CAS Problems
Kevin Jordan
kmj7777 at gmail.com
Wed Sep 27 21:35:46 EDT 2006
Yeah, and with a cacert.org certificate I get:
Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
And it didn't even like the p12 one, said something about RSA modulus size
being wrong.
On 9/27/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
>
> So you're saying you have normal CPU utilization with the self-signed
> certificate? Have you googled for anything related to that? We generally
> only use commercially signed certificates or self-signed here.
>
> -Scott
>
> On 9/27/06, Kevin Jordan <kmj7777 at gmail.com > wrote:
> >
> > No. It only goes down when I use the self-signed certificate generated
> > by keytool.
> >
> > On 9/27/06, Scott Battaglia < scott.battaglia at gmail.com> wrote:
> > >
> > > Did your CPU utilization go down at all though?
> > >
> > > On 9/27/06, Kevin Jordan < kmj7777 at gmail.com> wrote:
> > > >
> > > > Switching it back over to a self-signed certificate in the keystore
> > > > fixed that. I tried doing a p12 certificate, but it didn't like that much
> > > > either (something with the RSA modulus size).
> > > >
> > > > On 9/26/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > >
> > > > > It's looking like in the logs this error is repeating over and
> > > > > over (and somehow generated 2.7GB worth):
> > > > >
> > > > > > Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
> > > > > > SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> > > > > > java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> > > > > >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
> > > > > >     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
> > > > > >     at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
> > > > > >     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > > > > >     at java.lang.Thread.run(Thread.java:534)
> > > > >
> > > > > I'm not sure if this was the problem before I upgraded and started
> > > > > over, but it does seem to be now. I've generated my certificates from
> > > > > cacert.org, so do you know where I set the cipher suites?
> > > > >
> > > > > On 9/26/06, Kevin Jordan < kmj7777 at gmail.com> wrote:
> > > > > >
> > > > > > Well, this is a fresh install with just mod_jk and SSL enabled
> > > > > > with CAS thrown in so I'm not sure what it is. I'll look into JMX though.
> > > > > >
> > > > > > On 9/26/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > >
> > > > > > > That's strange. We're running Java 1.5 and Tomcat 5.5 in
> > > > > > > production (and in test under heavy load) and not seeing 100% Java CPU
> > > > > > > utilization. Could there be some kind of misconfiguration? Can you connect
> > > > > > > via JMX to the JVM or Tomcat and see if there is anything out of the
> > > > > > > ordinary going on?
> > > > > > >
> > > > > > > -Scott
> > > > > > >
> > > > > > > On 9/26/06, Kevin Jordan < kmj7777 at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Yeah, it happens with Tomcat 5 with Java 1.5, Tomcat 5.5 with Java
> > > > > > > > 1.5, and Tomcat 5.5 with Java 1.4.
> > > > > > > >
> > > > > > > > On 9/26/06, Scott Battaglia < scott.battaglia at gmail.com>
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > Does this happen in a test/loadtest environment? With
> > > > > > > > > Java 1.5? We generally use Tomcat 5.5 with Java 1.5 (we
> > > > > > > > > also run on Solaris).
> > > > > > > > >
> > > > > > > > > -Scott
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 9/25/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > At the time, around 10 or less, and it idles that high
> > > > > > > > > > > as well. We're running it on Tomcat 5.5 with Java 1.4.2 on Gentoo Linux.
> > > > > > > > > >
> > > > > > > > > > On 9/25/06, Scott Battaglia <scott.battaglia at gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > That seems very high. How many authentications are
> > > > > > > > > > > you doing? What type of machine is it?
> > > > > > > > > > >
> > > > > > > > > > > On 9/25/06, Kevin Jordan < kmj7777 at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > I ended up just deleting the cas directory and
> > > > > > > > > > > > having it restore itself from the war file and it seems to work now.
> > > > > > > > > > > > However, java is still at 99-100% CPU usage.
