Configuring CAS to use an Oracle database datasource, and clustering
PLEASE NOTE:
I thought I was working on a DRAFT. This is not even CLOSE to complete.
Goals:
As of the time of this writing, the goal is to provide interoperability between CAS and our existing infrastructure. CAS will need to run in an HA cluster. Software versions used are listed below.
Environmental Assumptions:
Solaris 10 zone
Oracle database available to store CAS data
Oracle Internet Directory (OID) LDAP server populated with data
GNU tar is installed as 'gtar'
All resources have been prefetched and are stored in /nfs/shared_data/cas
BigIP F5 Load balancer
CAS 3.3.5
Tomcat 6.0.24
JDK 1.6.0
Maven 2
ojdbc14.jar has been obtained from Oracle
Assumptions
If you have not ma
Configure Environment
This portion is the easiest: simply untar the three archives into the appropriate locations.
[] Setup Tomcat binaries
> mkdir -p ${TOMCAT_HOME}
> cd ${TOMCAT_HOME}/..
> gtar xvfz /nfs/shared_data/cas/apache-tomcat-6.0.24.tar.gz
[] Setup Maven binaries
> mkdir -p ${MAVEN_HOME}
> cd ${MAVEN_HOME}/..
> gtar xvfz /nfs/shared_data/cas/apache-maven-2.2.1-bin.tar.gz
[] Setup CAS build environment
> mkdir -p ${CAS_HOME}
> cd ${CAS_HOME}/..
> gtar xvfz /nfs/shared_data/cas/cas-server-3.3.5-release.tar.gz
Configure Tomcat
[] Configure Tomcat environment --> fully documented in: CN_setup_tomcat_for_CAS.txt
> cd ${TOMCAT_HOME}
> cp /nfs/shared_data/cas/config_files/${TIER}/conf/server.xml /nfs/shared_data/cas/config_files/${TIER}/conf/web.xml ${TOMCAT_HOME}/conf
Configure Maven
[] Test Maven
> mvn -v
Test
At this point it would be appropriate to run through http://www.ja-sig.org/wiki/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method and make sure you can build and deploy a working CAS instance before adding any of the Oracle or LDAP configuration below.
Install the Oracle JDBC driver into the local Maven repository so the WAR overlay build can depend on it later.
The jar was obtained directly from Oracle (see Environmental Assumptions). The groupId, artifactId and version given here are the coordinates the overlay pom.xml must use for its dependency on the driver.
[] Install CAS dependencies into Maven
> mvn install:install-file -Dfile=/nfs/shared_data/cas/ojdbc14.jar -DgroupId=com.oracle -DartifactId=oracle -Dversion=10.2.0.1.0 -Dpackaging=jar -DgeneratePom=true
Create cas.properties file
There is a lot going on here. It is pulled from the following sources:
https://projects.iad.vt.edu:8443/svn/middleware/cas/cas-server/trunk/vt-cas-server-webapp/
http://www.ja-sig.org/wiki/display/CASUM/JpaTicketRegistry
http://www.ja-sig.org/wiki/display/CASUM/Configuring
The important thing to take away is that every variable set here can later be referenced as ${name}, both from other entries in this file and from the Spring XML files (deployerConfigContext.xml). Define a value once here and reuse it everywhere else. Spring resolves the placeholders at startup and refuses to start the web application if any referenced name is missing from this file.
Note that database.password is stored in clear text. The file, and any copy kept under /nfs/shared_data/cas/config_files, should be readable only by the account that runs Tomcat and the build, and should not be checked into the shared overlay project.
[] Create file
> vi src/main/webapp/WEB-INF/cas.properties
--> add the following
{code:none}
#set variables to make other configurations easier.
host.name=TIER_HOSTcasas1.EXAMPLE.edu
cluster.name=cas_TIER.uni.edu
ldap.name=LDAP_HOST.EXAMPLE.edu

#database connection credentials
database.url=jdbc:oracle:thin:@HOST.EXAMPLE.edu:PORT:EXAMPLE_SID
database.user=cas_config
database.password=PASSWORD

#database configuration information
database.driverClass=oracle.jdbc.OracleDriver
database.dialect=org.hibernate.dialect.OracleDialect

#database pool info
database.pool.minSize=5
database.pool.maxSize=20
database.pool.maxIdleTime=120
database.pool.maxWait=10000
database.pool.acquireIncrement=3
database.pool.acquireRetryAttempts=3
database.pool.acquireRetryDelay=100
database.pool.idleConnectionTestPeriod=120
#validation query used by the dataSource bean (preferredTestQuery); Oracle form
database.pool.connectionHealthQuery=select 1 from dual

#Setup contexts for Services Management
cas.securityContext.serviceProperties.service=https://${host.name}/cas/services/j_acegi_cas_security_check
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://${host.name}/cas/login
cas.securityContext.ticketValidator.casServerUrlPrefix=https://${host.name}/cas
cas.themeResolver.defaultThemeName=default
cas.viewResolver.basename=default_views
{code}
Configure deployerConfigContext.xml
We are using the "FastBind" method: instead of searching the directory for the account first, CAS builds the user's DN from the 'filter' template (the %u is replaced with the login name) and binds to OID as that DN with the supplied password. This involves replacing the existing authenticationHandler bean with the one below. FastBindLdapAuthenticationHandler ships in the cas-server-support-ldap module, which must be a dependency in the overlay pom.xml.
The new code follows. Please note that the 'filter' property may need to be updated -- the value shown is the standard OID location for user entries (cn=Users under the realm base DN).
{code:xml}
<property name="authenticationHandlers">
  <list>
    <!--
     | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
     | a server side SSL certificate.
     +-->
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
      <property name="httpClient" ref="httpClient" />
    </bean>
    <!--
     | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
     | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
     | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your
     | local authentication strategy. You might accomplish this by coding a new such handler and declaring
     | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
     +-->
    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
      <property name="filter" value="cn=%u,cn=Users,dc=collab,dc=uni,dc=edu" />
      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>
{code}
Add in your LDAP source. Note the use of the ldap.name variable, which we defined above in cas.properties. The URL is ldaps://, so the simple bind (which sends the user's password to the directory) travels inside TLS; with a plain ldap:// URL every login would cross the network in clear text. The JVM running Tomcat must also trust the certificate chain presented by the OID server (import the issuing CA into the JDK cacerts file, or point javax.net.ssl.trustStore at a truststore that contains it); otherwise every bind fails with an SSL handshake error and nobody can log in.
{code:xml}
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="true"/>
  <property name="urls">
    <list>
      <value>ldaps://${ldap.name}/</value>
    </list>
  </property>
  <property name="baseEnvironmentProperties">
    <map>
      <entry>
        <key>
          <value>java.naming.security.authentication</value>
        </key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>
{code}
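Before building the WAR it is worth confirming, from the CAS host, that the DN template in the 'filter' property really resolves to a bindable entry in OID. The following script is an added example and not part of CAS or of this page's configuration: build_bind_dn expands %u exactly as the template implies, username_is_plain refuses login names containing characters that are special in a DN (they would no longer produce a single cn entry under cn=Users), and ldap_bind_check binds as the computed DN over ldaps using the OpenLDAP ldapsearch client. FILTER_TEMPLATE is the filter value from deployerConfigContext.xml and LDAP_HOST stands in for the ldap.name placeholder; both are assumptions to adjust for your tier.

```shell
#!/bin/sh
# Preflight for the FastBind handler above. Added example, not part of CAS or of this page's
# configuration. Assumptions: FILTER_TEMPLATE is the 'filter' value from deployerConfigContext.xml,
# LDAP_HOST is the ldap.name placeholder from cas.properties, and the OpenLDAP ldapsearch client
# is installed for the interactive check at the bottom.
FILTER_TEMPLATE='cn=%u,cn=Users,dc=collab,dc=uni,dc=edu'
LDAP_HOST='LDAP_HOST.EXAMPLE.edu'

# A login name is only safe to drop into the template if it contains none of the characters
# that RFC 4514 treats specially in a DN (and no whitespace); otherwise the result is no longer
# a single cn RDN under cn=Users and the bind would test the wrong entry.
username_is_plain() {
    case "$1" in
        ''|*[',=+<>#;"\\']*|*' '*) return 1 ;;
        *) return 0 ;;
    esac
}

# Expand %u the way the template implies: straight substitution of the login name.
# Done with POSIX prefix/suffix stripping so no sed metacharacters are involved.
build_bind_dn() {
    template=$1; user=$2; ph='%u'
    prefix=${template%%"$ph"*}
    suffix=${template#*"$ph"}
    printf '%s%s%s\n' "$prefix" "$user" "$suffix"
}

# Interactive check: bind as the computed DN over ldaps (matching the ldaps:// contextSource)
# and read the entry back. -W prompts for the password so it never appears in ps output.
ldap_bind_check() {
    user=$1
    username_is_plain "$user" || { echo "refusing '$user': contains DN-special characters" >&2; return 2; }
    dn=$(build_bind_dn "$FILTER_TEMPLATE" "$user")
    echo "binding as $dn" >&2
    ldapsearch -H "ldaps://$LDAP_HOST/" -x -D "$dn" -W -b "$dn" -s base '(objectClass=*)' dn
}

# Usage: ldap_bind_check jdoe
```

If ldapsearch reports a TLS error rather than "Invalid credentials", fix the client's CA trust first; the JVM will hit the same problem through LdapContextSource.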
h1. Enable Service Management Console
This configuration uses a database to store the service registry, rather than the in-memory store, which is lost whenever Tomcat restarts.
[] Remove the following bean
> vi src/main/webapp/WEB-INF/deployerConfigContext.xml
{code:xml}
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
{code}
[] Add the following beans:
{code:xml}
<bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl">
  <property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>
{code}
Tell CAS about a database connection
Again, note the variables from above. Add this bean following the one from above. The p: attribute shorthand requires xmlns:p to be declared on the <beans> element (it is part of the header shown under "Configure a transaction manager"). preferredTestQuery reads database.pool.connectionHealthQuery, so that name must be defined in cas.properties (for Oracle: select 1 from dual); Spring refuses to start the context on an unresolved placeholder. If c3p0 is not already on the classpath, add a c3p0 dependency to the overlay pom.xml alongside the Oracle driver installed earlier.
{code:xml}
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
      p:driverClass="${database.driverClass}"
      p:jdbcUrl="${database.url}"
      p:user="${database.user}"
      p:password="${database.password}"
      p:initialPoolSize="${database.pool.minSize}"
      p:minPoolSize="${database.pool.minSize}"
      p:maxPoolSize="${database.pool.maxSize}"
      p:maxIdleTimeExcessConnections="${database.pool.maxIdleTime}"
      p:checkoutTimeout="${database.pool.maxWait}"
      p:acquireIncrement="${database.pool.acquireIncrement}"
      p:acquireRetryAttempts="${database.pool.acquireRetryAttempts}"
      p:acquireRetryDelay="${database.pool.acquireRetryDelay}"
      p:idleConnectionTestPeriod="${database.pool.idleConnectionTestPeriod}"
      p:preferredTestQuery="${database.pool.connectionHealthQuery}" />
{code}
h1. Tell CAS how to talk to the database
This bean builds the JPA EntityManagerFactory that JpaServiceRegistryDaoImpl uses, with Hibernate as the JPA provider and the dialect taken from cas.properties. With generateDdl=true and hibernate.hbm2ddl.auto=update, Hibernate creates or alters the service-registry tables in the cas_config schema at startup, so that database account needs CREATE TABLE / ALTER TABLE privileges. Once the schema exists you can set both to false/none and run the account with DML rights only. showSql=true writes every generated statement to catalina.out; it is useful while validating the setup and should be turned off in production.
{code:xml}
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
  <property name="dataSource" ref="dataSource"/>
  <property name="jpaVendorAdapter">
    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
      <property name="generateDdl" value="true"/>
      <property name="showSql" value="true" />
    </bean>
  </property>
  <property name="jpaProperties">
    <props>
      <prop key="hibernate.dialect">${database.dialect}</prop>
      <prop key="hibernate.hbm2ddl.auto">update</prop>
    </props>
  </property>
</bean>

<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
  <property name="entityManagerFactory" ref="entityManagerFactory"/>
</bean>
{code}
Configure a transaction manager
Without this portion the Service Management Console will appear to work: you will be able to log in, make updates and add services, but nothing is written to the database, and within a few minutes the configuration resets to empty. JpaServiceRegistryDaoImpl relies on @Transactional annotations; without <tx:annotation-driven> nothing begins or commits a transaction, so the writes never reach Oracle.
There are two edits required here.
The first edit changes the top <beans> element to look like this. Note all the added 'tx' entries: xmlns:tx and two more URLs in schemaLocation:
{code:xml}
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
{code}
The second edit adds the following line inside the <beans> element, next to the other bean definitions; it refers to the transactionManager bean defined above:
{code:xml}
<tx:annotation-driven transaction-manager="transactionManager"/>
{code}
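Because Spring aborts the whole web application on the first unresolved ${...} placeholder, it pays to cross-check cas.properties against deployerConfigContext.xml before building the WAR. The script below is an added example, not part of CAS or of this page's files: list_placeholders pulls every placeholder name out of the files given, and check_placeholders prints the names that have no definition in the properties file. demo runs it over a constructed pair of files that reproduces the case of a dataSource bean referencing database.pool.connectionHealthQuery without the property being defined. It assumes GNU grep (for -o); on Solaris 10 use /usr/sfw/bin/ggrep.

```shell
#!/bin/sh
# Added consistency check between cas.properties and the Spring XML (example, not part of CAS).
# Spring's PropertyPlaceholderConfigurer fails the context on the first ${name} it cannot resolve,
# so every placeholder used in deployerConfigContext.xml (or inside cas.properties itself) must be
# defined in cas.properties. Assumes GNU grep; on Solaris 10 substitute /usr/sfw/bin/ggrep.

# Print the sorted, unique placeholder names found in the given files, one per line.
list_placeholders() {
    grep -oh '\${[A-Za-z0-9_.]*}' "$@" | sed 's/^\${//; s/}$//' | sort -u
}

# Usage: check_placeholders cas.properties file.xml [more.xml ...]
# Returns 0 when every placeholder is defined; otherwise prints each missing name and returns 1.
check_placeholders() {
    props=$1; shift
    rc=0
    for key in $(list_placeholders "$props" "$@"); do
        # exact match on the key part of "key=value"; comment lines never match
        if ! awk -F= -v k="$key" '$1 == k { found = 1 } END { exit found ? 0 : 1 }' "$props"; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a properties file that, like a first draft of the one above,
# omits connectionHealthQuery while the dataSource bean still references it.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/cas.properties" <<'EOF'
host.name=cas.example.edu
database.url=jdbc:oracle:thin:@db.example.edu:1521:ORCL
database.pool.minSize=5
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=https://${host.name}/cas/login
EOF
    cat > "$dir/deployerConfigContext.xml" <<'EOF'
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"
      p:jdbcUrl="${database.url}" p:minPoolSize="${database.pool.minSize}"
      p:preferredTestQuery="${database.pool.connectionHealthQuery}" />
EOF
    check_placeholders "$dir/cas.properties" "$dir/deployerConfigContext.xml"
    status=$?
    rm -rf "$dir"
    return $status
}

# Real run from the overlay project:
#   check_placeholders src/main/webapp/WEB-INF/cas.properties src/main/webapp/WEB-INF/deployerConfigContext.xml
```

The demo prints database.pool.connectionHealthQuery and exits 1; run the real invocation against the overlay tree before every mvn clean package.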
[] Setup SSL in a keystore located in ${TOMCAT_HOME}/conf/keystore
This keystore should use the password 'letmein'. If using a load balancer, this should be configured as well.
--> the keystore password also sits in clear text in server.xml (keystorePass on the HTTPS Connector), so both files should be readable only by the Tomcat account, and a shared well-known password like this one should be replaced per tier before the service is exposed to users
[] Create initial WAR project
> echo "export PROJECT_HOME=${CAS_HOME}/uni-cas" >> ~/.profile
> export PROJECT_HOME=${CAS_HOME}/uni-cas
> mkdir -p ${PROJECT_HOME}/src/main/webapp/WEB-INF/
> cd ${PROJECT_HOME}
> cp /nfs/shared_data/cas/config_files/${TIER}/pom.xml ./
> cp /nfs/shared_data/cas/config_files/${TIER}/src/main/webapp/WEB-INF/deployerConfigContext.xml src/main/webapp/WEB-INF/
[] Build WAR
> cd ${PROJECT_HOME}
> mvn clean package
--> place a copy of target/cas.war in /nfs/shared_data/cas/config_files/${TIER}/ so the other cluster members deploy the same build
[] Deploy WAR file
> cd ${TOMCAT_HOME}
--> move the current exploded webapp out of webapps/ so the new WAR is expanded fresh; keep the backup outside webapps/, because a directory left there (webapps/cas-YYYYMMDD) would be auto-deployed by Tomcat as a second, stale copy of CAS under /cas-YYYYMMDD
> mv ${TOMCAT_HOME}/webapps/cas ~/cas-`date +%Y%m%d`
--> copy in the WAR: target/cas.war on the build host, or /nfs/shared_data/cas/config_files/${TIER}/cas.war on the other cluster members
> cp target/cas.war ${TOMCAT_HOME}/webapps
--> if tomcat is not running, the next command will error and whine
> ${TOMCAT_HOME}/bin/shutdown.sh
--> backup_file is a site-local helper; any copy-and-timestamp of the old log will do
> backup_file ${TOMCAT_HOME}/logs/catalina.out
> rm ${TOMCAT_HOME}/logs/catalina.out
> ${TOMCAT_HOME}/bin/startup.sh
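The deploy steps above are typed by hand on every cluster member; the script below is an added example (not tooling from this page or from CAS) that collects them into checked functions. It refuses a WAR that is not a ZIP archive (a truncated copy from NFS is the usual failure), moves the old exploded webapp out of webapps/ rather than renaming it in place, rotates catalina.out, and only then copies the new WAR in. Unlike the hand sequence it stops Tomcat before touching webapps/. It assumes TOMCAT_HOME is the Tomcat 6 install, that the webapp context is named cas, and that backups go under $HOME as in the steps above.

```shell
#!/bin/sh
# Added deploy helper for the steps above (example, not part of CAS or of this page's tooling).
# Assumptions: TOMCAT_HOME is the Tomcat 6 install, the context is named "cas", and backups of the
# previous exploded webapp go under $HOME (outside appBase) as in the hand-typed steps.
set -u

# A WAR is a ZIP archive: refuse anything that does not start with the "PK" local-file-header
# signature, so a truncated NFS copy or the wrong file is caught before Tomcat tries to expand it.
war_is_zip() {
    [ -s "$1" ] && [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = "PK" ]
}

# Move the exploded webapp out of appBase and print the backup path. Leaving it under webapps/ as
# cas-<date> would make Tomcat auto-deploy the old build again under /cas-<date>.
backup_exploded_webapp() {
    tomcat_home=$1; name=$2; backup_dir=$3
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -d "$tomcat_home/webapps/$name" ]; then
        mv "$tomcat_home/webapps/$name" "$backup_dir/$name-$stamp"
        printf '%s\n' "$backup_dir/$name-$stamp"
    fi
}

# Rotate catalina.out so the startup log for this deploy begins clean (replaces the backup_file step).
rotate_catalina_out() {
    log=$1/logs/catalina.out
    if [ -f "$log" ]; then
        mv "$log" "$log.$(date +%Y%m%d%H%M%S)"
    fi
}

# Stage the WAR: validate it, back up the old exploded app, copy the new WAR in, rotate the log.
# Does not touch the Tomcat process, so it can be tested without a running Tomcat.
stage_war() {
    war=$1; tomcat_home=$2; backup_dir=$3
    war_is_zip "$war" || { echo "$war is not a ZIP/WAR file" >&2; return 1; }
    [ -d "$tomcat_home/webapps" ] || { echo "$tomcat_home/webapps missing" >&2; return 1; }
    backup_exploded_webapp "$tomcat_home" cas "$backup_dir" >/dev/null
    rm -f "$tomcat_home/webapps/cas.war"
    cp "$war" "$tomcat_home/webapps/cas.war"
    rotate_catalina_out "$tomcat_home"
}

# Full deploy: stop Tomcat (shutdown.sh complains if it is not running), stage, start.
deploy_cas() {
    war=$1; tomcat_home=$2
    "$tomcat_home/bin/shutdown.sh" || echo "shutdown.sh failed; Tomcat was probably not running" >&2
    stage_war "$war" "$tomcat_home" "$HOME" || return 1
    "$tomcat_home/bin/startup.sh"
}

# Usage on the build host:        deploy_cas "$PROJECT_HOME/target/cas.war" "$TOMCAT_HOME"
# Usage on other cluster members: deploy_cas "/nfs/shared_data/cas/config_files/$TIER/cas.war" "$TOMCAT_HOME"
```

Run it as the Tomcat account, not root, so the exploded webapp and rotated logs keep the ownership the rest of the installation expects.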
References
[JSG:Best Practice - Setting Up CAS Locally using the Maven2 WAR Overlay Method]