I've set it up both ways. It all depended on the requirements of the IT Security Team. It's actually a pretty easy way to gain points with the rest of the IT Dept if JDE can get ahead of the security curve. Once you figure out how to work with keytool, it's not difficult. KeyStore Explorer also makes things easier.
One thing many Weblogic/Websphere people will agree upon is to try and never install SSL encoding directly on the weblogic/websphere servers. That's the quickest way to dramatically reduce the scalability of your WLS/WAS server and cause a lot of performance issues! There's a number of whitepapers out on the interwebs that talk about how offloading SSL using a separate loadbalancer is the ideal way to deliver SSL to the end user, but keep the WAS/WLS servers scalable.
All loadbalancing options that you consider (F5/Netscaler or even Zen Loadbalancer) have the option to offload SSL - i.e., from the end user to the loadbalancer, the traffic is delivered via https - but the loadbalancer deals with the certificate, and the "back-end" traffic (usually only contained within the datacenter on the same segment) is then delivered between the web server and the loadbalancer with http. Fast, scalable and reliable. And, in the case where there are a LOT of webservers, a reduced number of locations where SSL keys have to be stored.
I totally agree, Jon. The less the JAS server has to do, the better. Hopefully, Adeel has a reasonable infrastructure team that doesn't require encrypted communication within the datacenter even if they are on the same segment. Of course, I think there are ways to offload that too.
The ideal method is to restrict traffic via IP address and VLAN between the WLS/WAS servers and the loadbalancer - that way, nobody ever has access to the WLS/WAS servers outside of going through the loadbalancer! You'd have to "spoof" the IP address of the loadbalancers to be able to connect directly to the WLS/WAS traffic.
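The two posts above describe the offload pattern (https to the loadbalancer, plain http from the loadbalancer to WLS/WAS) and the rule that only the loadbalancer may reach the back-end. The following is an added example, not code from the thread or from any JDE/WLS product, of the back-end side of that trust boundary: forwarded headers such as X-Forwarded-Proto are only honoured when the TCP peer is on the loadbalancer subnet. The subnet 10.20.30.0/24 and the header names are assumptions for illustration.

```python
import ipaddress
from typing import Mapping

# Constructed sample value: the network the loadbalancers sit on (an assumption
# for this example, not a value from the thread). In production this mirrors
# the IP/VLAN restriction enforced on the network, as defence in depth.
LOADBALANCER_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def is_from_loadbalancer(peer_ip: str) -> bool:
    """True if the TCP peer that reached the WLS/WAS listener is a loadbalancer."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in LOADBALANCER_NETWORKS)


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), "")


def effective_scheme(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Scheme the application should treat the request as having used.

    With SSL offloaded, the back-end only ever sees http, so it has to rely on
    X-Forwarded-Proto set by the loadbalancer. That header is only trustworthy
    when the peer really is a loadbalancer; any other peer could set it to
    claim https and, for example, be issued secure cookies over plaintext.
    """
    if not is_from_loadbalancer(peer_ip):
        return "http"  # direct connection bypassing the loadbalancer
    proto = _header(headers, "X-Forwarded-Proto").split(",")[0].strip().lower()
    return "https" if proto == "https" else "http"


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Original client address, taking X-Forwarded-For only from a loadbalancer."""
    if not is_from_loadbalancer(peer_ip):
        return peer_ip
    first = _header(headers, "X-Forwarded-For").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return peer_ip  # malformed header: fall back to the real peer


def should_reject(peer_ip: str) -> bool:
    """Back-end guard for 'nobody reaches WLS/WAS except via the loadbalancer'."""
    return not is_from_loadbalancer(peer_ip)
```

The network ACL/VLAN remains the primary control; this check just ensures the application never trusts forwarded headers from a peer that should not have been able to connect at all.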
We're not tied with AD. Also, I assume the whole solution is for the entire JDE, not only specific to WAS, meaning it will secure all clients, like deployment server access to the DB, etc. (I should have clarified in the subject of this post that it is not specific to web.)
I have to go through a lot of reading for this. I thought it would be an easy task, but it looks like there is a lot of stuff to consider and test to move a running system from http to https.