> I was curious to know how other schools were deploying their CAS instances,
> especially handling the SSL certificate.

I like the idea of offloading the SSL certificate to the load balancer, but I'm not certain the additional burden of maintenance is worthwhile. We have big iron load balancers here at Virginia Tech, and our networking guys recently got SSL offloading worked out after about 2 years of the current devices in production. If it's a headache for them, it will be a bigger headache for me.

Even if SSL administration were as straightforward as Apache/Tomcat, I'm uncomfortable with authentication data in the clear (over a presumably trusted network) to the CAS hosts. For the paranoid this means two sets of certificates and you gain nothing in performance; in fact you probably lose some.

I'm a big fan of bare Tomcat deployments due to simplicity. If you care about SSL performance, you should investigate the Tomcat Native connectors, http://tomcat.apache.org/native-doc/, which are basically JNI wrappers around Apache Portable Runtime C functions for high performance IO and crypto operations. We use these on an active-active load balanced Tomcat cluster and are very happy with performance. The simplicity of this approach is very attractive.

M
