Comment: Migrated to Confluence 4.0

Java DNS Caching Solutions

CAS will be changing its IP address on April 14th, 2011. This change will be carried out on the Campus DNS servers which will have their outbound TTL for the cas.ucdavis.edu hostname set to 10 minutes prior to the change. However, Java-based CAS clients do not automatically pick up the DNS changes. This is caused by an underlying security setting of the Java Virtual Machine that caches DNS resolutions permanently between restarts. This causes those clients to break after the DNS switch, as they do not update their IP address to the new setting.

Affected Clients

If your service uses one of the following clients, YOU MUST use one of the workarounds listed below.

  • Ja-Sig Java CAS client (all versions)
  • JSP CAS Client
  • Cold Fusion (cas_auth_dbcache and cas_auth_filecache)

Unaffected Clients

If your service uses one of the following clients it is NOT NECESSARY to implement any of the listed workarounds.

  • mod_auth_cas
  • .NET CAS clients
  • ASP CAS Clients
  • CASAuthN ISAPI Client
  • Zope / Plone Client

Workarounds

The following workarounds and resolutions will allow your Java-based CASified application to properly authenticate to CAS after the Data Center upgrade.

Workaround #1 - Change the DNS TTL for the JVM

There are two ways to change the DNS behavior for a JVM. The most reliable method is to change the settings in the java.security file for the JVM. It is also possible to pass command-line parameters, but this is not guaranteed to work. Each of the options is outlined below:

Info: Restart Required

Please note that after applying either of these properties, you must restart Java in order for the changes to take effect.

Workaround #2 - Update JDK to 1.6.0 or greater

Java 1.6 introduced a change to the default DNS caching behaviour. The default value for networkaddress.cache.ttl changed from -1 (cache forever) to a system-dependent value, but only if you have no security manager installed. The permanent caching was intended as a safeguard against DNS cache poisoning, which is why it remains the default when a security manager is installed.

Note: Check your local system configuration

Please note that upgrading to JDK 1.6.0 may not resolve DNS caching issues if the system-dependent value is set to cache indefinitely. Please check your system settings for DNS caching before relying on this solution.
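
One way to check what Workaround #1 or #2 actually leaves in effect is to ask the JVM itself. The following is an added example, not part of the original page: the class name is hypothetical, and sun.net.inetaddr.ttl is the command-line counterpart of networkaddress.cache.ttl in Oracle/OpenJDK JVMs, which this page does not name.

```java
import java.security.Security;

/** Added example: reports the DNS cache policy the running JVM will apply. */
public class DnsCachePolicyCheck {

    /** Parses a TTL setting; returns null when unset or not an integer. */
    static Integer parse(String value) {
        if (value == null) return null;
        try {
            return Integer.valueOf(value.trim());
        } catch (NumberFormatException e) {
            return null; // unparsable values are treated as unset
        }
    }

    /**
     * Resolves the policy in the order OpenJDK applies it: the security property
     * first, the system property only as a fallback, then the built-in default.
     */
    static String effectivePolicy(String secProp, String sysProp, boolean securityManager) {
        Integer ttl = parse(secProp);
        String source = "networkaddress.cache.ttl";
        if (ttl == null) {
            ttl = parse(sysProp);
            source = "sun.net.inetaddr.ttl";
        }
        if (ttl == null) {
            return securityManager
                ? "FOREVER (default with a security manager installed)"
                : "JVM default (forever before JDK 1.6, system-dependent from 1.6 on)";
        }
        if (ttl.intValue() < 0) return "FOREVER (" + source + "=" + ttl + ")";
        if (ttl.intValue() == 0) return "no caching (" + source + "=0)";
        return ttl + " seconds (" + source + ")";
    }

    public static void main(String[] args) {
        String policy = effectivePolicy(
            Security.getProperty("networkaddress.cache.ttl"), // from java.security
            System.getProperty("sun.net.inetaddr.ttl"),       // from a -D flag
            System.getSecurityManager() != null);
        System.out.println("Effective DNS cache policy: " + policy);
        // Non-zero exit lets a deployment script flag a JVM that would miss the IP change.
        System.exit(policy.startsWith("FOREVER") ? 1 : 0);
    }
}
```

Run it with the same JVM, java.security file and command-line flags as the CAS client application, since the result depends on all three.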

Workaround #3 - Perform a server restart after the CAS HA Upgrade

While this solution will not account for any future DNS changes, likely the easiest approach is to simply schedule a server restart after the CAS HA Upgrade is complete. We will clearly identify the upgrade window for the HA upgrade so that you may schedule your server restart with confidence.