-
1. Re: Verifying secure Mod_Cluster communications
jfclere Oct 24, 2012 5:02 AM (in response to mmilutinovic)
There are 2 sides to configure: node to httpd (MCMP) and httpd to node (https).
If you configure MCMP you should be able to use curl -v https://http_name:6666/ to check that ssl is enabled on the virtualHost.
If you use https between httpd and node then curl -v https://node_name:8443/ will check that ssl is enabled on the node side.
Wireshark on port 6666 and 8443 should show ssl packets. Note that the multicast messages are not encrypted.
-
2. Re: Verifying secure Mod_Cluster communications
mmilutinovic Oct 24, 2012 4:15 PM (in response to jfclere)
Hi, thanks for the info. I'm getting HTTP code 403 errors when trying to run the curl commands. I think there might be an issue with the proxy I have where it's not allowing HTTPS under 8443 and 6666 ports.
-
3. Re: Verifying secure Mod_Cluster communications
jfclere Oct 25, 2012 3:37 AM (in response to mmilutinovic)
You need an Allow from your_box_ip in the <Directory /> of the 6666 VirtualHost.
From the nodes it is a bit weird; do you have a filter on IP in AS?
-
4. Re: Verifying secure Mod_Cluster communications
mmilutinovic Oct 25, 2012 12:18 PM (in response to mmilutinovic)
It looks like it was a caching issue. Once I cleared the cache the curl commands worked and it looks like SSL was present on both ports. I still couldn't see any traffic on ports 6666 or 8443 with Wireshark when running the curl commands.
From the JBoss perspective it looks like everything is ok with mod_cluster, there are no errors popping up. I just wanted to verify the traffic for my own curiosity that the traffic is encrypted.
I've tried the following filters in Wireshark: "ssl", "ssl.handshake", "udp.port == 6666", "udp.port == 8443", "tcp.port == 6666", "tcp.port == 8443", and a couple of other combinations involving just the IPs I am expecting.
-
5. Re: Verifying secure Mod_Cluster communications
jfclere Oct 26, 2012 2:40 AM (in response to mmilutinovic)
Use tcp port 6666 in Wireshark or tcp port 8443; you should get encrypted packets (make sure you used the right interface or the pseudo interface that captures all).
-
6. Re: Verifying secure Mod_Cluster communications
mmilutinovic Oct 26, 2012 10:20 AM (in response to jfclere)
Once I selected the pseudo port, I was able to see traffic on tcp port 6666/8443. Not sure why just selecting the Ethernet adapter didn't work ...
Anyway, thanks for your help. Much appreciated.
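
The check done by eye in Wireshark above can also be scripted. The following is an added example, not part of the thread or of mod_cluster: it takes the first client-to-server TCP payload of each connection to ports 6666 and 8443 and reports any that did not open with a TLS ClientHello. The function names, the (port, payload) flow format and the sample bytes are assumptions constructed for illustration.

```python
import struct

HANDSHAKE, CLIENT_HELLO = 22, 1          # TLS record type / handshake message type
MAX_RECORD_LEN = 2**14 + 2048            # upper bound on a TLS record body


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server TCP payload of a connection."""
    if len(payload) >= 6:
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload)
        if (ctype == HANDSHAKE and major == 3 and minor <= 4
                and 0 < length <= MAX_RECORD_LEN
                and payload[5] == CLIENT_HELLO):
            return "tls"
    # Cleartext HTTP-style request line: "<METHOD> <target> HTTP/1.x"
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if (len(parts) == 3
            and parts[0].replace(b"-", b"").isalpha() and parts[0].isupper()
            and parts[2].startswith(b"HTTP/1.")):
        return "cleartext"
    return "unknown"


def audit(flows, tls_ports=(6666, 8443)):
    """Return {port: [verdicts]} for connections that did not start with TLS."""
    findings = {}
    for dst_port, payload in flows:
        if dst_port in tls_ports:
            verdict = classify_first_payload(payload)
            if verdict != "tls":
                findings.setdefault(dst_port, []).append(verdict)
    return findings


# Constructed sample data: record header (type 22, version 3.1, length 47),
# handshake header (ClientHello, length 43), then 43 placeholder bytes.
CLIENT_HELLO_SAMPLE = bytes([22, 3, 1, 0, 47, 1, 0, 0, 43]) + bytes(43)
SAMPLE_FLOWS = [
    (6666, CLIENT_HELLO_SAMPLE),                                      # TLS on MCMP port
    (8443, CLIENT_HELLO_SAMPLE),                                      # TLS on node port
    (6666, b"STATUS / HTTP/1.1\r\nHost: httpd_name:6666\r\n\r\n"),   # unencrypted request
    (8443, b"\x00\x01garbage"),                                       # neither TLS nor HTTP
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

An empty result means every observed connection on those ports began with a TLS handshake; payloads have to come from a capture taken on the interface that actually carries the traffic, as the thread found.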