Hi Paul -- Did you get any decent response from this? I was just about to compose a similar email when I saw yours. I'm hoping I can just use an mmcache ticket registry and let a hardware Load Balancer take care of the session stuff, but the documentation is a little outdated and inconsistent.
Cheers,
Aaron

---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
W:508.793.7315

> -----Original Message-----
> From: Paul B. Henson [mailto:[email protected]]
> Sent: Friday, August 2, 2013 10:32 PM
> To: [email protected]
> Subject: [cas-user] fault-tolerant/redundant/HA CAS deployment
>
> I finished setting up an initial standalone CAS server, and am now
> moving on to getting redundant servers set up behind a load balancer.
>
> The first page of the documentation
> (https://wiki.jasig.org/display/CASUM/Home) says:
>
> ----
> Additionally, session state replication is unnecessary since tickets
> stored in the registry contain the authenticated state of users, which
> allows a CAS server node to fail without users losing their SSO session
> state.
> ----
>
> OTOH, the documentation on clustering
> (https://wiki.jasig.org/display/CASUM/Clustering+CAS) says:
>
> ----
> Since CAS stores the login information in the application session we
> need to setup session replication between our Tomcat instances.
> ----
>
> It looks like the main page of the documentation was never updated after
> the transition to Spring Webflow 2.0+, which per the clustering page
> lost the ability to store sessions on the client side?
>
> So my understanding of the current state is that you must replicate both
> tomcat sessions as well as use a replicated ticket registry to
> accomplish clustering?
>
> We are initially planning to deploy 2-3 instances in our local data
> center, but eventually plan to deploy at least one at our remote DR
> site. From an initial review of the available ticket registry
> implementations, it looks like either the ehcache or memcache options
> would best suit our needs (I don't really want to involve a database in
> our CAS deployment). Is either of those better supported/more popular
> than the other?
>
> It looks like the default for both ticket registry replication and
> tomcat session registration uses multicast with autodiscovery, without
> any apparent encryption/authentication/authorization layer? I wouldn't
> be on board with that just in my own data center :), for replication to
> the remote DR site that's definitely a no go. The cluster page says
> "Implementing clustering introduces CAS server security concerns", which
> is understandable, but I can't find any documentation or discussion as
> far as alleviating them? For those people doing clustering, what
> approaches are you taking to make the replication secure?
>
> Thanks for any feedback...
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst | [email protected]
> California State Polytechnic University | Pomona CA 91768
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
