Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

CAS Caches - All need to be replicated in a cluster

Server

  • Ticket Registry
  • TGT(PGT)*
  • ST (PT)

Client

  • ProxyGrantingTicket
  • PGT*
  • PGT IOU

ClearPass

  • username*
  • password*

* sensitive information

Warning

All of these caches have to be replicated in a clustered installation. For example, if CAS is to be clustered, its Ticket Registry and the optional ClearPass cache need to be replicated. Obviously, sending these across the network needs to be done carefully.

The default implementation of ClearPass cache is a username/password map--an ideal place for hackers. Storing a map like this in memory would get some security experts worried. Sending the updates to this map across the network in clear text is just plain reckless.

A recent CAS Community call presentation by Howard Gilbert discussed securing Ticket Registry by hash-encoding the TGT identifiers prior to storing them in the registry. This idea is probably only OK for Ticket Registry because in the other instances (list above) the items must be recovered in their original form. So, for those items would have to be symmetrically encrypted.

In a follow-up to this session on the cas-dev list, couple of contributions were made available for one-way and symmetric encryption. The contributions were just starting points that would have to be refined.

  • No labels