Hi Martin
could you briefly explain the need for 2 apache webservers?
I wish I could :) We currently have our secure web apps fronted by an IBM
product, which seems to be a munged version of Apache. This has the
Cleartrust plugin in place and working fine. In the DMZ we have various web
servers, and the system architects are insisting that these servers do an
independent Cleartrust authentication. As we want to put a Tomcat machine or
three in this zone, it would need to be fronted by Apache to achieve
independent Cleartrust authentication. This sounds like overkill to me...
Regards
Ron
----- Original Message -----
From: "Martin Gainty" <mgai...@hotmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, June 21, 2010 11:45 PM
Subject: RE: Cleartrust RSA integration
could you briefly explain the need for 2 apache webservers?
thanks,
Martin
Date: Mon, 21 Jun 2010 20:22:44 +1200
From: rmcnu...@clear.net.nz
Subject: Re: Cleartrust RSA integration
To: users@tomcat.apache.org
Hi Andre
Thanks for the reply.
I had a long discussion with our architecture group today. Basically they
want Cleartrust authentication at the web gateway (in place now) and again
at the web server. The gateway (an Apache instance) and the Tomcat server
would not be on the same physical box - they would be in separate security
zones.
An option is to use yet another Apache instance fronting Tomcat. I'm not
sure what sort of performance hit this would be (i.e. Apache -> Apache ->
Tomcat) - do you have any insight?
Regards
Ron
----- Original Message -----
From: "André Warnier" <a...@ice-sa.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, June 20, 2010 9:37 PM
Subject: Re: Cleartrust RSA integration
> Ron McNulty wrote:
>> Hi All
>>
>> We are thinking of bringing some of our apps off proprietary J2EE servers
>> to Tomcat. We would be deploying on Tomcat 6 (latest), JVM 1.6 and Linux
>> on a VM (not sure of versions). One of the requirements is to
>> authenticate using RSA Cleartrust.
>>
>> From my reading, Tomcat does not support this. The recommended solution is
>> to front Tomcat with Apache, and let Apache do the Cleartrust
>> integration.
>>
>> The links I have found are a bit ancient - are my assumptions still
>> correct? Also, our system architects seem to think this setup is
>> insufficiently secure - comments?
>>
> Assuming the Apache Cleartrust authentication is secure..
> If Apache authenticates a request, and if the Apache/Tomcat connector is
> mod_jk, then the authenticated user-id is propagated from Apache to Tomcat
> (*).
> (Additional info could be propagated via additional HTTP headers, or
> "request attributes").
> If the link between Apache and Tomcat is secure (like for example both run
> on the same machine and the connection is purely internal), then there is
> no reason why this would be less secure.
>
>
> (*) whether Tomcat actually uses it, is determined by the
> "tomcatAuthentication" attribute of the AJP <Connector>.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
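
The arrangement André describes, written out as a Tomcat 6 `conf/server.xml` fragment. This is an added example, not configuration posted by anyone in the thread; the port, bind address and redirect port are assumed values.

```xml
<!-- Added example: AJP connector that trusts the user authenticated by the
     Apache front end (mod_jk). Port and address are assumed values. -->

<!--
  tomcatAuthentication="false"
    Tomcat does not authenticate the request itself. It accepts the principal
    that mod_jk forwards over AJP, so request.getRemoteUser() returns the user
    that Apache (here, via its Cleartrust integration) authenticated.
    The default is "true", in which case the forwarded user is not used.

  address="127.0.0.1"
    Binds the AJP port to loopback, matching the "both run on the same machine
    and the connection is purely internal" condition. With
    tomcatAuthentication="false", anything that can reach this port can assert
    a user id, so the connector should only be reachable from the
    authenticating Apache instance. If Apache and Tomcat are on different
    hosts, bind to the internal interface and restrict the port to the Apache
    host at the network level.
-->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           redirectPort="8443" />

<!--
  Any HTTP connector (for example port 8080) left reachable from other hosts
  gives a path to the application that skips Apache, and with it the
  Cleartrust check. Remove it or bind it to loopback as well.
-->
```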