CAS Problems

Kevin Jordan kmj7777 at gmail.com
Fri Sep 29 07:34:52 EDT 2006


Well, I tried to, but every time I did, it said that it was an invalid X509
certificate.  I tried the PEM file on their site, the DER file on their
site, the PEM file Gentoo includes, and converting said files to X509, but
it didn't like any of them.

On 9/28/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
>
> Are you importing the cacert.org certificate correctly? (I'm not too
> familiar with it).  I remember having trouble importing one of their Root CA
> certificates.
>
> On 9/27/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> >
> > Yeah, and with a cacert.org certificate I get:
> > Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
> > SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> > java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
> >         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
> >         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> >         at java.lang.Thread.run(Thread.java:534)
> >
> > And it didn't even like the p12 one, said something about RSA modulus
> > size being wrong.
> >
> >
> > On 9/27/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > >
> > > So you're saying you have normal CPU utilization with the self-signed
> > > certificate?  Have you googled for anything related to that?  We generally
> > > only use commercially signed certificates or self-signed here.
> > >
> > > -Scott
> > >
> > > On 9/27/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > >
> > > > No.  It only goes down when I use the self-signed certificate
> > > > generated by keytool.
> > > >
> > > > On 9/27/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > >
> > > > > Did your CPU utilization go down at all though?
> > > > >
> > > > > On 9/27/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > >
> > > > > > Switching it back over to a self-signed certificate in the
> > > > > > keystore fixed that.  I tried doing a p12 certificate, but it didn't like
> > > > > > that much either (something with the RSA modulus size).
> > > > > >
> > > > > > On 9/26/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > >
> > > > > > > It's looking like in the logs this error is repeating over and
> > > > > > > over (and somehow generated 2.7GB worth):
> > > > > > >
> > > > > > > Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
> > > > > > > SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> > > > > > > java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
> > > > > > >         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
> > > > > > >         at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
> > > > > > >         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
> > > > > > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> > > > > > >         at java.lang.Thread.run(Thread.java:534)
> > > > > > >
> > > > > > > I'm not sure if this was the problem before I upgraded and
> > > > > > > started over, but it does seem to be now.  I've generated my certificates
> > > > > > > from cacert.org, so do you know where I set the cipher suites?
> > > > > > >
> > > > > > > On 9/26/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > > >
> > > > > > > > Well, this is a fresh install with just mod_jk and SSL
> > > > > > > > enabled with CAS thrown in so I'm not sure what it is.  I'll look into JMX
> > > > > > > > though.
> > > > > > > >
> > > > > > > > On 9/26/06, Scott Battaglia <scott.battaglia at gmail.com>
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > That's strange. We're running Java 1.5 and Tomcat 5.5 in
> > > > > > > > > production (and in test under heavy load) and not seeing 100% Java CPU
> > > > > > > > > utilization.  Could there be some kind of misconfiguration?  Can you connect
> > > > > > > > > via JMX to the JVM or Tomcat and see if there is anything out of the
> > > > > > > > > ordinary going on?
> > > > > > > > >
> > > > > > > > > -Scott
> > > > > > > > >
> > > > > > > > > On 9/26/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > Yeah, it happens with Tomcat 5 with Java 1.5, Tomcat 5.5 with Java
> > > > > > > > > > 1.5, and Tomcat 5.5 with Java 1.4.
> > > > > > > > > >
> > > > > > > > > > On 9/26/06, Scott Battaglia <scott.battaglia at gmail.com>
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > Does this happen in a test/loadtest environment?  With
> > > > > > > > > > > Java 1.5?  We generally use Tomcat 5.5 with Java 1.5 (we also run on Solaris).
> > > > > > > > > > >
> > > > > > > > > > > -Scott
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On 9/25/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > At the time, around 10 or less, and it idles that
> > > > > > > > > > > > high as well.  We're running it on Tomcat 5.5 with
> > > > > > > > > > > > Java 1.4.2 on Gentoo Linux.
> > > > > > > > > > > >
> > > > > > > > > > > > On 9/25/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > That seems very high.  How many authentications
> > > > > > > > > > > > > are you doing?  What type of machine is it?
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 9/25/06, Kevin Jordan <kmj7777 at gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I ended up just deleting the cas directory and
> > > > > > > > > > > > > > having it restore itself from the war file and it seems to work now.
> > > > > > > > > > > > > > However, java is still at 99-100% CPU usage.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 9/25/06, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Are there any errors in your Tomcat log?   Did
> > > > > > > > > > > > > > > you do a thread dump before you restarted the server?  If so, please pass
> > > > > > > > > > > > > > > those along.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > > -Scott
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On 9/25/06, Kevin Jordan <kmj7777 at gmail.com>
> > > > > > > > > > > > > > > wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > >  My CAS was working well up until Friday and
> > > > > > > > > > > > > > > > then Java started taking 100% of the CPU (still is, and I changed JDKs and
> > > > > > > > > > > > > > > > upgraded Tomcat and CAS) which interfered with my LDAP on the same
> > > > > > > > > > > > > > > > machine.  Now I've moved LDAP off and that's fine, and it worked for the
> > > > > > > > > > > > > > > > first couple logins, but now I'm getting this error:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 5AE5 .START ****************** [CAS.php:396]
> > > > > > > > > > > > > > > > 5AE5 .=> phpCAS::client('2.0', 'cerberus.xteconline.com', 443, '/cas', true) [headerCAS.php:32]
> > > > > > > > > > > > > > > > 5AE5 .|    => CASClient::CASClient('2.0', false, 'cerberus.xteconline.com', 443, '/cas', true) [CAS.php:297]
> > > > > > > > > > > > > > > > 5AE5 .|    |    ST 'ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' found [client.php:537]
> > > > > > > > > > > > > > > > 5AE5 .|    <= ''
> > > > > > > > > > > > > > > > 5AE5 .<= ''
> > > > > > > > > > > > > > > > 5AE5 .=> phpCAS::forceAuthentication() [headerCAS.php:33]
> > > > > > > > > > > > > > > > 5AE5 .|    => CASClient::forceAuthentication() [CAS.php:873]
> > > > > > > > > > > > > > > > 5AE5 .|    |    => CASClient::isAuthenticated() [client.php:615]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    => CASClient::wasPreviouslyAuthenticated() [client.php:670]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    no user found [client.php:771]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    <= false
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    ST `ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' is present [client.php:677]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    => CASClient::validateST('', NULL, NULL) [client.php:678]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    => CASClient::getURL() [client.php:366]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    <= 'http://apache01.xteconline.com/dmt/'
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    => CASClient::readURL('https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', '', NULL, NULL, NULL) [client.php:905]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    <= true
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    bad XML root node (should be `serviceResponse' instead of `' [client.php:956]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    => CASClient::authError('ST not validated', 'https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', false, true, false) [client.php:961]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    => CASClient::getURL() [client.php:1967]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    <= 'http://apache01.xteconline.com/dmt/'
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    CAS URL: https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20 [client.php:1968]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    Authentication failure: ST not validated [client.php:1969]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    Reason: bad response from the CAS server [client.php:1974]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    CAS response:  [client.php:1988]
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    exit()
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    |    -
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    |    -
> > > > > > > > > > > > > > > > 5AE5 .|    |    |    -
> > > > > > > > > > > > > > > > 5AE5 .|    |    -
> > > > > > > > > > > > > > > > 5AE5 .|    -
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > What happened?  Why am I getting an empty
> > > > > > > > > > > > > > > > serviceResponse?  I've upgraded phpCAS as well and I still get that error...
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > Kevin Jordan
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas


-- 
Kevin Jordan