[cas-user] Hazelcast-Ticket Registry config

[M.Pedis]

  Hi Everyone ,

I have two nodes of CAS server . They have LDAP auth method . Seperately they work well. ( For both , i am able to login with our active directory accounts and cas-management sites also work properly . ) . I just want to take this two node behind HA - cluster. I add hazelcast-ticket-registry dependincie but could not configured it well. Could anyone share me or help me about configuration of hazelcast? What should be in cas.properties_?

I just add that config as shown below but not worked . Could anyone can help? Thanks.

-
#For node1
#cas.cluster.members=cas01,cas02
#cas.cluster.instanceName=cas01.xxxx.edu
#cas.cluster.port=5701

#For node2
#cas.cluster.members=cas01,cas02
#cas.cluster.instanceName=cas02.xxxx.edu
#cas.cluster.port=5701

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e83f4a0d-3cc8-42d3-a5a0-c180c305a71c%40apereo.org.

[David Curry]

Your properties should be named cas.ticket.registry.hazelcast.cluster.<whatever>, not cas.cluster.<whatever>. See here:

https://apereo.github.io/cas/development/configuration/Configuration-Properties.html#hazelcast-ticket-registry 

For example, this is what we're using in our  three-server development environment:

cas.ticket.registry.hazelcast.cluster.members:          casdev-srv01.newschool.edu,casdev-srv02newschool.edu,casdev-srv03.newschool.edu
cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 2
cas.ticket.registry.hazelcast.cluster.backupCount:      0
cas.ticket.registry.hazelcast.cluster.port:             5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement:        false
cas.ticket.registry.hazelcast.crypto.encryption.key:    feAIxxxxSBU5xxxxAVTKxx==
cas.ticket.registry.hazelcast.crypto.signing.key:       EHdmxxxxT_MXxxxxYLTexxxxOaklxxxxlY2VxxxxAHuhxxxxPdQxxxxxtTA3xxxxs8TUxxxxL9nYxxxx5RqcvA
cas.ticket.registry.hazelcast.crypto.enabled:           true

Our five-server production environment is exactly the same, except the list of servers has 5 hosts in it and asyncBackupCount=4 (it should always be N-1). And of course, different crypto keys.

For initial testing, you can skip the crypto stuff (cas.ticket.registry.crypto.<whatever>); it's optional (but recommended for production).

The above is for CAS 5.2.x, but the settings should be the same for CAS 5.3.x and CAS 6.x.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david...@newschool.edu

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO7QygDNDO-wmnn7ZsawsL7SEK7pW9%3DL5jr_f-Nk72nmg%40mail.gmail.com.

[M.Pedis]

Hi Dave ,

Thaks for your reply. I have configured my env. as you say  and it works . But i have some warning messages , i dont know how to get rid of them. One more , how can i test it , it works properly or not ? It seems everything ok , but how can i test hazelcast , i dont know how hazelcast replicates tickets and how can i verify each node can has same ticket? Simply i want to test it by stopping one of the cas node's tomcat service ,then refresh the browser but other node couldnt send any reply, my session has end and it forced me login to active node again. You or someone could please help me about that? Thank you. 

15 Ekim 2019 Salı 15:00:56 UTC+3 tarihinde David Curry yazdı:

To unsubscribe from this group and stop receiving emails from it, send an email to cas-...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e83f4a0d-3cc8-42d3-a5a0-c180c305a71c%40apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f7d1ae32-544c-42f0-a462-49ade3a79921%40apereo.org.

