1 Overview
2 Build CAS Server
2.1 Prepare the build environment
2.2 Download
2.3 Add dependencies
2.4 Build
3 Deploy to Tomcat
3.1 Deploy the first Tomcat
[cas@status cas]$ tar -zxvf apache-tomcat-7.0.70.tar.gz
[cas@status cas]$ mv apache-tomcat-7.0.70 1#tomcat
[cas@BD-ERPCAS01 cas]$ vim 1#tomcat/conf/server.xml
...
<Server port="8006" shutdown="SHUTDOWN">
...
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
...
<Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
...
Deploy the CAS war built in section 2 into 1#tomcat/webapps/ (it unpacks to webapps/cas), then start Tomcat:
[cas@BD-ERPCAS01 cas]$ sh 1#tomcat/bin/startup.sh
Watch catalina.out: vim 1#tomcat/logs/catalina.out
Once startup has finished, open http://<ip address>:8081/cas in a browser to reach the CAS server page. To stop Tomcat:
sh 1#tomcat/bin/shutdown.sh
Change the authentication method: edit webapps/cas/WEB-INF/deployerConfigContext.xml and replace the authenticationHandlers property:
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" p:requireSecure="false"/>
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
          p:filter="sAMAccountName=%u"
          p:searchBase="dc=navchina,dc=com"
          p:contextSource-ref="contextSource"
          p:ignorePartialResultException="true" />
  </list>
</property>
Add the contextSource bean the LDAP handler refers to (the filter on sAMAccountName and the DOMAIN\user bind name mean this is an Active Directory forest):
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="false"/>
  <property name="urls">
    <list>
      <value>ldap://192.168.0.2:389</value>
      <value>ldap://192.168.0.3:389</value>
    </list>
  </property>
  <property name="userDn" value="nnnchina\test001"/>
  <property name="password" value="xxxxxx not shown xxxxxxx"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
      <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
Two things to keep in mind with this configuration. requireSecure="false" lets the proxy-callback handler accept non-HTTPS callback URLs; leave it at the default (true) unless every proxying service really runs on plain HTTP in a test network. The contextSource binds over plain ldap:// on port 389 with java.naming.security.authentication=simple, so the bind account's password, and every user password the BindLdapAuthenticationHandler checks, crosses the network in cleartext; point the urls at ldaps://...:636 (or enable StartTLS) against the domain controllers, and keep deployerConfigContext.xml readable only by the cas user, since it carries the bind password.
The logoutController bean, for reference:
<bean id="logoutController" class="org.jasig.cas.web.LogoutController" p:centralAuthenticationService-ref="centralAuthenticationService" p:logoutView="casLogoutView" p:warnCookieGenerator-ref="warnCookieGenerator" p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator" p:servicesManager-ref="servicesManager" p:followServiceRedirects="${cas.logout.followServiceRedirects:true}"/>
3.2 Deploy the second Tomcat
[cas@status 1#tomcat]$ sh bin/shutdown.sh
Clean out the logs and work files first, so the copy starts clean:
[cas@status 1#tomcat]$ ll
total 128
drwxr-xr-x. 2 cas cas  4096 Aug 26 11:26 bin
-rw-rw-r--. 1 cas cas  7411 Aug 26 11:49 cas.log
drwxr-xr-x. 3 cas cas  4096 Aug 26 11:31 conf
drwxr-xr-x. 2 cas cas  4096 Aug 26 11:26 lib
-rw-r--r--. 1 cas cas 56846 Jun 16 00:41 LICENSE
drwxr-xr-x. 2 cas cas  4096 Aug 26 11:31 logs
-rw-r--r--. 1 cas cas  1239 Jun 16 00:41 NOTICE
-rw-rw-r--. 1 cas cas  2424 Aug 26 11:49 perfStats.log
-rw-r--r--. 1 cas cas  8965 Jun 16 00:41 RELEASE-NOTES
-rw-r--r--. 1 cas cas 16195 Jun 16 00:41 RUNNING.txt
drwxr-xr-x. 2 cas cas  4096 Aug 26 11:26 temp
drwxr-xr-x. 8 cas cas  4096 Aug 26 11:31 webapps
drwxr-xr-x. 3 cas cas  4096 Aug 26 11:31 work
[cas@status 1#tomcat]$ rm logs/*
[cas@status 1#tomcat]$ rm cas.log perfStats.log
[cas@status 1#tomcat]$ rm temp/*
[cas@status 1#tomcat]$ rm -r work/*
[cas@status 1#tomcat]$
[cas@status 1#tomcat]$ cd ..
[cas@status cas]$ cp -r 1#tomcat 2#tomcat
[cas@status cas]$ vim 2#tomcat/conf/server.xml
...
<Server port="8007" shutdown="SHUTDOWN">
...
<Connector port="8082" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
...
<Connector port="8011" protocol="AJP/1.3" redirectPort="8443" />
...
Every listening port (shutdown, HTTP and AJP) must differ between the two instances, since both run on the same host. The original post had the AJP port as 80011, which is outside the valid range of 1-65535 and would fail at startup; 8011 is the value that fits the pattern.
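The port clash and range problem above is easy to check mechanically before the instances are started. The following script is an added example, not part of the original post: it pulls every listening port out of Tomcat server.xml files, checks that each one is a valid TCP port, and checks that two instances share none. The server.xml fragments it creates under a temporary directory are constructed for the demo (one of them carries the 80011 typo from the original); point check_instances at 1#tomcat/conf/server.xml and 2#tomcat/conf/server.xml to check the real files.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check Tomcat server.xml
# ports before starting two instances on one host.
# Real usage:  check_instances 1#tomcat/conf/server.xml 2#tomcat/conf/server.xml

# extract_ports FILE: print the value of every ' port="..."' attribute, one per
# line. The leading space keeps redirectPort="8443" out: it is not a listening
# port and is legitimately the same in both instances.
extract_ports() {
    grep -o ' port="[^"]*"' "$1" | sed 's/ port="\(.*\)"/\1/'
}

# check_port_range FILE: 0 if every port is an integer in 1..65535, else 1.
check_port_range() {
    range_rc=0
    for p in $(extract_ports "$1"); do
        case "$p" in
            ''|*[!0-9]*) echo "$1: non-numeric port '$p'"; range_rc=1; continue ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "$1: port $p is outside 1-65535"; range_rc=1
        fi
    done
    return $range_rc
}

# check_no_conflict FILE1 FILE2: 0 if the two instances share no listening port.
check_no_conflict() {
    shared=$( { extract_ports "$1" | sort -u; extract_ports "$2" | sort -u; } | sort | uniq -d )
    if [ -n "$shared" ]; then
        echo "port(s) used by both $1 and $2: $(echo "$shared" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# check_instances FILE1 FILE2: all three checks; 0 only if every one passes.
check_instances() {
    all_rc=0
    check_port_range "$1" || all_rc=1
    check_port_range "$2" || all_rc=1
    check_no_conflict "$1" "$2" || all_rc=1
    return $all_rc
}

# --- constructed sample files (demo only; the real ones live under */conf) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
TOMCAT1_XML="$DEMO_DIR/tomcat1-server.xml"
TOMCAT2_BAD_XML="$DEMO_DIR/tomcat2-bad-server.xml"
TOMCAT2_XML="$DEMO_DIR/tomcat2-server.xml"

cat > "$TOMCAT1_XML" <<'EOF'
<Server port="8006" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
# second instance as it appeared in the original post: AJP port 80011 (out of range)
sed 's/8006/8007/; s/8081/8082/; s/8010/80011/' "$TOMCAT1_XML" > "$TOMCAT2_BAD_XML"
# second instance with the corrected AJP port
sed 's/8006/8007/; s/8081/8082/; s/8010/8011/' "$TOMCAT1_XML" > "$TOMCAT2_XML"

if check_instances "$TOMCAT1_XML" "$TOMCAT2_BAD_XML"; then
    echo "bad pair: passed (unexpected)"
else
    echo "bad pair: rejected"
fi
if check_instances "$TOMCAT1_XML" "$TOMCAT2_XML"; then
    echo "fixed pair: ok"
else
    echo "fixed pair: rejected (unexpected)"
fi
```

Run it as the cas user from /u01/cas after editing both server.xml files; a non-zero exit means at least one instance would fail to bind or would fight the other for a port.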
4 Build the cluster
4.1 Install Apache httpd
yum install -y gcc gcc-c++ make
apr, apr-util and pcre (their sources appear in the listing in 4.3) must already be installed under /usr/local/apr and /usr/local/pcre, which is where the configure flags below look for them.
[root@status httpd-2.4.23]# ./configure \
--with-expat=builtin --prefix=/u01/cas/apache \
--with-mpm=worker --enable-mods-shared=all \
--enable-module=all --enable-module=so \
--enable-rule=SHARED_CORE --with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr --with-pcre=/usr/local/pcre \
--enable-proxy --enable-proxy-ajp --enable-proxy-balancer \
--enable-so --enable-ssl && make && make install
Change the owner and group of the apache tree:
[root@status cas]# chown -R cas:cas apache/
While at it, add hans.com to /etc/hosts (assuming the single-sign-on domain you were given is hans.com):
[root@status cas]# vim /etc/hosts
4.2 Install memcached
yum install memcached
Start memcached (as the cas user):
[cas@status apache]$ memcached -d -m 1024 -p 11211 -u cas -c 512 -P /tmp/memcached.pid
Adjust the parameters to your environment; at minimum change the user (-u), since everything here runs as cas.
memcached has no authentication of its own and, started as above, listens on every interface. It will hold the CAS ticket-granting tickets (section 4.5), and a TGT is as good as a logged-in session, so bind it to the loopback address with -l 127.0.0.1 while both Tomcats are on this host, or restrict port 11211 to the CAS nodes in the firewall.
[cas@status apache]$ ps -aux | grep 'memcache'
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
cas 11800 0.0 0.0 318560 720 ? Ssl 10:31 0:00 memcached -d -m 1024 -p 11211 -u cas -c 512 -P /tmp/memcached.pid
4.3 Set up JVM session affinity and a shared, context-independent webapp
Current layout of /u01/cas:
[cas@status cas]$ ll
total 55484
drwxrwxr-x.  9 cas    cas       4096 Aug 26 11:50 1#tomcat
drwxrwxr-x.  9 cas    cas       4096 Aug 26 11:53 2#tomcat
drwxr-xr-x. 14 root   root      4096 Aug 26 14:30 apache
-rw-rw-r--.  1 cas    cas    8924465 Aug 26 11:05 apache-tomcat-7.0.70.tar.gz
drwxr-xr-x. 28 1000   1000      4096 Aug 26 14:21 apr-1.5.2
-rw-rw-r--.  1 cas    cas    1031613 Aug 16 17:03 apr-1.5.2.tar.gz
drwxr-xr-x. 20 1000   1000      4096 Aug 26 14:22 apr-util-1.5.4
-rw-rw-r--.  1 cas    cas     874044 Aug 16 17:04 apr-util-1.5.4.tar.gz
-rw-rw-r--.  1 cas    cas     502864 Aug 29 14:21 cas.log
drwxr-xr-x. 12 oracle games     4096 Aug 26 14:27 httpd-2.4.23
-rw-rw-r--.  1 cas    cas    8406575 Aug 16 15:53 httpd-2.4.23.tar.gz
drwxr-xr-x.  9 1169   1169     12288 Aug 26 14:23 pcre-8.38
-rw-rw-r--.  1 cas    cas    2053336 Aug 16 17:18 pcre-8.38.tar.gz
-rw-rw-r--.  1 cas    cas     789066 Aug 29 14:22 perfStats.log
drwxr-xr-x.  9 cas    cas       4096 Aug 21 04:00 tomcat
drwxr-x---.  8 cas    cas       4096 Aug 15 09:52 webapp
-rw-rw-r--.  1 cas    cas   34165488 Aug 22 08:44 webapp.tar.gz
Move the exploded CAS webapp out of Tomcat into a directory both instances will share:
[cas@status cas]$ mv 1#tomcat/webapps/cas ./webapp
(mv into a directory that already exists nests cas inside it; make sure /u01/cas/webapp ends up being the exploded CAS application itself, because that is what docBase points at below.)
Check the path and configure both Tomcats:
[cas@status cas]$ pwd
/u01/cas
[cas@status cas]$ ll
total 55492
drwxrwxr-x.  9 cas    cas       4096 Aug 26 11:50 1#tomcat
drwxrwxr-x.  9 cas    cas       4096 Aug 26 11:53 2#tomcat
drwxr-xr-x. 14 root   root      4096 Aug 26 14:30 apache
-rw-rw-r--.  1 cas    cas    8924465 Aug 26 11:05 apache-tomcat-7.0.70.tar.gz
drwxr-xr-x. 28 1000   1000      4096 Aug 26 14:21 apr-1.5.2
-rw-rw-r--.  1 cas    cas    1031613 Aug 16 17:03 apr-1.5.2.tar.gz
drwxr-xr-x. 20 1000   1000      4096 Aug 26 14:22 apr-util-1.5.4
-rw-rw-r--.  1 cas    cas     874044 Aug 16 17:04 apr-util-1.5.4.tar.gz
-rw-rw-r--.  1 cas    cas     504808 Aug 29 14:39 cas.log
drwxr-xr-x. 12 oracle games     4096 Aug 26 14:27 httpd-2.4.23
-rw-rw-r--.  1 cas    cas    8406575 Aug 16 15:53 httpd-2.4.23.tar.gz
drwxr-xr-x.  9 1169   1169     12288 Aug 26 14:23 pcre-8.38
-rw-rw-r--.  1 cas    cas    2053336 Aug 16 17:18 pcre-8.38.tar.gz
-rw-rw-r--.  1 cas    cas     792252 Aug 29 14:40 perfStats.log
drwxr-xr-x.  9 cas    cas       4096 Aug 21 04:00 tomcat
drwxrwxr-x.  8 cas    cas       4096 Aug 26 11:31 webapp
-rw-rw-r--.  1 cas    cas   34165488 Aug 22 08:44 webapp.tar.gz
[cas@status cas]$
[cas@status cas]$ vim 1#tomcat/conf/server.xml
[cas@status cas]$ vim 2#tomcat/conf/server.xml
In each server.xml add the following Context inside the <Host> element, so both instances serve the same directory under the /mascloud context (the server is then reached at /mascloud rather than /cas):
<Context path="/mascloud" docBase="/u01/cas/webapp" reloadable="false" />
Session affinity: in 1#tomcat find <Engine name="Catalina" defaultHost="localhost" > and replace it with <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1" >
In 2#tomcat find <Engine name="Catalina" defaultHost="localhost" > and replace it with <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm2" >
jvmRoute only tags each node's JSESSIONID cookie so the Apache balancer (stickysession=JSESSIONID in 4.4) can route a browser back to the node holding its HttpSession; nothing is replicated. Affinity is required because the CAS login web flow keeps its state in the HttpSession, while ticket state is shared through memcached in 4.5. If a node goes down, users who were in the middle of logging in on it start the login over on the other node.
4.4 Configure Apache
Edit apache/conf/httpd.conf.
Listen 8008
Remove the leading # from these lines:
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
Add a leading # to this line:
#ServerAdmin you@example.com
Uncomment this line and set the server name:
ServerName hans.com:8008
Append the following at the end of the file to configure load balancing:
AcceptFilter http none
AcceptFilter https none
EnableSendfile Off
EnableMMAP off
Timeout 6000
ProxyTimeout 6000
ProxyRequests off
ProxyPass /balancer-manager !
ProxyPass /server-status !
ProxyPass / balancer://my_cluster1/ stickysession=JSESSIONID nofailover=off
ProxyPassReverse / balancer://my_cluster1/
ProxyPreserveHost On
<Proxy balancer://my_cluster1>
    BalancerMember http://127.0.0.1:8081 route=jvm1
    BalancerMember http://127.0.0.1:8082 route=jvm2
    ProxySet lbmethod=bybusyness
</Proxy>
Optional: redirect every HTTP request to HTTPS (needs mod_rewrite, which is loaded in 4.7):
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
Three notes on this block. ProxyRequests off is required: with it on, the host becomes an open forward proxy for anyone who can reach port 8008. "ProxyPass /balancer-manager !" and "ProxyPass /server-status !" only keep those two paths from being forwarded to Tomcat; if you enable the balancer-manager or server-status handlers, wrap them in a <Location> with "Require ip ..." (the balancer-manager lets a caller drain or re-route cluster members at runtime). Timeout and ProxyTimeout of 6000 seconds let a single slow client hold a worker for 100 minutes; lower them unless there is a specific reason for that value.
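A config-lint pass catches the two mistakes this block makes easiest: a LoadModule line left commented out, and a management handler exposed without an access rule. The script below is an added example, not from the original post. It checks that the proxy modules listed above are loaded, that ProxyRequests is off, and that a <Location> which enables balancer-manager or server-status carries a Require rule other than "all granted". The two httpd.conf fragments it writes are constructed for the demo: the first uses the post's balancer configuration but enables the balancer-manager with "Require all granted" (the common copy-paste from documentation), the second restricts it to localhost; a third variant comments out one LoadModule line to show the module check failing.

```shell
#!/bin/sh
# Added example (not from the original post): lint the httpd.conf proxy block
# before starting Apache. Usage on the real file:  lint_httpd_conf apache/conf/httpd.conf

# Modules the balancer block in section 4.4 depends on.
REQUIRED_MODULES="proxy_module proxy_http_module proxy_balancer_module lbmethod_bybusyness_module slotmem_shm_module"

# check_modules CONF: 0 if every required module has an uncommented LoadModule line.
check_modules() {
    mod_rc=0
    for m in $REQUIRED_MODULES; do
        grep -Eq "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" "$1" \
            || { echo "$1: $m is not loaded"; mod_rc=1; }
    done
    return $mod_rc
}

# check_proxy_requests_off CONF: 0 if ProxyRequests is explicitly off (no open forward proxy).
check_proxy_requests_off() {
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+off[[:space:]]*$' "$1" \
        || { echo "$1: ProxyRequests off is missing"; return 1; }
}

# check_handler_protected CONF PATH HANDLER: fails only if a <Location PATH> block
# enables HANDLER via SetHandler and has no Require rule stricter than "all granted".
# (Unquoted Location paths, as in the post; a handler that is not enabled passes.)
check_handler_protected() {
    awk -v path="$2" -v handler="$3" -v conf="$1" '
        $1 == "<Location" && $2 == (path ">") { inblk = 1; enabled = 0; guarded = 0; next }
        inblk && $1 == "SetHandler" && $2 == handler { enabled = 1 }
        inblk && $1 == "Require" && !($2 == "all" && $3 == "granted") { guarded = 1 }
        inblk && $1 == "</Location>" { inblk = 0; if (enabled) { seen = 1; if (!guarded) bad = 1 } }
        END {
            if (bad) { print conf ": " handler " enabled at " path " without an access rule"; exit 1 }
            if (!seen) print conf ": " handler " not enabled at " path " (nothing to protect)"
            exit 0
        }' "$1"
}

# lint_httpd_conf CONF: run every check; 0 only if all pass.
lint_httpd_conf() {
    lint_rc=0
    check_modules "$1" || lint_rc=1
    check_proxy_requests_off "$1" || lint_rc=1
    check_handler_protected "$1" /balancer-manager balancer-manager || lint_rc=1
    check_handler_protected "$1" /server-status server-status || lint_rc=1
    return $lint_rc
}

# --- constructed sample configs (demo only) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
CONF_EXPOSED="$DEMO_DIR/httpd-exposed.conf"
CONF_HARDENED="$DEMO_DIR/httpd-hardened.conf"
CONF_MISSING_MODULE="$DEMO_DIR/httpd-missing-module.conf"

cat > "$CONF_EXPOSED" <<'EOF'
Listen 8008
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
ServerName hans.com:8008
ProxyRequests off
ProxyPass /balancer-manager !
ProxyPass / balancer://my_cluster1/ stickysession=JSESSIONID nofailover=off
ProxyPassReverse / balancer://my_cluster1/
<Proxy balancer://my_cluster1>
    BalancerMember http://127.0.0.1:8081 route=jvm1
    BalancerMember http://127.0.0.1:8082 route=jvm2
    ProxySet lbmethod=bybusyness
</Proxy>
# manager reachable by everyone: anyone can drain or re-route the cluster
<Location /balancer-manager>
    SetHandler balancer-manager
    Require all granted
</Location>
EOF
# hardened variant: manager only from the local host
sed 's/Require all granted/Require ip 127.0.0.1/' "$CONF_EXPOSED" > "$CONF_HARDENED"
# variant with one LoadModule line still commented out
sed 's/^LoadModule slotmem_shm_module/#&/' "$CONF_HARDENED" > "$CONF_MISSING_MODULE"

for f in "$CONF_EXPOSED" "$CONF_HARDENED" "$CONF_MISSING_MODULE"; do
    if lint_httpd_conf "$f"; then echo "$f: OK"; else echo "$f: FAILED"; fi
done
```

Run it against apache/conf/httpd.conf after the edits in this section, and again after 4.7, since that step loads more modules. A failure on the module check is what "Invalid command 'ProxyPass'" at apachectl start looks like before you start Apache.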
4.5 Store CAS server tickets in memcached
Open webapp/WEB-INF/spring-configuration/ticketRegistry.xml. The shipped file declares the in-memory registry:
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry" />
Replace the file with the following. The root element must declare the util namespace, which the hashAlg property below needs:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util-3.1.xsd">
  <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.MemCacheTicketRegistry">
    <constructor-arg index="0" ref="memcachedClient" />
    <!-- TGT timeout in seconds -->
    <constructor-arg index="1" value="28800" />
    <!-- ST timeout in seconds -->
    <constructor-arg index="2" value="10" />
  </bean>
  <bean id="memcachedClient" class="net.spy.memcached.spring.MemcachedClientFactoryBean"
        p:servers="host1:11211,host2:11211,host3:11211"
        p:protocol="BINARY"
        p:locatorType="CONSISTENT"
        p:failureMode="Redistribute"
        p:transcoder-ref="kryoTranscoder">
    <property name="hashAlg">
      <util:constant static-field="net.spy.memcached.DefaultHashAlgorithm.${memcached.hashAlgorithm}" />
    </property>
  </bean>
  <bean id="kryoTranscoder"
        class="org.jasig.cas.ticket.registry.support.kryo.KryoTranscoder" init-method="initialize">
    <!-- initialBufferSize -->
    <constructor-arg index="0" value="8192" />
  </bean>
  <!-- Quartz -->
  <!-- TICKET REGISTRY CLEANER -->
  <bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
        p:ticketRegistry-ref="ticketRegistry" />
  <bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"
        p:targetObject-ref="ticketRegistryCleaner"
        p:targetMethod="clean" />
  <bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
        p:jobDetail-ref="jobDetailTicketRegistryCleaner"
        p:startDelay="20000"
        p:repeatInterval="5000000" />
</beans>
Before this works, a few adjustments. p:servers lists placeholder hosts; replace them with the real memcached servers (127.0.0.1:11211 for the instance started in 4.2). ${memcached.hashAlgorithm} is resolved from cas.properties, so add a line such as memcached.hashAlgorithm=FNV1_64_HASH (any constant of net.spy.memcached.DefaultHashAlgorithm), and use the same value on every node, otherwise the nodes hash the same key to different servers. The two constructor timeouts are the memcached TTLs for ticket-granting tickets (28800 s, 8 hours) and service tickets (10 s); keep them in line with the policies in ticketExpirationPolicies.xml, or a ticket CAS still considers valid can vanish from the cache before it is used. memcached expires keys on its own, so the Quartz cleaner beans add nothing with this registry and can be dropped.
The jars the registry needs on the webapp classpath (WEB-INF/lib), version numbers as in the original:
cas-server-integration-memcached-3.5.2.jar
spymemcached-xxx.jar
kryo-xxx.jar
mockito-core-xxx.jar
Every TGT now lives in memcached, so anyone who can reach port 11211 can read or plant logged-in sessions. memcached has no authentication; keep the port reachable only from the CAS nodes (see 4.2 and the firewall notes in 4.6).
4.6 Configure the firewall (optional)
iptables -L -n --line-numbers
If there are no existing rules worth keeping, clear everything:
# reset the default policies in the filter table.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# flush all the rules in the filter and nat tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# erase all chains that's not default in filter and nat table.
iptables -X
iptables -t nat -X
iptables -t mangle -X
Then send the standard ports to Apache's listeners (8008 for HTTP, 8009 for HTTPS, configured in 4.7):
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8008
iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 8008
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8009
iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 8009
/etc/init.d/iptables save
service iptables restart
Three caveats. After the reset script every default policy is ACCEPT and all chains are empty, so until you add INPUT rules the host accepts connections on every port, including memcached (11211) and the two Tomcat HTTP ports (8081, 8082) that only Apache should reach; allow 80, 443 and your SSH port from outside and drop the rest before saving. The udp rules do nothing, since HTTP and HTTPS here are TCP only; they are harmless. PREROUTING only sees packets arriving from other hosts, so tests run on the machine itself must use the 8008/8009 ports directly.
Stop Apache before configuring HTTPS:
[cas@status cas]$ ./apache/bin/apachectl stop
4.7 Configure HTTPS
[cas@status cas]$ mkdir sslCert
[cas@status cas]$ cd sslCert/
### Step 1: generate the private key ###
[cas@status sslCert]$ openssl genrsa 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.................++++++
.....++++++
e is 65537 (0x10001)
### Generate the certificate signing request ###
[cas@status sslCert]$ openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:hand
Organizational Unit Name (eg, section) []:mas
Common Name (eg, your name or your server's hostname) []:192.168.0.39
Email Address []:zihan.ding@hand-china.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:hand
### Generate the certificate ###
[cas@status sslCert]$ openssl req -x509 -days 365 -key server.key -in server.csr > server.crt
[cas@status sslCert]$ ll
total 12
-rw-rw-r--. 1 cas cas 1082 Aug 30 14:22 server.crt
-rw-rw-r--. 1 cas cas  769 Aug 30 14:22 server.csr
-rw-rw-r--. 1 cas cas  887 Aug 30 14:19 server.key
This certificate is good enough to bring the listener up, not for production. A 1024-bit RSA key is below the 2048-bit minimum current browsers and JVMs accept; the Common Name is an IP address and there is no subjectAltName, so clients will refuse the name (use the SSO host name, hans.com, in a subjectAltName); being self-signed, it has to be imported into the trust store of every browser and into the JVM truststore of every CAS client application, since those validate tickets by calling this server over HTTPS. Also note the listing: server.key is mode 664, readable by every user in group cas and, depending on umask, by everyone; run chmod 600 server.key before copying it anywhere. The challenge password is stored only in the CSR and plays no role here.
[cas@ERPTEST-HEC cas]$ vim apache/conf/extra/httpd-ssl.conf
Two files need changes. In apache/conf/httpd.conf uncomment:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule rewrite_module modules/mod_rewrite.so
In apache/conf/extra/httpd-ssl.conf change the port and server name:
Listen 8009
<VirtualHost _default_:8009>
ServerName 192.168.0.39:8009
#ServerAdmin you@example.com
httpd-ssl.conf points SSLCertificateFile and SSLCertificateKeyFile at conf/server.crt and conf/server.key by default, which is why the files are copied there (only server.crt and server.key are needed; the CSR can stay behind):
[cas@status cas]$ cp sslCert/* apache/conf/
Start Apache:
[cas@ERPTEST-HEC cas]$ ./apache/bin/apachectl start
Then check that the balancer fails over: stop the first Tomcat, open 192.168.0.39 in a new browser tab (the request is now served by the second instance), bring the first back up and take the second down, reloading the page each time:
[cas@ERPTEST-HEC cas]$ sh 1#tomcat/bin/shutdown.sh
[cas@ERPTEST-HEC cas]$ sh 1#tomcat/bin/startup.sh
[cas@ERPTEST-HEC cas]$ sh 2#tomcat/bin/shutdown.sh
[cas@ERPTEST-HEC cas]$ sh 1#tomcat/bin/shutdown.sh
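The same certificate, issued the way a current client will accept it and with the key kept private, as an added example (not from the original post). It assumes the openssl command-line tool is installed; hans.com is the SSO name from 4.1 and server.key/server.crt are the file names httpd-ssl.conf expects. The extensions are supplied through a small config file rather than -addext so the command also works on the OpenSSL 1.0.x that ships with older CentOS. The demo run writes into a temporary directory; on the real host, run gen_self_signed against sslCert and copy the two files to apache/conf as above.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed server certificate
# with a 2048-bit key, a subjectAltName and a key file only its owner can read.
# Assumes the openssl CLI. Real usage:  gen_self_signed sslCert hans.com

# gen_self_signed DIR HOSTNAME: writes DIR/server.key (mode 0600) and
# DIR/server.crt (one year, CN and DNS SAN = HOSTNAME). Returns non-zero on failure.
gen_self_signed() {
    dir=$1; host=$2
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
CN = $host
[v3_server]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 so the key is created 0600 instead of the 0664 seen in the post's listing
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -x509 -new -key "$dir/server.key" -days 365 \
        -config "$dir/openssl.cnf" -out "$dir/server.crt" 2>/dev/null || return 1
}

# key_bits KEYFILE: print the RSA modulus size in bits (e.g. 2048)
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null | grep -Eo '[0-9]+ bit' | head -n 1 | cut -d' ' -f1
}

# cert_has_san CERTFILE HOSTNAME: 0 if the certificate lists DNS:HOSTNAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# file_mode FILE: permission string as ls prints it, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# cert_matches_key CERTFILE KEYFILE: 0 if the certificate's public key belongs to KEYFILE
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# --- demo run in a temporary directory ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
if gen_self_signed "$DEMO_DIR" hans.com; then
    echo "key bits: $(key_bits "$DEMO_DIR/server.key")"
    echo "key mode: $(file_mode "$DEMO_DIR/server.key")"
    if cert_has_san "$DEMO_DIR/server.crt" hans.com; then echo "SAN: DNS:hans.com present"; fi
    if cert_matches_key "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key"; then echo "cert/key: match"; fi
else
    echo "openssl failed (is the openssl CLI installed?)"
fi
```

The checks are the ones worth repeating whenever the certificate is replaced: key size, the SAN matching the name users type, the key's mode, and that the certificate in conf/ really belongs to the key in conf/ (a mismatched pair is the usual cause of "SSL_CTX_use_PrivateKey" errors at apachectl start). Clients still need to trust the self-signed certificate; a certificate from an internal or public CA for hans.com avoids that step.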
5 Optimization
5.1 Resource loading
[cas@ERPTEST-HEC cas]$ vim webapp/WEB-INF/view/jsp/default/ui/includes/bottom.jsp
The page loads resources from Google: two JavaScript files. Right-click each one, save it, and serve the copies from the webapp itself (pointing bottom.jsp at the local files).
Besides making the login page work without Internet access, this removes a third-party dependency: a script pulled from an external CDN runs with full access to the login form, so if you keep any remote script at all, pin it with Subresource Integrity.
5.2 Apache maximum connections
[cas@ERPTEST-HEC cas]$ vim ./apache/conf/extra/httpd-mpm.conf
Explanation:
<IfModule mpm_prefork_module>
    StartServers 20
    MinSpareServers 20
    MaxSpareServers 30
    ServerLimit 1000
    MaxClients 1000
    MaxRequestsPerChild 10000
</IfModule>
Recommended values by deployment size: StartServers small = default, medium = 20-50, large = 50-100; MinSpareServers same as StartServers; MaxSpareServers small = 20, medium = 30-80, large = 80-120; ServerLimit equal to MaxClients; MaxClients small = 500, medium = 500-1500, large = 1500-3000; MaxRequestsPerChild small = 10000, medium or large = 10000-500000. Keep these notes out of the file itself: httpd does not allow comments on the same line as a directive.
Two things to check before expecting any effect. httpd was built with --with-mpm=worker in 4.1, so this prefork block is ignored unless the prefork MPM is actually loaded; tune the <IfModule mpm_worker_module> block (ThreadsPerChild, MaxRequestWorkers) instead, or rebuild with prefork. And httpd-mpm.conf is only read if the line "Include conf/extra/httpd-mpm.conf" is uncommented in httpd.conf. In httpd 2.4, MaxClients and MaxRequestsPerChild are the old names of MaxRequestWorkers and MaxConnectionsPerChild; both spellings are accepted.
[cas@ERPTEST-HEC cas]$ ./apache/bin/apachectl start
End of document.