mod_auth_cas 'pause'.

Smith, Matt matt.smith at uconn.edu
Thu Feb 7 12:18:19 EST 2008 

James-

  As Phil says, CASCookieEntropy does not affect the entropy gather for
the SSL work internal to m-a-c.  I've been running into this problem
myself on some low-use boxes, and I'm planning (when time allows) to
look at the rng-tools for a solution.  If you have the chance, I'd
recommend taking a look at them - and if you do, please let us know your
results.

Thanks,
-Matt


On Wed, 2008-02-06 at 05:40 -0800, James Chabot-Weingart wrote:
> We are having similar problems with a Debian Etch server on OpenVZ
> (protecting AWstats).  I tried changing the CASCookieEntropy to 32, 16, and
> 8 (reloading apache each time), but it doesn't seem to have made a
> difference. I can still watch the entropy tick up until it passes 64, then
> goes back down to zero and slowly accumulates again.
> 
> I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not
> seem to be respecting the directive.
> 
> Here is my auth_cas.conf:
> 
>  CASLoginURL https://login.uconn.edu/cas/login
>  CASValidateURL https://login.uconn.edu/cas/serviceValidate
>  CASCertificatePath /etc/ssl/certs/uconnCA.pem
>  CASTimeout 7200
>  CASIdleTimeout 3600
>  CASCookiePath /tmp/cas/
>  CASCookieEntropy 32
> 
> server-info shows the correct CASCookieEntropy value, so apache seems to
> know about it.  It seems like I must be missing something obvious, but I
> can't figure out what.  My next step is going to be tweaking the debugging
> code, so that I can get mod_auth_cas to tell me what it thinks
> CASCookieEntropy is at a couple of different spots.
> 
> I appreciate your time.
> 
> Thank you,
> -James
> 
> 
> 
> Matt is spot on here.  These were my thoughts:
> 
> * Have you changed the CASCookieEntropy value?
> 
> * What is your /proc/sys/kernel/random/entropy_avail value (especially
> when seeing this slowdown?  Try 'watch -n 0 cat
> /proc/sys/kernel/random/entropy_avail')
> 
> * Is this being done in an isolated VM?  If so, can you try it on a more
> active VM or 'real' machine that has entropy sources?
> 
> -Phil
> 
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> On Behalf Of Smith, Matt
> Sent: Tuesday, December 18, 2007 1:17 PM
> To: Yale CAS mailing list
> Subject: Re: mod_auth_cas 'pause'.
> 
> Robert-
>   Three thoughts:
> 
> 1) Are you running under virtualization (VMWare, Xen, etc)?  We've seen
> a couple small problems with entropy generation in that scenario.  You
> can try reducing CASCookieEntropy to something smaller than 32, say, 16.
> 
> 2) Make sure the directory specified by CASCookiePath exists, has proper
> permissions, and has space.
> 
> 3) Is CASCertificatePath pointing to a directory (the default is
> /etc/ssl/certs/)?  If so, try pointing directly to the single cert
> representing your CAS server's signing CA.  Sometimes the directory
> lookup takes some time.
> 
> Please let us know if any of this seems to help.
> 
> HTH,
> -Matt
-- 
Matt Smith
matt.smith at uconn.edu
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080207/4f0678f2/attachment.bin

More information about the cas mailing list