We run CAS with an F5 server in front of it. No, you do not need to
import the SSL cert into the JRE if the F5 BigIP will be responsible for
processing SSL. However, you'll want to adjust the appropriate
Connector tag in your Tomcat's conf/server.xml file. For example, ours
for the AJP connector looks like this:
<Connector port="8009"
           enableLookups="false" redirectPort="8443" debug="0"
           protocol="AJP/1.3"
           secure="true" scheme="https" proxyPort="443" />
The biggest new things are: secure="true" scheme="https" proxyPort="443"
You need to do this because the SSL aspect of the communication got
erased by the F5 server.
A few thoughts...
If you use: Browser -[https]-> Apache -[AJP]-> Tomcat
then you don't need the secure & scheme attributes in your server.xml
file. That's because the AJP protocol passes on the SSL-related
information to Tomcat.
If you use: Browser -[https]-> F5 -[http]-> Tomcat
Or: Browser -[https]-> F5 -[http]-> Apache -[AJP]-> Tomcat
Then you DO need to add secure & scheme attributes in server.xml.
That's because the F5-to-Apache link erases the fact that HTTPS was used
anywhere.
Nathan Kopp
Software Architect
Information Technology Group
Campus Crusade for Christ International
(407) 826-2939 Office
(407) 484-8485 Mobile
(407) 826-2968 Fax
[EMAIL PROTECTED]
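The reply above says why the connector attributes matter: once the F5 strips TLS, Tomcat sees plain HTTP, so anything derived from the request's scheme (CAS login redirects, the Secure flag on the session cookie) comes out wrong unless the connector is told otherwise. The following is an added illustration, not code from the thread or from CAS/Tomcat: a small WSGI-style helper in Python that reproduces the effect of secure="true" scheme="https" proxyPort="443" and, going one step beyond the thread, also shows the header-based variant (X-Forwarded-Proto accepted only from a configured trusted proxy address). The ConnectorConfig class, the trusted_proxies option and the request dictionary are all constructed for this example.

```python
"""Added example: what Tomcat's secure/scheme/proxyPort connector attributes
do for an app behind a TLS-terminating F5, modelled as a WSGI-style helper."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ConnectorConfig:
    """Hypothetical stand-in for the server.xml Connector attributes.

    secure/scheme/proxy_port is the static override from the thread (F5 case).
    trusted_proxies is an assumption beyond the thread: when set, the
    X-Forwarded-Proto/-Port headers are honoured only if the TCP peer is one
    of these addresses; from any other peer the headers are ignored.
    """
    secure: bool = False
    scheme: str = "http"
    proxy_port: Optional[int] = None
    trusted_proxies: FrozenSet[str] = frozenset()


def _forwarded_from_trusted_proxy(environ: Dict[str, str],
                                  cfg: ConnectorConfig) -> Optional[Tuple[str, int]]:
    """(scheme, port) from the forwarded headers, or None if the peer is not
    a trusted proxy or the header value is not a valid scheme."""
    if environ.get("REMOTE_ADDR", "") not in cfg.trusted_proxies:
        return None
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto not in ("http", "https"):
        return None
    port_hdr = environ.get("HTTP_X_FORWARDED_PORT", "")
    port = int(port_hdr) if port_hdr.isdigit() else (443 if proto == "https" else 80)
    return proto, port


def effective_origin(environ: Dict[str, str], cfg: ConnectorConfig) -> Tuple[str, int]:
    """Scheme and port the client actually used, as the app should see them."""
    # 1. Static override: the F5 hands us plain HTTP, so server.xml decides.
    if cfg.secure:
        return cfg.scheme, cfg.proxy_port or (443 if cfg.scheme == "https" else 80)
    # 2. Header override, but only from a trusted proxy.
    fwd = _forwarded_from_trusted_proxy(environ, cfg)
    if fwd is not None:
        return fwd
    # 3. Otherwise report what the socket saw (the Apache/AJP case needs no more).
    return environ.get("wsgi.url_scheme", "http"), int(environ.get("SERVER_PORT", "80"))


def absolute_url(environ: Dict[str, str], cfg: ConnectorConfig) -> str:
    """Absolute URL for a redirect (e.g. back to the CAS login page)."""
    scheme, port = effective_origin(environ, cfg)
    host = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")).split(":", 1)[0]
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{environ.get('PATH_INFO', '/')}"


def session_cookie(name: str, value: str, environ: Dict[str, str], cfg: ConnectorConfig) -> str:
    """Set-Cookie value; the Secure flag is only added when the request counts as HTTPS."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if effective_origin(environ, cfg)[0] == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


# Constructed request: what Tomcat sees after the F5 has stripped TLS.
REQUEST = {
    "wsgi.url_scheme": "http",
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_HOST": "cas.example.edu",
    "SERVER_PORT": "8080",
    "PATH_INFO": "/cas/login",
}
F5_FRONTED = ConnectorConfig(secure=True, scheme="https", proxy_port=443)
PLAIN = ConnectorConfig()
HEADER_AWARE = ConnectorConfig(trusted_proxies=frozenset({"10.0.0.5"}))

if __name__ == "__main__":
    print(absolute_url(REQUEST, PLAIN))       # wrong: http://cas.example.edu:8080/cas/login
    print(absolute_url(REQUEST, F5_FRONTED))  # right: https://cas.example.edu/cas/login
    print(session_cookie("JSESSIONID", "abc", REQUEST, F5_FRONTED))
```

With PLAIN the app believes it is on http://...:8080 and issues a session cookie without the Secure flag, which is exactly the failure the reply describes; F5_FRONTED restores the client's view. The HEADER_AWARE variant only matters if the front end sets forwarding headers, and it deliberately ignores them from any peer not in trusted_proxies, since a client can send X-Forwarded-Proto itself.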
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Andrew Bruno
Sent: Wednesday, August 13, 2008 8:21 PM
To: Yale CAS mailing list
Subject: Fronting CAS with F5 or Apache hints, experience, links, etc.
Does anyone have experience in fronting CAS with F5 or Apache, where
the SSL certificate terminates on the front server?
I know that when using a self signed certificate you need to import
the certificate into tomcat's JRE cacerts file.
If using a "real" (Verisign, etc.) certificate, is the import into the
JRE still required?
Thanks
Andrew
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas