Good point John.

It is a single sign-on, so any breach and they have access to everything.
I would never get that approved by the security compliance folks anyway.



Thank You,

Chris Cheltenham
SwainTechs / HHS

Cell# 267-586-2369

From: John Gasper [mailto:[email protected]]
Sent: Monday, January 12, 2015 12:22 PM
To: [email protected]
Subject: Re: [cas-user] Apache certificate

Yes, they are a hassle, but they keep the communications protected. With that 
said, many of the CAS client implementations do have properties that can be set 
to ignore validity of the certificate. Technically, you could ignore the 
untrusted cert on your internal connections, but I certainly wouldn't recommend 
it. But if your internal network was ever compromised, then the extra layer of 
security would be most helpful.

---
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
On 1/12/15 8:36 AM, Chris Cheltenham wrote:
Thanks John,

I did find the cert that corrected my problem. Thanks for your input however.
I will keep it. I am not well versed in certificates at all and am getting 
better.

One thing I question.
Why do I need all this overhead if I have a cert on the web server for all data 
in and out?
Everything else is on an internal network and firewalled from the public.

These certs are a hassle.


Thank You,

Chris Cheltenham
SwainTechs / HHS

Cell# 267-586-2369

From: John Gasper [mailto:[email protected]]
Sent: Monday, January 12, 2015 11:24 AM
To: [email protected]<mailto:[email protected]>
Subject: Re: [cas-user] Apache certificate

Hi Chris,

What's your plan for Apache? Do you have an application hosted on it that you 
want to protect with CAS? Or, do you want to front Tomcat with Apache by using 
mod_jk or reverse proxying?

Assuming it is the former, if the cert running on Tomcat is not generally 
trusted (signed by a common CA), it must be exported and added to the keystore 
used by the CAS-protected/client application. Otherwise, when the application 
makes the backchannel call to Tomcat, the SSL authentication will fail.

I hope that helps.

John
On 1/11/15 10:43 AM, Chris Cheltenham wrote:
Hello,

We have apache running on a separate server than CAS.

I can get CAS to work from Tomcat on the CAS server but I do not understand what 
certificate I export to Apache from the slew of certificates I created.

Can anyone explain that?



Thank You,

Chris Cheltenham
SwainTechs / HHS

Cell# 267-586-2369


--

You are currently subscribed to 
[email protected]<mailto:[email protected]> as: 
[email protected]<mailto:[email protected]>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
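
The export-and-import step John describes in his first reply (Tomcat's certificate added to the keystore used by the CAS client application) can be done with the JDK's keytool. This is an added example, not part of the original thread or of the CAS project; the host name, aliases, file paths and password are placeholders, and the Tomcat keystore is generated here only so the script runs on its own.

```shell
#!/bin/sh
# Added example: make a CAS client trust a self-signed Tomcat certificate.
# Host name, aliases, paths and password are constructed placeholders.
set -eu
CAS_HOST="cas.example.org"   # must match the host name in the CAS server URL
STOREPASS="changeit"         # placeholder; use a real secret in practice

# Constructed stand-in for the keystore Tomcat already uses on the CAS server.
make_sample_tomcat_keystore() {   # $1 = keystore path
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$CAS_HOST" -ext "san=dns:$CAS_HOST" \
    -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# On the CAS server: export the public certificate only (no private key).
export_cas_cert() {               # $1 = Tomcat keystore, $2 = PEM output
  keytool -exportcert -rfc -alias tomcat -keystore "$1" \
    -storepass "$STOREPASS" -file "$2" >/dev/null 2>&1
}

# On the client host: add that certificate to the truststore the application uses.
import_into_client_truststore() { # $1 = PEM file, $2 = client truststore
  keytool -importcert -noprompt -alias cas-server -file "$1" \
    -keystore "$2" -storepass "$STOREPASS" >/dev/null 2>&1
}

# SHA-256 fingerprint of one entry, for comparing both sides.
fingerprint() {                   # $1 = keystore, $2 = alias
  keytool -list -v -alias "$2" -keystore "$1" -storepass "$STOREPASS" 2>/dev/null |
    awk '/SHA256:/ && !seen { print $NF; seen = 1 }'
}

demo() {
  work=$(mktemp -d)
  make_sample_tomcat_keystore "$work/tomcat.keystore"
  export_cas_cert "$work/tomcat.keystore" "$work/cas-server.pem"
  import_into_client_truststore "$work/cas-server.pem" "$work/client.truststore"
  server_fp=$(fingerprint "$work/tomcat.keystore" tomcat)
  client_fp=$(fingerprint "$work/client.truststore" cas-server)
  rm -rf "$work"
  if [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]; then
    echo "client truststore holds the CAS server certificate: $client_fp"
  else
    echo "fingerprint mismatch: do not trust this certificate" >&2
    return 1
  fi
}

if command -v keytool >/dev/null 2>&1; then demo; fi
```

A Java client then picks up the truststore through the standard -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword system properties, so certificate validation stays enabled on the back-channel call.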



