Cannot connect to mdq.incommon.org


Juan María Reina Ortiz

Mar 2, 2022, 6:17:34 AM
to CAS Community
Good morning everybody

I'm trying to start cas-management and after a while, the process shows me the following:

ERROR [org.apereo.cas.util.HttpUtils] - <Connect to mdq.incommon.org:443 [mdq.incommon.org/13.33.232.95, mdq.incommon.org/13.33.232.10, mdq.incommon.org/13.33.232.66, mdq.incommon.org/13.33.232.102] failed: Expiró el tiempo de conexión (Connection timed out)>
org.apache.http.conn.HttpHostConnectException: Connect to mdq.incommon.org:443 [mdq.incommon.org/13.33.232.95, mdq.incommon.org/13.33.232.10, mdq.incommon.org/13.33.232.66, mdq.incommon.org/13.33.232.102] failed: Expiró el tiempo de conexión (Connection timed out)

My server is behind a proxy so I've configured the following:

cas.http-client.proxy-host=my_proxy_hostname
cas.http-client.proxy-port=my_proxy_port
cas.http-client.proxy-nonproxyihosts= domain_1,domain_2,domain_3
cas.https-client.proxy-host= my_proxy_hostname
cas.https-client.proxy-port= my_proxy_port
cas.https-client.proxy-nonproxyihosts=domain_1,domain_2,domain_3

But the situation persists. I've also tried to set the above when starting the process:

java -jar PATH_TO_CAS_MAN/cas-management.war -Dhttp.proxySet=true -Dhttps.proxySet=true -Dhttp.proxyHost=my_proxy_hostname...

It doesn't work

What do I have to configure? What's happening?

Thanks in advance

Juan María Reina Ortiz

Mar 2, 2022, 7:00:53 AM
to CAS Community, Juan María Reina Ortiz
I did some research and I don't see traffic through the proxy, but through the firewall, so I'm afraid the proxy is not configured properly. I did it by adding the above lines in management.properties...

Cheers

Juan María Reina Ortiz

Mar 2, 2022, 8:13:16 AM
to Petr Fišer, cas-...@apereo.org

Well, just changing "cas" to "mgmt" didn't work... I'm trying to configure proxy parameters when starting java, but it doesn't work either.

Cheers!

On 02/03/2022 at 13:18, Petr Fišer wrote:
Hello,
cas.* properties are meant to configure CAS, not the management app. Properties for management app start with "mgmt."
Skimming through https://github.com/apereo/cas-management/blob/6.3.x/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java there is no obvious property to configure a proxy.

Cheers,
Fiisch
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bf1b275f-4182-4708-8725-87818fb5adb2n%40apereo.org.

--
Juan María Reina Ortiz
IT Project Manager
+34 699 96 35 32
juanmaria.reina@soltel.es
www.soltel.es
Soltel Group
España: [Sevilla] - Madrid - Badajoz
México: México D.F.
Colombia: Bogotá

Petr Fišer

Mar 2, 2022, 8:35:02 AM
to cas-...@apereo.org, Juan María Reina Ortiz
Hello,
cas.* properties are meant to configure CAS, not the management app. Properties for management app start with "mgmt."
Skimming through https://github.com/apereo/cas-management/blob/6.3.x/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java there is no obvious property to configure a proxy.

Cheers,
Fiisch

On 03/02/2022 01:00 PM, Juan María Reina Ortiz wrote:

Ray Bon

Mar 2, 2022, 12:50:00 PM
to petr.f...@gmail.com, cas-...@apereo.org
Juan,

I am unable to find proxy-host in the cas 6.4 docs. It is in 6.3.
Is it still a property in 6.4?

Some cas. ... properties are available in cas-management. I searched around the code but could not find a place where proxy-host is used.

In cas 6.3 docs, I see only these proxy options

# cas.http-client.proxy-host=
# cas.http-client.proxy-port=0 

I see that incommon is still hard-coded into the cas management app, which is a shame.

Are you trying to get the incommon metadata?

Is that failure preventing cas management from working?

As a workaround, you could filter out those log messages.

Ray

On Wed, 2022-03-02 at 14:13 +0100, Juan María Reina Ortiz wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Juan María Reina Ortiz

Mar 3, 2022, 2:16:11 AM
to cas-...@apereo.org

Hello everybody

Ray, first of all, I have to confirm that I'm using 6.3. And, yes, some of the options were probably wrong, so I stuck to the ones you've mentioned. Anyway, it doesn't work, as the requests are not passing through the proxy... And I have to say that the proxy is working well, as I've had to configure it to build the product (gradle.properties)

This failure prevents my cas-management from starting.

Thanks for your help.



Juan María Reina Ortiz

Mar 10, 2022, 1:20:40 PM
to CAS Community, Juan María Reina Ortiz
Hello everybody

Doesn't anybody have to deal with this? I mean, having a cas-management installed on a server behind a proxy... 

In that case, can anybody point me to a different place where I could find some help?

Cheers!

Ray Bon

Mar 10, 2022, 2:03:57 PM
to cas-...@apereo.org, juanmar...@soltel.es
Juan,

You can manage your services without cas-management.
We use LDAP to store our service entries. The service JSON is in the description attribute.
If you are using a different storage system, you should be able to create/edit the service entries using the tools for that storage system.

I am using the 6.3.4 version and there are quirks/bugs with the UI that affect some features. Occasionally I have no choice but to make changes manually.

Ray

Petr Fišer

Mar 11, 2022, 2:29:03 AM
to cas-...@apereo.org, Juan María Reina Ortiz
Hello,
If the proxy settings do not work, you should still be able to manipulate the URL of the InCommon service... either to point it somewhere where it can reach the data or to disable it completely.
If I remember the source code correctly, you do not have to specify only a URL; a filesystem path (file:///somepath) might work too.

Check this thread https://groups.google.com/a/apereo.org/g/cas-user/c/8eJvw8oikPw/m/tNAH1jIKBgAJ

Cheers,
Fiisch

Juan María Reina Ortiz

Mar 11, 2022, 5:05:32 AM
to CAS Community, petr.f...@gmail.com, Juan María Reina Ortiz
Thanks, Petr

Having read that thread, what I've understood is that disabling mdq would allow the process to start, but what would be the consequences? I don't have deep enough knowledge to foresee what will happen by not using this feature...

Thanks in advance

Petr Fišer

Mar 11, 2022, 6:27:27 AM
to Juan María Reina Ortiz, CAS Community
Hello,
MDQ metadata endpoint is basically one huge XML file (or a set of small ones) with SAML metadata of various organizations, in this case, members of InCommon community.
MDQ as a technical standard is an IETF thing.

But what it means for CAS and Mgmt apps... https://apereo.github.io/cas/6.5.x/installation/Configuring-SAML2-DynamicMetadata.html
- When you are creating a SAML registration in Mgmt app, the Mgmt app can give you a choice of ready-made SAML metadata configurations because it downloaded them upon its startup.
- CAS does not need to store the SAML metadata locally, it can gather them from MDQ endpoint. This implies that CAS administrator doesn't need to manage local metadata files of various connected 3rd parties.
- If you cannot access InCommon MDQ, you cannot consume 3rd party SAML metadata automatically. So you are back to manual management of metadata XML files. That is all.

Other than automating tasks around SAML metadata upkeeping, there is no impact on the functionality.

However, even without proxy access, you can work around the issue. You can, for example, periodically download the metadata with wget and let CAS read the file locally or from some internal webserver. You have a property (mgmt.in-common-mdq-url) which you can configure, so if there is a will, there is a way. :) But I would do it only if you really desperately need to access the InCommon MDQ registry.

Cheers,
Fiisch

Juan María Reina Ortiz

Mar 11, 2022, 7:48:00 AM
to CAS Community, petr.f...@gmail.com, Juan María Reina Ortiz
Leaving this parameter empty allowed me to start cas-management, but I'm still considering having this xml locally downloaded. But here's another thing I need to ask: what is the URL from which I could download the xml file?

Again, thanks in advance. Your help is being very valuable

Cheers!

Petr Fišer

Mar 11, 2022, 8:11:45 AM
to Juan María Reina Ortiz, CAS Community
Hello,

Technically MDQ is an API, so not really a set of XML files, sorry for misleading you a bit. But the returned document is valid XML, so... :)
If you do not need to use InCommon (or possibly other MDQ registry), you can leave the property empty.
Otherwise, https://github.com/apereo/cas-management/blob/0396f5a5a69af22845b4dd4e633cf74dda195e63/api/cas-mgmt-api-configuration/src/main/java/org/apereo/cas/configuration/CasManagementConfigurationProperties.java#L157

Cheers,
Fiisch

Juan María Reina Ortiz

Mar 14, 2022, 4:34:01 AM
to CAS Community, petr.f...@gmail.com, Juan María Reina Ortiz
Good morning
I've tried to use some config like this:

mgmt.in-common-mdq-url=file:/etc/cas/config/entities

But I'm afraid what it expects is a URL... So, it doesn't work. Is there another option to take it from a local file?
Anyway, I am not sure I need this. I don't know the purpose of these metadata and how not having it could impact my environment. Could any of you guys provide me more info, at least at a basic level, to have a better understanding? Perhaps I'm struggling with something I don't need at all and therefore wasting my time...

Again, thank you very much

Ray Bon

Mar 14, 2022, 11:59:25 AM
to cas-...@apereo.org, petr.f...@gmail.com, juanmar...@soltel.es
Juan,

Unfortunately the InCommon requirement is hard coded into the management app; a serious flaw - it should be configurable like every other federation or provider.

You can read about and get InCommon metadata here, https://spaces.at.internet2.edu/display/federation/Metadata+Service

Then you can store it in a local web server and point that url property to the local copy.
You may need to have their signing cert locally as well, see https://spaces.at.internet2.edu/display/federation/consume-metadata-best-practice

If you do not need the contents of the file, then delete most of it, just keep the InCommon entries which are first.

Ray
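Both Petr's suggestion earlier in the thread (download the aggregate, serve it locally, point mgmt.in-common-mdq-url at the copy) and Ray's suggestion above (keep only the entries you actually need) mean editing the metadata aggregate before CAS reads it. The script below is an added example, not code from the cas-management project or from any poster: it lists the entityIDs in a SAML metadata aggregate and writes a trimmed copy containing only a chosen keep-list. It generalizes Ray's "keep the first entries" to an arbitrary set of entityIDs. The sample aggregate and its entityIDs are constructed placeholders, and the code assumes the standard flat layout (md:EntitiesDescriptor root with md:EntityDescriptor children).

```python
"""Trim a SAML metadata aggregate to a set of wanted entityIDs.

Added example (not part of cas-management). Assumes a flat aggregate:
an md:EntitiesDescriptor root whose direct children are md:EntityDescriptor
elements and, optionally, one document-level ds:Signature.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the conventional prefixes on output instead of ns0/ns1.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

ENTITIES_TAG = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"
SIGNATURE_TAG = f"{{{DS_NS}}}Signature"

# Constructed sample aggregate: three placeholder entities plus a
# placeholder document-level signature. Not real federation metadata.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:aggregate" validUntil="2022-03-21T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.net/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def list_entity_ids(xml_text):
    """Return every entityID in the aggregate, in document order."""
    root = ET.fromstring(xml_text)
    return [e.get("entityID") for e in root.iter(ENTITY_TAG)]


def trim_aggregate(xml_text, keep):
    """Return (trimmed_xml, kept_ids).

    Drops every top-level md:EntityDescriptor whose entityID is not in
    `keep` and removes the document-level ds:Signature: that signature
    covers the whole original document, so it cannot validate once the
    content has been edited. Raises ValueError if the root is not an
    md:EntitiesDescriptor or if a wanted entityID is absent.
    """
    root = ET.fromstring(xml_text)
    if root.tag != ENTITIES_TAG:
        raise ValueError("expected an md:EntitiesDescriptor root")
    wanted = set(keep)
    kept = []
    for child in list(root):  # copy: we remove while iterating
        if child.tag == ENTITY_TAG:
            entity_id = child.get("entityID")
            if entity_id in wanted:
                kept.append(entity_id)
            else:
                root.remove(child)
        elif child.tag == SIGNATURE_TAG:
            root.remove(child)
    missing = wanted - set(kept)
    if missing:
        raise ValueError(f"entityIDs not found in aggregate: {sorted(missing)}")
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, kept


if __name__ == "__main__":
    # Usage on the constructed sample: keep only the IdP entry.
    trimmed, kept_ids = trim_aggregate(
        SAMPLE_AGGREGATE, ["https://idp.example.edu/idp/shibboleth"]
    )
    print("kept:", kept_ids)
    print(trimmed)
```

Because the document-level signature is removed, a trimmed copy cannot be checked against the InCommon signing certificate that Ray links to. Verify the signature on the untrimmed download first (for example with xmlsec1 against that certificate), trim only after that, and keep the validUntil attribute so a stale local copy is still rejected.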

Juan María Reina Ortiz

Mar 14, 2022, 1:50:27 PM
to Ray Bon, cas-...@apereo.org, petr.f...@gmail.com

Thanks a lot for your answer, Ray

The point is that, after dealing with this issue, I'm not sure I need these metadata. Meaning, what are they for? The only IdPs that I have to use are our corporate LDAP and a local user database. I'm thinking I don't need it at all, but I'd prefer it if someone with deeper knowledge and more experience could confirm that.

Kind regards

Ray Bon

Mar 14, 2022, 2:03:48 PM
to juanmar...@soltel.es, cas-...@apereo.org, petr.f...@gmail.com
I, too, do not need that metadata, and I am sure we are not alone. It is only required for organizations that use InCommon SAML2 services.

It is unfortunate that this requirement is built into the code. /(

Ray