How to make mod_jk authenticate SSL connections

Question

I have a 3 Tomcat application servers with 3 Apache servers in front. Communication between Apache and Tomcats is done via mod_jk. I need to have secure connections between the Tomcat and Apache servers. To make this connection secured, it has to be encrypted and authenticated (to prevent man in the middle attacks).

To be clear, I am not trying to authenticate clients. Only to make sure that traffic between Tomcat and Apache cannot be sniffed.

I've been looking around, but I cant find a way to have mod_jk authenticate the certificates exposed by Tomcat. Any idea where I should be looking ?

Thanks for your help !

Answer 1

Unfortunately, I don't think server authentication is possible via an AJP connector.

While client certificates can be communicated to the Tomcat server via SSLOptions +ExportCertData, the AJP connection itself is in the clear and has no means of authenticating either the AJP client (Apache) or the AJP server (Tomcat) in either direction.

You may be forced to switch to HTTPS if server authentication is required. If there's a reason that AJP is needed, there are options adding extra security layers outside of the AJP protocol for doing mutual authentication and connection security; SSH port forwarding or IPsec policies come to mind.