How do ensure that Apache AJP to Tomcat connection is secure/encrypted?
You are saying
Tomcat instance with an Apache instance (running on the same machine)
and later you are saying
We dont want passwords to be sniffable on the network between Apache and Tomcat
This just contradicts each other.
EDIT: AJP is not designed to be secure, if you need security, use mod_proxy_http
and proxy over https, or create SSH tunnel. Needless to say, you will have to pay for this overhead.