Mohamed,
sorry for the late reply - it was one of those things that I
meant to do 'later', but then slipped my mind.
Anyway, there are a myriad of ways to do this - and I'm not certain of
the 'best' way. DNS Round-robin does work, but you need to be mindful
of the fact that once you've chosen a host, you must *stick* to that
server - that is, you can't use the load-balancing name in subsequent
references. This implies you need to re-write / redirect your
connection attempt to reflect the hostname associated with the address
chosen by your RR resolution - e.g. if your resolution request of
portal.sgd.com returns the ip address of the server 'portal-01.sgd.com',
the client web browser needs to be redirected/refreshed to
portal-01.sgd.com by the webserver - either with a Redirect, Rewrite, or
by use of the loaddist JSP script, which does the same thing.
(here's a link to that prior e-mail:
http://www.mail-archive.com/[email protected]/msg00384.html)
Anyway, let me back up a bit - I think I may have mentioned this before,
but just in case, for your server certificates, you'll want to do the
following.
1. On each server, generate a Certificate Signing Request as usual,
(tarantella security certrequest) ensuring the host name on the CSR is
the external (real) hostname, 'portal-01.sgd.com' in your example. (the
RR name is set in the next step.)
2. When getting your certificate generated, you'll want the extra
attribute "ServerAltName" added and set to "portal.sgd.com" on each
certificate. This requires that the CA support this extra attribute;
IIRC, all of the commercial CA's I've checked support this. If you plan
to use a self-signed certificate (via tarantella security selfsign) (not
recommended or supported for production use, of course), you'll want to:
a. edit /opt/tarantella/etc/data/openssl.cnf
in the section "[v3_ca]" add the line:
subjectAltName = DNS:portal.sgd.com, DNS:portal-01.sgd.com
Note that on "portal-02.sgd.com", you'd change the above from portal-01
to portal-02, etc.
3. Install the certificates as usual (tarantella security certuse).
You'll probably want to use the load balancing JSP in DNS Round-Robin
mode as I discussed in an earlier e-mail. Alternatively, you can simply
force a redirect/rewrite at the "landing" host, also discussed previously.
Note that you can kind of get around the above if you use http for your
load-balancing connection, then redirecting to the https port on your
"real" connection. This avoids the mismatched servername issue
altogether. (e.g. connect to http://portal.sgd.com, then on each 'real'
server, redirect to https://portal-01.sgd.com)
Finally, I *think* that in the next release of SGD, the SGD client will
support the use of wildcards and subjectAltName - this would
theoretically allow you to create a single certificate for "*.sgd.com",
for example. But I could be wrong on this, so take this with a grain of
salt.
Hope this helps,
Rick
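As an added illustration (not code from the thread or from SGD itself), the following Python models the two name checks Rick describes, browsers honouring CN plus subjectAltName and wildcards, the SGD client of that release matching the CN exactly, and compares Mohamed's "CN = portal.sgd.com on both servers" plan against the per-server CN + subjectAltName layout above. The client behaviours are assumptions taken from the e-mail, not from any specification.

```python
# Added example (not code from the original thread): a small model of the
# name-checking behaviour Rick describes, so the two certificate layouts in
# the thread can be compared. Assumptions: browsers accept a host that matches
# the CN or any DNS subjectAltName entry (a '*' is allowed only as the whole
# leftmost label); the SGD client of that release accepts only an exact CN
# match and ignores both wildcards and subjectAltName.

def name_matches(pattern, host):
    """Exact match, or wildcard match where '*' is the entire leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".sgd.com"
        leftmost = host[:-len(suffix)] if host.endswith(suffix) else ""
        return leftmost != "" and "." not in leftmost
    return False

def browser_accepts(cert, host):
    """Browser check: CN plus every DNS subjectAltName, wildcards honoured."""
    return any(name_matches(n, host) for n in [cert["cn"]] + cert.get("san", []))

def sgd_client_accepts(cert, host):
    """SGD client check as described in the thread: exact CN only."""
    return cert["cn"].lower() == host.lower()

def openssl_san_line(real_host, rr_name):
    """The subjectAltName line to add under [v3_ca] in openssl.cnf (step 2a)."""
    return f"subjectAltName = DNS:{rr_name}, DNS:{real_host}"

def array_certs(rr_name, real_hosts):
    """Rick's layout: per-server cert, CN = real host, SAN = RR name + real host."""
    return {h: {"cn": h, "san": [rr_name, h]} for h in real_hosts}

def plan_report(rr_name, real_hosts):
    """For each server cert, which names a browser and the SGD client accept."""
    report = {}
    for real_host, cert in array_certs(rr_name, real_hosts).items():
        names = [rr_name] + real_hosts
        report[real_host] = {
            "browser": sorted(h for h in names if browser_accepts(cert, h)),
            "sgd_client": sorted(h for h in names if sgd_client_accepts(cert, h)),
        }
    return report

if __name__ == "__main__":
    # Constructed sample: the two hosts and RR name from Mohamed's message.
    hosts = ["portal-01.sgd.com", "portal-02.sgd.com"]
    for h in hosts:
        print(openssl_san_line(h, "portal.sgd.com"))
    print(plan_report("portal.sgd.com", hosts))
```

Running it shows why the CN must be the real hostname: a shared CN of portal.sgd.com satisfies the browser only until the redirect to portal-01, and never satisfies the SGD client.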
Mohamed Ali wrote:
Hi Rick,
Thank you for your reply.
I am not really good at SSL, certs, and Windows DNS. FYI, we are
not going to use an SSL accelerator or Reverse Proxy. Here is what I
intended to do:
2x SGD servers
----------------
hostname: portal-01.sgd.com
IP Add: 172.16.2.10
hostname: portal-02.sgd.com
IP Add: 172.16.2.11
1) Planning to create dns entry portal.sgd.com = ( portal-01 and
portal-02 ).
- Is this achievable ?
- Any guide ?
2) When creating the certs (tarantella certrequest) in portal-01 and
portal-02, I will enter the certificate's common name = portal.sgd.com.
- Is this acceptable and okay to use ?
- Or what is your suggestion ?
3) When configuring the client to use HTTPS and trust SGD server
certificates (keytool) in portal-01 and portal-02, I use the hostname
as portal.
- Again is it acceptable ?
- What is your suggestion ?
Note: All the users will use the browser (http or https) and maybe
some users will use the SGD client (Integrated Start button).
You are welcome to advise. Thanks.
Yours Sincerely,
Mohamed Ali Bin Abdullah.
Message: 1
Date: Wed, 19 Sep 2007 10:55:04 -0400
From: Rick Butland <[EMAIL PROTECTED]>
Subject: Re: [SGD-Users] SGD 4.31 - Creating X.509 certificate for SGD server (Two servers)
To: Sun Secure Global Desktop Users mailing list
<[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1
Mohamed Ali wrote:
Dear SGD users,
To enable the SGD Security services I need to obtain and install the
X.509 certs. I have two servers that need security services enabled:
Server1 (Primary) and Server2 (Secondary).
This is the command shown in the Admin guide:
Server1# tarantella security certrequest --country US --state Man
--orgname "Car Company"
I need to send the outcome of the above to a supported CA Center. Once
the CA Center gives the signed certs, I will install them in my Server1.
My question is, can I use the same signed certs for my Server2?
Not really, unless you used a SSL accelerator in front of your array,
or a reverse proxy.
Recall that you're actually talking about four server certificates -
for each server, one for Apache, one for SGD. Generally, there's a
single certificate, shared between the webserver and SGD, but they
don't have to be. Moreover, there are some differences in
certificate handling between web browsers and the SGD client.
For example, in Apache, you could share webserver certificates among
the two servers, by using wildcards in the hostname, so that a single
certificate/key pair could be used like "*.sgd.example.com".
Alternatively, the ServerAltName field of a certificate could
conceivably be used (basically, the subject will be Server1 and the
ServerAltName would be set to Server2, though this is pretty much a
misuse of the certificate.)
But, the SGD client doesn't support either wildcards or
ServerAltName, so neither of these approaches get you very far unless
you don't enable "tarantella security", and only run https. This is
actually not an unreasonable approach for some because sniffing AIP
isn't gonna give up much info - but to use firewall traversal, you
must enable security.
So, for most, this only becomes relevant when you want to establish a
certificate for a "round-robin" name, e.g.:
https://arrayname.example.com
https://server1.example.com
https://server2.example.com
For this to work, you'd create two certificate/key pairs:
cn=server1.example.com, ServerAltName=arrayname.example.com
cn=server2.example.com, ServerAltName=arrayname.example.com
Most web browsers will test the ServerAltName, so whether you browse
to any of:
https://arrayname.example.com, https://server1.example.com, or
https://server2.example.com
the web browsers will be happy because the hostnames will match,
(since they test the ServerAltName field.)
The SGD client itself will connect to a "real" hostname, (i.e.
server1 or server2), so there won't be any issue (that is, the SGD
client will *never* attempt to connect to arrayname.example.com, so the fact
that it doesn't test for ServerAltName won't come into play.)
I know this is probably more info than you needed, but thought it
might be useful for others on the list.
Regards,
Rick
Any advice?
Thanks in advance.
_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
--
Rick Butland
E-Mail: [EMAIL PROTECTED]
AccessLine: (703) 579-1947 x53261
Direct: (703) 444-9398
Mobile: (703) 328-8130