Paul,

That is helpful.  We have our CAS logs slurped into Splunk.  I can probably set 
up something to alert us based on hazelcast errors.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Paul B. Henson" <[email protected]>
To: "cas-user" <[email protected]>
Sent: Thursday, October 29, 2015 3:15:51 PM
Subject: Re: [cas-user] Hazelcast deployment architecture - secure tunnel 
between nodes?

On Mon, Oct 26, 2015 at 11:16:42AM -0400, Waldbieser, Carl wrote:

> For those of you who have deployed Hazelcast, are you using a secure
> tunnel between CAS nodes (e.g. ipsec)?  If so, do you monitor that the
> tunnel stays up, and how do you do that?

I initially tried using the built-in hazelcast encryption but found that
totally unreliable, so we ended up setting up point to point ipsec links
between the nodes. We are using strongswan under linux, it was a bit
tricky to get the configuration just right but once we got it working
it's been really stable. I don't specifically monitor the ipsec tunnel,
but we do have a real time log analyzer watching the cas logs, which
generates alerts if any of the nodes get hazelcast errors (which they
would if the tunnel failed, as the firewall rules only allow node
communication through the tunnel, not directly).


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  [email protected]
California State Polytechnic University  |  Pomona CA 91768

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
