how to encrypt a 3-tier architecture communication

I have a JavaEE app structured in a 2-tier architecture. The 1st tier has a TomEE that handles HTTPS requests and serves the contents, relying on an Oracle database in the 2nd tier.

Since the DB connection can be set to be secure and since I am using HTTPS, it's pretty safe (at least for these two aspects).

Now, I need to port this app into a 3-tier architecture, and all channels must be secure. My first idea was to just move TomEE to the middle tier and add an Apache httpd in the first tier, as a reverse proxy.

The problem is the communication between the first and second tier. If I've understood correctly, HTTPS is by design a protocol that ensures no MITM attacks, so httpd simply can't forward HTTPS.

OTOH, if both httpd and TomEE have their own SSL certificates, I could keep the communication encrypted, but managing these certificates would not be trivial.

I could just open an SSL tunnel between the 1st and 2nd tier, so TomEE could just run on plain HTTP and let httpd deal with the HTTPS, but I am not sure whether this solution would scale or have an impact on performance.

Or I could try some EJB-to-EJB communication, using another TomEE in the 1st tier :-) but this does not seem right.

What would be the best approach for this situation?
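One way to keep the hop between the front-tier httpd and the middle-tier TomEE encrypted, shown as an added example that is not part of the post above: httpd terminates the client's TLS session and then opens its own TLS connection to TomEE as a verifying client (mod_ssl plus mod_proxy_http), so no hop carries plaintext. The hostnames, ports, and certificate paths are assumptions for illustration.

```apache
# Added example (not from the post). Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers.
# Front tier: terminate the browser's TLS here, then re-encrypt towards the middle tier.
<VirtualHost *:443>
    ServerName app.example.com                       # assumed public hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.crt    # assumed paths
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Let mod_proxy act as a TLS client towards the backend (https:// targets).
    SSLProxyEngine on

    # Verify the backend certificate against an internal CA and check the
    # hostname and expiry, so a MITM between the tiers is rejected rather
    # than silently accepted.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt      # assumed
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    # Present a client certificate (PEM with cert + key) so TomEE can require
    # mutual TLS and accept connections only from this proxy.
    SSLProxyMachineCertificateFile /etc/ssl/private/proxy-client.pem   # assumed

    # Forward to the middle-tier TomEE HTTPS connector (assumed host/port).
    ProxyPreserveHost On
    ProxyPass        / https://tomee.internal.example.com:8443/
    ProxyPassReverse / https://tomee.internal.example.com:8443/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

On the TomEE side this assumes an HTTPS connector on port 8443 with a certificate issued by the same internal CA (and, for mutual TLS, client authentication required on that connector); the X-Forwarded-Proto header lets TomEE's RemoteIpValve mark the request as secure so redirects and secure cookies behave correctly.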