Matt is spot on here. These were my thoughts:

* Have you changed the CASCookieEntropy value?
* What is your /proc/sys/kernel/random/entropy_avail value (especially when seeing this slowdown)? Try 'watch -n 0 cat /proc/sys/kernel/random/entropy_avail'
* Is this being done in an isolated VM? If so, can you try it on a more active VM or 'real' machine that has entropy sources?

-Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Matt
Sent: Tuesday, December 18, 2007 1:17 PM
To: Yale CAS mailing list
Subject: Re: mod_auth_cas 'pause'.

Robert-

Three thoughts:

1) Are you running under virtualization (VMware, Xen, etc)? We've seen a couple of small problems with entropy generation in that scenario. You can try reducing CASCookieEntropy to something smaller than 32, say, 16.
2) Make sure the directory specified by CASCookiePath exists, has proper permissions, and has space.
3) Is CASCertificatePath pointing to a directory (the default is /etc/ssl/certs/)? If so, try pointing directly to the single cert representing your CAS server's signing CA. Sometimes the directory lookup takes some time.

Please let us know if any of this seems to help.

HTH,
-Matt

On Tue, 2007-12-18 at 11:37 -0600, robert.sanders wrote:
> Having set up one CAS server for testing with a minimum of issues, I
> now seem to be running into a well when attempting to get CAS +
> mod_auth_cas (1.0.4) working properly on a second server. The issue is
> that after the user logs in (via CAS) the redirect back to the service
> url is sent, but then the browser sits there for a long time (1 or 2
> minutes) before the protected service page loads. The Apache logs seem
> to indicate that after the ticket is verified nothing happens for the
> time of the pause, and then as if out of nowhere mod_auth_cas creates
> a cookie and the page loads.
>
> My problematic setup:
> Ubuntu Server 7.10
> Apache 2.2.4 (standard)
> mod_jk (shipped w/ ubuntu, version 1.2.23)
> Sun Java 1.6.0_03 (from apt repo)
> Tomcat 6.0.14
>
> Apache 'Error' Log showing pause:
>
> [Tue Dec 18 10:48:14 2007] [info] [client 192.168.5.151] Connection closed to child 2 with standard shutdown (server test.server.com:443)
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(449): [client 192.168.5.151] Modified r->args (old 'ticket=ST-1-VofHoIblIwBO3ePjHixJ1hLlK5EFZdECa4T-20', new '')
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(386): [client 192.168.5.151] CAS Service 'http%3a%2f%2ftest.server.com%2fprotected%2f'
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1133): [client 192.168.5.151] Validation request: GET /cas/serviceValidate?service=http%3a%2f%2ftest.server.com%2fprotected%2f&ticket=ST-1-VofHoIblIwBO3ePjHixJ1hLlK5EFZdECa4T-20 HTTP/1.1\nHost: localhost\nConnection: close\n\n
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1140): [client 192.168.5.151] Request successfully transmitted
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1148): [client 192.168.5.151] Received 373 bytes of response
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1148): [client 192.168.5.151] Received 0 bytes of response
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1154): [client 192.168.5.151] Validation response: HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Type: text/html;charset=ISO-8859-1\r\nContent-Language: en-US\r\nContent-Length: 181\r\nDate: Tue, 18 Dec 2007 16:48:14 GMT\r\nConnection: close\r\n\r\n<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>\r\n\t<cas:authenticationSuccess>\r\n\t\t<cas:user>test_user</cas:user>\r\n\r\n\r\n\t</cas:authenticationSuccess>\r\n</cas:serviceResponse>
> [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(738): [client 192.168.5.151] Insufficient time elapsed since last cache clean
> [Tue Dec 18 10:48:29 2007] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO#8390c38 [mem: 837ec38]
> [Tue Dec 18 10:48:29 2007] [info] [client 192.168.5.151] (70007)The timeout specified has expired: SSL input filter read failed.
> [Tue Dec 18 10:48:29 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
> [Tue Dec 18 10:48:29 2007] [info] [client 192.168.5.151] Connection closed to child 1 with standard shutdown (server test.server.com:443)
> [Tue Dec 18 10:49:48 2007] [debug] mod_auth_cas.c(826): [client 192.168.5.151] Cookie 'c0e1f3fb6531c7c002cdd9aacf19704e' created for user 'test_user'
> [Tue Dec 18 10:49:48 2007] [debug] mod_auth_cas.c(280): [client 192.168.5.151] Determining CAS scope (path: /protected/, CASScope: (null), CASRenew: (null), CASGateway: (null))
> [Tue Dec 18 10:49:48 2007] [debug] mod_auth_cas.c(555): [client 192.168.5.151] Adding outgoing header: Set-Cookie: MOD_AUTH_CAS=c0e1f3fb6531c7c002cdd9aacf19704e;Path=/protected/
>
>
> Any ideas?
>
> Thanks,
>

--
Matt Smith
[EMAIL PROTECTED]
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
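Added example, not part of the original thread: a small Python script that locates the pause by measuring the silence between consecutive debug entries from one module in an Apache 2.2 error log. The function names and the 10-second threshold are assumptions of this example; the sample entries are abridged from the log quoted above.

```python
import re
from datetime import datetime

# Apache 2.2 error_log entry that names a C source location, e.g.
# [Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(738): ...
ENTRY_RE = re.compile(
    r"^\[(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})\] \[\w+\] ([\w.]+)\((\d+)\):"
)

# Constructed sample: entries abridged from the log quoted in the thread.
SAMPLE_LOG = """\
[Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(1148): [client 192.168.5.151] Received 0 bytes of response
[Tue Dec 18 10:48:14 2007] [debug] mod_auth_cas.c(738): [client 192.168.5.151] Insufficient time elapsed since last cache clean
[Tue Dec 18 10:48:29 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Tue Dec 18 10:48:29 2007] [info] [client 192.168.5.151] Connection closed to child 1 with standard shutdown (server test.server.com:443)
[Tue Dec 18 10:49:48 2007] [debug] mod_auth_cas.c(826): [client 192.168.5.151] Cookie 'c0e1f3fb6531c7c002cdd9aacf19704e' created for user 'test_user'
[Tue Dec 18 10:49:48 2007] [debug] mod_auth_cas.c(280): [client 192.168.5.151] Determining CAS scope (path: /protected/, CASScope: (null), CASRenew: (null), CASGateway: (null))
"""


def parse_entries(lines, module):
    """Return (timestamp, 'file(line)') for each entry emitted by `module`."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m and m.group(2) == module:  # skips other modules and [info] lines
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append((ts, f"{m.group(2)}({m.group(3)})"))
    return entries


def find_stalls(lines, module="mod_auth_cas.c", threshold=10):
    """Return (gap_seconds, entry_before, entry_after) for every silence of
    at least `threshold` seconds between consecutive entries from `module`."""
    entries = parse_entries(lines, module)
    stalls = []
    for (t0, src0), (t1, src1) in zip(entries, entries[1:]):
        gap = int((t1 - t0).total_seconds())
        if gap >= threshold:
            stalls.append((gap, src0, src1))
    return stalls


if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE_LOG.splitlines()):
        print(f"{gap}s stall between {before} and {after}")
```

On a server handling several clients at once, entries from different requests interleave, so filter the input to one client address before measuring gaps.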
