Imagine for a moment a primary tomcat server that is exposed to the outside world. Imagine further that below this tomcat server are 1 to "N" tomcat servers that are NOT exposed to the outside world. These tomcat servers respond to serialized object requests from the primary. We will use the words primary and secondaries.
The secondaries (I hope) do NOT need to use login names and passwords.
Is it possible to configure the secondaries such that they allow only https connections from the trusted primary (a trusted certificate?)?
No users will ever access a web page on the secondaries, and if they do try to do so, they will be redirected to an error page.
-- More Details --
This is a legacy system that serializes POJOs from the Master/Top tomcat server to "Worker" tomcat servers (No framework / standard is followed). The "Worker" tomcat servers currently utilize a SSO (JOSSO in this case) which isn't needed. At one point in the past these "Worker" tomcats provided web pages and required authentication. That isn't the case anymore.
I wish to remove from the Worker tomcats the SSO agents and make life much easier for us when we upgrade the systems. Some of the deployed systems are vast and it takes weeks to upgrade all of the tomcat Workers. Image the headache of trying to get different tomcats to all play nice with different versions of SSO?
Since these Worker tomcat servers are not exposed to the outside world, it is my hope that I can establish some form of trusted connection between the Master tomcat and any-one of the Worker tomcat servers such that it doesn't require user level credentials. I hope that this can be setup such that a hacker who is sitting within the customer network will find it a challenge to connect to the Worker tomcats.
In the end I'm lacking the experience of making a trusted connection between tomcat A and tomcat B such that user credentials are not used.
Any advice on how to research that topic or if it is even possible is appreciated.
