This document discusses high availability configurations for CAS using F5 load balancers and replicated databases across CAS nodes. It provides options for replicating session data and tickets using JBoss Cache or a replicated database. It also addresses testing and infrastructure considerations.

1. High Availability F5 Browser CAS Node00 Login CASX509Cert CAS Node01 Validate Encrypted Service If you use X509 Auth, configure trust in the F5 and send the info in X-Headers

2. Points of Replication PresentationLayer AuthManager Ticket Registry/ SessionStorage JPA or ReplicatedCache CentralAuthenticationServiceImpl SessionObjects Session Objects and Flow State Add “<distributable/> to web.xml

3. Replication Tests Display Form from node00, POST userid and password to node01 Node00 issues TGT, Node01 issues ST Node00 issues ST, Node01 validates it Not clear that Proxy adds other issues

4. Replicated Database DB instance CAS Node00 DB instance CAS Node01 24x7x365 availability no backup needed secure network or encrypted (not an application DB)

5. JPA Entity (sorta)In 3.4.2 should not be final @Entity @Table(name="SERVICETICKET") public final class ServiceTicketImpl extends AbstractTicket implements ServiceTicket { /** The service this ticket is valid for. */ @Lob @Column(name="SERVICE",nullable=false) private Service service; /** Is this service ticket the result of a new login. */ @Column(name="FROM_NEW_LOGIN",nullable=false) private booleanfromNewLogin;

6. JBoss Cache is an API Map<String, Ticket> becomes Cache<String, Ticket> Put, Get, Delete keyed serializable objects Map is preloaded on startup, shared within AS There are lifecycle exits, but CAS doesn’t use them.

7. JGroups handles Failover Are you there? I am fine. Node03 has gone down. CAS doesn’t care when Node03 goes down or comes up.Infinispan is more powerful than a JGroups which is already more powerful than CAS needs.

8. Requirements CAS is comfortable, unless under attack or misused Not a lot of nodes, not far apart We will use what JBoss uses for Session and Context replication

9. Institutional Specialization User Interface Experts Security Experts Container Managers F5 iRule programmer Replication Configuration DB Configuration These specialists come into existence for applications more expensive than CAS

10. Configure it Yourself mcast_port="${jboss.jgroups.udp.mcast_port:45688}" mcast_addr="${jboss.partition.udpGroup:228.11.11.11}" tos="8" ucast_recv_buf_size="20000000" ucast_send_buf_size="640000" mcast_recv_buf_size="25000000" mcast_send_buf_size="640000" loopback="true" discard_incompatible_packets="true" enable_bundling="false" ip_ttl="${jgroups.udp.ip_ttl:2}" thread_naming_pattern="cl" thread_pool.enabled="true" thread_pool.min_threads="20" thread_pool.max_threads="200" thread_pool.keep_alive_time="5000"

11. Use JBossAppServerCacheManager(Someone else configures it) Context ctx = new InitialContext(); cacheManager= (CacheManager) ctx.lookup("java:CacheManager"); this.cache = cacheManager.getCache("cas-cache", true ); this.cache.start();

12. Notcas-server-integration-jboss That project uses JBoss Cache as a library, not a container service Change custom Cache<String,Ticket> to managed Cache<Object,Object> “cas-cache” configured along with session replication, etc., by JBoss admin [all the parameters are there, but they are someone else’s problem]

13. Temporary 3.4.2 Ticketid Hash CentralAuthenticationServiceImpl new TGTimpl new STimpl return cleartext ID Hash TicketID when ticket created JBossASTicketRegistry addTicket() getTicket() deleteTicket() Requires cleartext ID Accepts hashed or cleartext ID

14. EAR + Skinny WAR Create an EAR project/POM copy all the WAR dependencies (cas-server-core) Add WAR as <module> in application.xml Mark all the dependencies in the WAR as “provided” except for your own search first jars. Search: WEB-INF/classes (WAR Java source), WEB-INF/lib (WAR “runtime” dependencies), EAR’s /lib (EAR “runtime” dependencies), JBoss common/lib (WAR and EAR “provided” or omitted)

15. Experience

16. 80% of problems comefrom F5 and older clients Want to use modern SSL/TLS, but some clients support only older deprecated levels Oracle 8 (no Host: header), 9 (Host: with port), 11 (proper Host: )

17. Run CAS on JBoss Native (same as Tomcat) Mark common/lib JARs as “provided” in WAR POM JBoss Cache JAR (or can’t find Manager) Hibernate (or JPA hoses up) Logging If CAS won’t start, remove offending JAR.

18. Test: SSH tunnel past the F5 CAS Node00 F5 Get ST HttpClient CAS Node01 Validate

19. Infrastructure CAS projects checked into Subversion Build/Deploy by Hudson Check out source, build Maven Artifacts Deploy 0.0.x-SNAPSHOT to development Cut a release to deploy to Test/production Sensitive parameters (database/AD login) are separated out in an XML file configuring a JBoss JNDI stuffer service. They are external to the artifacts.