Posted to users@tomcat.apache.org by "Cochran, Jonathan - IS.CONTRACTOR" <Jo...@exelisinc.com> on 2013/05/31 01:38:45 UTC

Encrypting AJP13 Traffic With isapi_redirect

Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into IIS and passing through to GlassFish using unencrypted AJP13, but want to also encrypt the traffic between IIS and GlassFish.  There is GlassFish documentation for enabling SSL between Apache and GlassFish using mod_jk, and it involves setting some mod_jk settings (in addition to some settings in GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to enable SSL on the passthrough port, but can’t find any settings for isapi_redirect that would indicate using SSL.  The GlassFish documentation for using SSL with mod_jk involved some settings like “JkExtractSSL On” and “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the isapi_redirect configuration.  I can access the site fine using the built-in GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is what I’m seeing in the isapi_redirect log file:

[Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
[Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
[Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
[Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300
[Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)

Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just don’t have something configured properly, or am I trying to do something that isn’t supported natively?  I saw some old posts about needing to use other methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated that something was in the works to support this natively.

Thanks,
Jonathan

________________________________

This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Exelis Inc. The recipient should check this e-mail and any attachments for the presence of viruses. Exelis Inc. accepts no liability for any damage caused by any virus transmitted by this e-mail.

RE: Encrypting AJP13 Traffic With isapi_redirect

Posted by "Cochran, Jonathan - IS.CONTRACTOR" <Jo...@exelisinc.com>.
OK, thank you for the clarification.

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de]
Sent: Friday, May 31, 2013 1:30 AM
To: users@tomcat.apache.org
Subject: Re: Encrypting AJP13 Traffic With isapi_redirect

On 31.05.2013 01:38, Cochran, Jonathan - IS.CONTRACTOR wrote:
> Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into IIS and passing through to GlassFish using unencrypted AJP13, but want to also encrypt the traffic between IIS and GlassFish.  There is GlassFish documentation for enabling SSL between Apache and GlassFish using mod_jk, and it involves setting some mod_jk settings (in addition to some settings in GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to enable SSL on the passthrough port, but can’t find any settings for isapi_redirect that would indicate using SSL.  The GlassFish documentation for using SSL with mod_jk involved some settings like “JkExtractSSL On” and “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the isapi_redirect configuration.  I can access the site fine using the built-in GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is what I’m seeing in the isapi_redirect log file:

mod_jk and the isapi redirector both do not support encrypting the connection between web server and servlet engine.

You could set up an encrypted tunnel.

The SSL options for mod_jk are just to control what kind of information about the HTTPS connection between client and web server are forwarded from there to the servlet engine (like original ssl session id, certificate details etc.).

> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
> [Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300
> [Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>
> Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just don’t have something configured properly, or am I trying to do something that isn’t supported natively?  I saw some old posts about needing to use other methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated that something was in the works to support this natively.

Regards,

Rainer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





Re: Encrypting AJP13 Traffic With isapi_redirect

Posted by Rainer Jung <ra...@kippdata.de>.
On 31.05.2013 01:38, Cochran, Jonathan - IS.CONTRACTOR wrote:
> Does the IIS isapi_redirect.dll support encrypting AJP13 traffic?  We are setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 isapi_redirect.dll.  We have everything working with HTTPS/SSL coming into IIS and passing through to GlassFish using unencrypted AJP13, but want to also encrypt the traffic between IIS and GlassFish.  There is GlassFish documentation for enabling SSL between Apache and GlassFish using mod_jk, and it involves setting some mod_jk settings (in addition to some settings in GlassFish to enable SSL on that end).  I’ve made the changes to GlassFish to enable SSL on the passthrough port, but can’t find any settings for isapi_redirect that would indicate using SSL.  The GlassFish documentation for using SSL with mod_jk involved some settings like “JkExtractSSL On” and “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the isapi_redirect configuration.  I can access the site fine using the built-in GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do the IIS passthrough to the SSL-enabled AJP13 port in GlassFish.  Following is what I’m seeing in the isapi_redirect log file:

mod_jk and the isapi redirector both do not support encrypting the
connection between web server and servlet engine.

You could set up an encrypted tunnel.

The SSL options for mod_jk are just to control what kind of information about the HTTPS connection between client and web server are forwarded from there to the servlet engine (like original ssl session id, certificate details etc.).

> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
> [Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300
> [Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
> 
> Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just don’t have something configured properly, or am I trying to do something that isn’t supported natively?  I saw some old posts about needing to use other methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated that something was in the works to support this natively.

Regards,

Rainer


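The encrypted tunnel Rainer suggests, as an added example that is not part of this thread nor of the mod_jk/isapi_redirect or GlassFish projects: a stunnel pair carries the AJP13 connection over mutually authenticated TLS, and isapi_redirect's worker1 is pointed at the local tunnel endpoint instead of GlassFish. The host name glassfish.internal.example, port 8010, the certificate paths and the stunnel 5 option names are assumptions; only worker1 and port 8009 come from the thread.

```ini
; ---- IIS host: stunnel.conf (client side) ----
; isapi_redirect still speaks plaintext AJP13, but only to this loopback
; listener; stunnel wraps it in TLS on the way to the GlassFish host.
[ajp13-to-glassfish]
client = yes
accept = 127.0.0.1:8010
; assumed host name of the GlassFish server
connect = glassfish.internal.example:8010
; client certificate, so the GlassFish side can authenticate the IIS host
cert = C:\stunnel\iis-client.pem
key = C:\stunnel\iis-client.key
; accept only a peer certificate chained to the internal CA
; and issued for the expected host name
CAfile = C:\stunnel\internal-ca.pem
verifyChain = yes
checkHost = glassfish.internal.example

; ---- GlassFish host: stunnel.conf (server side) ----
; Terminates TLS and hands plaintext AJP13 to the jk listener, which
; stays on 127.0.0.1:8009 so it is reachable only through the tunnel.
; The jk listener itself runs plaintext again: the SSL that was enabled
; on it (what produced the 502 above) is no longer needed there.
[ajp13-from-iis]
accept = 0.0.0.0:8010
connect = 127.0.0.1:8009
cert = /etc/stunnel/glassfish.pem
key = /etc/stunnel/glassfish.key
; require a client certificate from the internal CA: only the IIS host
; holds one, so nothing else can reach the AJP13 listener through here
CAfile = /etc/stunnel/internal-ca.pem
verifyChain = yes

# ---- IIS host: workers.properties for isapi_redirect ----
# worker1 now targets the local tunnel endpoint, not GlassFish directly.
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8010
```

isapi_redirect is unaware of the tunnel, so no SSL-related worker setting is needed on the IIS side; the Jk* directives from the GlassFish/mod_jk documentation remain irrelevant, as Rainer notes.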


RE: Encrypting AJP13 Traffic With isapi_redirect

Posted by "Cochran, Jonathan - IS.CONTRACTOR" <Jo...@exelisinc.com>.
Thanks for your input, but we're using IIS, not Apache, so this doesn't apply.  Rainer clarified that SSL between IIS and GlassFish is not natively possible anyway.

From: Martin Gainty [mailto:mgainty@hotmail.com]
Sent: Thursday, May 30, 2013 8:18 PM
To: Cochran, Jonathan - IS.CONTRACTOR
Subject: RE: Encrypting AJP13 Traffic With isapi_redirect

you answered your own question
SSLOptions +StdEnvVars +ExportCertData must be set in httpd.conf

http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html#s4

Martin
______________________________________________
American Idiot...contractor to illegal aliens

> From: Jonathan.Cochran.Contractor@exelisinc.com<ma...@exelisinc.com>
> To: users@tomcat.apache.org<ma...@tomcat.apache.org>
> Subject: Encrypting AJP13 Traffic With isapi_redirect
> Date: Thu, 30 May 2013 23:38:45 +0000
>
> Does the IIS isapi_redirect.dll support encrypting AJP13 traffic? We are setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 isapi_redirect.dll. We have everything working with HTTPS/SSL coming into IIS and passing through to GlassFish using unencrypted AJP13, but want to also encrypt the traffic between IIS and GlassFish. There is GlassFish documentation for enabling SSL between Apache and GlassFish using mod_jk, and it involves setting some mod_jk settings (in addition to some settings in GlassFish to enable SSL on that end). I've made the changes to GlassFish to enable SSL on the passthrough port, but can't find any settings for isapi_redirect that would indicate using SSL. The GlassFish documentation for using SSL with mod_jk involved some settings like "JkExtractSSL On" and "JkHTTPSIndicator HTTPS", but there is nothing like that available for the isapi_redirect configuration. I can access the site fine using the built-in GlassFish HTTPS/SSL port 8181, but I'm getting a 502 error when trying to do the IIS passthrough to the SSL-enabled AJP13 port in GlassFish. Following is what I'm seeing in the isapi_redirect log file:
>
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009]
> [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec.
> [Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300
> [Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet)
>
> Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just don't have something configured properly, or am I trying to do something that isn't supported natively? I saw some old posts about needing to use other methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated that something was in the works to support this natively.
>
> Thanks,
> Jonathan
>