Hi Rick,

Thank you for your reply.

I am not really good with SSL, certificates and Windows DNS. FYI, we are not going to use an SSL accelerator or reverse proxy. Here is what I intend to do:

2x SGD servers
----------------
hostname: portal-01.sgd.com
IP address: 172.16.2.10

hostname: portal-02.sgd.com
IP address: 172.16.2.11

1) Planning to create a DNS entry portal.sgd.com = ( portal-01 and portal-02 ).
- Is this achievable?
- Any guide?

2) When creating the certs ( tarantella certrequest ) on portal-01 and portal-02, I will enter the certificate's common name = portal.sgd.com.
- Is this acceptable and okay to use?
- Or what is your suggestion?

3) When configuring the client to use HTTPS and trust the SGD server certificates ( keytool ) on portal-01 and portal-02, I use the hostname portal.
- Again, is it acceptable?
- What is your suggestion?

Note: All the users will use the browser ( HTTP or HTTPS ) and maybe some users will use the SGD client ( Integrate Start button ).

You are welcome to advise. Thanks.

Yours sincerely,
Mohamed Ali Bin Abdullah.



Message: 1
Date: Wed, 19 Sep 2007 10:55:04 -0400
From: Rick Butland <[EMAIL PROTECTED]>
Subject: Re: [SGD-Users] SGD 4.31 - Creating X.509 certificate for SGD server (Two servers)
To: Sun Secure Global Desktop Users mailing list <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1

Mohamed Ali wrote:
> Dear SGD users,
>
> To enable the SGD security services I need to obtain and install the X.509 certs. I have two servers that need security services enabled: Server1 (Primary) and Server2 (Secondary).
>
> This is the command shown in the Admin Guide:
> Server1# tarantella security certrequest --country US --state Man --orgname "Car Company"
>
> I need to send the outcome of the above to a supported CA. Once the CA gives me the signed cert, I will install it on my Server1.
> My question is, can I use the same signed cert for my Server2?

Not really, unless you use an SSL accelerator in front of your array, or a reverse proxy. Recall that you're actually talking about four server certificates: for each server, one for Apache and one for SGD. Generally there's a single certificate shared between the web server and SGD, but they don't have to be. Moreover, there are some differences in certificate handling between web browsers and the SGD client. For example, in Apache you could share web server certificates between the two servers by using a wildcard in the hostname, so that a single certificate/key pair could be used, like "*.sgd.example.com". Alternatively, the ServerAltName field of a certificate could conceivably be used (basically, the subject would be Server1 and the ServerAltName would be set to Server2, though this is pretty much a misuse of the certificate).

But the SGD client doesn't support either wildcards or ServerAltName, so neither of these approaches gets you very far unless you don't enable "tarantella security" and only run HTTPS. This is actually not an unreasonable approach for some, because sniffing AIP isn't going to give up much info, but to use firewall traversal you must enable security. So, for most, this only becomes relevant when you want to establish a certificate for a "round-robin" name, e.g.:

https://arrayname.example.com
https://server1.example.com
https://server2.example.com

For this to work, you'd create two certificate/key pairs:

cn=server1.example.com, ServerAltName=arrayname.example.com
cn=server2.example.com, ServerAltName=arrayname.example.com

Most web browsers will test the ServerAltName, so whether you browse to any of:

https://arrayname.example.com, https://server1.example.com, or https://server2.example.com

the web browsers will be happy because the hostnames will match (since they test the ServerAltName field).

The SGD client itself will connect to a "real" hostname (i.e. server1 or server2), so there won't be any issue (that is, the SGD client will *never* attempt to connect to arrayname.example.com, so the fact that it doesn't test for ServerAltName won't come into play).

I know this is probably more info than you needed, but thought it might be useful for others on the list.

Regards,
Rick



> Any advice?
>
> Thanks in advance.



_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
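The name-matching difference Rick describes (browsers checking the alternative-name field, the SGD client comparing only the CN) and Mohamed's plan of one CN, portal.sgd.com, for both servers, as an added example that is not part of this thread and is not SGD code: a small Python model of the two verifier policies run over constructed certificate descriptions (nothing is parsed from a real certificate). The hostnames server1/server2/arrayname under example.com come from Rick's message; the policy names, the ServerCert type and the outcomes() helper are this example's own. Current browsers follow RFC 6125 and ignore the CN entirely once a dNSName subjectAltName is present, so the sample certificates list both the server's own name and the round-robin name in the SAN, and the block also shows what a browser does with a certificate whose SAN carries only the round-robin name.

```python
# Added example, not code from the SGD-Users thread or from SGD itself.
# Models how a verifier matches the hostname it connected to against a
# server certificate, under two policies discussed in the thread.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ServerCert:
    """Name-bearing parts of an X.509 server certificate.

    Constructed sample data; nothing here is parsed from a real certificate."""
    cn: str                        # subject commonName
    san_dns: Tuple[str, ...] = ()  # subjectAltName dNSName entries (may be empty)


def _labels(name: str):
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Compare one certificate name with the hostname the client used.

    Wildcards are honoured only when allow_wildcard is set, in the RFC 6125
    shape: a lone '*' as the left-most label, matching exactly one label,
    and never in a pattern with fewer than three labels ('*.com' is rejected).
    """
    p, h = _labels(pattern), _labels(hostname)
    if p == h:
        return True
    if not allow_wildcard or p[0] != "*" or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def cert_matches(cert: ServerCert, hostname: str, policy: str) -> bool:
    """policy "browser": check the SAN dNSName entries (wildcards allowed);
    the CN is consulted only when the certificate has no dNSName SAN at all.
    policy "cn-only": compare the CN literally, no SAN, no wildcard, which is
    the behaviour the thread attributes to the SGD client."""
    if policy == "cn-only":
        return name_matches(cert.cn, hostname, allow_wildcard=False)
    if policy == "browser":
        if cert.san_dns:
            return any(name_matches(n, hostname, True) for n in cert.san_dns)
        return name_matches(cert.cn, hostname, True)
    raise ValueError(f"unknown policy {policy!r}")


# Rick's two certificate/key pairs, with the SAN carrying the server's own
# name as well as the round-robin name so SAN-only verifiers still accept it.
CERTS: Dict[str, ServerCert] = {
    "server1.example.com": ServerCert(
        "server1.example.com", ("server1.example.com", "arrayname.example.com")),
    "server2.example.com": ServerCert(
        "server2.example.com", ("server2.example.com", "arrayname.example.com")),
}
# Rick's plan taken literally: only the round-robin name in the SAN.
SAN_ROUNDROBIN_ONLY = ServerCert("server1.example.com", ("arrayname.example.com",))
# The Apache-only alternative from the thread: one wildcard certificate.
WILDCARD = ServerCert("*.example.com", ("*.example.com",))
# Mohamed's plan: the same CN, the round-robin name, on both servers.
PORTAL = ServerCert("portal.sgd.com")

HOSTS = ("arrayname.example.com", "server1.example.com", "server2.example.com")


def outcomes(cert: ServerCert) -> Dict[str, Tuple[bool, bool]]:
    """For each URL hostname from the thread: (browser accepts, CN-only client accepts)."""
    return {h: (cert_matches(cert, h, "browser"), cert_matches(cert, h, "cn-only"))
            for h in HOSTS}


if __name__ == "__main__":
    for label, cert in (("server1 cert", CERTS["server1.example.com"]),
                        ("SAN round-robin only", SAN_ROUNDROBIN_ONLY),
                        ("wildcard", WILDCARD)):
        print(label)
        for host, (browser_ok, cn_only_ok) in outcomes(cert).items():
            print(f"  {host:24} browser={browser_ok!s:5} cn-only={cn_only_ok}")
    # If, as Rick says, the SGD client always connects to the real hostname,
    # a CN of portal.sgd.com is only accepted when the client uses that name.
    print("portal cert vs portal-01.sgd.com:",
          cert_matches(PORTAL, "portal-01.sgd.com", "cn-only"))
```

Running it prints which of the three URLs each certificate satisfies under each policy; the table shows why the per-server certificate needs both names in its SAN, why a wildcard certificate never helps a CN-only client, and why a single portal.sgd.com certificate fails a CN-only client that connects to portal-01.sgd.com. The round-robin name itself is just two A records for the same name, one per server. If you generate the CSR outside SGD, OpenSSL 1.1.1 or later accepts `-addext "subjectAltName=DNS:server1.example.com,DNS:arrayname.example.com"` on `openssl req`; whether your SGD release will import an externally generated key and certificate is something to confirm in its own Administration Guide rather than assume.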
