Good morning. We have a similar architecture, but slightly different. We run an
internal/external view of DNS that routes one to either an on-prem load
balancer if they are on-prem or an off-prem load balancer if they are off-prem.
Behind each LB we run two CAS servers. All four CAS servers replicate tickets
via Hazelcast and have a local copy of services (SAML, CAS, OIDC) that is
shipped to them via an Azure DevOps release pipeline. That being said, we have
experienced Hazelcast issues that manifest themselves as pegged CPU, typically
on two CAS servers (one on-prem and one off-prem); when this happens we also see
Hazelcast heartbeat error messages. I have talked to the Hazelcast folks and
they do not recommend using Hazelcast in this manner. Instead, they only
recommend using Hazelcast if your CAS servers are in the same datacenter. We
are considering moving to an all off-prem authentication infrastructure as a
result.

Thanks, Jay 

________________________________

Jason Rappaport (he/him)

Identity and Access Management Analyst

Office of Information Technology

Email: jason...@princeton.edu

Office: 609-258-8464

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Baba Ndiaye
Sent: Saturday, February 5, 2022 10:37 AM
To: Ray Bon <r...@uvic.ca>
Cc: cas-user@apereo.org
Subject: Re: [cas-user] CAS High Availability

Ok, thanks for the clarification. So sometimes I have this error:
/cas/login?exception.message=Error+decoding+flow+execution HTTP/1.1"

I have this architecture currently:



The haproxy has the same domain name devcas.mydomain.com but each server has
its own IP address. But if my haproxy1 is down (the ISP is down, the public IP
is down) we get an answer from the second one, but sometimes I have this error
on the login page:
devcas.mydomain.com/cas/login?exception.message=Error+decoding+flow+execution HTTP/1.1"

How can I solve it?

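As an added example, not part of this thread and not CAS's own code: a small Python simulation of why an "Error decoding flow execution" message can appear when a login form rendered by one CAS node is submitted to another node behind the same proxy. CAS keeps webflow state client-side in a token that is signed and encrypted with server-side keys, and every node behind a load balancer must be configured with identical values for cas.webflow.crypto.signing.key and cas.webflow.crypto.encryption.key; a node holding different keys cannot verify a token issued by its peer. The simulation stands in a plain HMAC-SHA512 tag for CAS's real JWT-based scheme, and the state dictionary, service URL and key handling are constructed for illustration.

```python
"""Simulation (not CAS code) of a client-side webflow execution token that is
signed on one CAS node and must be verified on another node behind the proxy."""
import base64
import hashlib
import hmac
import json
import secrets

# Message seen in the thread's failing URL: /cas/login?exception.message=Error+decoding+flow+execution
FLOW_DECODE_ERROR = "Error decoding flow execution"


class FlowDecodeError(Exception):
    """Raised when a node cannot verify the token it was handed."""


def new_key() -> bytes:
    """A random 64-byte signing key. In the simulation each node that is not
    configured with a shared key generates its own, which is the failure mode."""
    return secrets.token_bytes(64)


def encode_flow_execution(state: dict, signing_key: bytes) -> str:
    """Serialize the webflow state and append an HMAC-SHA512 tag.
    The result is what the node hands to the browser as the flow execution key."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha512).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def decode_flow_execution(token: str, signing_key: bytes) -> dict:
    """Verify the tag with this node's key, then deserialize the state.
    Any malformed token or key mismatch surfaces as the decode error."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError) as exc:
        raise FlowDecodeError(FLOW_DECODE_ERROR) from exc
    expected = hmac.new(signing_key, payload, hashlib.sha512).digest()
    if not hmac.compare_digest(tag, expected):
        raise FlowDecodeError(FLOW_DECODE_ERROR)
    return json.loads(payload)


def simulate(shared_keys: bool) -> str:
    """Node A renders the login page; the browser's POST is routed to node B.
    Returns 'ok', or the error message node B would show the user."""
    key_a = new_key()
    key_b = key_a if shared_keys else new_key()  # shared config vs. per-node auto-generated key
    state = {"flow": "login", "step": "viewLoginForm",
             "service": "https://app.example.org/"}  # constructed sample state
    token = encode_flow_execution(state, key_a)
    try:
        decode_flow_execution(token, key_b)
        return "ok"
    except FlowDecodeError as exc:
        return str(exc)


if __name__ == "__main__":
    print("same keys on both nodes:      ", simulate(shared_keys=True))
    print("different keys on both nodes: ", simulate(shared_keys=False))
```

The practical check this points at is to compare the two cas.webflow.crypto properties across every node that the proxies can route to, and to make sure they are not left blank, because a blank value makes each node generate its own key at startup. The same requirement applies to the other cas.*.crypto keys shared by a cluster, such as those for the ticket-granting cookie.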

On Fri, 28 Jan 2022 at 17:30, Ray Bon <r...@uvic.ca> wrote:

Baba,

Each cas server will start its own hazelcast node (no need to install).
Hazelcast has some capability to maintain itself if a node goes down (and comes
up). I have not tested that, since it is a minor inconvenience for a user to log
in again if a session is lost.

Ray

On Fri, 2022-01-14 at 08:54 -0800, Baba Ndiaye wrote:

Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information. 

Thank you Ray for your answer. I would also like to know if hazelcast must be
installed on each node, and also, for the instanceName, which name should we
choose? A name of a node, where it must be different, and we add it to the DNS?
If this is the case, when the name (InstanceName) is down, will my nodes no
longer be accessible?

On Friday, 10 December 2021 at 16:42:34 UTC, Ray Bon wrote:

Baba,

We use round robin with 4 cas servers and use hazelcast for ticket storage.
Round robin is managed by the load balancer in prod.

Whatever you use for ticket storage has to be fast enough so that the second
server knows about the tickets before they are validated by the services.

On my local I use an apache config for clustering (this config will work with
only one of the cas servers started).

<VirtualHost *:443>
    <Proxy balancer://cascluster>
        # BalancerMember http://localhost:8087
        BalancerMember ajp://localhost:8010
        BalancerMember ajp://localhost:8011
    </Proxy>

    DocumentRoot "/var/www/html"

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/local.uvic.ca.chain.pem
    SSLCertificateKeyFile /etc/ssl/private/local.uvic.ca.key.pem

    SSLProxyEngine on
    # Bypassing certificate checking on self-signed client cert
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPreserveHost On
    ProxyPass        /cas balancer://cascluster/cas
    ProxyPassReverse /cas balancer://cascluster/cas
    #ProxyPass        /cas ajp://localhost:8010/cas
    #ProxyPassReverse /cas ajp://localhost:8010/cas
    ProxyPass        /cas-management ajp://localhost:8017/cas-management
    ProxyPassReverse /cas-management ajp://localhost:8017/cas-management
    ProxyPass        /sp ajp://localhost:8016/sp
    ProxyPassReverse /sp ajp://localhost:8016/sp
    ProxyPass        /app0 http://localhost:12080/app0
    ProxyPassReverse /app0 http://localhost:12080/app0
    ProxyPass        /app1 http://localhost:12080/app1
    ProxyPassReverse /app1 http://localhost:12080/app1
    ProxyPass        /Shibboleth.sso http://localhost:12080/Shibboleth.sso
    ProxyPassReverse /Shibboleth.sso http://localhost:12080/Shibboleth.sso
    ProxyPass        /nodejs https://localhost:8443
    ProxyPassReverse /nodejs https://localhost:8443
    ServerName local.uvic.ca

    # IfModule needs the module file name (mod_headers.c) or its identifier
    # (headers_module); a bare "mod_headers" never matches and the block is skipped.
    <IfModule mod_headers.c>
        RequestHeader set X-HTTPS 1
        Header set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>
</VirtualHost>

Ray

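As an added example, not code from this thread or from CAS: a Python simulation of the timing point Ray makes above. Node cas1 issues a service ticket, the service's validation request is routed by the load balancer to cas2, and cas2 can only answer VALID if the write has already replicated to it; the lag figures, service URL and ticket payload are constructed, and the replication model is a simple per-node delivery queue rather than Hazelcast's actual protocol.

```python
"""Simulation (not CAS code) of a replicated ticket registry with replication
lag, showing when a service-ticket validation routed to a second node fails."""
import secrets

# CAS protocol error code a node returns for a ticket it does not know
INVALID_TICKET = "INVALID_TICKET"


class ReplicatedRegistry:
    """One node's ticket store. Writes apply locally at once and reach each
    peer only after lag_ms (a constructed asynchronous-replication model)."""

    def __init__(self, name, lag_ms):
        self.name = name
        self.lag_ms = lag_ms
        self.tickets = {}
        self.peers = []
        self.inbox = []  # (apply_at_ms, op, ticket_id, payload) from peers

    def _replicate(self, op, ticket_id, payload, now_ms):
        for peer in self.peers:
            peer.inbox.append((now_ms + self.lag_ms, op, ticket_id, payload))

    def _apply_pending(self, now_ms):
        """Apply every replicated write whose delivery time has passed."""
        due = sorted(e for e in self.inbox if e[0] <= now_ms)
        self.inbox = [e for e in self.inbox if e[0] > now_ms]
        for _, op, ticket_id, payload in due:
            if op == "add":
                self.tickets[ticket_id] = payload
            else:
                self.tickets.pop(ticket_id, None)

    def add_ticket(self, ticket_id, payload, now_ms):
        self._apply_pending(now_ms)
        self.tickets[ticket_id] = payload
        self._replicate("add", ticket_id, payload, now_ms)

    def delete_ticket(self, ticket_id, now_ms):
        self._apply_pending(now_ms)
        self.tickets.pop(ticket_id, None)
        self._replicate("delete", ticket_id, None, now_ms)

    def get_ticket(self, ticket_id, now_ms):
        self._apply_pending(now_ms)
        return self.tickets.get(ticket_id)


def validate_service_ticket(node, ticket_id, service, now_ms):
    """Mimic /serviceValidate on one node: unknown ticket -> INVALID_TICKET,
    wrong service -> INVALID_SERVICE, otherwise consume the ticket (single use)."""
    ticket = node.get_ticket(ticket_id, now_ms)
    if ticket is None:
        return INVALID_TICKET
    if ticket["service"] != service:
        return "INVALID_SERVICE"
    node.delete_ticket(ticket_id, now_ms)
    return "VALID"


def scenario(replication_lag_ms, client_round_trip_ms):
    """cas1 issues the ST at t=0; the service's validation call lands on cas2
    one client round trip later; a second attempt lands on cas1 much later,
    after replication has settled."""
    cas1 = ReplicatedRegistry("cas1", replication_lag_ms)
    cas2 = ReplicatedRegistry("cas2", replication_lag_ms)
    cas1.peers, cas2.peers = [cas2], [cas1]
    service = "https://app.example.org/login"  # constructed
    st = "ST-" + secrets.token_hex(8)           # constructed ticket id
    t = 0
    cas1.add_ticket(st, {"service": service, "tgt": "TGT-constructed"}, t)
    t += client_round_trip_ms
    first = validate_service_ticket(cas2, st, service, t)
    t += 10 * replication_lag_ms + client_round_trip_ms
    retry = validate_service_ticket(cas1, st, service, t)
    return {"first_validation_on_cas2": first, "retry_on_cas1": retry}


if __name__ == "__main__":
    print("replication faster than the client:", scenario(5, 50))
    print("replication slower than the client:", scenario(500, 50))
```

With replication faster than the browser's redirect, cas2 validates the ticket and the later retry on cas1 is correctly refused because the single-use ticket was consumed. With replication slower than the redirect, cas2 refuses a ticket that is perfectly good, and the retry on cas1 succeeds only because the first attempt never consumed it; this is the intermittent failure a shared registry or sticky sessions at the balancer are meant to avoid.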

On Fri, 2021-12-10 at 03:57 -0800, Baba Ndiaye wrote:

I want to set up a high availability solution for my CAS servers and I want
some solutions for that. I want to use DNS round robin:

* cluster (cas1.myorganisation.edu, cas2.myorganisation.edu)

* DNS round robin

If you have already implemented it, I need your help please.

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose
historical relationships with the land continue to this day.


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFu1ZRsC1M8WP4etkoauNzkj%2Bjo2SMgFbF%3DptDfPQPGXBuE9ig%40mail.gmail.com.

