Re: encryption and load balancing


 



On 05/12/2014 06:08 PM, David Boreham wrote:

On 5/12/2014 9:53 AM, Elizabeth Jones wrote:

Do the certs have to have the server hostnames in them or can I create a
cert that has a virtual name and put that on all the LDAP servers?

If the GTM does the two-way SSL connection handling, that doesn't have anything to do with the hosts serving the requests. The GTM address certificate is the one which is visible to your clients; otherwise you would need to know within your application which host name you are going to connect to ... which obsoletes load balancing a little bit ;)

The complete path gets encrypted by enabling SSL from the GTM to the back-end systems, where you need to either deploy a client certificate for authentication (if necessary) or simply just encrypt the traffic (worth considering if you can ensure that there's no possibility for others to spoof the back-end system in a kind of man-in-the-middle scenario).

The point you want to look at is in your GTM -> Profiles -> SSL -> Client & Server, where Server is the one your customers are connecting to and Client is the back-end communication ...

regards
mIke




If I understand the scenario: you are using an LB that passes SSL traffic through to the LDAP servers without terminating the SSL sessions (packets come in from clients and are sent to the LDAP server of choice, untouched by the LB). In that case you can deploy a cert on all the LDAP servers with the virtual hostname the clients use to make their connections to the LB. The clients will validate the cert presented because its hostname matches the one they used to make the connection.

However, note that any LDAP client that needs to make a connection to a specific server (bypassing the LB) will now see the "wrong" hostname and hence fail the certificate host name check. (e.g. replication traffic from other servers).

A wildcard hostname may be a good solution in this case.

There may be a way to get the LDAP server to present different certificates depending on the source IP (hence avoiding the need for a wildcard cert), but I don't remember such a feature existing off the top of my head.


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
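As an added illustration of the hostname-check point made in the thread (this is constructed example code, not code from the thread, from 389-ds or from any load balancer vendor), the Python below models the RFC 6125 matching rules that clients such as OpenSSL's X509_check_host() apply to the dNSName entries of a server certificate, and runs three made-up certificate deployments against the two kinds of connection discussed: a client connecting through the LB under the virtual name, and a replication partner connecting to a server directly. The hostnames ldap.example.com, ldap1.example.com and ldap1.dc1.example.com, and the third deployment (a per-server certificate whose SAN carries both the virtual name and the server's own name), are assumptions; that third deployment goes beyond the wildcard suggestion in the thread.

```python
"""
Certificate hostname checking as an LDAP client performs it, modelled on the
RFC 6125 rules used by OpenSSL's X509_check_host() and by NSS.  Constructed
example, not 389-ds or any vendor's code; all hostnames and certificate name
lists below are made up for illustration.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry from a certificate against the hostname the
    client connected to.

    Rules applied (the ones that matter for the load-balancer question):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire leftmost label ("*.example.com");
      * the wildcard matches exactly one label, so "*.example.com" covers
        "ldap1.example.com" but not "example.com" or "ldap1.dc1.example.com";
      * a wildcard needs at least two labels after it, so "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[2:]
    if "*" in suffix or "." not in suffix:
        return False
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and tail == suffix


def cert_matches(cert_dns_names, hostname: str) -> bool:
    """True if any dNSName in the cert's subjectAltName covers hostname.
    Modern clients ignore the CN once a SAN extension is present, so the
    list passed here should be the SAN entries."""
    return any(name_matches(n, hostname) for n in cert_dns_names)


# Constructed deployments for the scenario in the thread: clients connect to
# the LB under the virtual name, while replication and admin tools connect to
# the individual servers directly.
VIRTUAL_NAME_ONLY = ["ldap.example.com"]          # same cert on every server, VIP name only
WILDCARD = ["*.example.com"]                       # the workaround suggested in the thread
PER_SERVER_SAN = ["ldap.example.com", "ldap1.example.com"]  # ldap1's own cert: VIP + real name

# Constructed hostnames peers might connect with.
CONNECTIONS = [
    "ldap.example.com",        # client via the LB
    "ldap1.example.com",       # replication partner bypassing the LB
    "ldap1.dc1.example.com",   # a server in a sub-domain, also bypassing the LB
]


def check_deployment(cert_dns_names, hostnames=CONNECTIONS):
    """Map each hostname a peer might connect with to whether the certificate
    passes the hostname check for that connection."""
    return {h: cert_matches(cert_dns_names, h) for h in hostnames}


if __name__ == "__main__":
    for label, names in [("virtual name only", VIRTUAL_NAME_ONLY),
                         ("wildcard", WILDCARD),
                         ("VIP + own name in SAN", PER_SERVER_SAN)]:
        print(f"{label:22s} {check_deployment(names)}")
```

Running it shows the failure David describes (the virtual-name-only cert passes for ldap.example.com but fails for ldap1.example.com), shows that the wildcard fixes direct connections within example.com but not for a server such as ldap1.dc1.example.com because a wildcard covers exactly one label, and shows that listing both the virtual name and the server's own name in each server's SAN passes both checks without a wildcard.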