Dear all,

If I am not mistaken, CAS is using a secure cookie called CASTGC to enable Single Sign On by tracing CAS login. If you tried to load SSL to the LB and redirect http to the application server, I am afraid the Single Sign On might be affected.

A cheaper way is to buy one SSL certificate whose hostname is the VIP, and put the certificate on all four servers. At the LB, redirect all https requests to the four servers. Of course, if you tried to access a server directly with https, you will get certificate invalid because you are using the VIP certificate.

Thank you
azhar

On Fri, Feb 5, 2010 at 3:56 AM, Adam Rybicki <[email protected]> wrote:
> It's really your call. If Netscaler can handle SSL in hardware, it
> would be able to offload the CAS servers from encryption processing.
> The beauty of this approach is that you only have one certificate and
> one host that has to match the name in the certificate.
>
> Since a CAS cluster commonly does not rely on sticky sessions, your VIP
> does not have to look at the payload, so it could also just pass through
> encrypted traffic. Each CAS cluster node would then have to have a copy
> of a certificate with the same name, and you'd have to make sure that
> each node accepts the name in the certificate. This would require
> playing some DNS or /etc/hosts tricks because the end users must accept
> that your VIP is the CAS host.
>
> Adam
>
> Rolly Ferolino wrote:
> > Hello,
> >
> > We are in the process of implementing CAS in a four-node cluster
> > behind a Netscaler VIP. What is the best practice for hosting the SSL
> > certificate? Do we host it on the VIP or the servers? If the VIP is
> > accepting requests on port 443, do we forward that request to CAS
> > server port 8443 (SSL) or to port 80 or 8080 (non-SSL)?
> >
> > Thanks,
> >
> > --
> > Rolly Ferolino
> > [email protected]
> > University of Phoenix
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
