Middlebury

Difference between revisions of "CAS Administration"


Revision as of 14:48, 9 May 2011

Documentation about administering our CAS server infrastructure.

Application Deployment

Setting up a development environment

Accessing the source code

Our CAS source code is maintained as a "Maven overlay" that contains only our customized files. All other (non-customized) files are downloaded automatically as part of the Maven build process.

To get our CAS source code, clone from our central Git repository on chisel. (If you don't have access, send Adam Franco your SSH public key.)

git clone git@chisel.middlebury.edu:midd-cas.git

Once you have cloned the Git repository, you should have a directory called midd-cas.

This directory contains the following files:

  • README.txt
  • pom.xml - The Maven configuration file. This tells Maven which version of CAS and each library to use and where to find them.
  • src/ - contains our customized source-code and configuration files.
  • target/ - the directory where maven will put the compiled war package.

Building/Running CAS

cd midd-cas/

Update the configuration if needed

vim src/main/webapp/WEB-INF/deployerConfigContext.xml

The configuration file committed to the Git repository on chisel is almost identical to the one in production. If you commit and push changes to this file, then update production, these changes will come through.

The current development configuration (in the source repository) refers to a database on chisel that holds the ticket registry and the services configuration. It is fine to continue to use this database if you wish. If not, you can configure another database. Look for the following lines at the bottom of the deployerConfigContext.xml:

    <bean id="dataSource"
          class="org.apache.commons.dbcp.BasicDataSource"
          p:driverClassName="com.mysql.jdbc.Driver"
          p:url="jdbc:mysql://chisel.middlebury.edu:3306/db_name?autoReconnect=true"
          p:password="password"
          p:username="username" />

Build the war package

mvn clean package

Deploy the package

Deploying the package involves stopping tomcat, then deleting the CAS files from its webapps/ directory and putting the new war file in that directory. When tomcat is started, it will extract the various resources from the war file and run the application.

sudo tomcatctl stop
sudo rm -R  /opt/local/share/java/tomcat5/webapps/cas*
sudo cp target/cas.war /opt/local/share/java/tomcat5/webapps/cas.war
sudo tomcatctl start

Deploying to a new production host

Tomcat, MySQL connector, Maven

Install Tomcat, the MySQL connector, and Maven as described above.

Apache

In production, CAS must be run under SSL. Since running Tomcat with SSL support is challenging, we let Tomcat run on its default port (8080) and then run Apache as a proxy with SSL support (listening on port 443).

/etc/httpd/conf.d/ssl.conf

...

ProxyRequests Off
ProxyVia On
ProxyPass               /cas    http://localhost:8080/cas
ProxyPassReverse        /cas    http://localhost:8080/cas

...
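The proxy stanza above is the part of ssl.conf that matters for exposure: ProxyRequests Off keeps Apache a reverse proxy only (with it On, mod_proxy is also an open forward proxy for anyone who can reach port 443), and the ProxyPass target is the local Tomcat and nothing else. The following lint script is an added example, not a file from the wiki or from the CAS project; it checks those two properties plus the ProxyPass/ProxyPassReverse pairing, and runs against two constructed sample configurations. The file-path argument, the function names and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Middlebury wiki page: lint the proxy stanza of an Apache ssl.conf.
# Assumptions: the file to check is passed as $1; the expected target is the page's
# local Tomcat (localhost:8080) for /cas. Exit status 0 means every check passed.

check_proxy_conf() {
    conf="$1"
    status=0

    # 1. ProxyRequests must be Off. With it On, mod_proxy also acts as an open forward
    #    proxy for anyone who can reach port 443, which has nothing to do with CAS.
    if ! grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$conf"; then
        echo "FAIL: ProxyRequests is not Off in $conf" >&2
        status=1
    fi

    # 2. Every ProxyPass target must be the local Tomcat. Any other host means the
    #    CAS URL is forwarding logins somewhere else.
    if grep -Ei '^[[:space:]]*ProxyPass[[:space:]]' "$conf" \
        | grep -Eiv 'http://(localhost|127\.0\.0\.1):8080/' >/dev/null; then
        echo "FAIL: ProxyPass target other than local Tomcat in $conf" >&2
        status=1
    fi

    # 3. ProxyPass /cas needs a matching ProxyPassReverse /cas, or redirects issued by
    #    Tomcat send browsers to http://localhost:8080/cas.
    if grep -Eiq '^[[:space:]]*ProxyPass[[:space:]]+/cas' "$conf" \
       && ! grep -Eiq '^[[:space:]]*ProxyPassReverse[[:space:]]+/cas' "$conf"; then
        echo "FAIL: ProxyPass /cas has no ProxyPassReverse /cas in $conf" >&2
        status=1
    fi
    return $status
}

# Constructed sample configurations (not real files from any host) for a stand-alone run.
write_samples() {
    dir="$1"
    cat > "$dir/good.conf" <<'EOF'
ProxyRequests Off
ProxyVia On
ProxyPass               /cas    http://localhost:8080/cas
ProxyPassReverse        /cas    http://localhost:8080/cas
EOF
    cat > "$dir/bad.conf" <<'EOF'
ProxyRequests On
ProxyPass               /cas    http://cas-backend.example.invalid:8080/cas
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in "$sample_dir/good.conf" "$sample_dir/bad.conf"; do
    if check_proxy_conf "$f" 2>/dev/null; then echo "$f: OK"; else echo "$f: problems found"; fi
done
```

Run it as `sh check_proxy.sh` for the built-in samples, or call `check_proxy_conf /etc/httpd/conf.d/ssl.conf` from a deploy script so a mistaken ProxyRequests On never reaches a running host.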

Certificates

The CAS application must be able to validate (via Java/Tomcat) the certificates of any client applications that use it. Import certificate authority certificates into the Java environment using keytool. See https://wiki.jasig.org/display/CAS/Solving+SSL+issues for details.
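The keytool import the section describes, written out as an added example (not from the wiki page or the Jasig documentation) with the checks that belong around it: the input is verified to be a PEM certificate before anything is added to the truststore, the alias is derived from the file name, and the import is confirmed by listing the alias afterwards. JAVA_HOME, the JVM's default truststore password "changeit", and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Middlebury wiki page: import a CA certificate into the JVM
# truststore that Tomcat uses, then confirm it is there. Assumptions: JAVA_HOME is the Java
# that runs Tomcat, the truststore password is the JVM default "changeit" unless STOREPASS
# is set, and the input file is PEM.
set -eu
: "${JAVA_HOME:=/usr/lib/jvm/java}"   # assumed default location; set it for your host
: "${STOREPASS:=changeit}"            # JVM default; change it on a production host

# JDK layouts keep cacerts under jre/lib/security; a bare JRE (or a newer JDK) under lib/security.
truststore_path() {
    if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then
        echo "$JAVA_HOME/jre/lib/security/cacerts"
    else
        echo "$JAVA_HOME/lib/security/cacerts"
    fi
}

# Accept only a PEM certificate, so a private key or an unrelated file is never imported as trusted.
is_pem_cert() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Alias derived from the file name, e.g. MiddleburyCA.pem -> ca-middleburyca.
alias_for() {
    base=$(basename "$1")
    base=${base%.*}
    printf 'ca-%s' "$base" | tr 'A-Z' 'a-z'
}

import_ca() {
    cert="$1"
    store=$(truststore_path)
    ca_alias=$(alias_for "$cert")
    is_pem_cert "$cert" || { echo "refusing to import, not a PEM certificate: $cert" >&2; return 1; }
    # -trustcacerts: chain the new certificate against CAs already in the store.
    # -noprompt: skip the interactive "Trust this certificate?" question.
    keytool -importcert -trustcacerts -noprompt -alias "$ca_alias" -file "$cert" \
        -keystore "$store" -storepass "$STOREPASS"
    # Verify: keytool -list for the alias must report a trustedCertEntry. Tomcat only
    # sees the new CA after a restart, because the JVM reads cacerts once at startup.
    keytool -list -keystore "$store" -storepass "$STOREPASS" -alias "$ca_alias" | grep -q trustedCertEntry
}
```

Usage: `JAVA_HOME=/path/to/java sh import_ca.sh` after sourcing the functions, then `import_ca /path/to/client-ca.pem` and restart Tomcat. Importing a CA rather than individual client certificates means every certificate that CA issues is trusted, so only import the CAs that actually sign your client applications' certificates.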

CAS Source

The new server's ssh key needs to be granted access to the git repository on chisel:

ssh-keygen
cat /root/.ssh/id_rsa.pub

Send Adam Franco the public key contents.

Clone the git repository:

git clone git@chisel.middlebury.edu:midd-cas.git

Configure the CAS server

You can see what configuration has been done on existing CAS hosts by cd'ing to the midd-cas directory and running:

git diff origin/master

There should only be a few lines changed in:

  • src/main/webapp/WEB-INF/cas.properties - The production URL and hostname need to be set
  • src/main/webapp/WEB-INF/deployerConfigContext.xml - The mysql database location will be changed to the production db.
  • src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml - On all but one CAS host, the ticket-registry-cleaner needs to be commented out so that the clean-up operations don't collide:
diff --git a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml b/src/main/webapp/WEB-INF/spring-configuration/ticketRegis
index 96d958e..057841b 100644
--- a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
+++ b/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
@@ -15,6 +15,7 @@
<tx:annotation-driven transaction-manager="transactionManager"/>

<!-- TICKET REGISTRY CLEANER -->
+<!--
<bean id="ticketRegistryCleaner"
class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
p:ticketRegistry-ref="ticketRegistry"
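Review bot: the `+<!--` added right after the `<!-- TICKET REGISTRY CLEANER -->` line opens an XML comment that does not close until the `-->` in the next hunk, so the whole ticketRegistryCleaner bean sits inside one comment. XML forbids `--` inside a comment, so check that the lines of the bean not shown in this hunk (file lines 18 to 41) contain no nested `<!-- ... -->` or other `--` sequence; if they do, Spring will refuse to parse ticketRegistry.xml at startup and CAS will not come up. Since this is a host-local change that is never pushed, it also appears in every `git diff origin/master` on that host and is lost by a `git checkout` of the file; note in the host's record that this diff is intentional.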
@@ -41,5 +42,5 @@
p:startDelay="20000"
p:repeatInterval="1800000"
/>
-
+-->
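Review bot: `p:startDelay="20000"` and `p:repeatInterval="1800000"` (a cleanup pass every 30 minutes) remain active only on the one host that does not apply this diff, which makes that host the only process expiring tickets in the shared registry database; record which host that is next to this change, because if it is taken out of rotation the ticket table stops being cleaned and nothing will warn about it. The `-` line drops a blank line and `+-->` takes its place, which is why the hunk header stays at 5 lines on both sides; that part is fine.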

Deploy

Deployment is the same as listed above:

  1. mvn clean package
  2. tomcatctl stop
  3. delete the files from tomcat's webapps/ directory
  4. copy over the war file to tomcat's webapps/ directory
  5. tomcatctl start
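The five steps above and the "Deploy the package" commands earlier on this page are the same procedure; the following script is an added example (not the wiki's or the CAS project's own deploy tooling) that runs it end to end with the checks a deploy needs: the war is confirmed to be a non-empty zip archive before Tomcat is stopped, and only cas/ and cas.war are removed so a broad glob cannot take out another webapp whose name starts with "cas". The TOMCATCTL and WEBAPPS variables, their defaults and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Middlebury wiki page: the build-and-deploy sequence from
# "Deploy the package" and "Deploy" as one script. Assumptions: TOMCATCTL and WEBAPPS can
# be overridden from the environment; the defaults are the page's tomcatctl and
# /opt/local/share/java/tomcat5/webapps. Run as root (or under sudo).
set -eu
: "${TOMCATCTL:=tomcatctl}"
: "${WEBAPPS:=/opt/local/share/java/tomcat5/webapps}"

# A war is a zip archive: non-empty and starting with the "PK" signature. Checking this
# before stopping Tomcat avoids taking CAS down for a build that produced nothing usable.
check_war() {
    war="$1"
    [ -s "$war" ] || { echo "missing or empty war: $war" >&2; return 1; }
    magic=$(dd if="$war" bs=2 count=1 2>/dev/null)
    [ "$magic" = "PK" ] || { echo "not a zip/war archive: $war" >&2; return 1; }
}

# Build in the midd-cas checkout. The order is clean, then package: "package clean"
# would build the war and then delete target/ along with it.
build_war() {
    ( cd "$1" && mvn clean package ) >/dev/null
    check_war "$1/target/cas.war"
}

# Stop Tomcat, remove the exploded app and the old war, copy the new war, start Tomcat.
# Only cas/ and cas.war are removed, never a glob, so a sibling webapp such as one
# named cas-something is left alone.
deploy_war() {
    war="$1"
    check_war "$war"
    "$TOMCATCTL" stop
    rm -rf "$WEBAPPS/cas" "$WEBAPPS/cas.war"
    cp "$war" "$WEBAPPS/cas.war"
    "$TOMCATCTL" start
}

# Usage: sh deploy_cas.sh /path/to/midd-cas   (builds, then deploys)
if [ $# -eq 1 ]; then
    build_war "$1"
    deploy_war "$1/target/cas.war"
fi
```

Because Tomcat re-extracts cas.war on start, the removal of the old cas/ directory is what guarantees that stale files from the previous deployment (including an old deployerConfigContext.xml) do not survive into the new one.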


Upgrading CAS to a new version

Run-time Administration

Allowed Services Configuration

Troubleshooting Errors

To-Do list

  • Multicast Ticket Registry for high availability - Currently the ticket-registry database is a single point of failure. Updating to a ticket-registry implementation that allows each CAS server to validate its peers without a single intermediary will help ensure high availability.