> No, you do not need to import the SSL cert into the JRE if the F5 BigIP will
> be responsible for processing SSL

That's exactly the answer I was after for now.

Many Thanks
Andrew

On Thu, Aug 14, 2008 at 11:01 PM, Nathan Kopp <[EMAIL PROTECTED]> wrote:
> We run CAS with an F5 server in front of it. No, you do not need to
> import the SSL cert into the JRE if the F5 BigIP will be responsible for
> processing SSL. However, you'll want to adjust the appropriate
> Connector tag in your Tomcat's conf/server.xml file. For example, ours
> for the AJP connector looks like this:
> <Connector port="8009"
>            enableLookups="false" redirectPort="8443" debug="0"
>            protocol="AJP/1.3"
>            secure="true" scheme="https" proxyPort="443" />
>
> The biggest new things are: secure="true" scheme="https" proxyPort="443"
> You need to do this because the SSL aspect of the communication got
> erased by the F5 server.
>
> A few thoughts...
>
> If you use: Browser -[https]-> Apache -[AJP]-> Tomcat
> then you don't need the secure & scheme attributes in your server.xml
> file. That's because the AJP protocol passes on the SSL-related
> information to Tomcat.
>
> If you use: Browser -[https]-> F5 -[http]-> Tomcat
> Or: Browser -[https]-> F5 -[http]-> Apache -[AJP]-> Tomcat
> Then you DO need to add secure & scheme attributes in server.xml.
> That's because the F5-to-apache link erases the fact that HTTPS was used
> anywhere.
>
>
> Nathan Kopp
> Software Architect
> Information Technology Group
> Campus Crusade for Christ International
> (407) 826-2939 Office
> (407) 484-8485 Mobile
> (407) 826-2968 Fax
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Andrew Bruno
> Sent: Wednesday, August 13, 2008 8:21 PM
> To: Yale CAS mailing list
> Subject: Fronting CAS with F5 or Apache hints, experience, links, etc..
>
> Does anyone have experience in fronting CAS with F5 or Apache, where
> the SSL certificate terminates on the front server?
>
> I know that when using a self signed certificate you need to import
> the certificate into tomcat's JRE cacerts file.
>
> If using a "real" (Verisign, etc..) certificate, is the import into the
> JRE still required?
>
> Thanks
> Andrew
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
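
An added example, not part of the original thread or of CAS or Tomcat: a Python check that reads a Tomcat server.xml and reports Connector elements lacking the secure, scheme and proxyPort attributes discussed above for the case where SSL terminates on the F5. The function name `audit_connectors`, the `ajp_carries_ssl_info` flag and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values from the connector posted in the thread: they make Tomcat report the
# request as secure and as https even though the proxy-to-Tomcat hop is not.
REQUIRED = {"secure": "true", "scheme": "https"}

# Constructed sample: the AJP connector as posted, plus a plain HTTP connector
# with none of the proxy-related attributes.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8009" enableLookups="false" redirectPort="8443" debug="0"
               protocol="AJP/1.3"
               secure="true" scheme="https" proxyPort="443" />
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  </Service>
</Server>
"""

def audit_connectors(server_xml, ajp_carries_ssl_info=False):
    """Return {port: [attributes to set]} for connectors behind an SSL-terminating proxy.

    ajp_carries_ssl_info=True models Browser -[https]-> Apache -[AJP]-> Tomcat,
    where AJP passes the SSL information on and the attributes are not needed.
    Leave it False when an F5 in front has already stripped HTTPS.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() == "true":
            continue  # Tomcat terminates TLS itself on this connector
        if protocol.upper().startswith("AJP") and ajp_carries_ssl_info:
            continue
        problems = [name for name, want in REQUIRED.items()
                    if conn.get(name, "").lower() != want]
        if conn.get("proxyPort") is None:
            problems.append("proxyPort")
        if problems:
            findings[conn.get("port")] = problems
    return findings

if __name__ == "__main__":
    for port, problems in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"Connector port {port}: set {', '.join(problems)}")
```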
