Blog : Enabling SSL Communication and Client Certificate Authentication between Apache Web Server and Apache Tomcat

posted by jfullam on July 9, 2012 07:56 PM

Secure Socket Layer, or SSL, certificates are frequently used to confirm the identity of a server before consuming its services and to secure communications with the server. Typically, when an Apache web server is used to load balance requests to one or more Apache Tomcat servers (including VMware’s commercial version, tc Server), the SSL encryption and certificate authentication is terminated at the web server. Communication between the Apache web server and Tomcat is then trusted and in clear text.

However, there are organizational security policies and B2B scenarios that could mandate secure communication between Apache web server and Tomcat. Furthermore, it could be important to restrict access to Tomcat to known instances of Apache web server.

This tutorial will provide details for a configuration option that enables SSL communication and client certificate authentication between Apache Web Server and Tomcat.

At a high level, this tutorial provides instructions to

    1. Encrypt communication with Tomcat
    2. Restrict communication with Tomcat to known clients
    3. Configure Apache web server to proxy requests to Tomcat using SSL
    4. Configure Apache web server to use a specific client certifica te to authenticate with Tomcat


Read More



Developers, Operations | authentication, client certificate, communication

Knowledge Base : Securing Apache Tomcat for Enterprise Use

posted by SpringSource on April 8, 2010 12:06 PM

For development and operations teams, a presentation that covers various security configuration options available in Apache Tomcat and SpringSource tc Server.

A default Apache Tomcat installation is secure but each installation environment is different and may have additional security requirements. This presentation will examine the security configuration options available in Apache Tomcat and SpringSource tc Server, when to use them (and when not to use them) and the threats they might help mitigate. The rationale behind having resource passwords (e.g. for database access) in clear text in server.xml will also be discussed.

Read More



Security | authentication, deployment, logs

Knowledge Base : Apache Tomcat blocking IO connector

posted by SpringSource on October 27, 2009 03:06 PM

How the client certificate authentication works in Tomcat

The CLIENT-CERTauthorization in Tomcat works in the following way: 

1) If tomcatAuthentication="false" is set in server.xml, Tomcat simply takes the username from the AJP request and assumes all authentication has already been done.

2) If tomcatAuthentication="true" is set, the CLIENT-CERT will result in the org.apache.catalina.authenticator.SSLAuthenticator valve being inserted automatically into the application Context.

Read More



Security | authentication, client certificate, Tomcat

Syndicate content