[Shib-Users] IdP 2.1 and Terracotta


Greg Haverkamp

Nov 5, 2008, 4:18:16 PM
to shibbole...@internet2.edu
I'm curious if others have done clean IdP 2.1 installations with
Terracotta following the instructions provided on the wiki. I did
eventually get it to run without too many headaches, but I did have to
make several modifications of the tc-config.xml file that I have not
seen in other threads on the topic. I don't know enough about
Terracotta at this stage to know whether I was the cause of the
problem, or if the documentation or the included tc-config.xml file
needs some tweaks.

I started receiving errors as soon as authentication was completed by
the UsernamePassword handler, and I started getting errors (which
lived in log files I regrettably deleted) referencing
java.util.Vector. That was fixed by adding the tim-vector module:

<modules>
  <module name="tim-vector" version="2.4.0-SNAPSHOT" group-id="org.terracotta.modules"/>
</modules>

Then, I received some non-portable object errors. I fixed those by
adding some instrumented classes using the tips Terracotta gave:

<instrumented-classes>
  ...
  <include>
    <class-expression>edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry</class-expression>
  </include>
  <include>
    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal</class-expression>
  </include>
</instrumented-classes>


Considering it took just a handful of extra lines to get everything up
and running, this is certainly not a big deal, assuming these are
suitable fixes. However, being new to Terracotta, it isn't clear to
me if I've messed up the configuration which is laid out as pretty
braindead in the documentation, or if there should be a note about
some possibility of these events occurring.

Greg

Russell Beall

Nov 5, 2008, 4:50:54 PM
to shibbole...@internet2.edu
I spent much of yesterday trying to put together a clean install and
get it working. I have been encountering the same error.

Thanks for posting your solutions. Would the shib developers agree on
his tc-config.xml changes?

Here is an example log message:

15:28:08.057 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[shibboleth.usc.edu].[/idp].[AuthenticationEngine]:719] - Servlet.service() for servlet AuthenticationEngine threw exception
com.tc.object.tx.UnlockedSharedObjectException:
*******************************************************************************
Attempt to access a shared object outside the scope of a shared lock.
All access to shared objects must be within the scope of one or more
shared locks defined in your Terracotta configuration.
Please alter the locks section of your Terracotta configuration so
that this access is auto-locked or protected by a named lock.

For more information on this issue, please visit our Troubleshooting
Guide at:
http://terracotta.org/kit/troubleshooting


Caused by Thread: TP-Processor18 in VM(3)
Shared Object Type: java.util.Vector
*******************************************************************************

at com.tc.object.tx.ClientTransactionManagerImpl.getTransaction(ClientTransactionManagerImpl.java:303)
15:28:08.060 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[shibboleth.usc.edu].[/idp].[UsernamePasswordAuthHandler]:260] - Servlet.service() for servlet UsernamePasswordAuthHandler threw exception
com.tc.object.tx.UnlockedSharedObjectException:
*******************************************************************************
Attempt to access a shared object outside the scope of a shared lock.
All access to shared objects must be within the scope of one or more
shared locks defined in your Terracotta configuration.
Please alter the locks section of your Terracotta configuration so
that this access is auto-locked or protected by a named lock.

For more information on this issue, please visit our Troubleshooting
Guide at:
http://terracotta.org/kit/troubleshooting


Caused by Thread: TP-Processor18 in VM(3)
Shared Object Type: java.util.Vector
*******************************************************************************

at com.tc.object.tx.ClientTransactionManagerImpl.getTransaction(ClientTransactionManagerImpl.java:303)

Russell Beall

Nov 5, 2008, 7:51:38 PM
to shibbole...@internet2.edu
I followed Greg's instructions, but also had to run make-boot-jar.sh
and specify my config file instead of running the boot-jar-path.sh as
specified in the wiki.

For the tim module, I had to run:

/var/local/terracotta/bin/tim-get.sh install tim-vector 2.4.0-SNAPSHOT org.terracotta.modules

After that, it worked. I have clustered IdP sessions on two separate
boxes and I was even able to kill both tomcats and reload them and my
session information was reloaded. Very nice.

Russ.

Eitan Eibschutz

Nov 5, 2008, 8:29:55 PM
to shibbole...@internet2.edu
Hi,

I've been trying to do the same thing, but my IDP is running on Websphere.

Is it feasible to run a Terracotta clustered IDP 2.1 on Websphere?

According to Terracotta integration guide, there is already a module for Websphere clients with a few limitations:
1. You have to add "-Xshareclasses:none" to the JVM which made me add quite a few jars to the instrumented-classes.
2. According to the integration guide, it says that Terracotta for Spring is not currently supported in the IBM JDK environment. (Does this mean that clustering the IDP using Terracotta on WebSphere can't be done?)

This is the exception I'm getting when trying to login to the idp:

2008-11-03 20:23:05,804 [WebContainer : 0] ERROR com.tc.object.bytecode.Manager - Exception thrown
java.lang.IllegalStateException: Classloader name not set, instances defined from this loader not supported in Terracotta (loader: org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader)
at java.lang.ClassLoader.__tc_getClassLoaderName(ClassLoader.java)
at com.tc.object.loaders.StandardClassProvider.getName(StandardClassProvider.java:67)
at com.tc.object.loaders.StandardClassProvider.getLoaderDescriptionFor(StandardClassProvider.java:79)
at com.tc.object.loaders.StandardClassProvider.getLoaderDescriptionFor(StandardClassProvider.java:74)
at com.tc.object.TCClassFactoryImpl.getOrCreate(TCClassFactoryImpl.java:59)
at com.tc.object.ClientObjectManagerImpl.getPortableObjects(ClientObjectManagerImpl.java:219)
at com.tc.object.Traverser.addReferencedObjects(Traverser.java:37)
at com.tc.object.Traverser.traverse(Traverser.java:89)
at com.tc.object.ClientObjectManagerImpl.addToManagedFromRoot(ClientObjectManagerImpl.java:910)
at com.tc.object.ClientObjectManagerImpl.create(ClientObjectManagerImpl.java:267)
at com.tc.object.ClientObjectManagerImpl.lookupOrCreateIfNecesary(ClientObjectManagerImpl.java:331)
at com.tc.object.ClientObjectManagerImpl.lookupOrCreate(ClientObjectManagerImpl.java:304)
at com.tc.object.tx.ClientTransactionManagerImpl.logicalInvoke(ClientTransactionManagerImpl.java:746)
at com.tc.object.TCObjectLogical.logicalInvoke(TCObjectLogical.java:20)
at com.tc.object.bytecode.ManagerImpl.logicalInvoke(ManagerImpl.java:229)
at com.tc.object.bytecode.ManagerUtil.logicalInvoke(ManagerUtil.java:247)
at java.util.concurrent.ConcurrentHashMap$Segment.put(ConcurrentHashMap.java:445)
at java.util.concurrent.ConcurrentHashMap.put(Unknown Source)
at edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService.put(EventingMapBasedStorageService.java:104)

If it is not feasible to cluster the idp with Terracotta on WebSphere, is it possible to use the WebSphere built-in clustering capabilities (Network Deployment)?

Thanks,
Eitan


Chad La Joie

Nov 11, 2008, 6:18:25 AM
to shibbole...@internet2.edu
Hey Greg and Russell

The changes you propose are correct. I've updated, and I think cleaned
up, the documentation and made the changes to the tc-config.xml file so
that they'll show up in the next release of Shib. I've also placed the
updated file on the wiki until such time as the next release is available.

Greg Haverkamp wrote:
> I'm curious if others have done clean IdP 2.1 installations with
> Terracotta following the instructions provided on the wiki. I did
> eventually get it to run without too many headaches, I did have to make
> several modifications of the tc-config.xml file that I have not seen in
> other threads on the topic. I don't know enough about Terracotta at
> this stage to know whether I was the cause of the problem, or if the
> documentation or the included tc-config.xml file needs some tweaks.
>
> I started receiving errors as soon as authentication was completed by
> the UsernamePassword handler, and I started getting errors (which lived
> in log files I regrettably deleted) referencing java.util.Vector. That
> was fixed by adding the tim-vector module:
>
> <modules>
>   <module name="tim-vector" version="2.4.0-SNAPSHOT" group-id="org.terracotta.modules"/>
> </modules>
>
> Then, I received some non-portable object errors. I fixed those by
> adding some instrumented classes using the tips Terracotta gave:
>
> <instrumented-classes>
>   ...
>   <include>
>     <class-expression>edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdEntry</class-expression>
>   </include>
>   <include>
>     <class-expression>edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal</class-expression>
>   </include>
> </instrumented-classes>
>
>
> Considering it took just a handful of extra lines to get everything up
> and running, this is certainly not a big deal, assuming these are
> suitable fixes. However, being new to Terracotta, it isn't clear to me
> if I've messed up the configuration which is laid out as pretty
> braindead in the documentation, or if there should be a note about some
> possibility of these events occurring.
>
> Greg

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Chad La Joie

Nov 11, 2008, 6:42:10 AM
to shibbole...@internet2.edu
I don't know if you can use it with Websphere or not. I will note that
the IdP does NOT use Spring clustering. So that shouldn't be an issue.

Russell Beall

Nov 11, 2008, 5:23:04 PM
to shibbole...@internet2.edu
Thanks Chad,

It appears that in the time we have worked to get this set up,
Terracotta has released the 2.7.1 version, and in that version, the
instructions for tim-vector do not work.

In the latest version it appears they have backed off the tim-vector
version to 2.3.1.

So, it appears that a different config will be needed for 2.7.1.

I made some notes about this in the IdPCluster page.

Russ.

Liam Hoekenga

Nov 12, 2008, 3:05:54 PM
to shibbole...@internet2.edu
So, which version of terracotta does IdP 2.1 work with? I'm not
having any luck with TC 2.7.0 either.

Liam



Bill Kuker

Nov 12, 2008, 3:42:06 PM
to shibbole...@internet2.edu
Hello,

I am new to the list today. I am working on using shib at the Rochester
Institute of Technology in Rochester, NY, USA.

I am starting a new installation of IDP 2.1 using terracotta 2.7. I have two
instances of Tomcat starting up using the terracotta jars and connecting
to the terracotta servers.

I've only started today, so I have not tried too hard to debug this; if
only one of my IDPs is online everything works right, but if they are
both online MOD_JK* sends the first request for
/profile/SAML2/Redirect/SSO to IDP A and the second request for
/idp/Authn/RemoteUser to IDP B and then B fails for reasons I am not
sure of yet.

If you are having trouble getting everything started I may be able to
help because I have just done it today and it is fresh in my mind.

-Bill Kuker

*I have a network based load balancer pointed at 2 apaches. Each apache
has MOD_JK configured to point to two IDPs. Mod_jk is not set up to be
sticky right now, and that is helping me shake some bugs out.



Liam Hoekenga

Nov 12, 2008, 3:55:10 PM
to shibbole...@internet2.edu
Hey! I'm totally having problems getting TC + IdP 2.1 started. Can I
see a copy of your tc-config.xml?

Liam Hoekenga
University of Michigan



Bill Kuker

Nov 12, 2008, 4:16:01 PM
to shibbole...@internet2.edu
Sure thing.

If you check https://spaces.internet2.edu/display/SHIB2/IdPCluster under
step 2 you'll see a note to download an updated tc-config. I have
exactly this file, but I replaced $IDP_HOME$ with the proper directory
and added two server sections. This is a very new addition to the
instructions.

I followed step 3 exactly. I think it is important to re-run the
make-boot-jar command after you change tc-config.xml.

My tomcat.sh script has the following added:

TC_INSTALL_DIR=/home/shibweb/terracotta
TC_CONFIG_PATH=/home/shibweb/shibboleth/conf/tc-config.xml
. $TC_INSTALL_DIR/bin/dso-env.sh -q
JAVA_OPTS="$TC_JAVA_OPTS $JAVA_OPTS"
export JAVA_OPTS

which is pretty standard.

Once you have your terracotta servers running and your tomcats started
use terracotta/bin/admin.sh to connect to the master terracotta server.
You should see some number of clients (2 in my case). If you see zero
something is not quite right.

-Bill Kuker

Russell Beall

Nov 12, 2008, 5:19:32 PM
to shibbole...@internet2.edu
I've tested with both 2.7.0 and 2.7.1 and they both work. The only
difference is the tim-vector module version. If you go with 2.7.1 you
have to edit the tc-config.xml to specify 2.3.1 instead of
2.4.0-SNAPSHOT, as well as editing the tim-get.sh install command when
you run it.

I had problems using the $IDP_HOME$ variable in the tc-config.xml so I
also edited that to the full path.

Be sure to start with the tc-config.xml from the IdPCluster page.

Russ.
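
The checks discussed in this thread (tim-vector version per Terracotta release, the two instrumented classes, a leftover $IDP_HOME$ placeholder) can be run against a tc-config.xml before rebuilding the boot jar. This is an added example, not part of any poster's message or of the Shibboleth or Terracotta code; the names check_tc_config, covers, local_name and SAMPLE are hypothetical, the sample file is constructed, and the wildcard rules for class expressions are an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Pairing reported in the thread (Terracotta release -> tim-vector version).
TIM_VECTOR_FOR = {"2.7.0": "2.4.0-SNAPSHOT", "2.7.1": "2.3.1"}

# Classes the thread instrumented to clear the non-portable object errors.
REQUIRED_CLASSES = (
    "edu.internet2.middleware.shibboleth.common.attribute.resolver"
    ".provider.attributeDefinition.TransientIdEntry",
    "edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal",
)

# Constructed sample for illustration, not the file from the IdPCluster page.
SAMPLE = """<tc:tc-config xmlns:tc="http://www.terracotta.org/config">
  <clients>
    <modules>
      <module name="tim-vector" version="2.4.0-SNAPSHOT" group-id="org.terracotta.modules"/>
    </modules>
    <logs>$IDP_HOME$/cluster/client/logs</logs>
  </clients>
  <application><dso><instrumented-classes>
    <include><class-expression>edu.internet2.middleware.shibboleth.idp.authn..*</class-expression></include>
  </instrumented-classes></dso></application>
</tc:tc-config>"""

def local_name(tag):
    """Drop a '{namespace}' prefix so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def covers(expression, class_name):
    """Assumed pattern rules: '..' spans any number of sub-packages and
    '*' stays inside one name segment (as in 'com.example..*')."""
    pattern = re.escape(expression.strip())
    pattern = pattern.replace(r"\.\.", r"\.(?:.*\.)?").replace(r"\*", "[^.]*")
    return re.fullmatch(pattern, class_name) is not None

def check_tc_config(xml_text, terracotta_version):
    """Return a list of problems found in a tc-config.xml document."""
    problems = []
    if "$IDP_HOME$" in xml_text:
        problems.append("unreplaced $IDP_HOME$ placeholder")
    elements = list(ET.fromstring(xml_text).iter())

    expected = TIM_VECTOR_FOR.get(terracotta_version)
    found = [e.get("version") for e in elements
             if local_name(e.tag) == "module" and e.get("name") == "tim-vector"]
    if not found:
        problems.append("tim-vector module missing")
    elif expected is None:
        problems.append("no known tim-vector version for " + terracotta_version)
    elif found[0] != expected:
        problems.append("tim-vector is %s, expected %s for Terracotta %s"
                        % (found[0], expected, terracotta_version))

    includes = [c.text or ""
                for block in elements
                if local_name(block.tag) == "instrumented-classes"
                for inc in block if local_name(inc.tag) == "include"
                for c in inc if local_name(c.tag) == "class-expression"]
    for name in REQUIRED_CLASSES:
        if not any(covers(expr, name) for expr in includes):
            problems.append("not instrumented: " + name)
    return problems

if __name__ == "__main__":
    print("\n".join(check_tc_config(SAMPLE, "2.7.1")))
```

An empty list means the three points raised in the thread are satisfied; it does not validate the rest of the file.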

Russell Beall

Nov 12, 2008, 5:30:22 PM
to shibbole...@internet2.edu
When running with Terracotta, the tomcat servers print this type of
message many times in catalina.out on start up and several times for
each authentication:

AW::WARNING - could not load class [org/mozilla/javascript/NativeFunction] as a resource in loader [org.mozilla.javascript.DefiningClassLoader@7b73e3]
AW::WARNING - could not load class [org/mozilla/javascript/Script] as a resource in loader [org.mozilla.javascript.DefiningClassLoader@9d94ca]

This does not occur where the terracotta configuration has been
commented out. Services still appear to work despite this
classloading error.

Is this something which has been seen by anyone already?

We plan to be guinea pigs and phase this into production here at USC
in about a week or so, and I'd like to confirm that this message can
be fixed or can safely be ignored.

Thanks,
Russ.

Taylor Gautier

Nov 12, 2008, 5:46:36 PM
to shibbole...@internet2.edu
Is this with Terracotta 2.7.0 or 2.7.1 - there was a bug fixed in 2.7.1 that may be related to this issue.


If not, it is probably this one:


Either way, it is a benign warning.


Russell Beall

Nov 12, 2008, 6:33:27 PM
to shibbole...@internet2.edu
Hi Taylor,

Thanks for responding.  This is with the latest 2.7.1 downloaded just yesterday.  It also occurred with the 2.7.0 I was working with days before.  It occurs both under Linux and 64-bit Solaris.

I will go forward under the assumption that it is indeed benign.  Though it will unnecessarily fill our catalina.out pretty quick since there are 6 AW::WARNING messages per request and we process anywhere from 30,000 to 100,000 requests per day...

Guess I'll have to implement some better log rolling for that file.  At least that will be easier when we can restart tomcat at will and not lose session data or availability...

Russ.

Taylor Gautier

Nov 12, 2008, 8:17:09 PM
to shibboleth-users, shibboleth-users
We will look into it if you can provide us a reproducible. 


Liam Hoekenga

Nov 13, 2008, 10:48:24 AM
to shibbole...@internet2.edu
> I've tested with both 2.7.0 and 2.7.1 and they both work. The only
> difference is the tim-vector module version. If you go with 2.7.1
> you have to edit the tc-config.xml to specify 2.3.1 instead of
> 2.4.0-SNAPSHOT, as well as editing the tim-get.sh install command
> when you run it.
>
> I had problems using the $IDP_HOME$ variable in the tc-config.xml so
> I also edited that to the full path.

I've done that as well.

> Be sure to start with the tc-config.xml from the IdPCluster page.

I am. This is it, right?


https://spaces.internet2.edu/download/attachments/11926/tc-config.xml?version=2

I rebuilt the boot jar with...

whisper-root# $TC_HOME/bin/make-boot-jar.sh -f /usr/local/idp/conf/tc-config.xml

... and get...

2008-11-13 10:30:30,319 INFO - Terracotta 2.7.0, as of 20081001-101049 (Revision 10251 by cruise@rh4mo0 from 2.7)
2008-11-13 10:30:31,028 INFO - Configuration loaded from the file at '/usr/local/idp/conf/tc-config.xml'.

********************************* WARNING **********************************
* The following set of classes were automatically included in the boot jar
* since they are required super classes. Please add them in the
* <additional-boot-jar-classes> section of the terracotta config:
* [java.util.AbstractSet]
****************************************************************************

I've tried adding java.util.AbstractSet to the
additional-boot-jar-classes section, and it doesn't really help. If I
rebuild the boot jar with that line added to the
additional-boot-jar-classes section, it still tells me that I need to
add it to tc-config.xml, and still fails when I try to access the IdP
from an SP. Here are the relevant environment variables that I can
think of..

JAVA_HOME=/usr/local/jdk
JRE_HOME=/usr/local/jre
IDP_HOME=/usr/local/idp
TC_INSTALL=/usr/local/terracotta
TC_HOME=/usr/local/terracotta

Russell Beall

Nov 13, 2008, 12:38:48 PM
to shibbole...@internet2.edu
As far as I can tell, this is just a warning. It says in the message
that the necessary classes were automatically included for you.

I have proceeded despite this warning to a successful setup without
trying to handle it.

Russ.

Russell Beall

Nov 13, 2008, 12:43:32 PM
to shibbole...@internet2.edu
And...

Yes. This is the right one. Chad has recently edited it, as well as
the install instructions, so that it is set for Terracotta 2.7.1. It
already includes the change for tim-vector 2.3.1

Russ.


Taylor Gautier

Nov 13, 2008, 1:01:08 PM
to shibbole...@internet2.edu
I will recommend once again to create a TIM.  Creating a TIM gives you the opportunity to create a version for any changes that are made - ensuring there is no confusion about "which" version of the tc-config any user is using.

I will help you out with this task when I get some available time - this week and next are really bad but I can probably help in the beginning of December.  Of course the Terracotta community will help you out too if you'd like to embark upon the task sooner.


Russell Beall

Nov 13, 2008, 1:48:56 PM
to shibbole...@internet2.edu
I'll be glad to work on this effort if it won't be stepping on someone's toes...  Are you already started on this Chad?

I've looked at the instructions here:

and it doesn't seem too complicated...

It appears that we simply partition off the main tc-config.xml rule set into the module and leave the machine specification section for use at installation.

Thanks,
Russ.

Chad La Joie

Nov 14, 2008, 4:00:21 AM
to shibbole...@internet2.edu
Taylor, are you on the shib-dev list? I'd like to take this topic over
to there as it is the more appropriate venue. If you're not could you
join it and we'll continue there.


Taylor Gautier

Nov 14, 2008, 4:11:17 AM
to shibbole...@internet2.edu
Sure thing - I'll join up.