On Fri, Dec 4, 2009 at 6:18 PM, Marvin Addison <[email protected]> wrote:

> > I was curious to
> > know how other schools were deploying their CAS instances, especially
> > handling the SSL certificate.
>
> I like the idea of offloading the SSL certificate to the load
> balancer, but I'm not certain the additional burden of maintenance is
> worthwhile.  We have big iron load balancers here at Virginia Tech,
> and our networking guys recently got SSL offloading worked out after
> about 2 years of the current devices in production.  If it's a
> headache for them, it will be a bigger headache for me.  Even if SSL
> administration were as straightforward as Apache/Tomcat, I'm
> uncomfortable with authentication data in the clear (over a presumably
> trusted network) to the CAS hosts.  For the paranoid this means two
> sets of certificates and you gain nothing in performance; in fact you
> probably lose some.
>
> I'm a big fan of bare Tomcat deployments due to simplicity.  If you
> care about SSL performance, you should investigate the Tomcat Native
> connectors, http://tomcat.apache.org/native-doc/, which are basically
> JNI wrappers around Apache Portable Runtime C functions for high
> performance IO and crypto operations.  We use these on an
> active-active load balanced Tomcat cluster and are very happy with
> performance.  The simplicity of this approach is very attractive.
>
> M
>
>
Chico State is running a bare tomcat deployment.  We have a Cisco CSS in
front doing SSL pass-through, in case I ever get my act together and get the
Rutgers setup going (as Scott has already described).

The simplicity is huge for us and if you're worried about SSL performance
just use a recent JDK. The performance isn't that bad, especially if you're
only dealing with higher-ed level traffic.  It's unlikely your institution
will have more traffic than Sony or Blizzard ;-)

Pat
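The two ways of terminating TLS on the CAS host that Marvin describes above (a bare JSSE connector using the JDK's own TLS stack, or the Tomcat Native/APR connector backed by OpenSSL) can be illustrated with a server.xml fragment. This is an added example, not configuration from either poster or from the CAS project; the port, thread count, file paths and keystore password are placeholders I have assumed, and the attribute names are the ones documented for the Tomcat 6 era HTTP/1.1 and APR connectors.

```xml
<!-- Added example: Tomcat server.xml fragments for terminating HTTPS on
     the CAS host itself. Paths, passwords and ports are placeholders
     (assumptions), not values taken from the thread. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Needed for the Tomcat Native (APR) connector. SSLEngine="on"
       initialises OpenSSL through APR. If the native library is not
       installed Tomcat logs that fact and falls back to JSSE. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <Service name="Catalina">

    <!-- Option A: plain JSSE connector ("bare Tomcat"). Certificate and
         private key live in a Java keystore; the JVM does the crypto. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="200" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/etc/cas/tls/cas-keystore.jks"
               keystorePass="CHANGE-ME" />

    <!-- Option B: Tomcat Native / APR connector on the same port, so
         enable only one of A or B. Certificate and key are PEM files,
         as with Apache httpd, and OpenSSL does the crypto. -->
    <!--
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="200"
               SSLCertificateFile="/etc/cas/tls/cas.example.edu.crt"
               SSLCertificateKeyFile="/etc/cas/tls/cas.example.edu.key"
               SSLCertificateChainFile="/etc/cas/tls/chain.crt"
               SSLProtocol="TLSv1" />
    -->

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

With either option the private key stays on the CAS host and credentials never leave the TLS session before reaching Tomcat, which is the property Marvin wants to keep. A load balancer doing SSL pass-through, as in the Cisco CSS setup Pat mentions, simply forwards port 443 to the Tomcat connector, so the same fragment applies behind it. In both variants the keystore or PEM key file should be readable only by the account Tomcat runs as, and the keystore password should be kept out of world-readable copies of server.xml.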

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user