shibboleth-dev - Re: Shib 2 IdP clustering
Subject: Shibboleth Developers
- From: Karsten Huneycutt
- Subject: Re: Shib 2 IdP clustering
- Date: Wed, 28 May 2008 12:04:13 -0400
Hello --
You're right -- at least the 2.6.0 version (released the other day) doesn't barf when run inside of JBoss 4.2.2. I haven't tried deploying the other application yet, so I don't know if it will interfere with its use of Hibernate and EHCache (though I haven't told it to pay attention to that, so I hope not).
So, I have the DSO servers up and running, the boot jar successfully generated, and the clients inside of JBoss successfully connecting to the servers and reading their configurations. However, clustering still doesn't work (and I'm testing it the only way I know how -- trying over and over again until the load balancer shifts servers...). Here's the application portion of my configuration file for terracotta.
<spring>
  <jee-application name="idp">
    <session-support>false</session-support>
    <application-contexts>
      <application-context>
        <paths>
          <path>/opt/local/shibboleth/conf/internal.xml</path>
          <path>/opt/local/shibboleth/conf/service.xml</path>
        </paths>
        <beans>
          <bean name="shibboleth.StorageService"/>
        </beans>
        <distributed-events>
          <distributed-event>edu.internet2.middleware.shibboleth.common.session.*</distributed-event>
        </distributed-events>
      </application-context>
    </application-contexts>
  </jee-application>
</spring>
I've tried many different things for the "jee-application name" including idp.war, /idp, shibboleth...
What am I doing wrong?
KH
On 24 May, 2008, at 07:12, Chad La Joie wrote:
I need to test this but I believe that the use of Terracotta is okay here. I *think* what isn't supported is JBoss state/session replication but Shib doesn't use container managed sessions. As you already pointed out, it's just the storage service that needs to be replicated. I need to do some testing, but I think we're okay.
Karsten Huneycutt wrote:
Hello --
Of course, since it seems that nothing except the replay cache implements Serializable, I can't easily use the JBoss TreeCache, so it seems that I can't do what I need to do without a lot of work (i.e., reimplement the session manager and the artifact map). That is unfortunate.
Are there options I'm not seeing?
KH
On 23 May, 2008, at 09:58, Karsten Huneycutt wrote:
Hello --
http://jira.terracotta.org/jira/browse/CDV-573
Unfortunately the bug is a little light on details. Note also that the supported containers lists only JBoss 3.2.8 and 4.0.5:
http://terracotta.org/confluence/display/docs1/Platform+Support
KH
On 23 May, 2008, at 00:07, Chad La Joie wrote:
Karsten, can you give me a link to the bug that you're referencing?
Karsten Huneycutt wrote:
Hello --
I'm working to prepare the Shibboleth 2 IdP for production status, and I need to get clustering to work before we can go live. We're behind a load balancer, so we have failover and actual load balancing solved, but of course the two IdPs have to share state.
We are running the IdP in JBoss 4.2.2, and Terracotta doesn't work with JBoss 4.2.x. It's an issue in the TC 2.5.x release version that has yet to be fixed, according to their Jira. We are running one other application on those servers that requires JBoss 4.2.2, so changing versions and/or running plain Tomcat are not options.
So, that leaves me searching for other options. JBoss, of course, has perfectly good clustering functionality built into it, so unless there are other options, I'd like to go ahead and use it.
From looking around, the Spring bean that really needs to be clustered is shibboleth.StorageService, since everything else seems to use it as the, well, storage service. Is that correct? If so, I think I can probably write something that uses the JBoss clustering support and implements the appropriate interface for the IdP code to use, sort of like HA-Shib for 1.3. Does that sound like a sane, reasonable option, or am I missing something?
Are there options I'm missing?
Thanks!
KH
PS: the setup instructions for JBoss are incorrect and incomplete. JBoss still requires the security provider manipulation, and the connector information isn't correct. If I use the information in the Tomcat page, all seems to work.
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
--
Karsten Huneycutt
Systems Specialist, ITS Identity Management
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
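An added illustration of the Serializable constraint raised in the thread (not code from the Shibboleth project or from either poster): a Java pre-flight check that serializes sample values the way a cache replicating by Java serialization would, and names the class that blocks replication. ReplayEntry, Principal, SessionEntry and ArtifactEntry are hypothetical stand-ins, not IdP classes, and the sample values are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

public class ReplicationPreflight {
    // Hypothetical stand-ins for values kept in a storage service; not IdP classes.
    static class ReplayEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String messageId;
        ReplayEntry(String messageId) { this.messageId = messageId; }
    }
    static class Principal {                      // does not implement Serializable
        final String name;
        Principal(String name) { this.name = name; }
    }
    static class SessionEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final Principal principal;                // nested field still blocks replication
        SessionEntry(Principal principal) { this.principal = principal; }
    }
    static class ArtifactEntry {                  // does not implement Serializable
        final String artifact;
        ArtifactEntry(String artifact) { this.artifact = artifact; }
    }

    /** Returns null if the whole object graph serializes, else the blocking class name. */
    static String blockingClass(Object value) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(value);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();                // the JDK puts the class name in the message
        }
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> samples = new LinkedHashMap<>();   // constructed sample values
        samples.put("replay", new ReplayEntry("_constructed-message-id"));
        samples.put("session", new SessionEntry(new Principal("constructed-user")));
        samples.put("artifact", new ArtifactEntry("constructed-artifact"));
        for (Map.Entry<String, Object> e : samples.entrySet()) {
            String blocker = blockingClass(e.getValue());
            System.out.println(e.getKey() + ": "
                + (blocker == null ? "replicable" : "blocked by " + blocker));
        }
    }
}
```

The SessionEntry case shows that marking only the top-level class Serializable is not enough: every object reachable from a stored value has to serialize before the value can be shared between nodes.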
- Shib 2 IdP clustering, Karsten Huneycutt, 05/22/2008
- Re: Shib 2 IdP clustering, Chad La Joie, 05/23/2008
- Re: Shib 2 IdP clustering, Karsten Huneycutt, 05/23/2008
- Re: Shib 2 IdP clustering, Karsten Huneycutt, 05/23/2008
- Re: Shib 2 IdP clustering, Chad La Joie, 05/24/2008
- Re: Shib 2 IdP clustering, Karsten Huneycutt, 05/28/2008