PASOE LoadBalancing with full SSL (client authentication)

Posted by dvoyat on 04-Apr-2017 03:33

Hi

Does anyone have experience with the Tomcat load-balancing implementation with PASOE running fully SSL secured? We've gone rather easily and quickly to an LB trial implementing the Tomcat LB via workers. It required adding an Apache HTTPD as a front end but overall was easily configured and designed using current PASOE (dedicated LB, STATUS PAS instance). The services are exposed on the Apache HTTPD, which uses the AJP connector and protocol (AJP13) to connect to the PASOE worker.
This works pretty well and, once again, is fairly easy to set up.
The AJP13 connector and protocol are not something we understand widely for now. We need to operate internally with a full SSL handshake/TLS 1.2 (each client and server will have its own certificate, and the CA authorities will be shared internally) between our Apache front end and PASOE. We use PASOE to expose our backend logic as REST services, but not all our clients are OpenEdge products.

I can obviously disable all HTTP connectors in each PASOE, but I'm wondering how the PASOE AJP port is secured, as once again this is partly new for us... and because of that we're still wondering whether we should use the Tomcat LB or some other solution (such as F5) that we already use within our corporation.

If anyone has good experience and is willing to share ;-)

All Replies

Posted by Irfan on 04-Apr-2017 04:07

I can provide you some options which I know but I haven't tried.

1. AJP connectors do not communicate securely using certificates. They just open a TCP connection between the Tomcat server and the load balancer for that particular request. To secure it, you can add some tags like <Proxy> to specify which hosts/domains you would like to allow to communicate with the Tomcat server. This should be pretty straightforward, and it will only allow requests from a certain domain/IP address. You can also apply this filter based on a URL pattern using the <Location> tag.

2. If you want to have a secure connection to your web server and want to encrypt the data in transit, then, instead of the AJP connector, you can configure a secure HTTPS server and use something like mod_proxy_http.

I would not suggest which one to choose because it is all about your use-case and how you would like to access your backend.
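The two options above combined into one Apache HTTPD front-end configuration, as an added example that is not part of the thread or of Progress/PASOE documentation: option 2 (mod_proxy_http over HTTPS, with httpd presenting its own client certificate to PASOE so both sides are authenticated) plus option 1 (a `Require ip` restriction inside the `<Proxy>` container so only internal hosts can reach the balancer). Hostnames, ports, certificate paths and the `/myapp` context are placeholders; the example assumes the PASOE HTTPS connector on the Tomcat side is configured to require a client certificate signed by the shared internal CA.

```apacheconf
# Added example, not from the original thread. Apache httpd 2.4 front end
# forwarding to two PASOE instances over mutually authenticated TLS 1.2,
# replacing the mod_jk/AJP13 worker setup. All names and paths are placeholders.
LoadModule ssl_module              modules/mod_ssl.so
LoadModule proxy_module            modules/mod_proxy.so
LoadModule proxy_http_module       modules/mod_proxy_http.so
LoadModule proxy_balancer_module   modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module      modules/mod_slotmem_shm.so
LoadModule authz_core_module       modules/mod_authz_core.so

# --- Outbound TLS from httpd to PASOE (option 2: mod_proxy_http over HTTPS) ---
SSLProxyEngine on
SSLProxyProtocol TLSv1.2
# Verify the PASOE server certificate against the shared internal CA
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem
# Check the server certificate actually matches the BalancerMember host name
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
# httpd's own client certificate + private key, presented to PASOE so the
# backend can require client authentication (mutual TLS)
SSLProxyMachineCertificateFile /etc/httpd/tls/httpd-client-cert-and-key.pem

# --- Balancer definition (option 1: restrict who may use the proxy) ---
<Proxy "balancer://pasoe">
    # PASOE HTTPS connectors; 8811 is only a placeholder port
    BalancerMember "https://pasoe1.internal.example:8811" route=pasoe1
    BalancerMember "https://pasoe2.internal.example:8811" route=pasoe2
    ProxySet lbmethod=byrequests stickysession=JSESSIONID
    # Only clients on the internal network may be proxied to PASOE
    Require ip 10.0.0.0/8
</Proxy>

# Expose the REST context through the balancer; the URL pattern can be
# narrowed further with additional <Location> blocks
<Location "/myapp">
    ProxyPass        "balancer://pasoe/myapp"
    ProxyPassReverse "balancer://pasoe/myapp"
</Location>

# Never act as an open forward proxy
ProxyRequests Off
```

With this layout the AJP port on each PASOE instance is no longer used by the front end and can be left disabled, and the httpd-to-PASOE leg is protected by certificate verification in both directions rather than by network placement alone; the `Require ip` line is a second, independent control rather than the primary one.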

Posted by dvoyat on 04-Apr-2017 14:15

Hi

Thanks Irfan. Most of the material mentioned relating to Tomcat load balancing - as well as the Progress documentation - refers to mod_jk and the AJP connector... hence our trial that way. Are you saying I can switch to mod_proxy_http and change the httpd conf accordingly?

Denis

Posted by Irfan on 05-Apr-2017 07:12

Yes, you can also do that and see if it benefits you.
