Two questions, as DART seems to be incapable of making recommendations and RIM seems to be incapable of issuing best practices outside of a limited scope of knowledge:
1 - Would you recommend placing the SSL certificate on the hardware load balancer (F5, Cisco, etc.) or on the BAS web servers?
My thoughts are to off-load the SSL traffic to the load balancers, especially in the instance where you'd be deploying Web Desktop Manager, and have it translate to the BAS servers over the HTTP/18180 port. However, I wanted to see what everyone else had to say before I made a final decision.
2 - If the recommendation is to place the SSL certificate on the BAS web servers, how exactly would you add the certificate to the second (or third or fourth) BAS server?
In my testing, I went through the normal steps to generate and add the new certificate (genkey, import root, certreq, import cert) to the first BAS server and it came online just fine. However, when I went through the steps to import the certificate to the second BAS server (import root, import cert), it would not fully start the BAS-AS service. The BAS-NCC service has the following issue at the end of the log just prior to starting:
Code:
(07/20 20:26:13:890):{main} [STDOUT] [INFO] com.sun.net.ssl.internal.ssl.SSLSessionContextImpl@2130c2
(07/20 20:26:13:921):{AcceptorThread#0:23843} [org.jboss.remoting.transport.socket.SocketServerInvoker] [ERROR] SSLServerSocket error
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
    at org.jboss.security.ssl.DomainServerSocket.accept(DomainServerSocket.java:84)
    at org.jboss.security.ssl.DomainServerSocket.invoke(DomainServerSocket.java:60)
    at javax.net.ssl.SSLServerSocket_$$_javassist_1.accept(SSLServerSocket_$$_javassist_1.java)
    at org.jboss.remoting.transport.socket.SocketServerInvoker.run(SocketServerInvoker.java:520)
    at java.lang.Thread.run(Unknown Source)
In my experience with other software vendors, they have always made recommendations for load balancer configurations as they best work with their product. It was recommended that I contact Cisco for details on how to configure the load balancer. I'm not even asking the more complicated questions about Stickiness configuration, Probe configuration, etc. I'm simply asking a question about something that is being HIGHLY recommended by the software vendor with no best practices or actual documented recommendations being made.
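On the SSLException quoted in the log: JSSE raises "No available certificate or key corresponds to the SSL cipher suites which are enabled" when the server's keystore offers no private-key entry that the enabled cipher suites can use. A keystore that holds only imported certificate entries (the CA root plus the issued server certificate) satisfies the trust side but has no private key to complete the handshake with, so the listener fails in accept() exactly as shown. The script below is an added example, not code from the post or from RIM's BAS tooling; it tells the two keystore shapes apart from the text `keytool -list` prints. The aliases, file names and the two sample listings are constructed for the demonstration, and the live section only runs when a JDK's keytool is on the PATH.

```shell
#!/bin/sh
# Added example (not from the post or from RIM): tell a keystore that holds a
# private key apart from one that holds only certificates, using the text that
# `keytool -list` prints. Aliases, file names and the sample listings are
# constructed for this demonstration.
set -eu

# Succeeds when the listing on stdin has at least one entry carrying a private
# key. Current JDKs print "PrivateKeyEntry"; very old ones printed "keyEntry".
has_private_key_entry() {
    grep -Eq ', *(PrivateKeyEntry|keyEntry),'
}

# Prints the alias of every private-key entry in the listing on stdin.
private_key_aliases() {
    grep -E ', *(PrivateKeyEntry|keyEntry),' | cut -d, -f1
}

# One-line verdict for a listing passed as the first argument.
report_listing() {
    if printf '%s\n' "$1" | has_private_key_entry; then
        aliases=$(printf '%s\n' "$1" | private_key_aliases | tr '\n' ' ' | sed 's/ *$//')
        echo "private key present for alias(es): $aliases"
    else
        echo "certificates only: no private key for the enabled cipher suites"
    fi
}

# Constructed listing for a store built with genkey + certreq + import cert:
# the issued certificate was imported onto the alias that already held the key.
LISTING_SERVER1='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Jul 20, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
bas, Jul 20, 2010, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed>'

# Constructed listing for a store where only the root and the issued certificate
# were imported, with no genkey on this host: both land as trustedCertEntry.
LISTING_SERVER2='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Jul 20, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>
bas, Jul 20, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed>'

# Optional live run: rebuild the two shapes with keytool when a JDK is present.
demo_with_keytool() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not on PATH; skipping live demo"
        return 0
    fi
    tmp=$(mktemp -d)
    # Host 1: genkeypair creates the PrivateKeyEntry (self-signed here; importing
    # a CA reply onto the same alias would keep the key and replace the chain).
    # Host 2: importing the certificate alone creates a trustedCertEntry; the
    # private key never existed on this host.
    if keytool -genkeypair -alias bas -keyalg RSA -keysize 2048 \
            -dname "CN=bas.example.test" -validity 1 \
            -keystore "$tmp/host1.jks" -storepass changeit -keypass changeit >/dev/null 2>&1 \
        && keytool -exportcert -alias bas -keystore "$tmp/host1.jks" -storepass changeit \
            -file "$tmp/bas.cer" >/dev/null 2>&1 \
        && keytool -importcert -noprompt -alias bas -file "$tmp/bas.cer" \
            -keystore "$tmp/host2.jks" -storepass changeit >/dev/null 2>&1; then
        for ks in host1 host2; do
            listing=$(keytool -list -keystore "$tmp/$ks.jks" -storepass changeit 2>/dev/null || true)
            echo "$ks: $(report_listing "$listing")"
        done
    else
        echo "keytool could not build the demo stores; skipping live demo"
    fi
    rm -rf "$tmp"
}

echo "server1 listing -> $(report_listing "$LISTING_SERVER1")"
echo "server2 listing -> $(report_listing "$LISTING_SERVER2")"
demo_with_keytool
```

The script works on listing text rather than on a fixed keystore path because the post does not give the path, store password or alias that the BAS certificate tooling uses; on a real server, feed it the output of `keytool -list` against that keystore. A listing with no PrivateKeyEntry for the server alias is the condition that produces the SSLException above.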