Posted to users@tomcat.apache.org by Afkham Azeez <af...@gmail.com> on 2011/10/06 16:17:44 UTC

Securing Tomcat cluster communication

Hi folks,
Is there a way to do authentication in Tribes when new members try to join a
cluster so that unauthorized nodes cannot join in? Also, when clustering
messages are sent back & forth, how do we ensure security?

Thanks
Azeez

Re: AW: Securing Tomcat cluster communication

Posted by Afkham Azeez <af...@gmail.com>.
Correct. What we have between nodes in a cluster is a channel. My questions
are related to securing this channel.


On Thu, Oct 6, 2011 at 8:17 PM, Ronald Klop (Mailing List) <ronald-mailinglist@base.nl> wrote:

> A 'connector' is used between for example Apache httpd and Tomcat. It is
> not used between Tomcat nodes in a cluster.
>
> Ronald.
>
>
> On Thursday, 6 October 2011 16:22, Alexander Diedler <adiedler@tecracer.de> wrote:
>
>
>>  Hello,
>>  Please search for "secret" in
>>  http://tomcat.apache.org/connectors-doc/reference/workers.html
>>  Only requests from members with the same secret word will be accepted.
>>  Greetings
>>  Alexander
>>  -----Original Message-----
>>  From: Afkham Azeez [mailto:afkham@gmail.com]
>>  Sent: Thursday, 6 October 2011 16:18
>>  To: Tomcat Users List
>>  Subject: Securing Tomcat cluster communication
>>  Hi folks,
>>  Is there a way to do authentication in Tribes when new members try to
>> join a
>>  cluster so that unauthorized nodes cannot join in? Also, when clustering
>>  messages are sent back & forth, how do we ensure security?
>>  Thanks
>>  Azeez
>>
>>
>>

Re: AW: Securing Tomcat cluster communication

Posted by "Ronald Klop (Mailing List)" <ro...@base.nl>.
A 'connector' is used between for example Apache httpd and Tomcat. It is not used between Tomcat nodes in a cluster.

 Ronald.


On Thursday, 6 October 2011 16:22, Alexander Diedler <ad...@tecracer.de> wrote:
> 
>   
>  
>  Hello,
>  Please search for "secret" in
>  http://tomcat.apache.org/connectors-doc/reference/workers.html  
>  Only requests from members with the same secret word will be accepted.
>  
>  Greetings
>  Alexander
>  
>  
>  -----Original Message-----
>  From: Afkham Azeez [mailto:afkham@gmail.com]
>  Sent: Thursday, 6 October 2011 16:18
>  To: Tomcat Users List
>  Subject: Securing Tomcat cluster communication
>  
>  Hi folks,
>  Is there a way to do authentication in Tribes when new members try to join a
>  cluster so that unauthorized nodes cannot join in? Also, when clustering
>  messages are sent back & forth, how do we ensure security?
>  
>  Thanks
>  Azeez
>  
> 
> 
>  
>  
>  
>

Re: Securing Tomcat cluster communication

Posted by Afkham Azeez <af...@gmail.com>.
Thanks Alexander. That would work for authentication. But how could we
achieve confidentiality when it comes to the clustering messages (state
replication etc)?

On Thu, Oct 6, 2011 at 7:52 PM, Alexander Diedler <ad...@tecracer.de> wrote:

> Hello,
> Please search for "secret" in
> http://tomcat.apache.org/connectors-doc/reference/workers.html
> Only requests from members with the same secret word will be accepted.
>
> Greetings
> Alexander
>
>
> -----Original Message-----
> From: Afkham Azeez [mailto:afkham@gmail.com]
> Sent: Thursday, 6 October 2011 16:18
> To: Tomcat Users List
> Subject: Securing Tomcat cluster communication
>
> Hi folks,
> Is there a way to do authentication in Tribes when new members try to join
> a
> cluster so that unauthorized nodes cannot join in? Also, when clustering
> messages are sent back & forth, how do we ensure security?
>
> Thanks
> Azeez
>

AW: Securing Tomcat cluster communication

Posted by Alexander Diedler <ad...@tecracer.de>.
Hello,
Please search for "secret" in
http://tomcat.apache.org/connectors-doc/reference/workers.html  
Only requests from members with the same secret word will be accepted.

Greetings
Alexander


-----Original Message-----
From: Afkham Azeez [mailto:afkham@gmail.com]
Sent: Thursday, 6 October 2011 16:18
To: Tomcat Users List
Subject: Securing Tomcat cluster communication

Hi folks,
Is there a way to do authentication in Tribes when new members try to join a
cluster so that unauthorized nodes cannot join in? Also, when clustering
messages are sent back & forth, how do we ensure security?

Thanks
Azeez

Re: Securing Tomcat cluster communication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Afkham,

On 10/6/11 10:17 AM, Afkham Azeez wrote:
> Is there a way to do authentication in Tribes when new members try
> to join a cluster so that unauthorized nodes cannot join in? Also,
> when clustering messages are sent back & forth, how do we ensure
> security?

You could use stunnel between all your boxes, but I'm not sure how
that works with multicast. That would handle your authentication
issues (use ssh authentication) as well as encryption of data across
untrusted network segments.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Securing Tomcat cluster communication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Azeez,

On 10/6/2011 10:17 AM, Afkham Azeez wrote:
> Is there a way to do authentication in Tribes when new members try
> to join a cluster so that unauthorized nodes cannot join in? Also,
> when clustering messages are sent back & forth, how do we ensure
> security?

You could always use stunnel. I'm currently piloting that for a
multi-node cluster with a pair of httpd instances for load-balancing.

-chris


Re: Securing Tomcat cluster communication

Posted by Afkham Azeez <af...@gmail.com>.
Thanks Filip. I will try to implement this & contribute it back to Tomcat
if that would be useful.

Azeez

On Thu, Nov 24, 2011 at 2:06 AM, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:

> Yes, that way you could encrypt your data packets and not worry about the
> wire protocol.
> the placement of the interceptor will be important, so that you don't
> encrypt packets you don't need to (like ping and failure detection)
>
> Filip
>
>
> On 11/23/2011 10:53 AM, Afkham Azeez wrote:
>
>> On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:
>>> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>>>
>>>  I had a look at the Tribes code. Can somebody please explain how
>>>> Channel.SEND_OPTIONS_SECURE works?
>>>>
>>>>  not yet implemented :(
>>>
>>>  What is the proper way of implementing this if I was to do it?
>> Implement an
>> interceptor which will handle encryption/decryption? This is for Axis2
>> clustering which uses Tribes, so we could use the Tribes API.
>>
>>
>>
>>   From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>>>>>
>>>> encrypted
>>>> channel
>>>>
>>>> How is this encrypted channel setup? How do we define the keys/keystores
>>>> etc?
>>>>
>>>>
>>>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez<af...@gmail.com>   wrote:
>>>>
>>>>  Hi folks,
>>>>
>>>>> Is there a way to do authentication in Tribes when new members try to
>>>>> join
>>>>> a cluster so that unauthorized nodes cannot join in? Also, when
>>>>> clustering
>>>>> messages are sent back & forth, how do we ensure security?
>>>>>
>>>>> Thanks
>>>>> Azeez
>>>>>
>>>>>
>>>>>
>>
>
>
>


-- 
Afkham Azeez
Director of Architecture; WSO2, Inc.; http://wso2.com,
Member; Apache Software Foundation; http://www.apache.org/

email: azeez@wso2.com cell: +94 77 3320919
blog: http://blog.afkham.org
twitter: http://twitter.com/afkham_azeez
linked-in: http://lk.linkedin.com/in/afkhamazeez

Lean . Enterprise . Middleware

Re: Securing Tomcat cluster communication

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Yes, that way you could encrypt your data packets and not worry about the wire protocol.
The placement of the interceptor will be important, so that you don't encrypt packets you don't need to (like ping and failure detection).

Filip

On 11/23/2011 10:53 AM, Afkham Azeez wrote:
> On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:
>> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>>
>>> I had a look at the Tribes code. Can somebody please explain how
>>> Channel.SEND_OPTIONS_SECURE works?
>>>
>> not yet implemented :(
>>
> What is the proper way of implementing this if I was to do it? Implement an
> interceptor which will handle encryption/decryption? This is for Axis2
> clustering which uses Tribes, so we could use the Tribes API.
>
>
>
>>>>  From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>>> encrypted
>>> channel
>>>
>>> How is this encrypted channel setup? How do we define the keys/keystores
>>> etc?
>>>
>>>
>>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez<af...@gmail.com>   wrote:
>>>
>>>   Hi folks,
>>>> Is there a way to do authentication in Tribes when new members try to
>>>> join
>>>> a cluster so that unauthorized nodes cannot join in? Also, when
>>>> clustering
>>>> messages are sent back & forth, how do we ensure security?
>>>>
>>>> Thanks
>>>> Azeez
>>>>
>>>>
>>>>
>>
>>
>


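The interceptor approach discussed in the message above, as an added example that is not code from this thread or from Tomcat: a Tribes interceptor that encrypts each payload on the way down and decrypts it on the way up. The class name `SharedKeyCryptoInterceptor`, the choice of AES-GCM and the pre-shared key are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.tribes.ChannelException;
import org.apache.catalina.tribes.ChannelMessage;
import org.apache.catalina.tribes.Member;
import org.apache.catalina.tribes.group.ChannelInterceptorBase;
import org.apache.catalina.tribes.group.InterceptorPayload;

// Hypothetical class (not part of Tomcat): AES-GCM over each payload passing through it.
public class SharedKeyCryptoInterceptor extends ChannelInterceptorBase {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKeySpec key; // assumption: same 16- or 32-byte key on every node
    public SharedKeyCryptoInterceptor(byte[] rawKey) { key = new SecretKeySpec(rawKey, "AES"); }

    @Override
    public void sendMessage(Member[] dest, ChannelMessage msg, InterceptorPayload payload)
            throws ChannelException {
        try {
            byte[] iv = new byte[IV_LEN];
            new SecureRandom().nextBytes(iv); // fresh random nonce for every message
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(msg.getMessage().getBytes());
            msg.getMessage().trim(msg.getMessage().getLength()); // empty the buffer
            msg.getMessage().append(iv, 0, IV_LEN);              // wire format: IV || ct+tag
            msg.getMessage().append(ct, 0, ct.length);
        } catch (GeneralSecurityException e) {
            throw new ChannelException("encryption failed", e);
        }
        getNext().sendMessage(dest, msg, payload); // continue down toward the network
    }

    @Override
    public void messageReceived(ChannelMessage msg) {
        try {
            byte[] in = msg.getMessage().getBytes();
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN); // throws on a bad tag
            msg.getMessage().trim(msg.getMessage().getLength());
            msg.getMessage().append(pt, 0, pt.length);
        } catch (GeneralSecurityException | RuntimeException e) {
            return; // wrong key, tampered or truncated input: drop it, never pass it up
        }
        getPrevious().messageReceived(msg); // continue up toward the application
    }
}
```

Added with `channel.addInterceptor(...)` ahead of `TcpPingInterceptor` and `TcpFailureDetector`, it sits above them in the stack, so the ping and failure-detection messages they originate never pass through it. It protects the confidentiality and integrity of payloads only: it does not authenticate membership announcements and has no replay protection.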


Re: Securing Tomcat cluster communication

Posted by Afkham Azeez <af...@gmail.com>.
On Wed, Nov 23, 2011 at 8:48 PM, Filip Hanik - Dev Lists <devlists@hanik.com> wrote:

> On 10/6/2011 8:31 AM, Afkham Azeez wrote:
>
>> I had a look at the Tribes code. Can somebody please explain how
>> Channel.SEND_OPTIONS_SECURE works?
>>
> not yet implemented :(
>

What is the proper way of implementing this if I was to do it? Implement an
interceptor which will handle encryption/decryption? This is for Axis2
clustering which uses Tribes, so we could use the Tribes API.



>
>> From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an
>> encrypted
>> channel
>>
>> How is this encrypted channel setup? How do we define the keys/keystores
>> etc?
>>
>>
>> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez<af...@gmail.com>  wrote:
>>
>>  Hi folks,
>>> Is there a way to do authentication in Tribes when new members try to
>>> join
>>> a cluster so that unauthorized nodes cannot join in? Also, when
>>> clustering
>>> messages are sent back & forth, how do we ensure security?
>>>
>>> Thanks
>>> Azeez
>>>
>>>
>>>
>>
>
>
>



Re: Securing Tomcat cluster communication

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
On 10/6/2011 8:31 AM, Afkham Azeez wrote:
> I had a look at the Tribes code. Can somebody please explain how
> Channel.SEND_OPTIONS_SECURE works?

not yet implemented :(

> From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an encrypted
> channel
>
> How is this encrypted channel setup? How do we define the keys/keystores
> etc?
>
>
> On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez<af...@gmail.com>  wrote:
>
>> Hi folks,
>> Is there a way to do authentication in Tribes when new members try to join
>> a cluster so that unauthorized nodes cannot join in? Also, when clustering
>> messages are sent back & forth, how do we ensure security?
>>
>> Thanks
>> Azeez
>>
>>
>




Re: Securing Tomcat cluster communication

Posted by Afkham Azeez <af...@gmail.com>.
I had a look at the Tribes code. Can somebody please explain how
Channel.SEND_OPTIONS_SECURE works?

From the JavaDoc: SEND_OPTIONS_SECURE - Message is sent over an encrypted
channel

How is this encrypted channel setup? How do we define the keys/keystores
etc?


On Thu, Oct 6, 2011 at 7:47 PM, Afkham Azeez <af...@gmail.com> wrote:

> Hi folks,
> Is there a way to do authentication in Tribes when new members try to join
> a cluster so that unauthorized nodes cannot join in? Also, when clustering
> messages are sent back & forth, how do we ensure security?
>
> Thanks
> Azeez
>
>

