1. High Availability
[Diagram labels: Browser, F5, CAS Node00 (Login), CAS Node01 (Validate), X509 Cert, Encrypted, Service]
• If you use X509 Auth, configure trust in the F5 and send the info in X-Headers.
2. Points of Replication
[Diagram labels: Presentation Layer, AuthManager, TicketRegistry / Session Storage, JPA or Replicated Cache, CentralAuthenticationServiceImpl, Session Objects]
• Session Objects and Flow State
• Add <distributable/> to web.xml
3. Replication Tests
• Display Form from node00, POST userid and password to node01
• Node00 issues TGT, Node01 issues ST
• Node00 issues ST, Node01 validates it
• Not clear that Proxy adds other issues
4. Replicated Database
[Diagram labels: DB instance, CAS Node00, DB instance, CAS Node01]
• 24x7x365 availability
• no backup needed
• secure network or encrypted
• (not an application DB)
5. JPA Entity (sorta)
(In 3.4.2 should not be final)

    package org.jasig.cas.ticket;

    import javax.persistence.Column;
    import javax.persistence.Entity;
    import javax.persistence.Lob;
    import javax.persistence.Table;
    import org.jasig.cas.authentication.principal.Service;

    @Entity
    @Table(name="SERVICETICKET")
    public final class ServiceTicketImpl extends AbstractTicket implements ServiceTicket {

        /** The service this ticket is valid for. */
        @Lob
        @Column(name="SERVICE", nullable=false)
        private Service service;

        /** Is this service ticket the result of a new login. */
        @Column(name="FROM_NEW_LOGIN", nullable=false)
        private boolean fromNewLogin;

        // (remainder of the class not shown on the slide)
    }
6. JBoss Cache is an API
• Map<String, Ticket> becomes Cache<String, Ticket>
• Put, Get, Delete keyed serializable objects
• Map is preloaded on startup, shared within AS
• There are lifecycle exits, but CAS doesn’t use them.
7. JGroups handles Failover
[Diagram: nodes exchanging "Are you there?" / "I am fine." / "Node03 has gone down."]
• CAS doesn’t care when Node03 goes down or comes up.
• Infinispan is more powerful than JGroups, which is already more powerful than CAS needs.
8. Requirements
• CAS is comfortable, unless under attack or misused
• Not a lot of nodes, not far apart
• We will use what JBoss uses for Session and Context replication
9. Institutional Specialization
• User Interface Experts
• Security Experts
• Container Managers
• F5 iRule programmer
• Replication Configuration
• DB Configuration
• These specialists come into existence for applications more expensive than CAS
10. Configure it Yourself
(JGroups UDP transport attributes from the JBoss cluster configuration)

    mcast_port="${jboss.jgroups.udp.mcast_port:45688}"
    mcast_addr="${jboss.partition.udpGroup:228.11.11.11}"
    tos="8"
    ucast_recv_buf_size="20000000"
    ucast_send_buf_size="640000"
    mcast_recv_buf_size="25000000"
    mcast_send_buf_size="640000"
    loopback="true"
    discard_incompatible_packets="true"
    enable_bundling="false"
    ip_ttl="${jgroups.udp.ip_ttl:2}"
    thread_naming_pattern="cl"
    thread_pool.enabled="true"
    thread_pool.min_threads="20"
    thread_pool.max_threads="200"
    thread_pool.keep_alive_time="5000"
11. Use JBoss AppServer CacheManager
(Someone else configures it)

    // CacheManager here is the JBoss AS container service bound in JNDI
    // (org.jboss.ha.framework.server.CacheManager on JBoss AS 5); the
    // returned cache is an org.jboss.cache.Cache. Throws NamingException
    // if the lookup fails.
    Context ctx = new InitialContext();
    cacheManager = (CacheManager) ctx.lookup("java:CacheManager");
    // second argument: create the cache if it does not exist yet
    this.cache = cacheManager.getCache("cas-cache", true);
    this.cache.start();
12. Not cas-server-integration-jboss
• That project uses JBoss Cache as a library, not a container service
• Change custom Cache<String,Ticket> to managed Cache<Object,Object>
• “cas-cache” configured along with session replication, etc., by JBoss admin [all the parameters are there, but they are someone else’s problem]
13. Temporary 3.4.2 Ticketid Hash
[Diagram]
• CentralAuthenticationServiceImpl: new TGTimpl, new STimpl, return cleartext ID; hash TicketID when ticket created
• JBossASTicketRegistry: addTicket() requires cleartext ID; getTicket() and deleteTicket() accept hashed or cleartext ID
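The hashed-key registry sketched on this slide, as an added illustration (not Yale's JBossASTicketRegistry or CAS project code): a stand-in for the replicated cache is keyed by SHA-256 of the ticket id, so a copy of the cache or database yields no presentable ticket ids, addTicket() needs the cleartext id, and getTicket()/deleteTicket() accept either form. The Ticket interface, the class name and the "64 lowercase hex chars means already hashed" rule are assumptions; the example hashes only the key, so the stored object still carries its cleartext id, which the slide's "hash when created" step would also cover but this example does not model.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/** Stand-in for the CAS Ticket interface (only the id is needed here). */
interface Ticket { String getId(); }

/** Hypothetical registry: the replicated store is keyed by SHA-256(ticket id), not by the id. */
public class HashedTicketRegistry {
    // Stand-in for the managed Cache<Object,Object>; a local map keeps the example offline.
    private final Map<String, Ticket> store = new ConcurrentHashMap<>();
    // Keys are 64 lowercase hex chars; real CAS ids ("ST-..", "TGT-..") never match this.
    private static final Pattern HEX64 = Pattern.compile("[0-9a-f]{64}");

    /** Derive the store key from a cleartext ticket id. */
    static String hashId(String cleartextId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(cleartextId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Accept either form: pass an existing hash through, hash a cleartext id. */
    static String toKey(String idOrHash) {
        return HEX64.matcher(idOrHash).matches() ? idOrHash : hashId(idOrHash);
    }

    /** addTicket needs the cleartext id: only that can be hashed into the key. */
    public void addTicket(Ticket ticket) { store.put(hashId(ticket.getId()), ticket); }

    public Ticket getTicket(String idOrHash) { return store.get(toKey(idOrHash)); }

    public boolean deleteTicket(String idOrHash) { return store.remove(toKey(idOrHash)) != null; }

    public static void main(String[] args) {
        HashedTicketRegistry registry = new HashedTicketRegistry();
        String id = "ST-17-AbCdEfGh-node00";          // constructed sample id
        registry.addTicket(() -> id);                 // CAS returns the cleartext id to the client
        String key = hashId(id);                      // all that a cache or DB dump would reveal
        System.out.println("lookup by cleartext id: " + (registry.getTicket(id) != null));
        System.out.println("lookup by hashed key:   " + (registry.getTicket(key) != null));
        System.out.println("delete by hashed key:   " + registry.deleteTicket(key));
        System.out.println("gone afterwards:        " + (registry.getTicket(id) == null));
    }
}
```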
14. EAR + Skinny WAR
• Create an EAR project/POM; copy all the WAR dependencies (cas-server-core)
• Add WAR as <module> in application.xml
• Mark all the dependencies in the WAR as “provided” except for your own search-first jars.
• Search order: WEB-INF/classes (WAR Java source), WEB-INF/lib (WAR “runtime” dependencies), EAR’s /lib (EAR “runtime” dependencies), JBoss common/lib (WAR and EAR “provided” or omitted)
15. Experience
16. 80% of problems come from F5 and older clients
• Want to use modern SSL/TLS, but some clients support only older deprecated levels
• Oracle 8 (no Host: header), 9 (Host: with port), 11 (proper Host:)
17. Run CAS on JBoss
• Native (same as Tomcat)
• Mark common/lib JARs as “provided” in WAR POM: JBoss Cache JAR (or can’t find Manager), Hibernate (or JPA hoses up), Logging
• If CAS won’t start, remove offending JAR.
18. Test: SSH tunnel past the F5
[Diagram labels: HttpClient, F5, CAS Node00 (Get ST), CAS Node01 (Validate)]
19. Infrastructure
• CAS projects checked into Subversion
• Build/Deploy by Hudson: check out source, build Maven artifacts
• Deploy 0.0.x-SNAPSHOT to development
• Cut a release to deploy to Test/production
• Sensitive parameters (database/AD login) are separated out in an XML file configuring a JBoss JNDI stuffer service. They are external to the artifacts.

Jasig Cas High Availability - Yale University
