Scott,

Thanks for this info. Could you tell me what TicketRegistry provider you use to replicate the tickets? We will be using JBOSS Cache on a four-node Tomcat cluster. Do you use synchronous multicast or async? I appreciate all other pointers that you can share for clustering.

Thanks,
Rolly
University of Phoenix

On Thu, Feb 4, 2010 at 9:06 PM, Scott Battaglia <[email protected]> wrote:

> We terminate SSL at our Cisco ACE and we have no issues with TGTs.
>
> Cheers,
> Scott
>
>
> On Thu, Feb 4, 2010 at 10:53 PM, Azhar K Mustapha <[email protected]> wrote:
>
>> Dear all,
>>
>> If I am not mistaken, CAS is using a secure cookie called CASTGC to enable
>> Single Sign On by tracing CAS login. If you tried to load SSL to LB and
>> redirect http to the application server, I am afraid the Single Sign On
>> might be affected.
>>
>> A cheaper way is to buy one SSL certificate whose hostname is the VIP, and
>> put the certificate on all four servers. At the LB, redirect all https
>> requests to the four servers. Of course, if you tried to access the server
>> directly with https, you will get certificate invalid because you are using
>> the VIP certificate.
>>
>> Thank you
>> azhar
>>
>> On Fri, Feb 5, 2010 at 3:56 AM, Adam Rybicki <[email protected]> wrote:
>>
>>> It's really your call. If Netscaler can handle SSL in hardware, it
>>> would be able to offload the CAS servers from encryption processing.
>>> The beauty of this approach is that you only have one certificate and
>>> one host that has to match the name in the certificate.
>>>
>>> Since a CAS cluster commonly does not rely on sticky sessions, your VIP
>>> does not have to look at the payload, so it could also just pass through
>>> encrypted traffic. Each CAS cluster node would then have to have a copy
>>> of a certificate with the same name, and you'd have to make sure that
>>> each node accepts the name in the certificate. This would require
>>> playing some DNS or /etc/hosts tricks because the end users must accept
>>> that your VIP is the CAS host.
>>>
>>> Adam
>>>
>>> Rolly Ferolino wrote:
>>> > Hello,
>>> >
>>> > We are in the process of implementing CAS in a four-node cluster
>>> > behind a Netscaler VIP. What is the best practice for hosting the SSL
>>> > certificate? Do we host it on VIP or the servers? If the VIP is
>>> > accepting requests on port 443, do we forward that request to CAS
>>> > server port 8443 (SSL) or to port 80 or 8080 (non-SSL)?
>>> >
>>> > Thanks,
>>> >
>>> > --
>>> > Rolly Ferolino
>>> > [email protected] <mailto:[email protected]>
>>> > University of Phoenix
>>> > --
>>> > You are currently subscribed to [email protected] as: [email protected]
>>> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Rolly Ferolino
[email protected]
