Network Dispatcher balancing SSL servers
| Nick Dakoronias 2004-01-19, 3:02 pm |
| Hello Edge Server forum readers,
I would much appreciate it if someone could advise on the following
issue:
Our customer has a network dispatcher balancing two SSL server machines.
The SSL machines have addresses A and B, and the dispatcher cluster
itself answers at address C (cluster address).
The customer wants to buy and install Verisign certificates on the SSL
servers.
The question is:
Does he need just one certificate for the cluster address C, or does he
need two certificates,
one for address A and the other for address B (the SSL servers)?
Fyi, SSL Servers = WAS on AIX machines with IBM HTTP (Apache).
Regards, Nick Dakoronias.
ITS Athens
| |
|
| I think it's more a matter of Verisign than a Network Dispatcher licensing
issue.
My feeling is that he'll have to pay per back-end CPU or machine. Otherwise,
how would Verisign make money on large sites? ;-)
"Nick Dakoronias" <dakoroni@gr.ibm.com> wrote in message
news:3E563AF7.FB8DA47F@gr.ibm.com...
> Hello Edge Server forum readers,
>
> I would much appreciate it if someone could advise on the following
> issue:
>
> Our customer has a network dispatcher balancing two SSL server machines.
>
> The SSL machines have addresses A and B, and the dispatcher cluster
> itself answers at address C (cluster address).
> The customer wants to buy and install Verisign certificates on the SSL
> servers.
> The question is:
> Does he need just one certificate for the cluster address C, or does he
> need two certificates,
> one for address A and the other for address B (the SSL servers)?
> Fyi, SSL Servers = WAS on AIX machines with IBM HTTP (Apache).
>
> Regards, Nick Dakoronias.
> ITS Athens
>
>
| |
| anthony.carrigan@ntlworld.com 2004-01-19, 3:02 pm |
|
He only needs to buy one certificate, receive it into IBM Key Manager on one of the back-end servers, then export it as a P12 file and import it into IBM Key Manager on the other server. He will need to create an IP-based virtual host in httpd.conf on each of the WAS servers, with the cluster address (port 443) in the virtual-host header. The certificate common name should be the same as the domain name and should also match the Virtual Host 'ServerName'.
Also, if the clients will be connecting to these servers via a reverse proxy, he will also need to import the same P12 file into IBM Key Manager on that as well. (This assumes he wants to do SSL bridging - alternatively he could just import the cert onto the reverse proxy and proxy through to the back-end servers using http rather than https - this is slightly less secure, obviously.)
If you look at Verisign's website, they will tell you to buy a separate cert for each of the 2 (or 3) servers in the above scenario, but I do not believe this is justifiable...
Tony Carrigan (Abbey National Glasgow)
tony.carrigan@anfis.co.uk
On Fri, 21 Feb 2003 16:43:03 +0200, Nick Dakoronias <dakoroni@gr.ibm.com> wrote:
> Hello Edge Server forum readers,
>
> I would much appreciate it if someone could advise on the following
> issue:
>
> Our customer has a network dispatcher balancing two SSL server machines.
>
> The SSL machines have addresses A and B, and the dispatcher cluster
> itself answers at address C (cluster address).
> The customer wants to buy and install Verisign certificates on the SSL
> servers.
> The question is:
> Does he need just one certificate for the cluster address C, or does he
> need two certificates,
> one for address A and the other for address B (the SSL servers)?
> Fyi, SSL Servers = WAS on AIX machines with IBM HTTP (Apache).
>
> Regards, Nick Dakoronias.
> ITS Athens
>
>
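
The export-and-import procedure described in the answer above can be checked end to end. The script below is an added example, not part of the original thread: it uses the OpenSSL command line as a stand-in for IBM Key Manager, a constructed self-signed certificate in place of the purchased one, and the assumed hostname `www.example.com` for the cluster address.

```shell
#!/bin/sh
# Added example, not from the thread. OpenSSL stands in for IBM Key Manager;
# the self-signed certificate and all names are constructed sample values.
set -eu

# SHA-256 fingerprint of the PEM certificate read from stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# Subject common name (CN) of the PEM certificate read from stdin.
cert_cn() {
  openssl x509 -noout -subject -nameopt multiline |
    awk -F' = ' '/commonName/ { print $2 }'
}

# Walk the procedure for a certificate with CN $1 and succeed only if the
# certificate "server B" gets from the P12 is identical to server A's and
# its CN equals $2, the hostname clients use for the cluster address.
shared_cert_ok() {
  cn=$1 cluster_name=$2 pass=constructed-passphrase
  work=$(mktemp -d)
  # Server A: key pair and certificate (stand-in for the purchased one).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -keyout "$work/a.key" -out "$work/a.pem" 2>/dev/null
  # Server A: export key and certificate as the P12 file to be copied.
  openssl pkcs12 -export -inkey "$work/a.key" -in "$work/a.pem" \
    -out "$work/shared.p12" -passout "pass:$pass"
  # Server B: import the P12 and extract the certificate it will present.
  openssl pkcs12 -in "$work/shared.p12" -nokeys -passin "pass:$pass" \
    -out "$work/b.pem" 2>/dev/null
  fp_a=$(cert_fp <"$work/a.pem")
  fp_b=$(cert_fp <"$work/b.pem")
  cn_b=$(cert_cn <"$work/b.pem")
  rm -rf "$work"   # the P12 carries the private key; do not leave it behind
  [ "$fp_a" = "$fp_b" ] && [ "$cn_b" = "$cluster_name" ]
}

if shared_cert_ok www.example.com www.example.com; then
  echo "OK: both back-ends present the same certificate and the CN matches"
fi
```

Against live servers, the same `cert_fp` and `cert_cn` helpers can read the output of `openssl s_client -connect <address>:443 </dev/null` for addresses A, B and C; all three should report one fingerprint and a CN equal to the hostname clients use.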