From: Peter Kreuser
To: Tomcat Users List
Date: Mon, 9 Sep 2019 23:37:02 +0200
Subject: Re: Secure Communication Between Tomcat Servers

Isn't that what client certs are for? HTTPS to identify Server A, client cert to authenticate Server B? Message integrity should then be unnecessary?! Or am I missing a piece?

Peter

> On 09.09.2019 at 21:10, M. Manna wrote:
>
> Why not use JWT cookies/tokens? You sign your claims and only you can
> validate the claims and ensure that it's coming from the right place/user.
>
> Thanks,
>
>> On Mon, 9 Sep 2019 at 19:26, Michael Duffy wrote:
>>
>> I need to communicate securely between two Tomcat servers running in two
>> different environments. I have control of both servers.
>>
>> I would like to do this through a simple REST call from Server-B to
>> Server-A.
>>
>> On the server I am communicating to, Server-A, I can easily set up HTTPS
>> with a self-signed certificate. If I import this certificate into the Java
>> Keystore on Server-B, I can make a trusted HTTPS REST call from my Java
>> code on Server-B.
>>
>> Good instructions for doing this can be found here:
>>
>> https://blog.10pines.com/2017/09/25/how-to-communicate-via-https-between-two-tomcat-servers-using-a-self-signed-certificate/
>>
>> I would also like to add a confirmation that the REST call to Server-A is
>> certainly coming from Server-B and the message has integrity.
>>
>> My plan is to generate a self-signed certificate on Server-B and import
>> this certificate into the Java Keystore on Server-A. Then for any REST
>> call from Server-B I will first generate an SHA-512 hash of the message and
>> sign the hash with the private key associated with the Server-B
>> certificate. When Server-A receives the message, the SHA-512 hash will be
>> recalculated and checked for accuracy of the hash (no message tampering).
>> I will then check the signature of the hash against the public key of the
>> certificate from Server-B.
>>
>> For a little bit of extra paranoia I may encrypt the REST message with the
>> public key of the certificate from Server-A; for short messages this should
>> be fine (no need for symmetric encryption).
>>
>> Does this seem like a good plan?
>>
>> Thx in advance for any suggestions.
>>
>> Mike
>>
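The sign-and-verify scheme Michael describes, written out as an added Java example (not code from the thread or from Tomcat). It assumes throwaway in-memory RSA key pairs standing in for the two self-signed certificates; in the real setup Server-B's private key and Server-A's copy of Server-B's public key would be loaded from the respective keystores. The request body and the class and method names are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;

public class SignedRestCallDemo {

    // Stand-in for the key pairs behind the two self-signed certificates. In the
    // thread's setup these live in each server's keystore; generating them in memory
    // keeps this demo self-contained (assumption, not the project's own code).
    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Server-B side: sign the request body. SHA512withRSA computes the SHA-512 digest
    // of the body and signs that digest in one step, so no separate hashing pass is needed.
    static String sign(byte[] body, PrivateKey serverBPrivate) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA512withRSA");
        sig.initSign(serverBPrivate);
        sig.update(body);
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    // Server-A side: recompute the digest over the body as received and check the
    // signature against the public key from Server-B's imported certificate. A changed
    // body or a signature made with any other key makes this return false.
    static boolean verify(byte[] body, String signatureB64, PublicKey serverBPublic)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA512withRSA");
        sig.initVerify(serverBPublic);
        sig.update(body);
        try {
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // malformed or wrong-length signature counts as a failed check
        }
    }

    // Optional confidentiality step from the plan: encrypt a short body with Server-A's
    // public key. RSA-OAEP with SHA-256 on a 2048-bit key accepts at most 190 bytes.
    static byte[] encryptForServerA(byte[] body, PublicKey serverAPublic) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.ENCRYPT_MODE, serverAPublic);
        return cipher.doFinal(body);
    }

    static byte[] decryptOnServerA(byte[] ciphertext, PrivateKey serverAPrivate) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(Cipher.DECRYPT_MODE, serverAPrivate);
        return cipher.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPair serverA = newKeyPair();
        KeyPair serverB = newKeyPair();
        KeyPair untrusted = newKeyPair(); // a key Server-A has never imported

        // Constructed sample request body.
        byte[] body = "{\"action\":\"sync\",\"batch\":17}".getBytes(StandardCharsets.UTF_8);
        String signature = sign(body, serverB.getPrivate());
        System.out.println("genuine request verifies:     " + verify(body, signature, serverB.getPublic()));

        // Integrity check: one changed byte in the body invalidates the signature.
        byte[] tampered = "{\"action\":\"sync\",\"batch\":18}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body verifies:       " + verify(tampered, signature, serverB.getPublic()));

        // Origin check: a signature from a key other than Server-B's is rejected.
        String otherSig = sign(body, untrusted.getPrivate());
        System.out.println("untrusted-key sig verifies:   " + verify(body, otherSig, serverB.getPublic()));

        // Round trip of the optional encryption step.
        byte[] ciphertext = encryptForServerA(body, serverA.getPublic());
        byte[] recovered = decryptOnServerA(ciphertext, serverA.getPrivate());
        System.out.println("decrypted body matches:       " + Arrays.equals(body, recovered));

        // The "short messages only" limit the plan relies on, made explicit.
        try {
            encryptForServerA(new byte[191], serverA.getPublic());
        } catch (IllegalBlockSizeException e) {
            System.out.println("191-byte body rejected:       " + e.getMessage());
        }
    }
}
```

Two points from the thread show up directly in the code. First, as Peter's reply says, if Server-A's HTTPS connector is configured to require a client certificate, the TLS handshake already authenticates Server-B and protects the channel's integrity, so the application-layer signature above duplicates that work. Second, the signature binds only the bytes that were signed: a request body without a timestamp or nonce verifies just as well if it is delivered again later, so a deployment that keeps the signature should include such a field in the signed body and check it on Server-A.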