
How do we ensure that the Apache AJP to Tomcat connection is secure/encrypted?

We want to front-end our Tomcat instance with an Apache instance (running on the same machine) that will be serving everything on HTTPS and connect Apache to Tomcat using AJP. When using AJP, do we need to do anything to make sure that the connection between Apache and Tomcat is secure? (We don't want passwords to be sniffable on the network between Apache and Tomcat.) The O/S is Red Hat Enterprise Linux 6.3.

BestPractices asked Sep 17 '12 13:09


People also ask

Is AJP protocol encrypted?

The Apache JServ Protocol v1.3 (AJP13) is binary for performance reasons, but it is not encrypted.

Is AJP secure?

Resolution. This is a configuration issue with AJP protocol in Tomcat/Undertow. AJP is a highly trusted protocol and should never be exposed to untrusted clients. It is insecure (clear text transmission) and assumes that your network is safe.

What is AJP protocol in Tomcat?

Apache JServ Protocol, or AJP, is an optimized binary version of HTTP that is typically used to allow Tomcat to communicate with an Apache web server.

In which file in Tomcat we can enable the security option?

The SecurityManager is normally controlled by a file called "java.policy," which is distributed with the SDK. Tomcat uses the file $CATALINA_BASE/conf/catalina.policy in place of this file.


2 Answers

You are saying

Tomcat instance with an Apache instance (running on the same machine)

and later you are saying

We don't want passwords to be sniffable on the network between Apache and Tomcat

These just contradict each other.

EDIT: AJP is not designed to be secure; if you need security, use mod_proxy_http and proxy over HTTPS, or create an SSH tunnel. Needless to say, you will have to pay for this overhead.

mindas answered Sep 20 '22 23:09


When using AJP you cannot do anything to ensure it is secure. It isn't. There is no SSL version. You would have to use HTTPS. AJP is designed for the usual case where HTTPD and Tomcat are in the same private LAN and security isn't an issue.

user207421 answered Sep 21 '22 23:09
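
Both answers point to HTTPS between Apache and Tomcat as the way to encrypt the back-end hop. As an added example (not part of the original answers), here is the AJP proxy line next to a mod_proxy_http replacement. The host names, port 8443 and certificate paths are assumptions, and Tomcat is assumed to already expose an HTTPS connector on that port with a certificate issued by the internal CA.

```apache
# Added example, not from the original post.
# Host names, port and file paths below are assumptions.

# BEFORE: mod_proxy_ajp. AJP13 has no TLS variant, so everything Apache
# decrypts from the client (credentials included) crosses this hop in
# clear text. That is only invisible to the network when the hop stays
# on the loopback interface of the same machine.
#ProxyPass / ajp://127.0.0.1:8009/

# AFTER: mod_proxy_http over HTTPS (needs mod_ssl, mod_proxy, mod_proxy_http).
<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # TLS on the outbound connection to Tomcat
    SSLProxyEngine on

    # Verify Tomcat's certificate. Without these directives the hop is
    # encrypted but not authenticated, so an on-path host could still
    # impersonate the back end.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off
    ProxyPass        / https://tomcat.internal.example:8443/
    ProxyPassReverse / https://tomcat.internal.example:8443/
</VirtualHost>
```

After switching, the AJP connector in Tomcat can be disabled so that the clear-text listener is no longer reachable at all.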