Middlebury

Difference between revisions of "CAS Administration"

(Configure the CAS server)
(Allowed Services Configuration)
Line 139: Line 139:
  
 
== Allowed Services Configuration ==
 
== Allowed Services Configuration ==
 +
Each application that authenticates with CAS needs to be added to the "Allowed Services" list. Currently this list is stored in a database table in the shared database that is also used as the ticket registry.
 +
 +
Services can be managed at: [https://login.middlebury.edu/cas/services/ https://login.middlebury.edu/cas/services/]
 +
 +
When new services are added, the CAS servers will pick them up within 5-10 minutes.
  
 
== Troubleshooting Errors ==
 
== Troubleshooting Errors ==

Revision as of 15:42, 9 May 2011

Documentation about administering our CAS server infrastructure.

Application Deployment

Setting up a development environment

Accessing the source code

Our CAS source-code is maintained as a "Maven overlay" that includes just our customized files. All other (non-customized) files are automatically downloaded as part of the Maven build process.

To get our CAS source code, clone from our central Git repository on chisel. (if you don't have access, send Adam Franco your ssh public key.)

git clone git@chisel.middlebury.edu:midd-cas.git

Once you have cloned the Git repository, you should have a directory called midd-cas.

This directory contains the following files:

  • README.txt
  • pom.xml - The Maven configuration file. This tells Maven which version of CAS and each library to use and where to find them.
  • src/ - contains our customized source-code and configuration files.
  • target/ - the directory where maven will put the compiled war package.

Building/Running CAS

cd midd-cas/

Update the configuration if needed

vim src/main/webapp/WEB-INF/deployerConfigContext.xml

The configuration file committed to the Git repository on chisel is almost identical to the one in production. If you commit and push changes to this file, then update production, these changes will come through.

The current development configuration (in the source repository) refers to a database on chisel that holds the ticket registry and the services configuration. It is fine to continue to use this database if you wish. If not, you can configure another database. Look for the following lines at the bottom of the deployerConfigContext.xml:

    <bean
id="dataSource"
class="org.apache.commons.dbcp.BasicDataSource"
p:driverClassName="com.mysql.jdbc.Driver"

p:url="jdbc:mysql://chisel.middlebury.edu:3306/db_name?autoReconnect=true"
p:password="password"
p:username="username" />

Build the war package

mvn clean package

Deploy the package

Deploying the package involves stopping tomcat, then deleting the CAS files from its webapps/ directory and putting the new war file in that directory. When tomcat is started, it will extract the various resources from the war file and run the application.

sudo tomcatctl stop
sudo rm -R  /opt/local/share/java/tomcat5/webapps/cas*
sudo cp target/cas.war /opt/local/share/java/tomcat5/webapps/cas.war
sudo tomcatctl start

Deploying to a new production host

Tomcat, MySQL connector, Maven

Install Tomcat, the MySQL connector, and Maven as described above.

Apache

In production, CAS must be run under SSL. Since running Tomcat with SSL support is challenging, we let Tomcat run on its default port (8080) and then run Apache as a proxy with SSL support (listening on port 443).

/etc/httpd/conf.d/ssl.conf

...

ProxyRequests Off
ProxyVia On
ProxyPass               /cas    http://localhost:8080/cas
ProxyPassReverse        /cas    http://localhost:8080/cas

...

Certificates

The CAS application must be able to validate (via Java/Tomcat) the certificates of any client applications that use it. Import certificate authority certificates into the Java environment using keytool. See: https://wiki.jasig.org/display/CAS/Solving+SSL+issues for details.

CAS Source

The new server's ssh key needs to be granted access to the git repository on chisel:

ssh-keygen
cat /root/.ssh/id_rsa.pub

Send Adam Franco the public key contents.

Clone the git repository:

git clone git@chisel.middlebury.edu:midd-cas.git

Configure the CAS server

You can see what configuration has been done on existing CAS hosts by cd'ing to the midd-cas directory and running:

git diff origin/master

There should only be a few lines changed in:

  • src/main/webapp/WEB-INF/cas.properties - The production URL and hostname need to be set
  • src/main/webapp/WEB-INF/deployerConfigContext.xml - The mysql database location will be changed to the production db.
  • src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml - On all but one CAS host, the ticket-registry-cleaner needs to be commented out so that the clean-up operations don't collide:
diff --git a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml b/src/main/webapp/WEB-INF/spring-configuration/ticketRegis
index 96d958e..057841b 100644
--- a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
+++ b/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
@@ -15,6 +15,7 @@
<tx:annotation-driven transaction-manager="transactionManager"/>

<!-- TICKET REGISTRY CLEANER -->
+<!--
<bean id="ticketRegistryCleaner"
class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
p:ticketRegistry-ref="ticketRegistry"
@@ -41,5 +42,5 @@
p:startDelay="20000"
p:repeatInterval="1800000"
/>
-
+-->

Keep track of your config changes:

After you make changes to the CAS configuration, commit them to the local repository on the production host using git:

git status
git diff
git add file/that/was/changed
git status
git commit -m "Made such and such config change."

You can see a history of changes via

git log

or with git 1.5.6 and later

git log --graph

.

Deploy

Deployment is the same as listed above:

  1. mvn package clean
  2. tomcatctl stop
  3. delete the files from tomcat's webapps/ directory
  4. copy over the war file to tomcat's webapps/ directory
  5. tomcatctl start


Upgrading CAS to a new version

Run-time Administration

Allowed Services Configuration

Each application that authenticates with CAS needs to be added to the "Allowed Services" list. Currently this list is stored in a database table in the shared database that is also used as the ticket registry.

Services can be managed at: https://login.middlebury.edu/cas/services/

When new services are added, the CAS servers will pick them up within 5-10 minutes.

Troubleshooting Errors

To-Do list

  • Multicast Ticket Registry for high availability - Currently the ticket-registry database is a single point of failure. Updating to a ticket-registry implementation that allows each CAS server to validate its peers without a single intermediary will help ensure high availability.