-Scott
On 9/29/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
Well, I tried to, but every time I did, it said that it was an invalid X509 certificate. I tried the PEM file on their site, the DER file on their site, the PEM file Gentoo includes, and converting said files to X509, but it didn't like any of them.

On 9/28/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
Are you importing the cacert.org certificate correctly? (I'm not too familiar with it). I remember having trouble importing one of their Root CA certificates.

On 9/27/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
Yeah, and with a cacert.org certificate I get:
Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
And it didn't even like the p12 one, said something about RSA modulus size being wrong.

On 9/27/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
So you're saying you have normal CPU utilization with the self-signed certificate? Have you googled for anything related to that? We generally only use commercially signed certificates or self-signed here.
-Scott

On 9/27/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
No. It only goes down when I use the self-signed certificate generated by keytool.

On 9/27/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
Did your CPU utilization go down at all though?

On 9/27/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
Switching it back over to a self-signed certificate in the keystore fixed that. I tried doing a p12 certificate, but it didn't like that much either (something with the RSA modulus size).
--

On 9/26/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
It's looking like in the logs this error is repeating over and over (and somehow generated 2.7GB worth):
Sep 27, 2006 12:00:00 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
I'm not sure if this was the problem before I upgraded and started over, but it does seem to be now. I've generated my certificates from cacert.org, so do you know where I set the cipher suites?
--

On 9/26/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
Well, this is a fresh install with just mod_jk and SSL enabled with CAS thrown in so I'm not sure what it is. I'll look into JMX though.

On 9/26/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
That's strange. We're running Java 1.5 and Tomcat 5.5 in production (and in test under heavy load) and not seeing 100% Java CPU utilization. Could there be some kind of misconfiguration? Can you connect via JMX to the JVM or Tomcat and see if there is anything out of the ordinary going on?
-Scott

On 9/26/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
Yeah, it happens with Tomcat 5 with Java 1.5, Tomcat 5.5 with Java 1.5, and Tomcat 5.5 with Java 1.4.

On 9/26/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
Does this happen in a test/loadtest environment? With Java 1.5? We generally use Tomcat 5.5 with Java 1.5 (we also run on Solaris).
-Scott

On 9/25/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
At the time, around 10 or less, and it idles that high as well. We're running it on Tomcat 5.5 with Java 1.4.2 on Gentoo Linux.

On 9/25/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
That seems very high. How many authentications are you doing? What type of machine is it?

On 9/25/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
I ended up just deleting the cas directory and having it restore itself from the war file and it seems to work now. However, java is still at 99-100% CPU usage.
--

On 9/25/06, Scott Battaglia <[EMAIL PROTECTED]> wrote:
Are there any errors in your Tomcat log? Did you do a thread dump before you restarted the server? If so, please pass those along.
Thanks
-Scott

On 9/25/06, Kevin Jordan <[EMAIL PROTECTED]> wrote:
My CAS was working well up until Friday and then Java started taking 100% of the CPU (still is, and I changed JDKs and upgraded Tomcat and CAS) which interfered with my LDAP on the same machine. Now I've moved LDAP off and that's fine, and it worked for the first couple logins, but now I'm getting this error:
5AE5 .START ****************** [CAS.php:396]
5AE5 .=> phpCAS::client('2.0', 'cerberus.xteconline.com', 443, '/cas', true) [headerCAS.php:32]
5AE5 .| => CASClient::CASClient('2.0', false, 'cerberus.xteconline.com', 443, '/cas', true) [CAS.php:297]
5AE5 .| | ST 'ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' found [client.php:537]
5AE5 .| <= ''
5AE5 .<= ''
5AE5 .=> phpCAS::forceAuthentication() [headerCAS.php:33]
5AE5 .| => CASClient::forceAuthentication() [CAS.php:873]
5AE5 .| | => CASClient::isAuthenticated() [client.php:615]
5AE5 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:670]
5AE5 .| | | | no user found [client.php:771]
5AE5 .| | | <= false
5AE5 .| | | ST `ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20' is present [client.php:677]
5AE5 .| | | => CASClient::validateST('', NULL, NULL) [client.php:678]
5AE5 .| | | | => CASClient::getURL() [client.php:366]
5AE5 .| | | | <= 'http://apache01.xteconline.com/dmt/'
5AE5 .| | | | => CASClient::readURL('https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', '', NULL, NULL, NULL) [client.php:905]
5AE5 .| | | | <= true
5AE5 .| | | | bad XML root node (should be `serviceResponse' instead of `' [client.php:956]
5AE5 .| | | | => CASClient::authError('ST not validated', 'https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20', false, true, false) [client.php:961]
5AE5 .| | | | | => CASClient::getURL() [client.php:1967]
5AE5 .| | | | | <= 'http://apache01.xteconline.com/dmt/'
5AE5 .| | | | | CAS URL: https://cerberus.xteconline.com:443/cas/serviceValidate?service=http://apache01.xteconline.com/dmt/&ticket=ST-14-eIdaNesjRgYwnbA6PRQgl11vRiOfKtFiH6k-20 [client.php:1968]
5AE5 .| | | | | Authentication failure: ST not validated [client.php:1969]
5AE5 .| | | | | Reason: bad response from the CAS server [client.php:1974]
5AE5 .| | | | | CAS response: [client.php:1988]
5AE5 .| | | | | exit()
5AE5 .| | | | | -
5AE5 .| | | | -
5AE5 .| | | -
5AE5 .| | -
5AE5 .| -
What happened? Why am I getting an empty serviceResponse? I've upgraded phpCAS as well and I still get that error...
--
Kevin Jordan
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
