users@glassfish.java.net

Re: Securing two GF v3 Prelude DASs front-ended by a load balancer

From: Kshitiz Saxena <Kshitiz.Saxena_at_Sun.COM>
Date: Mon, 29 Dec 2008 14:37:06 +0530

Hi David,

It depends on what you want to secure. Mostly, client to web-server
communication is over a secure channel while web-server to
application-server communication is over a non-secured channel. If this
is what you are trying to achieve, then the certs are to be installed on
the web-server. You can refer to the load-balancer plugin documentation
in GFv2 for the same:
http://docs.sun.com/app/docs/doc/819-3679/gchvt?l=en&a=view

Please note there is no provision to export the load-balancer xml in GFv3,
so you need to manually edit the load-balancer xml to reflect the cluster
view. Also, you need to ensure that both DASs are homogeneous in terms of
application deployment. You can only achieve load distribution, but
session fail-over will not work.

Thanks,
Kshitiz

glassfish_at_javadesktop.org wrote:
> I need to secure a GF v3 Prelude configuration in which I have a load balancer balancing requests to two DASs. Looking for clarification/confirmation on how to set up the certs and trust relationships before I start.
>
> Seems like I should just:
>
> - Install the (instance) certificates for the two DASs into the config/keystore.jks files for the DASs
> - Install the CA cert for the LB into the config/cacerts.jks files for the two DASs
>
> Is this correct?
>
> And, is it recommended to use keytool for this or is there an asadmin argument that I ought to use? (If so, what?)
>
> Is this anywhere in the docs? I could not find it - there are explanations of what certs are and even how you generate them but I could not find a reference to how you install a cert (CA or otherwise) into the container.
>
> Thanks,
>
> David
> [Message sent by forum member 'dgolds' (dgolds)]
>
> http://forums.java.net/jive/thread.jspa?messageID=323108