Documentation about administering our CAS server infrastructure.
- 1 Application Deployment
- 1.1 Setting up a development environment
- 1.2 Accessing the source code
- 1.3 Deploying to a new production host
- 1.4 Upgrading CAS to a new version
- 2 Run-time Administration
- 3 To-Do list
Setting up a development environment
- Install Apache Tomcat
- Install the MySQL connector JDBC driver
- Install Maven 2
- Setting up CAS development on OS X - Adam's cheat-sheet for OS X.
Accessing the source code
Our CAS source-code is maintained as a "Maven overlay" that includes just our customized files. All other (non-customized) files are automatically downloaded as part of the Maven build process.
To get our CAS source code, clone from our central Git repository on chisel. (if you don't have access, send Adam Franco your ssh public key.)
git clone firstname.lastname@example.org:midd-cas.git
Once you have cloned the Git repository, you should have a directory called
This directory contains the following files:
pom.xml- The Maven configuration file. This tells Maven which version of CAS and each library to use and where to find them.
src/- contains our customized source-code and configuration files.
target/- the directory where maven will put the compiled
Update the configuration if needed
The configuration file committed to the Git repository on chisel is almost identical to the one in production. If you commit and push changes to this file, then update production, these changes will come through.
The current development configuration (in the source repository) refers to a database on chisel that holds the ticket registry and the services configuration. It is fine to continue to use this database if you wish. If not, you can configure another database. Look for the following lines at the bottom of the
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" p:driverClassName="com.mysql.jdbc.Driver" p:url="jdbc:mysql://chisel.middlebury.edu:3306/db_name?autoReconnect=true" p:password="password" p:username="username" />
Build the war package
mvn clean package
Deploy the package
Deploying the package involves stopping tomcat, then deleting the CAS files from its
webapps/ directory and putting the new
war file in that directory. When tomcat is started, it will extract the various resources from the
war file and run the application.
sudo tomcatctl stop sudo rm -R /opt/local/share/java/tomcat5/webapps/cas* sudo cp target/cas.war /opt/local/share/java/tomcat5/webapps/cas.war sudo tomcatctl start
Deploying to a new production host
Tomcat, MySQL connector, Maven
Install Tomcat, the MySQL connector, and Maven as described above.
In production, CAS must be run under SSL. Since running Tomcat with SSL support is challenging, we let Tomcat run on its default port (8080) and then run Apache as a proxy with SSL support (listening on port 443).
... ProxyRequests Off ProxyVia On ProxyPass /cas http://localhost:8080/cas ProxyPassReverse /cas http://localhost:8080/cas ...
The CAS application must be able to validate (via Java/Tomcat) the certificates of any client applications that use it. Import certificate authority certificates into the Java environment using
keytool. See: https://wiki.jasig.org/display/CAS/Solving+SSL+issues for details.
The new server's ssh key needs to be granted access to the git repository on chisel:
ssh-keygen cat /root/.ssh/id_rsa.pub
Send Adam Franco the public key contents.
Clone the git repository:
git clone email@example.com:midd-cas.git
Configure the CAS server
You can see what configuration has been done on existing CAS hosts by cd'ing to the midd-cas directory and running:
git diff origin/master
There should only be a few lines changed in:
src/main/webapp/WEB-INF/cas.properties- The production URL and hostname need to be set
src/main/webapp/WEB-INF/deployerConfigContext.xml- The mysql database location will be changed to the production db.
src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml- On all but one CAS host, the ticket-registry-cleaner needs to be commented out so that the clean-up operations don't collide:
diff --git a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml b/src/main/webapp/WEB-INF/spring-configuration/ticketRegis index 96d958e..057841b 100644 --- a/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml +++ b/src/main/webapp/WEB-INF/spring-configuration/ticketRegistry.xml @@ -15,6 +15,7 @@ <tx:annotation-driven transaction-manager="transactionManager"/> <!-- TICKET REGISTRY CLEANER --> +<!-- <bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner" p:ticketRegistry-ref="ticketRegistry" @@ -41,5 +42,5 @@ p:startDelay="20000" p:repeatInterval="1800000" /> - +-->
Keep track of your config changes:
After you make changes to the CAS configuration, commit them to the local repository on the production host using git:
git status git diff git add file/that/was/changed git status git commit -m "Made such and such config change."
You can see a history of changes via
or with git 1.5.6 and later
git log --graph
Deployment is the same as listed above:
mvn package clean
- delete the files from tomcat's
- copy over the
warfile to tomcat's
Upgrading CAS to a new version
Allowed Services Configuration
Each application that authenticates with CAS needs to be added to the "Allowed Services" list. Currently this list is stored in a database table in the shared database that is also used as the ticket registry.
Services can be managed at: https://login.middlebury.edu/cas/services/
When new services are added, the CAS servers will pick them up within 5-10 minutes.
The CAS logs are stored at
- Multicast Ticket Registry for high availability - Currently the ticket-registry database is a single point of failure. Updating to a ticket-registry implementation that allows each CAS server to validate its peers without a single intermediary will help ensure high availability.