> > > > > > > > > > > >
> > > > > > > > > > > > On 9/25/06, Scott Battaglia <
> > > > > > > > > > > > scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > Are there any errors in your Tomcat log? Did you
> > > > > > > > > > > > > do a thread dump before you restarted the server? If so, please pass those
> > > > > > > > > > > > > along.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > -Scott
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 9/25/06, Kevin Jordan <kmj7777 at gmail.com>
> > > > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > My CAS was working well up until Friday and
> > > > > > > > > > > > > > then Java started taking 100% of the CPU (still is, and I changed JDKs and
> > > > > > > > > > > > > > > upgraded Tomcat and CAS) which interfered with my LDAP on the same
> > > > > > > > > > > > > > machine. Now I've moved LDAP off and that's fine, and it worked for the
> > > > > > > > > > > > > > first couple logins, but now I'm getting this error:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 5AE5 .START ****************** [CAS.php:396]
> > > > > > > > > > > > > > > 5AE5 .=> phpCAS::client('2.0', 'cerberus.xteconline.com', 443, '/cas', true) [headerCAS.php:32]
> > > > > > > > > > > > > > > 5AE5 .| => CASClient::CASClient('2.0', false, 'cerberus.xteconline.com', 443, '/cas', true) [CAS.php:297]
> > > > > > > > > > > > > > > 5AE5 .| | ST 'ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' found [client.php:537]
> > > > > > > > > > > > > > > 5AE5 .| <= ''
> > > > > > > > > > > > > > > 5AE5 .<= ''
> > > > > > > > > > > > > > > 5AE5 .=> phpCAS::forceAuthentication() [headerCAS.php:33]
> > > > > > > > > > > > > > > 5AE5 .| => CASClient::forceAuthentication() [CAS.php:873]
> > > > > > > > > > > > > > > 5AE5 .| | => CASClient::isAuthenticated() [client.php:615]
> > > > > > > > > > > > > > > 5AE5 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:670]
> > > > > > > > > > > > > > > 5AE5 .| | | | no user found [client.php:771]
> > > > > > > > > > > > > > > 5AE5 .| | | <= false
> > > > > > > > > > > > > > > 5AE5 .| | | ST `ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' is present [client.php:677]
> > > > > > > > > > > > > > > 5AE5 .| | | => CASClient::validateST('', NULL, NULL) [client.php:678]
> > > > > > > > > > > > > > > 5AE5 .| | | | => CASClient::getURL() [client.php:366]
> > > > > > > > > > > > > > > 5AE5 .| | | | <= 'http://apache01.xteconline.com/dmt/'
> > > > > > > > > > > > > > > 5AE5 .| | | | => CASClient::readURL('https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', '', NULL, NULL, NULL) [client.php:905]
> > > > > > > > > > > > > > > 5AE5 .| | | | <= true
> > > > > > > > > > > > > > > 5AE5 .| | | | bad XML root node (should be `serviceResponse' instead of `' [client.php:956]
> > > > > > > > > > > > > > > 5AE5 .| | | | => CASClient::authError('ST not validated', 'https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', false, true, false) [client.php:961]
> > > > > > > > > > > > > > > 5AE5 .| | | | | => CASClient::getURL() [client.php:1967]
> > > > > > > > > > > > > > > 5AE5 .| | | | | <= 'http://apache01.xteconline.com/dmt/'
> > > > > > > > > > > > > > > 5AE5 .| | | | | CAS URL: https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20 [client.php:1968]
> > > > > > > > > > > > > > > 5AE5 .| | | | | Authentication failure: ST not validated [client.php:1969]
> > > > > > > > > > > > > > > 5AE5 .| | | | | Reason: bad response from the CAS server [client.php:1974]
> > > > > > > > > > > > > > > 5AE5 .| | | | | CAS response: [client.php:1988]
> > > > > > > > > > > > > > > 5AE5 .| | | | | exit()
> > > > > > > > > > > > > > > 5AE5 .| | | | | -
> > > > > > > > > > > > > > > 5AE5 .| | | | -
> > > > > > > > > > > > > > > 5AE5 .| | | -
> > > > > > > > > > > > > > > 5AE5 .| | -
> > > > > > > > > > > > > > > 5AE5 .| -
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > What happened? Why am I getting an empty
> > > > > > > > > > > > > > > serviceResponse? I've upgraded phpCAS as well and I still get that error...
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Kevin Jordan
> > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Kevin Jordan
> > > > > > > > > > --
> > > > > > > > > > Kevin Jordan
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Yale CAS mailing list
> > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Kevin Jordan
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Yale CAS mailing list
> > > > > > > > cas at tp.its.yale.edu
> > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Yale CAS mailing list
> > > > > > > cas at tp.its.yale.edu
> > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Kevin Jordan
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Kevin Jordan
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Kevin Jordan
> > --
> > Kevin Jordan
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> >
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
--
Kevin Jordan