I've attached this to: https://issues.jasig.org/browse/CAS-750

Though we're currently still testing this setup, I believe we have a general 
setup for CAS 3.4.2 to run with Terracotta (assuming this will work with 4.x as 
well.) Though anyone's environment will differ somewhat, I'm assuming most 
people are running something similar to our setup (multiple nodes of CAS server 
with an external load balancer.) I'll list details below with some notes 
inline. I'm all ears for any suggestions or corrections.

Some notes though about Terracotta CAS support:

re: https://wiki.jasig.org/display/CASUM/Terracotta
I believe this documentation should be updated as CAS does not come delivered 
with an /etc/terracotta directory

re: 
https://source.jasig.org/cas3/tags/cas-server-3.4.2/etc/terracotta/sample-terracotta-config.xml
Also, the sample setups are missing some pretty basic components IMHO and 
should be updated.

Background:
In our dev environment we run one instance CAS, not load balanced, and run 
Terracotta on the same machine.
In our test and production environments we run 2 machines per environment, with 
each machine running CAS server and Terracotta server. Load balancing is 
hardware based (CISCO ACE) and is not sticky.

Software versions:
CAS 3.4.2
Tomcat 5.5.27
Terracotta 3.2.1_1 (version tested with other products run with terracotta) 
Java jdk1.6.0_13

Important portions below are:
<tc-properties> This sets up how nodes will check on one another for 
keepalive. We do a 30s to allow for networking inconsistencies, etc.
<ha> Allows for the server nodes to see one another and configure themselves as 
the active or passive roles (first come first served in our setup).
<modules> The modules listed below I believe are critical for this to work 
properly. 
org.jasig.cas.ticket.ServiceTicketImpl.grantTicketGrantingTicket(..) write lock 
was missing from earlier versions of the default config.

Here's the file itself:
---tc-config.xml---
<?xml version="1.0" encoding="UTF-8"?>
<tc:tc-config xsi:schemaLocation="http://www.terracotta.org/schema/terracotta-4.xsd"
              xmlns:tc="http://www.terracotta.org/config"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- NAU sample Terracotta Configuration for CAS -->

    <tc-properties>
      <!-- Network Active/Passive for failover from Active to Passive -->
      <!-- The nodes keep tabs on each other to failover from Active to Passive -->
      <!-- http://www.terracotta.org/documentation/ga/product-documentation-16.html#50462727_19590 -->
      <!-- L2 - L2 -->
      <!-- Max Time = (ping.idletime) + socketConnectCount * [(ping.interval * ping.probes) + (socketConnectTimeout * ping.interval)] -->
      <!-- 5000 + 5[ (3 * 1000) + (2 * 1000) ] = 5000 + 25000 = 30000 ms -->
      <!-- The health checker declares the node dead in 25 seconds -->
      <property name="l2.healthcheck.l2.ping.enabled"         value="true"  />
      <property name="l2.healthcheck.l2.ping.idletime"        value="5000"  />
      <property name="l2.healthcheck.l2.ping.interval"        value="1000"  />
      <property name="l2.healthcheck.l2.ping.probes"          value="3"     />
      <property name="l2.healthcheck.l2.socketConnect"        value="true"  />
      <property name="l2.healthcheck.l2.socketConnectTimeout" value="2"     />
      <property name="l2.healthcheck.l2.socketConnectCount"   value="5"     />

      <!-- Terracotta-Server and Client-JVMs correspondences -->
      <!-- L2 - L1  (L2 = Terracotta Server, L1 = Client) -->
      <!-- 5000 + 5[ (3 * 1000) + (2 * 1000) ] = 5000 + 25000 = 30000 ms -->
      <!-- Terracotta server keeping tabs on client, i.e. apache/tomcat, shibboleth -->
      <!-- The health checker declares the client dead in 25 seconds -->
      <!-- Max Time = (ping.idletime) + socketConnectCount * [(ping.interval * ping.probes) + (socketConnectTimeout * ping.interval)] -->
      <property name="l2.healthcheck.l1.ping.enabled"         value="true"  />
      <property name="l2.healthcheck.l1.ping.idletime"        value="5000"  />
      <property name="l2.healthcheck.l1.ping.interval"        value="1000"  />
      <property name="l2.healthcheck.l1.ping.probes"          value="3"     />
      <property name="l2.healthcheck.l1.socketConnect"        value="true"  />
      <property name="l2.healthcheck.l1.socketConnectTimeout" value="2"     />
      <property name="l2.healthcheck.l1.socketConnectCount"   value="5"     />

      <!-- Client-JVMs and Terracotta Server correspondences -->
      <!-- L1 - L2  (L2 = Terracotta Server, L1 = Client) -->
      <!-- 5000 + 5[ (3 * 1000) + (2 * 1000) ] = 5000 + 25000 = 30000 ms -->
      <!-- Client keeping tabs on Terracotta Servers -->
      <!-- The health checker declares the server dead in 25 seconds -->
      <!-- Max Time = (ping.idletime) + socketConnectCount * [(ping.interval * ping.probes) + (socketConnectTimeout * ping.interval)] -->
      <property name="l1.healthcheck.l2.ping.enabled"         value="true"  />
      <property name="l1.healthcheck.l2.ping.idletime"        value="5000"  />
      <property name="l1.healthcheck.l2.ping.interval"        value="1000"  />
      <property name="l1.healthcheck.l2.ping.probes"          value="3"     />
      <property name="l1.healthcheck.l2.socketConnect"        value="true"  />
      <property name="l1.healthcheck.l2.socketConnectTimeout" value="2"     />
      <property name="l1.healthcheck.l2.socketConnectCount"   value="5"     />

      <!-- Reconnect windows for server-to-server and client-to-server links -->
      <property name="l2.nha.tcgroupcomm.reconnect.enabled" value="true" />
      <property name="l2.nha.tcgroupcomm.reconnect.timeout" value="15000" />
      <property name="l2.l1reconnect.enabled" value="true" />
      <property name="l2.l1reconnect.timeout.millis" value="15000" />
    </tc-properties>

    <servers>
        <!-- Replicate this server entry for all nodes running cas/terracotta -->
        <server name="test1" host="XXX" bind="IP">
            <dso-port>9510</dso-port>
            <jmx-port>9520</jmx-port>
            <data>cluster/data</data>
            <logs>cluster/logs</logs>
            <dso>
              <persistence>
                <mode>permanent-store</mode>
              </persistence>
            </dso>
        </server>
        <!-- High Availability for multiple servers (used in DEV & TEST ENVs) -->
        <ha>
            <mode>networked-active-passive</mode>
            <networked-active-passive>
                <election-time></election-time>
            </networked-active-passive>
        </ha>
    </servers>

    <clients>
        <logs>/cluster/clients</logs>

        <!-- Tomcat module is dependent on tomcat version;
             Spring webflow and security modules are also necessary -->
        <modules>
            <module name="tim-vector" version="2.6.3" group-id="org.terracotta.modules"/>
            <module name="tim-tomcat-5.5"/>
            <module name="tim-spring-webflow-2.0"/>
            <module name="tim-spring-security-2.0"/>
        </modules>
    </clients>

    <application>
        <dso>
            <web-applications>
                <web-application>cas</web-application>
            </web-applications>
            <roots>
                <!-- Defined Shared Roots -->
                <root>
                    <!-- The In-Memory Ticket Registry -->
                    <field-name>org.jasig.cas.ticket.registry.DefaultTicketRegistry.cache</field-name>
                </root>
                <root>
                    <!-- The registered Services -->
                    <field-name>org.jasig.cas.services.DefaultServicesManagerImpl.services</field-name>
                </root>
            </roots>

            <locks>
                <!-- Locks for the shared Tickets -->
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.registry.DefaultTicketRegistry.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>ticketRegistryLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.AbstractTicket.updateState(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>ticketWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.AbstractTicket.*(..)</method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>ticketReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.CentralAuthenticationServiceImpl.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>casWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.TicketGrantingTicketImpl.grantServiceTicket(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>tgtWriteLock2</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.TicketGrantingTicketImpl.expire(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>tgtWriteLock2</lock-name>
                </named-lock>
                <!-- Write lock missing from earlier versions of the default config -->
                <named-lock>
                    <method-expression>* org.jasig.cas.ticket.ServiceTicketImpl.grantTicketGrantingTicket(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>tgtWriteLock2</lock-name>
                </named-lock>

                <!-- Service Registry Distribution Locks -->
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.findServiceBy(..)</method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>serviceFindReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.getAllServices(..)</method-expression>
                    <lock-level>read</lock-level>
                    <lock-name>serviceReadLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.services.DefaultServicesManagerImpl.*(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>serviceWriteLock</lock-name>
                </named-lock>
                <named-lock>
                    <method-expression>* org.jasig.cas.web.flow.GenerateServiceTicketAction.doExecute(..)</method-expression>
                    <lock-level>write</lock-level>
                    <lock-name>stActionWriteLock</lock-name>
                </named-lock>
            </locks>

            <instrumented-classes>
                <include>
                    <class-expression>org.jasig.cas.ticket.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.ticket.support.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.authentication.principal.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.util.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.authentication.*</class-expression>
                </include>
                <include>
                    <class-expression>org.jasig.cas.services.RegisteredServiceImpl</class-expression>
                </include>
            </instrumented-classes>

        </dso>
    </application>

</tc:tc-config>
---tc-config.xml---


Raymond Walker
Software Systems Engineer Sr.
ITS Northern Arizona University
[email protected]
Phone 928-523-0334
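Added example, not part of Raymond's post or of the CAS/Terracotta projects: a Python check that parses a tc-config.xml, evaluates the health-check "Max Time" formula quoted in the config comments from the actual property values, and reports which CAS methods the post says need a write lock have no matching write-level named-lock. The embedded excerpt, the REQUIRED_WRITE_LOCKS list and the exact-match rule for method expressions are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt mirroring values from the posted tc-config.xml (not the whole file).
# The grantServiceTicket lock is deliberately left out so the check has something to report.
SAMPLE_TC_CONFIG = """<tc:tc-config xmlns:tc="http://www.terracotta.org/config">
  <tc-properties>
    <property name="l2.healthcheck.l2.ping.idletime"        value="5000"/>
    <property name="l2.healthcheck.l2.ping.interval"        value="1000"/>
    <property name="l2.healthcheck.l2.ping.probes"          value="3"/>
    <property name="l2.healthcheck.l2.socketConnectTimeout" value="2"/>
    <property name="l2.healthcheck.l2.socketConnectCount"   value="5"/>
  </tc-properties>
  <application><dso><locks>
    <named-lock>
      <method-expression>*
org.jasig.cas.ticket.ServiceTicketImpl.grantTicketGrantingTicket(..)</method-expression>
      <lock-level>write</lock-level>
      <lock-name>tgtWriteLock2</lock-name>
    </named-lock>
    <named-lock>
      <method-expression>* org.jasig.cas.ticket.AbstractTicket.*(..)</method-expression>
      <lock-level>read</lock-level>
      <lock-name>ticketReadLock</lock-name>
    </named-lock>
  </locks></dso></application>
</tc:tc-config>"""

# Methods the post says must be under a write lock (assumed list for this check).
REQUIRED_WRITE_LOCKS = [
    "org.jasig.cas.ticket.ServiceTicketImpl.grantTicketGrantingTicket(..)",
    "org.jasig.cas.ticket.TicketGrantingTicketImpl.grantServiceTicket(..)",
]

def tc_properties(root):
    """Map <property name=... value=...> entries, trimming stray whitespace in values."""
    return {p.get("name"): p.get("value").strip() for p in root.iter("property")}

def healthcheck_max_ms(props, direction):
    """Time before a peer is declared dead, per the formula in the config comments:
    idletime + socketConnectCount * (interval * probes + socketConnectTimeout * interval)."""
    g = lambda key: int(props[f"{direction}.{key}"])
    return g("ping.idletime") + g("socketConnectCount") * (
        g("ping.interval") * g("ping.probes") + g("socketConnectTimeout") * g("ping.interval"))

def missing_write_locks(root, required):
    """Required expressions with no exact write-level named-lock (wildcards are not expanded).
    Whitespace is collapsed so line-wrapped method-expressions still match."""
    write_exprs = {" ".join(nl.findtext("method-expression").split())
                   for nl in root.iter("named-lock") if nl.findtext("lock-level") == "write"}
    return [m for m in required if f"* {m}" not in write_exprs]

def check(xml_text):
    root = ET.fromstring(xml_text)
    return healthcheck_max_ms(tc_properties(root), "l2.healthcheck.l2"), missing_write_locks(root, REQUIRED_WRITE_LOCKS)
```

Run `check(open("tc-config.xml").read())` against a real file; the first value is the L2-L2 dead-peer time in ms and the second is the list of required methods still lacking a write lock.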

