Yes, they are a hassle, but they keep the communications protected. With
that said, many of the CAS client implementations do have properties that
can be set to ignore validity of the certificate. Technically, you could
ignore the untrusted cert on your internal connections, but I certainly
wouldn't recommend it. But if your internal network was ever compromised,
then the extra layer of security would be most helpful.

---
*John Gasper*
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

On 1/12/15 8:36 AM, Chris Cheltenham wrote:
>
> Thanks John,
>
> I did find the cert that corrected my problem. Thanks for your input
> however.
>
> I will keep it. I am not well versed in certificates at all and am
> getting better.
>
> One thing I question.
>
> Why do I need all this overhead if I have a cert on the web server for
> all data in and out?
>
> Everything else is on an internal network and firewalled from the public.
>
> These certs are a hassle.
>
> Thank You,
>
> Chris Cheltenham
> SwainTechs / HHS
> Cell# 267-586-2369
>
> *From:*John Gasper [mailto:[email protected]]
> *Sent:* Monday, January 12, 2015 11:24 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] Apache certificate
>
> Hi Chris,
>
> What's your plan for Apache? Do you have an application hosted on it
> that you want to protect with CAS? Or, do you want to front Tomcat
> with Apache by using mod_jk or reverse proxying?
>
> Assuming it is the former, if the cert running on Tomcat is not
> generally trusted (signed by a common CA) it must be exported and
> added to the keystore used by the CAS-protected/client application.
> Otherwise when the application makes the backchannel call to Tomcat,
> the SSL authentication will fail.
>
> I hope that helps.
>
> John
>
> On 1/11/15 10:43 AM, Chris Cheltenham wrote:
>
>     Hello,
>
>     We have apache running on a separate server than CAS.
>
>     I can get CAS to work from tomcat on the cas server but I do not
>     understand what certificate I export to apache from the slew of
>     certificates I created.
>
>     Can anyone explain that?
>
>     Thank You,
>
>     Chris Cheltenham
>     SwainTechs / HHS
>     Cell# 267-586-2369
>
>     -- 
>
>     You are currently subscribed to [email protected] 
> <mailto:[email protected]> as: [email protected] 
> <mailto:[email protected]>
>
>     To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user