Azhar,

Thank you for your suggestion. Initially, I had the same concern. However,
Scott's reply verified that terminating SSL at the VIP works.

Rolly

On Thu, Feb 4, 2010 at 8:53 PM, Azhar K Mustapha
<[email protected]> wrote:

> Dear all,
>
> If I am not mistaken CAS is using a secure cookie called CASTGC to enable
> Single Sign On by tracing CAS login. If you tried to load SSL to LB and
> redirect http to the application server, I am afraid the Single Sign On
> might be affected.
>
> A cheaper way is to buy one SSL certificate whose hostname is the VIP and
> put the certificate on all four servers. At the LB, redirect all https
> requests to the four servers. Of course, if you try to access a server
> directly with https, you will get a certificate-invalid error because you are
> using the VIP certificate.
>
> Thank you
> azhar
>
> On Fri, Feb 5, 2010 at 3:56 AM, Adam Rybicki <[email protected]> wrote:
>
>> It's really your call.  If Netscaler can handle SSL in hardware, it
>> would be able to offload the CAS servers from encryption processing.
>> The beauty of this approach is that you only have one certificate and
>> one host that has to match the name in the certificate.
>>
>> Since a CAS cluster commonly does not rely on sticky sessions, your VIP
>> does not have to look at the payload, so it could also just pass through
>> encrypted traffic.  Each CAS cluster node would then have to have a copy
>> of a certificate with the same name, and you'd have to make sure that
>> each node accepts the name in the certificate.  This would require
>> playing some DNS or /etc/hosts tricks because the end users must accept
>> that your VIP is the CAS host.
>>
>> Adam
>>
>> Rolly Ferolino wrote:
>> > Hello,
>> >
>> > We are in the process of implementing CAS in a four-node cluster
>> > behind a Netscaler VIP. What is the best practice for hosting the SSL
>> > certificate? Do we host it on VIP or the servers? If the VIP is
>> > accepting requests on port 443, do we forward that request to the CAS
>> > server port 8443 (SSL) or to port 80 or 8080 (non-SSL)?
>> >
>> > Thanks,
>> >
>> > --
>> > Rolly Ferolino
>> > [email protected] <mailto:[email protected]>
>> > University of Phoenix
>> > --
>> > You are currently subscribed to [email protected] as:
>> [email protected]
>> > To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>


-- 
Rolly Ferolino
[email protected]

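An added check for the pass-through option Adam and Azhar describe, not code from anyone in this thread: it builds a throwaway self-signed certificate named only for the VIP and shows which hostnames it is valid for, which is why a user who hits a node directly by its own name gets a certificate warning while the VIP name passes. The VIP and node hostnames are assumed placeholders; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway self-signed
# certificate named for the VIP (placeholder "cas.example.edu") and checks
# which hostnames it is valid for, using openssl x509 -checkhost.
set -e

VIP_NAME="cas.example.edu"          # assumed placeholder for the VIP hostname
NODE_NAME="cas-node1.example.edu"   # assumed placeholder for one cluster node
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway cert carrying only the VIP name in its subject CN (constructed, 1-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=$VIP_NAME" \
  -keyout "$WORK/vip.key" -out "$WORK/vip.crt" >/dev/null 2>&1

# cert_matches_host CERT HOST: exit status 0 when the certificate is valid for
# HOST, the same name comparison a browser makes against the URL it requested.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# With the VIP certificate copied to every node, only the VIP name passes.
for host in "$VIP_NAME" "$NODE_NAME"; do
  if cert_matches_host "$WORK/vip.crt" "$host"; then
    echo "$host: certificate matches (users reaching this name get no warning)"
  else
    echo "$host: certificate does NOT match (direct access by this name warns)"
  fi
done
```

A certificate that lists each node name alongside the VIP as subjectAltName entries would pass both checks, at the cost of one larger certificate instead of a plain copy of the VIP's.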