> What is the best practice for hosting the SSL certificate?

There's no best practice here.  If you want to leverage the SSL
offloading capabilities of your load balancing hardware, host the
certificate on the LB and forward the request to a non-SSL port on the
application server.  If you feel the SSL handling capability of your
LB is negligibly better than your application servers, host the
certificate on each app server.  I would argue there may be a security
risk in the first scenario since you are trusting the network behind
your LB, but this is a reasonable assumption in many cases.

I should note that we think SSL offloading is largely vendor snake oil
and we like the ability to control our app server configuration,
including SSL handling, instead of having to cooperate with our LB
admins for the SSL setup.  (They're great, it's just that we have
adopted a strategy of "keep the LB stupid" which has worked well for
us.  Additionally our "big iron" ServerIron devices only recently got
the SSL offloading working to the satisfaction of our LB admins.
YMMV.)

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user