jasig-cas IRC Logs-2011-11-02

[07:57:13 CDT(-0500)] <foxnesn> morning

[12:41:40 CDT(-0500)] <atilling> cd

[12:43:07 CDT(-0500)] <foxnesn> hi

[12:43:59 CDT(-0500)] <foxnesn> atilling, your HA environment do you keep your database separate from the cas server or do you have a database on each cas server having them replicate data?

[12:44:22 CDT(-0500)] <foxnesn> so do you have 1 db where both cas servers point to

[12:44:36 CDT(-0500)] <foxnesn> or does each cas server have its own database with replication of the db

[12:44:45 CDT(-0500)] <atilling> depends (smile)

[12:44:49 CDT(-0500)] <foxnesn> o?

[12:45:22 CDT(-0500)] <atilling> for our password management there is one central DB server that CAS writes to

[12:45:36 CDT(-0500)] <foxnesn> ok

[12:45:45 CDT(-0500)] <foxnesn> what about ticket registry?

[12:45:49 CDT(-0500)] <atilling> for service registry there is a replicated database on each cas server

[12:45:56 CDT(-0500)] <foxnesn> ahh

[12:46:09 CDT(-0500)] <atilling> for ticket registry we use ehcache in RMI mode

[12:46:09 CDT(-0500)] <foxnesn> by service registry do you mean ticket reg?

[12:46:14 CDT(-0500)] <foxnesn> oh

[12:46:56 CDT(-0500)] <foxnesn> so service registry is for /cas/services

[12:47:05 CDT(-0500)] <atilling> correct

[12:47:05 CDT(-0500)] <foxnesn> keeping that on a db instead of in memory

[12:47:48 CDT(-0500)] <atilling> Right because we have defined services and have themes and attributes managed across the services

[12:48:01 CDT(-0500)] <foxnesn> hrm

[12:48:59 CDT(-0500)] <foxnesn> maybe we just keep service reg in memory and force it in the deployer

[12:49:28 CDT(-0500)] <foxnesn> for tix reg did you follow this

[12:49:37 CDT(-0500)] <foxnesn> https://wiki.jasig.org/display/CASUM/JpaTicketRegistry

[12:54:13 CDT(-0500)] <foxnesn> o u use ehcache

[12:54:40 CDT(-0500)] <atilling> we used the same JPA for service reg but not tickets

[12:54:58 CDT(-0500)] <atilling> we're using this for tickets: https://wiki.jasig.org/display/CASUM/EhcacheTicketRegistry

[12:55:40 CDT(-0500)] <foxnesn> i see

[12:56:05 CDT(-0500)] <foxnesn> also could you tell me if my solution to webflow is secure?

[12:56:17 CDT(-0500)] <foxnesn> ill show you the code for the forward url i used

[12:56:33 CDT(-0500)] <atilling> we had the ehcache set up before we did service registry

[12:57:20 CDT(-0500)] <atilling> If we had the service reg in JPA first we might have gone JPA for tickets too

[12:57:45 CDT(-0500)] <atilling> but our main goal was to have CAS as independent as possible

[12:58:08 CDT(-0500)] <foxnesn> https://pwm:8443/pwm/private...checkAll&forwardURL="https%3A%2F%2Fmoodle/login/index.php?"+request.getParameter("ticket"(wink);

[12:58:24 CDT(-0500)] <atilling> with JPA ticketReg CAS depends on MySQL

[12:58:53 CDT(-0500)] <foxnesn> the request.getParameter appends the ticket to the url

[12:58:57 CDT(-0500)] <foxnesn> it works great

[12:59:06 CDT(-0500)] <foxnesn> not sure if it is secure tho

[12:59:23 CDT(-0500)] <atilling> Looks good to me, there aren't passwords exchanged and when the PWM passes them to Moodle, moodle does the validate

[12:59:43 CDT(-0500)] <foxnesn> im assuming since it is built into the flow nobody can hijack the "ticker"

[12:59:46 CDT(-0500)] <foxnesn> "ticket"

[13:00:03 CDT(-0500)] <foxnesn> or have CAS send the ticket to another session

[13:00:07 CDT(-0500)] <atilling> the PWM is just passing on the service ticket so it's secure

