Subject: Re: SSL and non SSL configuration on tomcat 6.0.26, confused
From: John-Paul Ranaudo
To: Tomcat Users List, pid@pidster.com
Date: Fri, 25 Jun 2010 13:40:49 -0400
In-Reply-To: <4C24E4EF.8020001@pidster.com>

Thanks for the reply.

Ok, so I am assuming I do not have to set up SSL (certificates etc.) since my load balancer is decoding the connection. So even if the load balancer is "decoding" the connection I still have to have SSLEnabled="true"? However, if I do, does this not make Tomcat try and decode the "connection"?

*Which is the root of my problem. How to use the HTTPS protocol without having Tomcat decrypt the connection since the load balancer has done this for me.*

The link to the documentation is correct. However, the properties of the connector are confusing to me. For example "SSLEnabled" is fairly obvious but "secure" is confusing. Not sure under what context I need to set this.

The application always uses relative paths so whatever protocol the framework is using will be what is returned in the page.

I have also tried setting the redirect port, thinking I can redirect requests to 443 to port 80 internally and scheme to 'https'. This actually had the effect of making one framework (the one with https) work but broke the other.
Regards,
John

On Fri, Jun 25, 2010 at 1:18 PM, Pid wrote:
> On 25/06/2010 17:56, John-Paul Ranaudo wrote:
> > Our environment:
> >
> > Unix Solaris 5.9
> > Tomcat 6.0.26
> > JVM 1.6.20
> >
> > Our application runs in two frameworks. One uses https, one does not. I am
> > trying to configure the tomcat connectors to work but when I get it working
> > in one framework it does not work in the other.
> >
> > *I have been told we do not need to 'handle' SSL totally as this is handled
> > by our load balancers. Not sure what this means*.
>
> That usually means that the load-balancer is decoding the SSL connection
> and passing an unencrypted connection through to the servers in the
> cluster, which then don't need to repeat the effort.
>
> > For example: In one framework we'll get permission denied errors and the
> > other will work. If we change things around the opposite occurs but instead
> > of permission errors we get an invalid certificate error.
> >
> > The tomcat documentation on connectors does not describe the options very
> > well.
>
> This link, or another one?
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL Support
>
> > maxThreads="150" scheme="https" secure="false" clientAuth="false"
> > sslProtocol="TLS"/>
>
> Looks like a few odd things going on there.
>
> SSLEnabled=false
> secure=false
>
> You'll need to set at least one of those to true.
>
> If the connector on 443 is supposed to be decoding SSL connections
> there's a lot more config you'll need too. See the link above.
>
> > The above connectors work with the http framework but give me the "mixed
> > content warning" in IE because some requests are http and some https.
>
> That's nothing to do with the Connectors per se. If your web app is
> mixing references to secure and insecure pages, you'll get that warning.
>
> You need to fix your app so it does the right thing.
>
>
> p
>
> > It's obvious I have not worked with SSL very much. Any help would be
> > greatly appreciated.
> >
> > Regards,
> >
> > John Ranaudo
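The "load balancer decrypts, Tomcat does not" setup the thread is circling around, written out as an added server.xml example that is not part of this thread or of Tomcat's own docs. It assumes the load balancer forwards plain HTTP to Tomcat on port 80 for the non-SSL framework and forwards traffic it received on 443, already decrypted, to a second Tomcat port, 8443.

```xml
<!-- server.xml excerpt (added example). SSL is terminated on the load balancer,
     so neither connector has SSLEnabled, a keystore or a certificate. -->
<Service name="Catalina">

  <!-- Plain HTTP traffic from the load balancer.
       redirectPort is only used when a webapp security-constraint with
       transport-guarantee CONFIDENTIAL is hit: Tomcat then redirects the
       browser to https on port 443, i.e. back to the load balancer. -->
  <Connector port="80"
             protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <!-- Traffic the load balancer accepted on 443 and decrypted.
       SSLEnabled is left unset (default false): Tomcat sees plain HTTP and
       never tries to decode anything.
       scheme / secure / proxyPort only change what the webapp is told:
         request.getScheme()     -> "https"
         request.isSecure()      -> true
         request.getServerPort() -> 443
       so self-referencing URLs and redirects point at the load balancer,
       not at 8443, and the https framework no longer sees itself as http. -->
  <Connector port="8443"
             protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https"
             secure="true"
             proxyPort="443" />

  <!-- Engine / Host configuration unchanged, omitted here. -->
</Service>
```

Setting secure="true" also makes Tomcat mark the JSESSIONID cookie it issues on that connector as Secure, which the quoted secure="false" connector would not do. If the load balancer can only forward to one Tomcat port, the alternative is a single connector plus the RemoteIpValve reading the X-Forwarded-Proto header the balancer sets, which Tomcat 6.0.24 and later ship.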