mod_auth_cas 'pause'.
Ames, Phillip
phil.ames at uconn.edu
Wed Feb 6 22:49:29 EST 2008
James,
Based on your OpenVZ remark, I assume this is a virtual server... Where are you placing the CASCookieEntropy statement? In the global server config, or in a vhost config? Wherever it is, try placing it in the opposite container. You can also add some debugging statements to spit out the value of CASCookieEntropy at various points if you want to ensure that the value you set is being honored. Even though your CASCookieEntropy may only be 32 bits, since some SSL communication occurs (to validate the tickets and/or transmit data to the user) that eats up entropy as well. Is it safe to assume that this is a development/non-production environment? When developing mod_auth_cas on a virtualized platform, I always struggle with entropy issues, but when we rolled it into production on virtualized platforms there is enough entropy generated based on users' interaction with the system that there is no pause.
-Phil
-----Original Message-----
From: cas-bounces at tp.its.yale.edu on behalf of James Chabot-Weingart
Sent: Wed 2/6/2008 8:40 AM
To: cas at tp.its.yale.edu
Subject: RE: mod_auth_cas 'pause'.
We are having similar problems with a Debian Etch server on OpenVZ
(protecting AWstats). I tried changing the CASCookieEntropy to 32, 16, and
8 (reloading apache each time), but it doesn't seem to have made a
difference. I can still watch the entropy tick up until it passes 64, then
goes back down to zero and slowly accumulates again.
I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not
seem to be respecting the directive.
Here is my auth_cas.conf:
CASLoginURL https://login.uconn.edu/cas/login
CASValidateURL https://login.uconn.edu/cas/serviceValidate
CASCertificatePath /etc/ssl/certs/uconnCA.pem
CASTimeout 7200
CASIdleTimeout 3600
CASCookiePath /tmp/cas/
CASCookieEntropy 32
server-info shows the correct CASCookieEntropy value, so apache seems to
know about it. It seems like I must be missing something obvious, but I
can't figure out what. My next step is going to be tweaking the debugging
code, so that I can get mod_auth_cas to tell me what it thinks
CASCookieEntropy is at a couple of different spots.
I appreciate your time.
Thank you,
-James
Matt is spot on here. These were my thoughts:
* Have you changed the CASCookieEntropy value?
* What is your /proc/sys/kernel/random/entropy_avail value (especially
when seeing this slowdown? Try 'watch -n 0 cat
/proc/sys/kernel/random/entropy_avail')
* Is this being done in an isolated VM? If so, can you try it on a more
active VM or 'real' machine that has entropy sources?
-Phil
-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Smith, Matt
Sent: Tuesday, December 18, 2007 1:17 PM
To: Yale CAS mailing list
Subject: Re: mod_auth_cas 'pause'.
Robert-
Three thoughts:
1) Are you running under virtualization (VMWare, Xen, etc)? We've seen
a couple small problems with entropy generation in that scenario. You
can try reducing CASCookieEntropy to something smaller than 32, say, 16.
2) Make sure the directory specified by CASCookiePath exists, has proper
permissions, and has space.
3) Is CASCertificatePath pointing to a directory (the default is
/etc/ssl/certs/)? If so, try pointing directly to the single cert
representing your CAS server's signing CA. Sometimes the directory
lookup takes some time.
Please let us know if any of this seems to help.
HTH,
-Matt
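An added example, not part of the original thread and not mod_auth_cas code: a shell helper that summarizes a series of /proc/sys/kernel/random/entropy_avail readings and counts how often the pool climbs past a threshold and is then emptied, the pattern James describes. The function names, the low-water mark of 8 and the sample readings are assumptions constructed for illustration; 64 is the value reported in the thread.

```shell
#!/bin/sh
# Added example: summarize entropy_avail readings (one integer per line on stdin).
# A "drain" is counted each time the pool has reached at least HIGH and a
# later reading falls to LOW or below, i.e. something consumed the pool.

entropy_summary() {
    # $1 = high-water mark (default 64, the value seen in the thread)
    # $2 = low-water mark (default 8, an assumption)
    awk -v high="${1:-64}" -v low="${2:-8}" '
        /^[0-9]+$/ {
            v = $1 + 0
            if (n == 0 || v < min) min = v
            if (n == 0 || v > max) max = v
            n++
            if (v >= high) armed = 1
            else if (armed && v <= low) { drains++; armed = 0 }
        }
        END {
            if (n == 0) { print "samples=0 min=0 max=0 drains=0"; exit }
            printf "samples=%d min=%d max=%d drains=%d\n", n, min, max, drains
        }'
}

# Collect COUNT readings, one per second, from the kernel counter
# (or from another file given as $2, which makes offline testing possible).
sample_entropy() {
    count="${1:-30}"
    src="${2:-/proc/sys/kernel/random/entropy_avail}"
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$src" || return 1
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep 1; fi
    done
    return 0
}

# Constructed readings that mimic the sawtooth described in the thread.
constructed_samples() {
    printf '%s\n' 3 17 41 66 0 12 35 70 2 20
}

# Live use while reproducing the pause:
#   sample_entropy 30 | entropy_summary
```

Comparing the drain count with and without requests hitting the CAS-protected location shows whether the pool is being emptied at the same moments the pause occurs.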