Blog from April, 2011

CAS High Availability Upgrade
Brian Donnelly posted on Apr 08, 2011

At 6 p.m. 4/14, campus will cut over to high availability CAS

Starting at 6 p.m. on Thursday, April 14, the campus will cut over to a high availability version of CAS. The upgrade will include an IP address and DNS change for the CAS service.

IMPACT:

Client applications can expect service instability for 5 to 30 minutes after the cutover begins. This instability is caused by DNS propagation delays between client browsers and applications.

The major campus services affected include, but are not limited to, MyUCDavis, SmartSite, and Sympa. They will be unavailable for a few minutes during the cutover. End users should not have to do anything but wait for access to resume.

Many clients will also be affected in at least one of two additional ways:

  • Clients with DNS caching issues must modify their applications to sustain authentication services.
  • Clients with firewall whitelists for the CAS servers will also need to modify their applications.

Information and Educational Technology has created a test to help clients determine how the cutover will affect them. Read more about the test, plus solutions, below.

Note: The high availability cluster will use the same SSL certificate as the current service. No SSL-related changes should be necessary.

CAS-TEST SERVICE

IET has created a testing implementation of the high availability cluster at https://cas-test.ucdavis.edu/cas. It is the actual server cluster that will be placed into production on April 14. The cas-test service will be available through Monday, April 11. Then it will be brought down and reconfigured into production mode.

See more about the cas-test service at https://confluence.ucdavis.edu/confluence/x/OZg_AQ   

ACTIONS REQUIRED INVOLVING DNS:

Clients that perform persistent DNS caching will not pick up the DNS change of the upgraded CAS service. These clients must either:

  • Be modified so that they periodically refresh their DNS cache.
  • Restart their services to pick up the new DNS address of the CAS service.

Known affected clients: Java-based Cold Fusion and CAS clients running on a JDK prior to 1.6.0 .

To test an application to determine if it performs persistent DNS caching, use the cas-test service (see testing section, above). For information on how to modify Java configurations, see "Java DNS Caching Solutions" at https://confluence.ucdavis.edu/confluence/x/V4fvAQ   .

IET encourages clients to test their applications before April 14.

ACTIONS REQUIRED INVOLVING IP RESTRICTIONS:

Servers running egress firewalls that have whitelisted the current CAS servers must update their firewall configurations to allow access for the new server pool. They may do this before or after April 14. 

The new IPs for the CAS service are:

128.120.41.54

128.120.41.56

128.120.41.57

128.120.41.58

CONTACT:

Please direct questions about this change to the IT Express Computing Services Help Desk at 530 754-HELP (4357).