CAS clustering ?

Kothari, Amit Amit.Kothari at lionbridge.com
Mon Jul 3 08:55:22 EDT 2006 

Hi Marc,

This is certainly helpful. Thanks a lot for your reply.


Regards,

Amit


-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Marc-Antoine Garrigue
Sent: Friday, June 30, 2006 7:49 PM
To: Yale CAS mailing list
Subject: Re: CAS clustering ?

Hi,
We have done some benchmark, but the final report is in french :(.
However, I can give you some figures :
Plateform :
-bi-Pentium III 1.4 Ghz with 3.8 Go RAM
-os : linux red hat
-sun jvm 1.4.2_09-b05  Xmx	2048m Xms	2048m
-jakarta-tomcat-5.0.28
-CAS 2 with 2 stacked handler (AD and LDAP)

The tests shows that under the following constraints :
* response time < 2 sec
* CPU < 70 %
* response flow > 13 requests/s

The platform can :

* deliver 360 000 login pages with 200 concurrent users.
* proceed 126 000 authentications and produce TGT with  40 concurrent
users.
* produce et validate 16 455 600 ST with  600 concurrent users.

We will now do some more stress testing on our new architecture :
Apache front end for static ressources (images and CSS)
CAS 3
same platform but with a 2 * 2 nodes cluster (jgroups implementation).

More figures to come...
Best regards




On 6/30/06, Kothari, Amit <Amit.Kothari at lionbridge.com> wrote:
> Hi Scott,
>
> Thanks for the quick reply.
>
> It's good to know CAS is not a process-intensive application.
> Post user authentication, to-fro communication between cas-client &
cas-server, led me to believe that CAS server response might slow-down
under heavy load. Are you aware of any benchmarks done on how many
requests CAS can handle, let's say, per minute or so ?
> For our application, the no. of users getting authenticated could go
upto 10K within a span of 5 minutes, in some cases.
> Any insight on this will be helpful.
>
> If possible, we may plan on setting up multiple CAS servers at
different sites, and a user authenticated by any one CAS, can browse
applications protected by other CAS. Without a cluster-setup or a load
balancer, will the ticket registry on 1 server be able to communicate
with other ticket registries ?
>
> Generating TicketIds with a suffix might work, but that means some
more customization/parameterization of the CAS server will be needed to
identify the appropriate server for redirection of user request, based
on suffix.
> Please correct me if I am wrong.
>
> Is this implementation on the roadmap for CAS ?
>
>
> Thanks,
>
> Amit
>
>
>
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu
[mailto:cas-bounces at tp.its.yale.edu]On
> Behalf Of Scott Battaglia
> Sent: Wednesday, June 28, 2006 8:02 PM
> To: Yale CAS mailing list
> Subject: Re: CAS clustering ?
>
>
> Amit,
>
> What kind of load are you expecting?  You may not need a cluster (if
> you're only interested in stopping excessive load).  CAS itself is not
a
> very process-intensive application.
>
> That said, its possible to cluster CAS (the easiest way is to use
sticky
> sessions on your load balancer and a distributed registry).  3.0.5
> includes an EhCacheDistributedRegistry.  This was tested by one group
> and they are having trouble optimizing it to prevent deadlock (the
> synchronous updates of EhCache caused deadlock while making them
> unsynchronized lost messages).  We have a JGroups implementation that
I
> can forward to you (we haven't included in the core because it uses a
> deprecated JGroups class).
>
> We also came up with another alternative at Rutgers (that we haven't
> implemented) if you're only interested in load balancing and not
> redundancy/high-availability.  Each TicketIdGenerator allows you to
> specify a suffix to a ticket.  So if each server specifies a unique
> suffix, then a load balancer that can read the request (if they can
> decrypt SSL) can look at the suffix and redirect the request to the
> proper server.
>
> -Scott
>
> Scott Battaglia
> Application Developer, Architecture & Engineering Team
> Enterprise Systems and Services, Rutgers University
> v: 732.445.0097 | f: 732.445.5493 | scott_battaglia at rutgers.edu
>
>
>
> Kothari, Amit wrote:
> > Greetings everybody,
> >
> > We are evaluating CAS for SSO-enabling our applications. Is
clustering
> > of CAS servers possible ?
> > To avoid excessive server load during high volume of authentication
> > requests, we plan to setup multiple CAS servers to handle
> > authentication requests.
> > Let's say our applications (cas-client)  and CAS servers will
> > be configured like this:
> >
> > Users redirecting to App1, App2 will be authenticated by CASServer1.
> > Users redirecting to App3 will be authenticated by CASServer2.
> > Users redirecting to App4 will be authenticated by CASServer3.
> >
> > Once a user gets authenticated by any one CASServer, the user should
> > be able to browse any other application protected by a different
> > CASServer.
> > *_E.g_*: Once user1 gets authenticated by CASServer1, user1 can
> > successfully browse App1 and App2. So far so good.
> > _Requirement_ --> user1 should be able to browse App3 and App4
without
> > being authenticated.
> >
> > Is this possible ? Has anybody tried something like this before ?
> > We are using Tomcat 5.0.x for CAS server & client deployments. CAS
> > Server --> 3.0.4 and Yale CAS Client --> 2.0.11
> >
> > Since CAS server 3.0.5 supports distributed ticket registries, can
we
> > use 3.0.5 ? How much code /configuration will be needed to achieve
the
> > desired functionality ?
> > I couldn't find any documentation about enabling distributed ticket
> > registries. Any pointers will be appreciated.
> >
> > Thanks in advance,
> >
> > - Amit
> >
> >
------------------------------------------------------------------------
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>


-- 
Best regards.

Marc-Antoine Garrigue
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

More information about the cas mailing list