> The question is can we use one alias in DNS to refer to both servers and
> therefore only use one signed certificate for CAS?

You can do this but I would caution against it. For only a little more hardware and configuration cost, you could develop a much more robust load balancing setup (e.g. Apache+mod_proxy_balancer). The primary liability of DNS load balancing is that it cannot handle failover. Once a client has resolved the name of the service, it will be bound to that host until the client name resolver cache timeout. If an outage happens on a host, the service will be unavailable to everyone currently bound to that host unless or until the downed node comes back up. A hardware load balancing setup, on the other hand, actively monitors node availability and dynamically routes to active nodes exclusively on each request.

> The concern is whether CAS will keep track of which server generated the
> request.

There is no such tracking. It's important to use a distributed ticket registry such as http://www.ja-sig.org/wiki/display/CASUM/MemcacheTicketRegistry or http://www.ja-sig.org/wiki/display/CASUM/JpaTicketRegistry, but provided you use a ticket registry suitable for HA environments, you should be able to bounce between nodes without problems. See http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS for more clustering information.

M
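
The two points made in the reply above can be seen together in a small simulation. This is an added example, not part of the original message and not CAS code: the `Node` class, the node names `cas1`/`cas2`, the user `alice` and the dict standing in for a Memcached or JPA ticket registry are all assumptions made for illustration.

```python
import secrets

class Node:
    """Toy model of one CAS node; `registry` maps service tickets to users."""
    def __init__(self, name, registry):
        self.name, self.registry, self.up = name, registry, True

    def issue(self, user):
        ticket = "ST-" + secrets.token_hex(8)
        self.registry[ticket] = user
        return ticket

    def validate(self, ticket):
        # Service tickets are single use, so validation removes the entry.
        return self.registry.pop(ticket, None)

def cluster(shared):
    """Two nodes that either share one registry or each keep their own."""
    common = {}  # stands in for an external store (assumption)
    return [Node("cas1", common if shared else {}),
            Node("cas2", common if shared else {})]

def route_dns(nodes, cached_index):
    """Client stays bound to the address its resolver cached, up or not."""
    node = nodes[cached_index]
    return node if node.up else None

def route_balanced(nodes):
    """Health-checking balancer: only nodes that are up receive requests."""
    live = [n for n in nodes if n.up]
    return live[0] if live else None

def validate_after_outage(shared, balanced):
    """Login is served by cas1, cas1 then fails, then the ticket is validated."""
    nodes = cluster(shared)
    ticket = nodes[0].issue("alice")
    nodes[0].up = False
    target = route_balanced(nodes) if balanced else route_dns(nodes, 0)
    return target.validate(ticket) if target else None

if __name__ == "__main__":
    for shared in (True, False):
        for balanced in (True, False):
            result = validate_after_outage(shared, balanced)
            print(f"shared={shared} balanced={balanced} -> {result}")
```

Only the combination of a shared registry and health-checked routing returns the user after the outage; every other combination fails validation.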
