Greg,
 
I am doing this now, so I will get back to the list when I am finished. This is my working plan:
 
1. there are two loadbalancer instances, one for http and one for https. These can be on the same machine or separate machines.
2. the ports for your web-sites can be different from your loadbalancer(s) port. This allows you to have the loadbalancer and an orion instance on the same machine, for example. Or the ports can be the same, in which case the loadbalancer(s) has to be on a different machine.
3. the same rules apply for the loadbalancer as orion for unix machines. You need to use some port forwarding, like ipchains, if you want to run the loadbalancer on a user account which is not the superuser. This applies also for the ssl port. (skip 3 if you are using m$ or don't care)
4. the ssl setup in the load-balancer.xml (see the ssl-config tag in the load-balancer.xml documentation) is the same as the secure-web-site.xml, but you will have to set the secure flag in the load-balancer tag. Obviously, this means you will need a keystore for the loadbalancer, and a keystore for the backend for total secure communication. I believe that the communication to the backend is transparent to the user, so you can self certify that connection, irregardless of what those guys at verisign say.
5. you can skip all of this and use apache for ssl (interesting, but slow). This is what oracle advises, because they can't figure out orion, or they have so much invested in the "apache/oracle" solution.
 
I'm testing this now; as soon as I get through the hiccups, I will let the list know.
 
regards,
 
the elephantwalker
 
 
 
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Matthews
Sent: Sunday, June 24, 2001 3:02 PM
To: Orion-Interest
Subject: clustering + ssl together

 
dear all,
 
there has been a recent post on this but no solution posted.
i've got some more info on the problem.
 
can the developers of orion or anyone else let me know
if anyone has successfully set up an ssl orion cluster?
 
i can:
- set up clustering
- set up ssl
 
...but not both together.
 
some clues.
 
1. on orionserver.com there is doco for load-balancer.xml that
    suggests loadbalancer.jar can be given SSL keystore information.
    does this mean that a clustered SSL setup requires loadbalancer
    to share the same keystore as each box in the cluster?
 
2. how do you set the web-site.xml for a clustered secure app.
 
    you can't have both the loadbalancer + your secure app
    both running on port 443 on the same box, so what do you
    do?
        i) run loadbalancer on another port?
        ii) run your app on another port?
            - the orion doco says that when your app needs to
              be made secure you should add a secure="true"
              attribute to the web-site element of the web-site.xml
              plus remove the port attribute.
 
if someone has made this work i'd be grateful for any information,
or if you couldn't be bothered explaining how to do it, just maybe
forward me your server.xml, loadbalancer.xml, web-site.xml and
i'll work it out from that.
 
thanks.
greg.
