James,

Based on your OpenVZ remark, I assume this is a virtual server...

Where are you placing the CASCookieEntropy statement? In the global server config, or in a vhost config? Wherever it is, try placing it in the opposite container. You can also add some debugging statements to spit out the value of CASCookieEntropy at various points if you want to ensure that the value you set is being honored.

Even though your CASCookieEntropy may only be 32 bits, since some SSL communication occurs (to validate the tickets and/or transmit data to the user) that eats up entropy as well.

Is it safe to assume that this is a development/non-production environment? When developing mod_auth_cas on a virtualized platform, I always struggle with entropy issues, but when we rolled it into production on virtualized platforms there is enough entropy generated based on users' interaction with the system that there is no pause.

-Phil

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of James Chabot-Weingart
Sent: Wed 2/6/2008 8:40 AM
To: [email protected]
Subject: RE: mod_auth_cas 'pause'.

We are having similar problems with a Debian Etch server on OpenVZ (protecting AWstats). I tried changing the CASCookieEntropy to 32, 16, and 8 (reloading apache each time), but it doesn't seem to have made a difference. I can still watch the entropy tick up until it passes 64, then goes back down to zero and slowly accumulates again.

I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not seem to be respecting the directive.

Here is my auth_cas.conf:

CASLoginURL https://login.uconn.edu/cas/login
CASValidateURL https://login.uconn.edu/cas/serviceValidate
CASCertificatePath /etc/ssl/certs/uconnCA.pem
CASTimeout 7200
CASIdleTimeout 3600
CASCookiePath /tmp/cas/
CASCookieEntropy 32

server-info shows the correct CASCookieEntropy value, so apache seems to know about it. It seems like I must be missing something obvious, but I can't figure out what. My next step is going to be tweaking the debugging code, so that I can get mod_auth_cas to tell me what it thinks CASCookieEntropy is at a couple of different spots.

I appreciate your time.

Thank you,
-James

Matt is spot on here. These were my thoughts:

* Have you changed the CASCookieEntropy value?
* What is your /proc/sys/kernel/random/entropy_avail value (especially when seeing this slowdown)? Try 'watch -n 0 cat /proc/sys/kernel/random/entropy_avail'
* Is this being done in an isolated VM? If so, can you try it on a more active VM or 'real' machine that has entropy sources?

-Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Matt
Sent: Tuesday, December 18, 2007 1:17 PM
To: Yale CAS mailing list
Subject: Re: mod_auth_cas 'pause'.

Robert-

Three thoughts:

1) Are you running under virtualization (VMWare, Xen, etc)? We've seen a couple small problems with entropy generation in that scenario. You can try reducing CASCookieEntropy to something smaller than 32, say, 16.

2) Make sure the directory specified by CASCookiePath exists, has proper permissions, and has space.

3) Is CASCertificatePath pointing to a directory (the default is /etc/ssl/certs/)? If so, try pointing directly to the single cert representing your CAS server's signing CA. Sometimes the directory lookup takes some time.

Please let us know if any of this seems to help.

HTH,
-Matt

--
View this message in context: http://www.nabble.com/mod_auth_cas-%27pause%27.-tp14402025p15306646.html
Sent from the CAS Users mailing list archive at Nabble.com.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
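The fill-and-drain pattern James describes (entropy_avail climbing past 64, then dropping back to zero) can be counted from logged samples and lined up against slow requests. This is an added example, not code from the thread or from mod_auth_cas; the function names, the thresholds 64 and 8, and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count "fill then drain" cycles in entropy_avail samples.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# count_drains HIGH LOW
# Reads one entropy_avail sample per line on stdin. A drain is counted each
# time the pool has reached at least HIGH bits and a later sample is <= LOW.
count_drains() {
    high=$1 low=$2 armed=0 drains=0
    while read -r bits; do
        case $bits in ''|*[!0-9]*) continue ;; esac   # skip non-numeric lines
        if [ "$bits" -ge "$high" ]; then
            armed=1                                   # pool filled; watch for a drop
        elif [ "$armed" -eq 1 ] && [ "$bits" -le "$low" ]; then
            drains=$((drains + 1))                    # a consumer emptied the pool
            armed=0
        fi
    done
    echo "$drains"
}

# sample_entropy COUNT INTERVAL
# Prints COUNT live samples, INTERVAL seconds apart.
sample_entropy() {
    n=$1
    while [ "$n" -gt 0 ]; do
        cat "$ENTROPY_FILE"
        n=$((n - 1))
        if [ "$n" -gt 0 ]; then sleep "$2"; fi
    done
}

# Constructed sample (not real data): a starved guest that fills past 64 and
# is drained twice, in the shape described in the thread.
constructed_samples() {
    printf '%s\n' 12 30 51 66 0 9 25 48 70 3 20
}

# Live use: ./entropy_drains.sh --live   (60 samples, one per second)
if [ "${1:-}" = "--live" ]; then
    sample_entropy 60 1 | count_drains 64 8
fi
```

A non-zero count during a slow login on an otherwise idle guest is consistent with the entropy starvation discussed in the thread; a busy host that stays well above the high threshold reports 0.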