[13:00:17 CDT(-0500)] <foxnesn> awesome

[13:00:30 CDT(-0500)] <foxnesn> i was worried i found a solution but it wouldnt be secure

[13:00:56 CDT(-0500)] <foxnesn> gonna have to install development portal to test it on

[13:02:03 CDT(-0500)] <foxnesn> making this HA could be tricky

[13:02:12 CDT(-0500)] <foxnesn> cause PWM responses are stored in mysql schema

[13:02:31 CDT(-0500)] <foxnesn> so i think both service and ticket reg will be stored in separate schemas on the same mysql server

[13:02:47 CDT(-0500)] <foxnesn> and there will be two separate physical servers

[13:03:00 CDT(-0500)] <foxnesn> could cause issues replicated data across 3 schemas

[13:03:10 CDT(-0500)] <foxnesn> replicating

[13:15:14 CDT(-0500)] <atilling> shouldn't be an issue but experience will tell

[13:15:32 CDT(-0500)] <foxnesn> yea

[13:15:36 CDT(-0500)] <foxnesn> will be fun tho

[13:26:27 CDT(-0500)] <foxnesn> ive never setup tomcat in HA

[13:30:26 CDT(-0500)] <foxnesn> do u have load balancing setup?

[13:30:35 CDT(-0500)] <atilling> yes

[13:30:48 CDT(-0500)] <foxnesn> do you use a separate program for that?

[13:30:49 CDT(-0500)] <atilling> Tomcat is pretty simple to ha

[13:31:03 CDT(-0500)] <atilling> We have a hardware load balancer

[13:31:10 CDT(-0500)] <foxnesn> ahh

[13:31:20 CDT(-0500)] <foxnesn> im sure we do then

[13:31:25 CDT(-0500)] <foxnesn> just never set one up

[13:31:27 CDT(-0500)] <atilling> actually we have load balanced load balancers

[13:31:37 CDT(-0500)] <foxnesn> wow nice

[13:31:52 CDT(-0500)] <atilling> two cisco Ace 4710's

[13:31:54 CDT(-0500)] <foxnesn> are they fiber connected or something?

[13:33:11 CDT(-0500)] <atilling> they are fiber connected to our cisco 6500

[13:33:16 CDT(-0500)] <foxnesn> nice

[13:40:28 CDT(-0500)] <foxnesn> so should i setup contextpooling first

[13:40:31 CDT(-0500)] <foxnesn> then build jpa reg

[13:40:35 CDT(-0500)] <foxnesn> then setup HA ?

[13:41:08 CDT(-0500)] <foxnesn> context pooling seems to only be necessary if there is one database that multiple cas instances talk to

[14:09:50 CDT(-0500)] <atilling> You should set up the tomcat cluster first, without any apps installed

[14:10:06 CDT(-0500)] <atilling> no CAS or anything else, just the tomcat manager app

[14:12:00 CDT(-0500)] <foxnesn> o

[14:13:11 CDT(-0500)] <foxnesn> so follow the tomcat directions for clustering

[14:13:21 CDT(-0500)] <foxnesn> then follow https://wiki.jasig.org/display/CASUM/Clustering+CAS

[14:13:26 CDT(-0500)] <atilling> that's how I'd do it

[14:13:37 CDT(-0500)] <foxnesn> when would i setup jpa ?

[14:14:16 CDT(-0500)] <atilling> In the CAS side

[14:14:28 CDT(-0500)] <atilling> Tomcat cluster shouldn't need it

[14:15:27 CDT(-0500)] <foxnesn> right

[14:15:46 CDT(-0500)] <foxnesn> i may have to test this with a software load balancer

[14:22:03 CDT(-0500)] <atilling> I do consulting on the side, and from my experience there I can tell you a single apache httpd server with mod_jk can be an effective load balancer for tomcat

[14:22:33 CDT(-0500)] <atilling> with the apache you can do ssl off load and other performance boosts too

[14:25:17 CDT(-0500)] <foxnesn> really we just need failover

[14:25:28 CDT(-0500)] <foxnesn> but if we are going through all of this work why not setup load balancing

[14:46:39 CDT(-0500)] <foxnesn> atilling, in your LPPE will you build in an easy way to add questions to the responses section and edit the questions?