Thanks for your response. I was curious if the Tomcat sessions would replicate using SSL. I guess from your response that they do not and I'll need to configure that separately. I am running it on Windows servers, and can just use IPSec if I need to.
I thought that session affinity wouldn't work because the balancer would have no way of recognizing which server created the TGT when a service contacted it.

The configuration I was planning on is to have two CAS servers:
- Behind a load balancer, either in active/passive or active/active (haven't decided)
- Using the same clustered SQL server as their ticket stores
- Using Tomcat session replication secured via IPSec or some other method
- CAS application configured with the same name to enable the servers to work on the other's tickets

Does this sound like a workable plan or am I missing something?

Geoff

From: Jérôme LELEU [mailto:[email protected]]
Sent: Wednesday, July 31, 2013 8:16 AM
To: [email protected]
Subject: Re: [cas-user] Clustering/HA with MSSQL Backend

Hi,

You're right, if your datastore is already resilient, you just need to integrate your second CAS server with your datastore.

That said, you need session affinity during the login process: the server which sends the login page must be the same which will receive the credentials filled in the login form. Otherwise, the authentication will fail.

About security, the communication between your CAS servers and your datastore must be secure as the TGTs and STs associated with the user identities will be conveyed between both systems. For example, the network traffic between your CAS servers and your datastore should never go through the internet. Both systems should be in the same DMZ or secured network. This is something you need to talk about with your ops team.

Best regards,
Jérôme

2013/7/31 Whittaker, Geoffrey <[email protected]>

I have recently managed to get my test CAS server to use our MSSQL server for the JPA ticket registry backend using the instructions found here: https://wiki.jasig.org/display/CASUM/JpaTicketRegistry and here: https://lists.wisc.edu/read/archive?id=13452694 and some tweaks that I learned along the way.
I have read through https://wiki.jasig.org/display/CASUM/Clustering+CAS and I have a couple of questions. Since we have a clustered SQL setup, I shouldn't need to replicate tickets between two data stores as our SQL infrastructure is already fault tolerant. Given that, it seems the only thing I'd need to do at this point is configure my other test server to work with the same data store and then configure Tomcat session replication. Is that correct or am I missing something?

Are there any security issues I need to watch out for, such as unencrypted traffic between the servers?

Any help would be much appreciated.

Thanks,
Geoff

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
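As an added example of the two-node layout discussed in this thread (this is not code from the thread, from the CAS wiki pages linked above, or from the CAS project's stock configuration): the CAS 3.x Spring XML for the JPA ticket registry pointed at the shared SQL Server over an enforced TLS JDBC connection, and the Tomcat 7 `<Cluster>` block with a `jvmRoute` so the load balancer can keep the login-form affinity Jérôme describes. The hostnames, IP addresses, database and user names, the `${cas.db.password}` and `${cas.node.name}` placeholders and the node names cas1/cas2 are assumptions.

```xml
<!-- 1. WEB-INF/spring-configuration/ticketRegistry.xml (identical on both CAS nodes).
     Assumes the stock file's xmlns:p and xmlns:tx declarations and its Quartz
     job/trigger beans for the cleaner, which are left unchanged. -->
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.JpaTicketRegistry" />

<!-- encrypt=true forces TLS on the JDBC link; trustServerCertificate=false makes the
     driver validate the SQL Server certificate against the JVM truststore, and
     hostNameInCertificate pins the expected name. Hostname and credentials are assumed. -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
      p:driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
      p:url="jdbc:sqlserver://sql.example.org:1433;databaseName=cas;encrypt=true;trustServerCertificate=false;hostNameInCertificate=sql.example.org"
      p:username="cas_app"
      p:password="${cas.db.password}" />

<bean id="entityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"
      p:dataSource-ref="dataSource">
  <property name="jpaVendorAdapter">
    <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"
          p:generateDdl="true" p:showSql="false" />
  </property>
  <property name="jpaProperties">
    <props>
      <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
      <prop key="hibernate.hbm2ddl.auto">update</prop>
    </props>
  </property>
</bean>

<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager"
      p:entityManagerFactory-ref="entityManagerFactory" />
<tx:annotation-driven transaction-manager="transactionManager" />

<!-- Both nodes share one registry, so only one may run the expired-ticket cleaner at a
     time. The lock row lives in the shared database: applicationId is the same on both
     nodes, uniqueId must differ (assumed to be injected per node as ${cas.node.name}). -->
<bean id="cleanerLock" class="org.jasig.cas.ticket.registry.support.JpaLockingStrategy"
      p:applicationId="cas-ticket-registry-cleaner"
      p:uniqueId="${cas.node.name}" />

<bean id="ticketRegistryCleaner"
      class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
      p:ticketRegistry-ref="ticketRegistry"
      p:lock-ref="cleanerLock" />

<!-- 2. conf/server.xml on node cas1 (cas2 is identical except jvmRoute="cas2").
     jvmRoute is appended to JSESSIONID (...cas1), which is what mod_jk /
     mod_proxy_balancer style sticky routing keys on, so the POST of the login form
     lands on the node that rendered it. -->
<Engine name="Catalina" defaultHost="localhost" jvmRoute="cas1">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
    <Manager className="org.apache.catalina.ha.session.DeltaManager"
             expireSessionsOnShutdown="false"
             notifyListenersOnReplication="true" />
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Membership className="org.apache.catalina.tribes.membership.McastService"
                  address="228.0.0.4" port="45564" frequency="500" dropTime="3000" />
      <!-- Tribes replication traffic on this port is plaintext in Tomcat 7: the
           channel has no transport encryption of its own, so the IPSec policy
           between the two Windows hosts must cover TCP 4000 and UDP 45564. -->
      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                address="auto" port="4000" autoBind="100"
                selectorTimeout="5000" maxThreads="6" />
      <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
        <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender" />
      </Sender>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector" />
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor" />
    </Channel>
    <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter="" />
    <!-- Rewrites the jvmRoute suffix when a session fails over to the surviving node. -->
    <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve" />
    <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener" />
  </Cluster>
  <Host name="localhost" appBase="webapps" />
</Engine>
```

Two checks before relying on this: the CAS web application's WEB-INF/web.xml must contain an empty `<distributable/>` element or Tomcat will not replicate its sessions at all, and the JDBC `encrypt=true` setting only helps if the SQL Server side actually presents a certificate the CAS JVM trusts; with `trustServerCertificate=false` a mismatch fails the connection rather than silently falling back, which is the behaviour you want for a link that carries TGTs and STs.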
