-
1. Re: AdvertiseSecurityKey in version 1.1.1
mbabacek May 13, 2013 7:15 PM (in response to kclair-rei)
Dear Kristina, perhaps you might have misunderstood the purpose of this attribute. What would you like to use it for?
The behavior you described is indeed expected.
-
2. Re: AdvertiseSecurityKey in version 1.1.1
kclair-rei May 14, 2013 12:03 PM (in response to mbabacek)
No doubt I am confused! I had trouble figuring out exactly what the feature was supposed to do based on the documentation.
I had assumed that if it was defined in the apache module then any application server would need to provide the same key in order to be added to the cluster.
I'm unclear if this.config.getAdvertiseSecurityKey(); in your code reference is referring to the apache config or the application server config.
Also, I don't know if it matters, but your code reference is for version 1.2, but we're running 1.1.
-
3. Re: AdvertiseSecurityKey in version 1.1.1
rhusar May 14, 2013 12:34 PM (in response to kclair-rei)
The HTTPd advertisements are verified on the AS node. For the AS node to verify it, it needs to know what the security key actually is. When not set, this check is not performed. This prevents AS nodes from responding (and registering) to spoofy advertisements. So for the functionality to work, you need to configure this on both AS and HTTPd nodes.
Note that it is the AS node that actually connects to the LB and configures it.
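
The check described in the reply above, as a simplified model added here (not mod_cluster's code and not its actual advertisement or digest format): HMAC-SHA256, the field names, keys and addresses are all assumptions constructed for illustration. It shows that a node with no key configured accepts signed and unsigned advertisements alike, while a node holding the key accepts only a matching digest.

```python
import hashlib
import hmac

def _canonical(fields):
    # Constructed serialization for this model: sorted "name=value" lines.
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()

def sign_advertisement(key, fields):
    """Balancer side of the model: attach a keyed digest when a key is set."""
    advert = dict(fields)
    if key is not None:
        advert["digest"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return advert

def accept_advertisement(node_key, advert):
    """Node side of the model. Returns (accepted, reason)."""
    if node_key is None:
        # Behaviour stated in the thread: no key on the node, no check at all.
        return True, "unverified"
    fields = {k: v for k, v in advert.items() if k != "digest"}
    expected = hmac.new(node_key, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison; a missing digest compares against "".
    if hmac.compare_digest(expected, advert.get("digest", "")):
        return True, "verified"
    return False, "rejected"

def scenario_matrix():
    """Run signed and unsigned adverts against nodes with and without the key."""
    key = b"constructed-shared-key"  # hypothetical shared key
    fields = {"server": "constructed-balancer-id", "sequence": "1",
              "manager": "192.0.2.10:6666"}  # constructed sample values
    signed = sign_advertisement(key, fields)
    unsigned = sign_advertisement(None, dict(fields, manager="192.0.2.66:6666"))
    nodes = {"key on both sides": key, "key on balancer only": None,
             "different key on node": b"some-other-key"}
    return {(name, label): accept_advertisement(node_key, advert)
            for name, node_key in nodes.items()
            for label, advert in (("signed", signed), ("unsigned", unsigned))}

if __name__ == "__main__":
    for case, (accepted, reason) in scenario_matrix().items():
        print(case, accepted, reason)
```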
-
4. Re: AdvertiseSecurityKey in version 1.1.1
rhusar May 14, 2013 1:00 PM (in response to kclair-rei)
Kristina, I have filed an issue to fix this https://issues.jboss.org/browse/MODCLUSTER-337 and require digest checking if it's set only on the HTTPd side too.
-
5. Re: AdvertiseSecurityKey in version 1.1.1
kclair-rei May 14, 2013 1:03 PM (in response to rhusar)
Thanks!
So in the meantime, if I want to prevent unwanted nodes from joining the cluster, the best way to do that is to restrict access to / on the virtualhost based on IP/subnet and to enforce two-way SSL for mod_manager?