Middlebury

Difference between revisions of "CAS Administration"

(Troubleshooting Errors)
(Redirect user to Janus)
 
(18 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 Documentation about administering our CAS server infrastructure.
+Content has been moved to: https://janus.middlebury.edu/display/WTASDOC/CAS+authentication
 
 = Application Deployment =
+[[Category:Web Application Development]]
+[[Category:CAS]]
== Setting up a development environment ==
 
* General
** Install Apache Tomcat
** Install the [http://dev.mysql.com/downloads/connector/j/3.1.html MySQL connector] JDBC driver
** Install Maven 2
* [http://www.adamfranco.com/2009/06/19/setting-up-a-cas-development-on-os-x/ Setting up CAS development on OS X] - Adam's cheat-sheet for OS X.
 
 
 
== Accessing the source code ==
 
 
 
Our CAS source-code is maintained as a "[https://wiki.jasig.org/display/CASUM/Maintaining+local+customizations+using+Maven+2 Maven overlay]" that includes just our customized files. All other (non-customized) files are automatically downloaded as part of the Maven build process.
 
 
 
To get our CAS source code, clone from our central [http://git-scm.com/ Git] repository on chisel (if you don't have access, send Adam Franco your ssh public key).
 
<pre>git clone git@chisel.middlebury.edu:midd-cas.git</pre>
 
 
 
Once you have cloned the Git repository, you should have a directory called <code>midd-cas</code>.
 
 
 
This directory contains the following files:
* <code>README.txt</code>
* <code>pom.xml</code> - The Maven configuration file. This tells Maven which version of CAS and each library to use and where to find them.
* <code>src/</code> - contains our customized source-code and configuration files.
* <code>target/</code> - the directory where Maven will put the compiled <code>war</code> package.
 
 
 
=== Building/Running CAS ===
 
 
 
<pre>cd midd-cas/</pre>
 
 
 
==== Update the configuration if needed ====
 
<pre>vim src/main/webapp/WEB-INF/deployerConfigContext.xml</pre>
 
The configuration file committed to the Git repository on chisel is almost identical to the one in production. If you commit and push changes to this file and then update production, those changes will be deployed along with it.
 
 
 
The current development configuration (in the source repository) refers to a database on chisel that holds the ticket registry and the services configuration. It is fine to continue to use this database if you wish. If not, you can configure another database. Look for the following lines at the bottom of the <code>deployerConfigContext.xml</code>:
 
<pre>    <bean
        id="dataSource"
        class="org.apache.commons.dbcp.BasicDataSource"
        p:driverClassName="com.mysql.jdbc.Driver"
        p:url="jdbc:mysql://chisel.middlebury.edu:3306/db_name?autoReconnect=true"
        p:password="password"
        p:username="username" />
</pre>
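Because the committed <code>deployerConfigContext.xml</code> points at the chisel development database and carries a placeholder password, it is easy to build a production war that still targets the wrong database. The following Python script is an added example (not part of the midd-cas repository) that parses the <code>dataSource</code> bean and reports which database a build would connect to, refusing a production deployment that still points at chisel or still has the placeholder password. It assumes the file declares the standard Spring <code>beans</code> and <code>p</code> namespaces at its root, which the page does not show; the sample configurations embedded in it are constructed from the bean above.

```python
"""Pre-deploy check for the dataSource bean in deployerConfigContext.xml.

Added example, not part of the midd-cas repository. It parses the Spring
bean definition (p: namespace attributes) and reports which database a host
would connect to, flagging a production build that still points at the
chisel development database or still carries placeholder credentials.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Standard Spring namespace URIs; deployerConfigContext.xml is assumed to
# declare them at its <beans> root (the page shows only the bean itself).
NS_BEANS = "http://www.springframework.org/schema/beans"
NS_P = "http://www.springframework.org/schema/p"

# Development database host named on the page.
DEV_DB_HOST = "chisel.middlebury.edu"

# Constructed sample: the committed development bean from the page, wrapped
# in a minimal <beans> root so this file runs stand-alone.
DEV_CONFIG = f"""<beans xmlns="{NS_BEANS}" xmlns:p="{NS_P}">
    <bean
        id="dataSource"
        class="org.apache.commons.dbcp.BasicDataSource"
        p:driverClassName="com.mysql.jdbc.Driver"
        p:url="jdbc:mysql://chisel.middlebury.edu:3306/db_name?autoReconnect=true"
        p:password="password"
        p:username="username" />
</beans>"""

# Constructed production variant; hostname and password are placeholders.
PROD_CONFIG = DEV_CONFIG.replace(DEV_DB_HOST, "PRODUCTION-DB-HOST").replace(
    'p:password="password"', 'p:password="REAL-SECRET"')

JDBC_URL_RE = re.compile(
    r"^jdbc:mysql://(?P<host>[^:/?]+)(?::(?P<port>\d+))?/(?P<db>[^?]+)")


def parse_datasource(xml_text):
    """Return the p: attributes of the bean with id="dataSource" as a dict."""
    root = ET.fromstring(xml_text)
    for bean in root.iter(f"{{{NS_BEANS}}}bean"):
        if bean.get("id") == "dataSource":
            return {
                key.split("}", 1)[1]: value
                for key, value in bean.attrib.items()
                if key.startswith(f"{{{NS_P}}}")
            }
    raise ValueError('no <bean id="dataSource"> found')


def check_datasource(xml_text, production):
    """Return (ok, messages) for the configured JDBC connection.

    ok is False only when deploying this file to a production host would be
    a mistake: it still targets the development database, or it still
    carries the placeholder password from the committed configuration.
    """
    props = parse_datasource(xml_text)
    url = props.get("url", "")
    match = JDBC_URL_RE.match(url)
    if not match:
        return False, [f"p:url is not a jdbc:mysql:// URL: {url!r}"]
    host = match.group("host")
    port = match.group("port") or "3306"
    user = props.get("username", "?")
    messages = [f"database {match.group('db')} on {host}:{port} as {user}"]
    problems = []
    if production and host == DEV_DB_HOST:
        problems.append("production config still points at the development database on chisel")
    if production and props.get("password", "") in ("", "password"):
        problems.append("placeholder password left in the dataSource bean")
    return not problems, messages + problems


if __name__ == "__main__":
    # Usage: python check_datasource.py [deployerConfigContext.xml] [--production]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(args[0]).read() if args else DEV_CONFIG
    ok, messages = check_datasource(text, production="--production" in sys.argv)
    print("\n".join(messages))
    sys.exit(0 if ok else 1)
```

Run it with <code>--production</code> from the midd-cas directory on a production host before <code>mvn clean package</code>; a non-zero exit means the file is still the development configuration.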
 
 
 
==== Build the war package ====
 
<pre>mvn clean package</pre>
 
 
 
==== Deploy the package ====
 
Deploying the package involves stopping tomcat, then deleting the CAS files from its <code>webapps/</code> directory and putting the new <code>war</code> file in that directory. When tomcat is started, it will extract the various resources from the <code>war</code> file and run the application.
 
 
 
<pre>sudo tomcatctl stop
sudo rm -R /opt/local/share/java/tomcat5/webapps/cas*
sudo cp target/cas.war /opt/local/share/java/tomcat5/webapps/cas.war
sudo tomcatctl start
</pre>
 
 
 
== Deploying to a new production host ==
 
 
 
=== Tomcat, MySQL connector, Maven ===
 
Install Tomcat, the MySQL connector, and Maven as described above.
 
 
 
=== Apache ===
 
In production, CAS must be run under SSL. Since running Tomcat with SSL support is challenging, we let Tomcat run on its default port (8080) and then run Apache as a proxy with SSL support (listening on port 443).
 
 
 
<code>/etc/httpd/conf.d/ssl.conf</code>
 
<pre>...

ProxyRequests Off
ProxyVia On
ProxyPass        /cas    http://localhost:8080/cas
ProxyPassReverse /cas    http://localhost:8080/cas

...</pre>
 
 
 
=== Certificates ===
 
The CAS application must be able to validate (via Java/Tomcat) the certificates of any client applications that use it. Import certificate authority certificates into the Java environment using <code>keytool</code>. See: [https://wiki.jasig.org/display/CAS/Solving+SSL+issues https://wiki.jasig.org/display/CAS/Solving+SSL+issues] for details.
 
 
 
=== CAS Source ===
 
The new server's ssh key needs to be granted access to the git repository on chisel:
 
<pre>ssh-keygen
cat /root/.ssh/id_rsa.pub</pre>
 
Send Adam Franco the public key contents.
 
 
 
Clone the git repository:
 
<pre>git clone git@chisel.middlebury.edu:midd-cas.git</pre>
 
 
 
=== Configure the CAS server ===
 
You can see what configuration has been done on existing CAS hosts by cd'ing to the midd-cas directory and running:
 
<pre>git diff origin/master</pre>
 
 
 
There should only be a few lines changed in:
* <code>src/main/webapp/WEB-INF/cas.properties</code> - The production URL and hostname need to be set
* <code>src/main/webapp/WEB-INF/deployerConfigContext.xml</code> - The MySQL database location will be changed to the production db.
* <code>src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml</code> - On all but one CAS host, the ticket-registry-cleaner needs to be commented out so that the clean-up operations don't collide:
 
<pre>diff --git a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml b/src/main/webapp/WEB-INF/spring-configuration/ticketRegis
 
index 96d958e..057841b 100644
 
--- a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
 
+++ b/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
 
@@ -15,6 +15,7 @@
 
<tx:annotation-driven transaction-manager="transactionManager"/>
 
 
 
<!-- TICKET REGISTRY CLEANER -->
 
+<!--
 
<bean id="ticketRegistryCleaner"
 
class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
 
p:ticketRegistry-ref="ticketRegistry"
 
@@ -41,5 +42,5 @@
 
p:startDelay="20000"
 
p:repeatInterval="1800000"
 
/>
 
-
 
+--></pre>
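Review bot: the closing `-->` in this second hunk replaces the blank line after the trigger's `/>`, so the comment opened in the first hunk (just after the `<!-- TICKET REGISTRY CLEANER -->` marker) now spans both the `ticketRegistryCleaner` bean and the trigger with `p:startDelay`/`p:repeatInterval`. Before committing this on a host, confirm two things the diff context does not show: that no other `<!-- ... -->` (or bare `--`) occurs inside that range, since XML comments do not nest and the file would stop being well-formed, and that no bean outside the range still references `ticketRegistryCleaner`, since an unresolved bean reference fails the whole Spring context and CAS will not start. It would also help to record in the commit message which host keeps the cleaner enabled, given that this must be commented out on all but one.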
 
 
 
'''Keep track of your config changes:'''
 
 
 
After you make changes to the CAS configuration, commit them to the local repository on the production host using git:
 
<pre>git status
git diff
git add file/that/was/changed
git status
git commit -m "Made such and such config change."</pre>
 
 
 
You can see a history of changes via <code>git log</code> or, with git 1.5.6 and later, <code>git log --graph</code>.
 
 
 
=== Deploy ===
 
Deployment is the same as listed above:

# <code>mvn clean package</code>
# <code>tomcatctl stop</code>
# delete the files from tomcat's <code>webapps/</code> directory
# copy over the <code>war</code> file to tomcat's <code>webapps/</code> directory
# <code>tomcatctl start</code>
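The stop / remove / copy / start sequence above (the same one given under "Deploy the package" earlier) written out as a small POSIX shell script, with the checks that keep a missing build or a mistyped path from turning into an outage. This is an added example, not a script from the midd-cas repository. It assumes the Tomcat control command can be overridden through a <code>TOMCATCTL</code> variable (defaulting to <code>tomcatctl</code>, as on this page) and that it runs with the privileges the page obtains via <code>sudo</code>.

```shell
#!/bin/sh
# deploy_cas_war.sh: added example, not a script from the midd-cas
# repository. It performs the stop / remove / copy / start sequence from
# the page, but checks its inputs before Tomcat is stopped so that a
# missing build or a mistyped webapps path cannot cause an outage or an
# unbounded `rm -R`.
#
# Assumptions (not on the page): the Tomcat control command can be
# overridden through $TOMCATCTL (defaults to tomcatctl, as used on the
# page), and the script runs with the privileges the page obtains via sudo.

TOMCATCTL="${TOMCATCTL:-tomcatctl}"

# deploy_war WAR_FILE WEBAPPS_DIR
# Returns 0 on success. Returns 1 without touching Tomcat if the war is
# missing/empty or the webapps directory is unset or does not exist.
deploy_war() {
    war="$1"
    webapps="$2"

    # Verify the build artefact first: a failed `mvn clean package`
    # should not take the running CAS instance down.
    if [ ! -s "$war" ]; then
        echo "deploy_war: war file missing or empty: '$war'" >&2
        return 1
    fi
    # Never let an empty or wrong variable expand into `rm -R /cas*`.
    if [ -z "$webapps" ] || [ ! -d "$webapps" ]; then
        echo "deploy_war: webapps directory not found: '$webapps'" >&2
        return 1
    fi

    "$TOMCATCTL" stop || return 1
    # Remove the previous war and the directory Tomcat extracted from it
    # (the page's `rm -R webapps/cas*`, spelled out so that no other
    # application whose name happens to start with "cas" is removed).
    rm -R "$webapps/cas.war" "$webapps/cas" 2>/dev/null || true
    cp "$war" "$webapps/cas.war" || return 1
    "$TOMCATCTL" start
}

# Usage when run directly:
#   sh deploy_cas_war.sh target/cas.war /opt/local/share/java/tomcat5/webapps
if [ "$#" -eq 2 ]; then
    deploy_war "$1" "$2"
fi
```

The two checks run before <code>tomcatctl stop</code> on purpose: the only step that needs downtime is replacing the extracted <code>cas/</code> directory, so everything that can fail should fail while the old instance is still serving logins.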
 
 
 
 
 
== Upgrading CAS to a new version ==
 
 
 
 
 
= Run-time Administration =
 
 
 
== Allowed Services Configuration ==
 
Each application that authenticates with CAS needs to be added to the "Allowed Services" list. Currently this list is stored in a database table in the shared database that is also used as the ticket registry.
 
 
 
Services can be managed at: [https://login.middlebury.edu/cas/services/ https://login.middlebury.edu/cas/services/]
 
 
 
When new services are added, the CAS servers will pick them up within 5-10 minutes.
 
 
 
== Troubleshooting Errors ==
 
 
 
The CAS logs are stored at <code>/usr/share/tomcat5/logs/catalina.out</code>.
 
 
 
= To-Do list =
 
* [https://wiki.jasig.org/display/CASUM/EhcacheTicketRegistry Multicast Ticket Registry for high availability] - Currently the ticket-registry database is a single point of failure. Updating to a ticket-registry implementation that allows each CAS server to validate its peers without a single intermediary will help ensure high availability.
 

Latest revision as of 13:10, 1 March 2018
