtractSSL On
>> # What is the indicator for SSL (default is HTTPS)
>> JkHTTPSIndicator HTTPS
>> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>> JkSESSIONIndicator SSL_SESSION_ID
>> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
>> JkCIPHERIndicator SSL_CIPHER
>> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
>> JkCERTSIndicator SSL_CLIENT_CERT
>> 
>> In Tomcat's server.xml, I have defined an AJP/1.3 connector like so:
>> 
>> <Connector port="8202" protocol="AJP/1.3" URIEncoding="UTF-8"
>>               scheme="https" secure="true" clientAuth="false" />
>> 
>> (mod_jk worker uses this connection)
>> 
>> It works whether I set scheme and secure or not.  Is the communication
>> encrypted?  (If so, I'd wonder how since Tomcat knows nothing of my CA's
>> public key or my keystore.)
>> 
>> What am I missing?
>> -- 
>> View this message in context:
>> http://www.nabble.com/Is-this-possibe---mod_jk-%3C%3D%3DSSL%3D%3D%3E-AJP-1.3-tf2776640.html#a7746284
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>> 
>> 
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>> 
>>
> 
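
Added example, not part of the original thread and not Tomcat project code: a small server.xml check for the situation discussed above. It lists AJP connectors, flags those not explicitly bound to loopback (where the cleartext AJP traffic can cross the network unless wrapped by something like stunnel), and notes where scheme/secure are set, since those attributes only control what request.getScheme() and request.isSecure() report and do not encrypt the connector. The sample XML is constructed from the connector in the question, and treating a missing address attribute as "all interfaces" is an assumption that matches older Tomcat defaults.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the question, a loopback-bound AJP
# connector, and an HTTPS connector that the audit should ignore.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8202" protocol="AJP/1.3" URIEncoding="UTF-8"
               scheme="https" secure="true" clientAuth="false"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
  </Service>
</Server>"""


def is_loopback(address):
    """True only when the connector is explicitly bound to a loopback address."""
    if address is None:
        # Assumption: no address attribute means "listen on all interfaces"
        # (older Tomcat default; newer releases bind AJP to loopback).
        return False
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector found in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors lack a TLS option of their own
        address = conn.get("address")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            # Cleartext AJP reachable from other hosts unless tunnelled.
            "network_exposed": not is_loopback(address),
            # scheme/secure label the request as HTTPS; they add no encryption.
            "tls_flags_only": conn.get("scheme") == "https"
                              or conn.get("secure") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```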
