Please ignore that last input – that was a different ticket received.
My peers are not receiving STs.

Thanks.

Ted F. Fisher
Information Technology Services

From: Ted Fisher
Sent: Monday, April 04, 2016 12:07 PM
To: cas-user@apereo.org
Subject: RE: [cas-user] cas-mfa with CAS 4.1.4 and ehcache


Actually it looks like the ST is getting sent to the other nodes, but way too 
late.
On the peer node that got the validate request, here is what was logged:

INFO 2016-04-04 11:27:10,875 [http-8080-1][] com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-pZPuh27Kqyo1VWoBD2m1-authtest3.bgsu.edu
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Mon Apr 04 11:27:10 EDT 2016
CLIENT IP ADDRESS: 129.1.12.237
SERVER IP ADDRESS: 129.1.12.86
=============================================================

DEBUG 2016-04-04 11:28:03,031 [RMI TCP Connection(127)-129.1.12.85][] net.sf.ehcache.distribution.RMICachePeer - RMICachePeer for cache org.jasig.cas.ticket.ServiceTicket: remote put received. Element is: [ key = ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, value=ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, version=1, hitCount=0, CreationTime = 1459783684000, LastAccessTime = 1459783683031 ]

So, the ST was received but almost a full minute after the validate request.  
These nodes are in the same subnet and STs are set for synchronous replication.


Ted F. Fisher
Information Technology Services

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Ted Fisher
Sent: Monday, April 04, 2016 11:02 AM
To: Misagh Moayyed <mmoay...@unicon.net>; cas-user@apereo.org
Subject: RE: [cas-user] cas-mfa with CAS 4.1.4 and ehcache

I did up the logging and am finding this:
ERROR [http-bio-8080-exec-16] [net.sf.ehcache.distribution.RMISynchronousCacheReplicator] - Exception on replication of putNotification.
error marshalling arguments; nested exception is

There are similar entries for asynchronous for the TGT as well.  But, I had 
tcpdump running on all three nodes and I can see data on port 41001 where the 
new node is sending to both of the older nodes

Ted F. Fisher
Information Technology Services

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Misagh Moayyed
Sent: Friday, April 01, 2016 6:15 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] cas-mfa with CAS 4.1.4 and ehcache

First thing you want to do is upgrade your LOG levels for both Ehcache and CAS 
and trace the ticket activity. The logs should tell you why tickets fail to be 
located. Either it’s a replication/network/RMI issue, or some delay in the 
process which causes tickets to be expired and then removed.

--
Misagh

From: Ted Fisher <tffi...@bgsu.edu>
Reply: Ted Fisher <tffi...@bgsu.edu>
Date: March 31, 2016 at 3:37:02 PM
To: cas-user@apereo.org
Subject:  [cas-user] cas-mfa with CAS 4.1.4 and ehcache

We have gotten cas-mfa with CAS 4.1.4 running and configured with an ldap auth 
handler and duo authenticating OK and we are getting service tickets generated. 
 Our next step was to get ehcache configured to use the same cache as our 
existing 3.5.0 CAS servers so that ST’s would go there and apps with CAS 
clients doing ticket validation could validate them there (this is all in our 
test env right now).  From the looks of things STs and TGTs are the same so we 
should be able to share them like that.
I was pleased to see that the wiki docs explained ehcache config as very 
similar to our existing – we are doing RMI replication now.  I configured it 
pretty much the same as what we have now with the cache names changed to match 
our existing.  It builds and no errors logged when running and I see packets 
being sent to the other RMI addresses, so it looks like STs are being sent out 
to ehcache.  But, when the apps try to validate the ST they are not there.  I 
tried turning logging up to debug and still I see no indications of any issue.
Any pointers how to troubleshoot this ehcache issue?  Is there a way for me to 
dump the STs in cache?  It’s test and I can see that there are only a few 
there.  I’d like to verify that they are making it there.

Thanks.

Ted F. Fisher
Information Technology Services

From: Ted Fisher
Sent: Thursday, March 17, 2016 9:43 AM
To: 'cas-user@apereo.org' <cas-user@apereo.org>
Subject: cas-mfa with CAS 3.5.3

I haven’t been able to find any step-by docs for adding Unicon’s cas-mfa with 
duo to our CAS server.  I’ve tried following the instructions at 
https://github.com/Unicon/cas-mfa/ which results in a good build, but no duo 
authentication.  I would assume that is because those instructions are for CAS 
4.1.X.
Is there anything that will tell me what I need to have in place and what 
settings are needed for CAS 3.5.3?
I am trying to use cas-mfa version 1.0.0-RC2 since that looks to be the last 
that supported 3.5.X.  I’ve tried quite a few variations based on posts I found 
from others, but nothing is leading to any progress here.
README.md in 1.0.0-RC2 points to https://github.com/Unicon/cas-mfa/  which has 
instructions for 4.1.X, so I’m not finding anything on what this should look 
like.

Any help would be appreciated.

Environment:
CAS 3.5.3  on Tomcat 7,  2 RHEL 6 servers using java version "1.7.0_95"

Thanks.

Ted F. Fisher
Server Administrator
323 Hayes Hall
Information Technology Services
Email:  tffi...@bgsu.edu
Phone: 419.372.1626

--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN1PR0501MB201505290D704E32C198E0B9C09D0%40SN1PR0501MB2015.namprd05.prod.outlook.com.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/SN1PR0501MB2015F0DCDAA0A419172E0EEFC09D0%40SN1PR0501MB2015.namprd05.prod.outlook.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
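
The log comparison made in the messages above can be keyed on the ticket ID, so that a remote put for a different ticket is not read as late replication. This Python sketch is an added example, not part of the original thread or of CAS/Ehcache; the function names are hypothetical, the log layout is assumed to be the unwrapped form of the excerpts quoted above, and the last two sample events are constructed.

```python
import re
from datetime import datetime

# Events 1-2 are the ones quoted in the thread (unwrapped, abridged);
# events 3-4 are constructed to show a put that really does arrive late.
AUDIT = "com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN"
PEER = ("net.sf.ehcache.distribution.RMICachePeer - RMICachePeer for cache "
        "org.jasig.cas.ticket.ServiceTicket: remote put received. Element is: [ key = ")
SAMPLE_LOG = f"""\
INFO 2016-04-04 11:27:10,875 [http-8080-1][] {AUDIT}
WHAT: ST-2-pZPuh27Kqyo1VWoBD2m1-authtest3.bgsu.edu
ACTION: SERVICE_TICKET_VALIDATE_FAILED
DEBUG 2016-04-04 11:28:03,031 [RMI TCP Connection(127)-129.1.12.85][] {PEER}ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, version=1 ]
INFO 2016-04-04 11:30:00,000 [http-8080-2][] {AUDIT}
WHAT: ST-9-CONSTRUCTED-authtest1.bgsu.edu
ACTION: SERVICE_TICKET_VALIDATE_FAILED
DEBUG 2016-04-04 11:30:04,500 [RMI TCP Connection(128)-129.1.12.85][] {PEER}ST-9-CONSTRUCTED-authtest1.bgsu.edu, version=1 ]
"""

STAMP = re.compile(r"^(?:INFO|DEBUG|WARN|ERROR)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})")
PUT = re.compile(r"remote put received\. Element is: \[ key = (ST-[^,\s]+)")

def parse(log):
    """Return (failures, puts): ticket id -> timestamp of the first such event."""
    failures, puts, stamp, what = {}, {}, None, None
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:  # a new log record starts; remember its timestamp
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            what = None
            p = PUT.search(line)
            if p:
                puts.setdefault(p.group(1), stamp)
        elif line.startswith("WHAT: "):
            what = line[len("WHAT: "):].strip()
        elif line.strip() == "ACTION: SERVICE_TICKET_VALIDATE_FAILED" and what:
            failures.setdefault(what, stamp)
    return failures, puts

def correlate(log):
    """Per failed validation: seconds until the SAME ticket was put, or None if never."""
    failures, puts = parse(log)
    return {t: (puts[t] - ts).total_seconds() if t in puts else None
            for t, ts in failures.items()}

if __name__ == "__main__":
    for ticket, delay in correlate(SAMPLE_LOG).items():
        print(ticket, "never replicated" if delay is None else f"replicated {delay:+.1f}s")
```

A `None` result means the peer never logged a put for that ticket at all; a negative delay means the ticket was already in the peer's cache when validation failed, which points away from replication and toward expiry or another cause.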