JBossTicketRegistry injection of servicetickets
Stephen A. Cochran
stephen.a.cochran at Dartmouth.EDU
Mon Nov 6 10:44:55 EST 2006
On Nov 6, 2006, at 9:35 AM, Scott Battaglia wrote:
> The JBossTicketRegistry utilizes multi-casting in order to
> efficiently deliver the cache. First, we obviously only recommend
> you do multi-casting on a "trusted network" (i.e. one you
> control). Second, you can enable encryption in the JGroups
> configuration. More information on that can be found here:
>
> http://www.jgroups.org/javagroupsnew/docs/javadoc/org/jgroups/protocols/ENCRYPT.html
>
> Does that help? We should probably update our javadocs to reflect
> this information.
JBossTicketRegistry is often set up using multi-casting, but that is
not the only method. Multi-casting makes sense when you have lots of
machines in the cluster, to keep the network traffic from growing
exponentially.
My guess is that most sites only want 2-3 CAS servers. In this case,
I think using direct tcp connections instead of multi-cast is a
better configuration option. The HA-Shibboleth extension (also using
JBossTicketRegistry) recommends this configuration as well:
http://middleware.georgetown.edu/dokuwiki/doku.php/projects:hashib:usagedoc#identifying_the_network_connection_to_use
This should decrease the likelihood of unauthorized insertion of data
into the cluster and removes the need for encryption, which introduces
a noticeable performance decrease:
http://middleware.georgetown.edu/dokuwiki/doku.php/projects:hashib:usagedoc#encrypting_your_traffic
I'm in the process of switching over to a clustered setup, and once I
have the configuration set I'll post it back to the list.
Steve Cochran
Dartmouth College
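
An added example, not part of the original message and not CAS or JGroups project code: a small Python check that reads a JGroups protocol stack and reports whether it relies on multicast (UDP transport or MPING discovery), whether ENCRYPT is in the stack, and which peers a TCPPING list names. The two stacks, with their addresses, ports and host names, are constructed samples, and `audit_stack` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample stacks; addresses, ports and host names are placeholders.
MULTICAST_STACK = """<config>
  <UDP mcast_addr="228.1.2.3" mcast_port="48866" ip_ttl="2"/>
  <PING timeout="2000" num_initial_members="3"/>
  <pbcast.NAKACK/>
  <pbcast.GMS/>
</config>"""

TCP_STACK = """<config>
  <TCP start_port="7800"/>
  <TCPPING initial_hosts="cas1.example.edu[7800],cas2.example.edu[7800]"
           port_range="1"/>
  <pbcast.NAKACK/>
  <pbcast.GMS/>
</config>"""


def audit_stack(xml_text):
    """Summarise how a JGroups protocol stack finds and talks to its peers."""
    root = ET.fromstring(xml_text)
    names = [el.tag for el in root]
    # UDP transport and MPING discovery both send to a multicast group.
    multicast = [n for n in names if n in ("UDP", "MPING")]
    members = []
    tcpping = root.find("TCPPING")
    if tcpping is not None:
        # initial_hosts is a comma-separated list of host[port] entries.
        raw = tcpping.get("initial_hosts", "")
        members = [h.strip() for h in raw.split(",") if h.strip()]
    report = {
        "transport": next((n for n in names if n in ("UDP", "TCP")), None),
        "multicast": multicast,
        "static_members": members,
        "encrypted": "ENCRYPT" in names,
        "warnings": [],
    }
    if multicast and not report["encrypted"]:
        report["warnings"].append(
            "multicast (%s) without ENCRYPT: keep it on a trusted network "
            "or add ENCRYPT" % ", ".join(multicast))
    if report["transport"] == "TCP" and not members:
        report["warnings"].append("TCP transport without a TCPPING host list")
    return report


if __name__ == "__main__":
    for label, stack in (("multicast", MULTICAST_STACK), ("tcp", TCP_STACK)):
        print(label, audit_stack(stack))
```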