Adam:

I won't test this now, but I thank you for the response.  I expect you're
right.  The ca.key for Apache is no different than a mykeystore.jks or
cacerts.  Just like I had to add a certificate that is to be trusted from
the ldaps:// server, and at the application server for the Apache
certificate.  When HTTPS is used with reverse proxy, the ca.key (in Apache)
would need the application server's certificate to be imported so that it
could be trusted when Apache can't produce a little dialog like the browser
can.

:-)  Thanks

David


On 11/20/08, Adam Rybicki <[EMAIL PROTECTED]> wrote:
>
> David,
>
> The reason that your "Successful" scenario works, I think, is because you
> have told your browser to accept the cert on
> https://www.applicationhost.com:8443/application.  When you tell Apache to
> proxy to that same point, Apache doesn't trust that cert.  This is what I
> think is happening.
>
> If this is indeed what's happening, why not use the same approach that you
> have used to have Apache talk to CAS?  Use mod_proxy_ajp, and avoid the
> performance hit from re-encryption.  If I understand your setup correctly,
> you don't want anyone to access
> https://www.applicationhost.com:8443/application with their browsers
> directly.
>
> If removing reverse proxy is not an option, then either get a signed cert
> or convince Apache to trust your self-signed cert.
>
> Adam
>
> David Whitehurst wrote:
>
> I am unable to get CAS to work in a particular situation and I would like
> to try to explain the issue to see if anyone has any ideas.  When my
> installation began Apache was not being used and HTTP was employed only to
> use CAS on JBoss as an authentication mechanism and SSO was not a concern.
> The application architecture consisted of presentation application services
> on presentation servers and business application services on business
> servers.  CAS was originally installed on the presentation servers.  Once
> that was working, Apache was added to provide reverse proxy and hide the
> service hosts whether they were business server only or if two-part
> architecture the presentation server.  In either case, the service host was
> hidden using reverse proxy on the Apache and CAS server at that time.
>
> Next, CAS was extracted from the presentation server and placed on an
> Apache/CAS/JBoss server so that CAS was fully isolated from any application
> server need.  Then HTTPS was employed.  First, Apache would have a
> certificate after openSSL created a key and a signing request.  Then, the
> application (presentation) server would use a signing request created using
> Java keytool for Tomcat in JBoss.  Reverse proxy does not work.  We get
> internal server error.
>
> If we remove the reverse proxy and use a URL from the application host with
> the 8443 port, things work fine.  So I'll try to pseudo-diagram the failure
> configuration and then the successful.  We want to use reverse proxy so that
> all traffic goes through Apache.
>
> Fails:
> https://www.apachehost.com/cas/login?service=https://www.apachehost.com/application/
> https://www.apachehost.com Apache->8009 (AJP) ->JBoss (CAS) .... Apache
> certificate config in httpd.conf
> Service URL https://www.apachehost.com/application/
> ProxyPass and Reverse /application
> https://www.applicationhost.com/application:8443 ... Certificate Tomcat
> configured
>
> Successful:
>
> https://www.apachehost.com/cas/login?service=https://www.applicationhost.com:8443/application/
> https://www.apachehost.com Apache->8009 (AJP) ->JBoss (CAS) ... Apache
> certificate config in httpd.conf
> Service URL https://www.applicationhost.com:8443/application ...
> Certificate Tomcat configured
> No reverse proxy
>
> We want to be able to use https without port number and also hide the URL
> for the service host.
>
> Any suggestions or comments?
>
> Thanks,
>
> David
>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
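Added example, not from either poster: an httpd.conf fragment for the "Fails" layout in the thread, showing the directives that make mod_proxy able to open, and then actually verify, the HTTPS hop to the application server, with Adam's AJP alternative beside it. Host names are the thread's; the certificate and key file paths are placeholders, and the file named by SSLProxyCACertificateFile is assumed to be a PEM export of the Tomcat keystore's certificate (or of the CA that signed it), for example produced with `keytool -exportcert -rfc`.

```apache
# Added example (not the thread's own config). Host names are from the
# thread; every file path below is a placeholder.

<VirtualHost *:443>
    ServerName www.apachehost.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/apachehost.crt   # placeholder
    SSLCertificateKeyFile /etc/httpd/ssl/apachehost.key   # placeholder

    # CAS itself: plain AJP to the local JBoss, as in both of the thread's diagrams.
    ProxyPass        /cas ajp://127.0.0.1:8009/cas
    ProxyPassReverse /cas ajp://127.0.0.1:8009/cas

    # --- Option A: keep the HTTPS hop to the application server -------------
    # Without SSLProxyEngine, mod_proxy cannot open an https:// backend at all
    # and the browser sees a 500 Internal Server Error. Turning it on is not
    # enough to be safe: the verify directives make Apache check the Tomcat
    # certificate against a trust store it controls, instead of accepting
    # whatever the backend presents.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/httpd/ssl/applicationhost-ca.pem  # placeholder: PEM export of the Tomcat cert or its CA
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on      # httpd 2.4.5 and later

    # Pass the public host name through so the application builds URLs that
    # match the CAS service URL https://www.apachehost.com/application/.
    ProxyPreserveHost on
    ProxyPass        /application https://www.applicationhost.com:8443/application
    ProxyPassReverse /application https://www.applicationhost.com:8443/application

    # --- Option B (Adam's suggestion): AJP to the application server ---------
    # Use in place of Option A's ProxyPass/ProxyPassReverse pair. AJP is not
    # encrypted, so this only fits when the Apache<->JBoss link is on a
    # network you already trust; 8443 then stays closed to browsers.
    # ProxyPass        /application ajp://www.applicationhost.com:8009/application
    # ProxyPassReverse /application ajp://www.applicationhost.com:8009/application
</VirtualHost>
```

With Option A, `SSLProxyVerify require` is what turns the self-signed certificate from "something Apache ignores" into "something Apache checks": a backend presenting a different certificate, or one whose name does not match www.applicationhost.com, is refused and logged in the SSL error log rather than silently proxied. With Option B there is no second TLS session to trust at all, which is the performance point Adam makes, at the cost of relying on the network between the two hosts.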
