Hi Corey,
That is exactly how we do it. Terminate SSL at the F5.
A couple of things to be aware of.
If you are planning on issuing ProxyTickets, each of the cas servers behind
the F5 will need to have ssl enabled because they will be calling back into
the cas client over https.
If you are using Spnego you will need to modify your server.xml to do the
following (it's a Tomcat example since that is what we run; your server
configuration may be different).
You will need to configure your HTTP connector to return
<!-- proxyName is the fully qualified domain name of your cas app,
     i.e. login.your.company.com -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="true" scheme="https"
           proxyName="login.your.company.com"
           proxyPort="443"
/>
The proxyName and proxyPort attributes can be used when Tomcat is run behind
a proxy server. These attributes modify the values returned to web
applications that call the request.getServerName() and
request.getServerPort() methods, which are often used to construct absolute
URLs for redirects. Without configuring these attributes, the values
returned would reflect the server name and port on which the connection from
the proxy server was received, rather than the server name and port to whom
the client directed the original request.
This is important because, in order to get Spnego to work, you will need to
map the SPN to the proxyServer name.
Good luck with the deployment
Dean
--
View this message in context:
http://n4.nabble.com/CAS-crashing-tp1748174p1749226.html
Sent from the CAS Users mailing list archive at Nabble.com.
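
A check for the connector settings described in this message, as an added example that is not part of the original post: it parses a server.xml and reports HTTP connectors whose proxyName, proxyPort, scheme or secure values do not match the public name served by the F5. The sample XML, the function name and the second connector port are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: port 8080 uses the misnamed proxyServer attribute,
# port 8081 uses proxyName, which is the attribute Tomcat reads.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             secure="true" scheme="https"
             proxyServer="login.your.company.com" proxyPort="443"/>
  <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"
             secure="true" scheme="https"
             proxyName="login.your.company.com" proxyPort="443"/>
</Service></Server>
"""

def check_connectors(server_xml, public_host, public_port="443"):
    """Return {connector port: [problems]} for HTTP connectors that sit
    behind a load balancer terminating SSL (hypothetical helper)."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # only the HTTP connectors are checked here
        attrs, problems = conn.attrib, []
        if "proxyServer" in attrs:
            problems.append("proxyServer is not a Connector attribute; use proxyName")
        if attrs.get("proxyName") != public_host:
            problems.append("proxyName is %r, expected %r"
                            % (attrs.get("proxyName"), public_host))
        if attrs.get("proxyPort") != public_port:
            problems.append("proxyPort is %r, expected %r"
                            % (attrs.get("proxyPort"), public_port))
        if attrs.get("scheme") != "https":
            problems.append("scheme is not https, so absolute URLs are built with http")
        if attrs.get("secure") != "true":
            problems.append("secure is not true, so request.isSecure() returns false")
        findings[attrs.get("port")] = problems
    return findings

if __name__ == "__main__":
    result = check_connectors(SAMPLE_SERVER_XML, "login.your.company.com")
    for port, problems in result.items():
        print(port, "OK" if not problems else problems)
```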