We are having similar problems with a Debian Etch server on OpenVZ (protecting AWstats). I tried changing the CASCookieEntropy to 32, 16, and 8 (reloading apache each time), but it doesn't seem to have made a difference. I can still watch the entropy tick up until it passes 64, then goes back down to zero and slowly accumulates again.
I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not seem to be respecting the directive. Here is my auth_cas.conf: CASLoginURL https://login.uconn.edu/cas/login CASValidateURL https://login.uconn.edu/cas/serviceValidate CASCertificatePath /etc/ssl/certs/uconnCA.pem CASTimeout 7200 CASIdleTimeout 3600 CASCookiePath /tmp/cas/ CASCookieEntropy 32 server-info shows the correct CASCookieEntropy value, so apache seems to know about it. It seems like I must be missing something obvious, but I can't figure out what. My next step is going to be tweaking the debugging code, so that I can get mod_auth_cas to tell me what it thinks CASCookieEntropy is at a couple of different spots. I appreciate your time. Thank you, -James Matt is spot on here. These were my thoughts: * Have you changed the CASCookieEntropy value? * What is your /proc/sys/kernel/random/entropy_avail value (especially when seeing this slowdown? Try 'watch -n 0 cat /proc/sys/kernel/random/entropy_avail') * Is this being done in an isolated VM? If so, can you try it on a more active VM or 'real' machine that has entropy sources? -Phil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Matt Sent: Tuesday, December 18, 2007 1:17 PM To: Yale CAS mailing list Subject: Re: mod_auth_cas 'pause'. Robert- Three thoughts: 1) Are you running under virtualization (VMWare, Xen, etc)? We've seen a couple small problems with entropy generation in that scenario. You can try reducing CASCookieEntropy to something smaller than 32, say, 16. 2) Make sure the directory specified by CASCookiePath exists, has proper permissions, and has space. 3) Is CASCertificatePath pointing to a directory (the default is /etc/ssl/certs/)? If so, try pointing directly to the single cert representing your CAS server's signing CA. Sometimes the directory lookup takes some time. Please let us know if any of this seems to help. HTH, -Matt -- View this message in context: http://www.nabble.com/mod_auth_cas-%27pause%27.-tp14402025p15306646.html Sent from the CAS Users mailing list archive at Nabble.com. _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
