Jasig Cas High Availability - Yale University

A presentation by Yale University's Howard Gilbert on a high availability CAS implementation at Yale.

Published in: Technology

  1. High Availability
     (Diagram labels: F5, Browser, CAS Node00, Login, CAS X509 Cert, CAS Node01, Validate, Encrypted, Service)
     If you use X509 Auth, configure trust in the F5 and send the info in X-Headers

  2. Points of Replication
     (Diagram labels: Presentation Layer, AuthManager, Ticket Registry / Session Storage, JPA or Replicated Cache, CentralAuthenticationServiceImpl, Session Objects)
     Session Objects and Flow State
     Add <distributable/> to web.xml

  3. Replication Tests
     Display Form from node00, POST userid and password to node01
     Node00 issues TGT, Node01 issues ST
     Node00 issues ST, Node01 validates it
     Not clear that Proxy adds other issues

  4. Replicated Database
     (Diagram labels: DB instance, CAS Node00, DB instance, CAS Node01)
     24x7x365 availability
     no backup needed
     secure network or encrypted
     (not an application DB)

  5. JPA Entity (sorta); in 3.4.2 the class should not be final

     package org.jasig.cas.ticket;

     import javax.persistence.Column;
     import javax.persistence.Entity;
     import javax.persistence.Lob;
     import javax.persistence.Table;

     import org.jasig.cas.authentication.principal.Service;

     // As shipped in 3.4.2 the class is final; JPA entity classes must not be final
     @Entity
     @Table(name = "SERVICETICKET")
     public final class ServiceTicketImpl extends AbstractTicket implements ServiceTicket {

         /** The service this ticket is valid for. */
         @Lob
         @Column(name = "SERVICE", nullable = false)
         private Service service;

         /** Is this service ticket the result of a new login. */
         @Column(name = "FROM_NEW_LOGIN", nullable = false)
         private boolean fromNewLogin;
     }

  6. JBoss Cache is an API
     Map<String, Ticket> becomes Cache<String, Ticket>
     Put, Get, Delete keyed serializable objects
     Map is preloaded on startup, shared within AS
     There are lifecycle exits, but CAS doesn't use them.

  7. JGroups handles Failover
     "Are you there?" "I am fine." "Node03 has gone down."
     CAS doesn't care when Node03 goes down or comes up.
     Infinispan is more powerful than JGroups, which is already more powerful than CAS needs.

  8. Requirements
     CAS is comfortable, unless under attack or misused
     Not a lot of nodes, not far apart
     We will use what JBoss uses for Session and Context replication

  9. Institutional Specialization
     User Interface Experts
     Security Experts
     Container Managers
     F5 iRule programmer
     Replication Configuration
     DB Configuration
     These specialists come into existence for applications more expensive than CAS

  10. Configure it Yourself (JGroups UDP transport attributes)

      mcast_port="${jboss.jgroups.udp.mcast_port:45688}"
      mcast_addr="${jboss.partition.udpGroup:228.11.11.11}"
      tos="8"
      ucast_recv_buf_size="20000000"
      ucast_send_buf_size="640000"
      mcast_recv_buf_size="25000000"
      mcast_send_buf_size="640000"
      loopback="true"
      discard_incompatible_packets="true"
      enable_bundling="false"
      ip_ttl="${jgroups.udp.ip_ttl:2}"
      thread_naming_pattern="cl"
      thread_pool.enabled="true"
      thread_pool.min_threads="20"
      thread_pool.max_threads="200"
      thread_pool.keep_alive_time="5000"

  11. Use the JBoss App Server CacheManager (someone else configures it)

      // Look up the container-managed CacheManager via JNDI and obtain the CAS cache
      Context ctx = new InitialContext();
      cacheManager = (CacheManager) ctx.lookup("java:CacheManager");
      this.cache = cacheManager.getCache("cas-cache", true);
      this.cache.start();

  12. Not cas-server-integration-jboss
      That project uses JBoss Cache as a library, not a container service
      Change custom Cache<String, Ticket> to managed Cache<Object, Object>
      "cas-cache" is configured along with session replication, etc., by the JBoss admin [all the parameters are there, but they are someone else's problem]

  13. Temporary 3.4.2 Ticket ID Hash
      CentralAuthenticationServiceImpl: new TGTimpl, new STimpl, return cleartext ID
      Hash Ticket ID when ticket created
      JBossASTicketRegistry: addTicket() requires cleartext ID; getTicket() and deleteTicket() accept hashed or cleartext ID

  14. EAR + Skinny WAR
      Create an EAR project/POM
      Copy all the WAR dependencies (cas-server-core)
      Add WAR as <module> in application.xml
      Mark all the dependencies in the WAR as "provided" except for your own "search first" JARs.
      Search order: WEB-INF/classes (WAR Java source), WEB-INF/lib (WAR "runtime" dependencies), EAR's /lib (EAR "runtime" dependencies), JBoss common/lib (WAR and EAR "provided" or omitted)

  15. Experience

  16. 80% of problems come from F5 and older clients
      Want to use modern SSL/TLS, but some clients support only older deprecated levels
      Oracle 8 (no Host: header), 9 (Host: with port), 11 (proper Host:)

  17. Run CAS on JBoss
      Native (same as Tomcat)
      Mark common/lib JARs as "provided" in WAR POM
      JBoss Cache JAR (or can't find Manager)
      Hibernate (or JPA hoses up)
      Logging
      If CAS won't start, remove the offending JAR.

  18. Test: SSH tunnel past the F5
      (Diagram labels: CAS Node00, F5, Get ST, HttpClient, CAS Node01, Validate)

  19. Infrastructure
      CAS projects checked into Subversion
      Build/Deploy by Hudson
      Check out source, build Maven Artifacts
      Deploy 0.0.x-SNAPSHOT to development
      Cut a release to deploy to Test/production
      Sensitive parameters (database/AD login) are separated out in an XML file configuring a JBoss JNDI stuffer service. They are external to the artifacts.
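Slides 6, 12 and 13 together describe a ticket registry that is a put/get/delete wrapper over a shared replicated cache, with the ticket id hashed before it becomes a cache key so that a dump of the replicated store (or the replicated database) does not hand out usable ticket ids. The class below is an added illustration of that design, written here for this page; it is not Yale's JBossASTicketRegistry or any code from the deck. It assumes, as stated in its comments, that cleartext CAS ids carry a type prefix such as "ST-" or "TGT-" while hashed ids are hex digests, that SHA-256 is the hash, and it uses a plain ConcurrentHashMap in place of the container-managed Cache<Object, Object>.

```java
// Added example (not from the Yale deck): a ticket registry that keys a shared,
// replicated map by a SHA-256 hash of the ticket id. Assumptions, mine not the
// deck's: cleartext ids carry CAS prefixes ("ST-", "TGT-", "PGT-", "PT-"),
// hashed ids are hex digests, and ConcurrentHashMap stands in for the
// container-managed JBoss Cache<Object, Object> of slide 12.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class HashedIdTicketRegistry {

    /** Minimal stand-in for the CAS Ticket interface, for this example only. */
    public interface Ticket extends java.io.Serializable {
        String getId();
        boolean isExpired();
    }

    /** The shared cache; in the deck this is the JBoss-managed "cas-cache". */
    private final Map<Object, Object> cache;

    public HashedIdTicketRegistry(Map<Object, Object> cache) {
        this.cache = cache;
    }

    /** Cleartext CAS ids start with a type prefix (assumption); anything else is treated as already hashed. */
    static boolean isCleartextId(String id) {
        return id.startsWith("ST-") || id.startsWith("TGT-")
            || id.startsWith("PGT-") || id.startsWith("PT-");
    }

    /** Cache key: SHA-256 hex of a cleartext id; a hashed id passes through unchanged
     *  (slide 13: the registry "accepts hashed or cleartext ID"). */
    static String toKey(String id) {
        if (!isCleartextId(id)) {
            return id;
        }
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(id.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b)); // %x on a Byte prints the unsigned value
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** addTicket() requires the cleartext id (slide 13): the client gets the
     *  cleartext id back, the cache only ever sees its hash. */
    public void addTicket(Ticket ticket) {
        if (!isCleartextId(ticket.getId())) {
            throw new IllegalArgumentException("addTicket needs a cleartext ticket id");
        }
        cache.put(toKey(ticket.getId()), ticket);
    }

    /** getTicket() accepts either form; an expired ticket is reported as absent. */
    public Ticket getTicket(String id) {
        Ticket t = (Ticket) cache.get(toKey(id));
        return (t == null || t.isExpired()) ? null : t;
    }

    /** deleteTicket() accepts either form; returns true if something was removed. */
    public boolean deleteTicket(String id) {
        return cache.remove(toKey(id)) != null;
    }

    /** Demo with a constructed service ticket id. */
    public static void main(String[] args) {
        Map<Object, Object> shared = new ConcurrentHashMap<>(); // would be the JBoss Cache
        HashedIdTicketRegistry registry = new HashedIdTicketRegistry(shared);

        final String clearId = "ST-1-example-node00"; // constructed sample id
        Ticket st = new Ticket() {
            public String getId() { return clearId; }
            public boolean isExpired() { return false; }
        };
        registry.addTicket(st);

        String storedKey = shared.keySet().iterator().next().toString();
        System.out.println("cache key (hash only):   " + storedKey);
        System.out.println("lookup by cleartext id:  " + (registry.getTicket(clearId) != null));
        System.out.println("lookup by hashed id:     " + (registry.getTicket(storedKey) != null));
        System.out.println("deleted by cleartext id: " + registry.deleteTicket(clearId));
    }
}
```

One caveat this sketch makes visible: only the key is hashed. The serialized Ticket value still carries its cleartext id, so a dump of the cache values would expose it. The deck's approach hashes the id when the ticket is created in CentralAuthenticationServiceImpl (slide 13), so the stored object itself never holds the cleartext id; the same change would be needed in a production variant of this class.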
