cas-mfa with CAS 4.1.4 and ehcache


Ted Fisher

Mar 31, 2016, 6:36:57 PM
to cas-...@apereo.org

We have gotten cas-mfa with CAS 4.1.4 running and configured with an LDAP auth handler and Duo authenticating OK, and we are getting service tickets generated. Our next step was to get ehcache configured to use the same cache as our existing 3.5.0 CAS servers so that STs would go there and apps with CAS clients doing ticket validation could validate them there (this is all in our test env right now). From the looks of things STs and TGTs are the same, so we should be able to share them like that.

I was pleased to see that the wiki docs explained ehcache config as very similar to our existing – we are doing RMI replication now. I configured it pretty much the same as what we have now with the cache names changed to match our existing. It builds and no errors are logged when running, and I see packets being sent to the other RMI addresses, so it looks like STs are being sent out to ehcache. But when the apps try to validate the ST, they are not there. I tried turning logging up to debug and still I see no indications of any issue.

Any pointers on how to troubleshoot this ehcache issue? Is there a way for me to dump the STs in cache? It’s test and I can see that there are only a few there. I’d like to verify that they are making it there.
Thanks.

Ted F. Fisher

Information Technology Services

From: Ted Fisher
Sent: Thursday, March 17, 2016 9:43 AM
To: 'cas-...@apereo.org' <cas-...@apereo.org>
Subject: cas-mfa with CAS 3.5.3

I haven’t been able to find any step-by-step docs for adding Unicon’s cas-mfa with Duo to our CAS server. I’ve tried following the instructions at https://github.com/Unicon/cas-mfa/ which result in a good build, but no Duo authentication. I would assume that is because those instructions are for CAS 4.1.X.

Is there anything that will tell me what I need to have in place and what settings are needed for CAS 3.5.3?

I am trying to use cas-mfa version 1.0.0-RC2 since that looks to be the last that supported 3.5.X. I’ve tried quite a few variations based on posts I found from others, but nothing is leading to any progress here.

README.md in 1.0.0-RC2 points to https://github.com/Unicon/cas-mfa/ which has instructions for 4.1.X, so I’m not finding anything on what this should look like.

Any help would be appreciated.

Environment:

CAS 3.5.3 on Tomcat 7, 2 RHEL 6 servers using java version "1.7.0_95"

Thanks.

Ted F. Fisher

Server Administrator

323 Hayes Hall

Information Technology Services

Email: tff...@bgsu.edu

Phone: 419.372.1626

Ted Fisher

Mar 31, 2016, 6:40:56 PM
to cas-...@apereo.org

This is my other issue with our CAS 4.1.4 with cas-mfa, which we have brought up to replace our old CAS 3.5.0. I have been testing with the Apereo view that is stock, but now I’d like to put the view from our existing CAS 3.5.0 into the 4.1.4 instance. I thought I might be able to simply place the view dir from our 3.5.0 build into the build dir for the new one. It builds and runs with no errors, but the pages do not display correctly. Is the view that different in 4.X from 3.x that I cannot do that? Are there any pointers on how to migrate our old view into the new?

Misagh Moayyed

Apr 1, 2016, 6:15:13 AM
to cas-...@apereo.org
First thing you want to do is upgrade your LOG levels for both Ehcache and CAS and trace the ticket activity. The logs should tell you why tickets fail to be located. Either it’s a replication/network/RMI issue, or some delay in the process which causes tickets to be expired and then removed. 

-- 
Misagh

Misagh Moayyed

Apr 1, 2016, 6:21:07 AM
to cas-...@apereo.org


> This is my other issue with our CAS 4.1.4 with cas-mfa which we have brought up to replace our old CAS 3.5.0. I have been testing with the Apereo view that is stock, but now I’d like to put the view from our existing CAS 3.5.0 into the 4.1.4 instance.

Do you mean the apereo theme which contains UI decorations to paint the login screen when you attempt to access CAS with service=apereo.org? Or the default login page?

> I thought I might be able to simply place the view dir from our 3.5.0 build into the build dir for the new one. It builds and runs with no errors, but the pages do not display correctly.

How so?

> Is the view that different in 4.X from 3.x that I cannot do that?

There are changes, yes, but they likely mostly affect CSS, etc. If the pages are structurally broken, then you may need to mod your CSS config and other related config files.

> Are there any pointers how to migrate our old view into the new?

Ted Fisher

Apr 4, 2016, 11:02:25 AM
to Misagh Moayyed, cas-...@apereo.org

I did up the logging and am finding this:

ERROR [http-bio-8080-exec-16] [net.sf.ehcache.distribution.RMISynchronousCacheReplicator] - Exception on replication of putNotification. error marshalling arguments; nested exception is

There are similar entries for asynchronous replication for the TGT as well. But I had tcpdump running on all three nodes and I can see data on port 41001 where the new node is sending to both of the older nodes.

Ted F. Fisher

Ted Fisher

Apr 4, 2016, 12:07:13 PM
to cas-...@apereo.org

Actually it looks like the ST is getting sent to the other nodes, but way too late.

On the peer node that got the validate request, here is what was logged:

INFO 2016-04-04 11:27:10,875 [http-8080-1][] com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-pZPuh27Kqyo1VWoBD2m1-authtest3.bgsu.edu
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Mon Apr 04 11:27:10 EDT 2016
CLIENT IP ADDRESS: 129.1.12.237
SERVER IP ADDRESS: 129.1.12.86
=============================================================

DEBUG 2016-04-04 11:28:03,031 [RMI TCP Connection(127)-129.1.12.85][] net.sf.ehcache.distribution.RMICachePeer - RMICachePeer for cache org.jasig.cas.ticket.ServiceTicket: remote put received. Element is: [ key = ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, value=ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, version=1, hitCount=0, CreationTime = 1459783684000, LastAccessTime = 1459783683031 ]

So, the ST was received but almost a full minute after the validate request. These nodes are in the same subnet and STs are set for synchronous replication.

Ted F. Fisher
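Added example, not part of the thread: a small correlation check of the kind the exchange above calls for. It pairs each SERVICE_TICKET_VALIDATE_FAILED audit record with the ehcache "remote put received" line for the same ticket key, so a put that arrives late for one ticket is not mistaken for the ticket that actually failed validation. The sample log text is constructed from the excerpts above; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample modelled on this thread's excerpts: a failed ST validation, then a remote put 52 s later for a different ticket.
SAMPLE_LOG = """\
INFO 2016-04-04 11:27:10,875 [http-8080-1][] com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager - Audit trail record BEGIN
WHO: audit:unknown
WHAT: ST-2-pZPuh27Kqyo1VWoBD2m1-authtest3.bgsu.edu
ACTION: SERVICE_TICKET_VALIDATE_FAILED
DEBUG 2016-04-04 11:28:03,031 [RMI TCP Connection(127)-129.1.12.85][] net.sf.ehcache.distribution.RMICachePeer - RMICachePeer for cache org.jasig.cas.ticket.ServiceTicket: remote put received. Element is: [ key = ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, value=ST-42-5aUKlkWE4HOVL5Oaeaus-authtest1.bgsu.edu, version=1 ]
"""

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
LOG_LINE = re.compile(r"^(?:INFO|DEBUG|WARN|ERROR)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (.*)$")
REMOTE_PUT = re.compile(r"remote put received\. Element is: \[ key = (ST-\S+?),")

def parse_events(log_text):
    """Return ({ticket: time of SERVICE_TICKET_VALIDATE_FAILED}, {ticket: time of remote put})."""
    failed, received = {}, {}
    audit_ts = audit_ticket = None   # state for the multi-line inspektr audit record
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, rest = datetime.strptime(m.group(1), TS_FMT), m.group(2)
            if "Audit trail record BEGIN" in rest:
                audit_ts, audit_ticket = ts, None
            put = REMOTE_PUT.search(rest)
            if put:
                received[put.group(1)] = ts
        elif line.startswith("WHAT: "):            # audit continuation: the ticket id
            audit_ticket = line[len("WHAT: "):].strip()
        elif line.startswith("ACTION: SERVICE_TICKET_VALIDATE_FAILED") and audit_ticket:
            failed[audit_ticket] = audit_ts
    return failed, received

def correlate(log_text):
    """For each failed validation: did the *same* key ever arrive by replication, and how late?"""
    failed, received = parse_events(log_text)
    report = {}
    for ticket, t_fail in failed.items():
        t_put = received.get(ticket)
        if t_put is None:
            report[ticket] = ("never_received", None)
        else:
            lag = (t_put - t_fail).total_seconds()
            report[ticket] = ("received_late" if lag > 0 else "received_before", lag)
    return report

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Run against the constructed sample, the report shows ST-2 as never received on this node, while the put observed 52 s later belongs to ST-42 and is not counted against it.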

Ted Fisher

Apr 4, 2016, 12:32:50 PM
to cas-...@apereo.org

Please ignore that last input – that was a different ticket received.

My peers are not receiving STs.

Thanks.

Ted F. Fisher


Ted Fisher

Apr 6, 2016, 8:42:08 AM
to cas-...@apereo.org

It ended up there was no problem with our view from the old (3.5.0) CAS moved to CAS 4.1.4. The reason it was not working was variables in our JSPs that were replaced by Ant scripts in the old build. When I put in the JSPs that had the variables replaced already, it ran fine.

Ted F. Fisher