[M.Pedis]

Hi Dave ,

Thaks for your reply. I have configured my env. as you say  and it works . But i have some warning messages , i dont know how to get rid of them. One more , how can i test it , it works properly or not ? It seems everything ok , but how can i test hazelcast , i dont know how hazelcast replicates tickets and how can i verify each node can has same ticket? Simply i want to test it by stopping one of the cas node's tomcat service ,then refresh the browser but other node couldnt send any reply, my session has end and it forced me login to active node again. You or someone could please help me about that? Thank you. 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2019-10-16 09:19:50,525 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration files found at [/etc/cas/config] are [[file [/etc/cas/config/cas.properties]]] under profile(s) [[standalone]]>
2019-10-16 09:19:50,595 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>
2019-10-16 09:19:56,393 INFO [org.apereo.cas.services.resource.AbstractResourceBasedServiceRegistry] - <Watching service registry directory at [/etc/cas/services-repo]>
2019-10-16 09:19:56,401 INFO [org.apereo.cas.util.io.PathWatcherService] - <Watching directory at [/etc/cas/services-repo]>
2019-10-16 09:19:58,088 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>


16-Oct-2019 09:19:58.727 WARNING [main] com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to required Java packages. Use additional Java arguments to provide Hazelcast access to Java internal API. The internal API access is used to get the best performance results. Arguments to be used:
 --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED
2019-10-16 09:19:58,818 WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.3] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
2019-10-16 09:19:58,819 WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.3] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.hazelcast.internal.networking.nio.SelectorOptimizer (file:/opt/tomcat/webapps/cas/WEB-INF/lib/hazelcast-3.12.3.jar) to field sun.nio.ch.SelectorImpl.selectedKeys
WARNING: Please consider reporting this to the maintainers of com.hazelcast.internal.networking.nio.SelectorOptimizer
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2019-10-16 09:20:09,517 INFO [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] - <

Using generated security password: 2ab6b74e-418b-4915-8094-82415aa231ca
>
2019-10-16 09:20:09,672 INFO [org.springframework.security.web.access.channel.ChannelProcessingFilter] - <Validated configuration attributes>
2019-10-16 09:20:09,691 INFO [org.springframework.security.web.DefaultSecurityFilterChain] - <Creating filter chain: any request, [org.springframework.security.web.access.channel.ChannelProcessingFilter@db39fa0, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4af9870a, org.springframework.security.web.context.SecurityContextPersistenceFilter@f39f9ba, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@62ee18dc, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@316b31c6, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@69305443, org.springframework.security.web.session.SessionManagementFilter@16bef812, org.springframework.security.web.access.ExceptionTranslationFilter@75bc3bd9, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@746567be]>
2019-10-16 09:20:10,860 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <Started CasWebApplicationServletInitializer in 22.663 seconds (JVM running for 108.313)>
2019-10-16 09:20:10,873 INFO [org.apereo.cas.web.CasWebApplication] - <>
2019-10-16 09:20:10,876 INFO [org.apereo.cas.web.CasWebApplication] - <

  ____    _____      _      ____   __   __
 |  _ \  | ____|    / \    |  _ \  \ \ / /
 | |_) | |  _|     / _ \   | | | |  \ V /
 |  _ <  | |___   / ___ \  | |_| |   | |
 |_| \_\ |_____| /_/   \_\ |____/    |_|

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0858edd5-8f0b-4684-a56d-5f1462f8f7f2%40apereo.org.

[David Curry]

The way I usually test things, since we have a cluster of CAS servers, is:

1. Start an incognito/private mode browser so there are no cookies
2. Log in to Application 1 through CAS
3. Check the CAS logs to figure out which server handled my login
4. Shut that CAS server down
5. Go back to the browser and access another CAS-protected service -- if it lets me in without username/password then Hazelcast is at least nominally working; if I get prompted again, then something is wrong

The warnings you're seeing are not familiar to me but seem to suggest something's wrong with your Java configuration. But since they're warnings and not errors, things should(?) still work.

Did you remember to open the firewall on the CAS servers to let them communicate with each other over port 5701/udp and 5701/tcp?

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david...@newschool.edu

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPY20OinXTNZyE%2BN5p0jwQacqMsfawfxd_mkTJvwkfoYA%40mail.gmail.com.

[M.Pedis]

Hi Dave ,

Thanks for your reply . I have tested if it works or not with as you mentioned before , but it didnt work. Also i have newly errors about other sites . Briefly explain my env. ;

- I have two CAS -- casuno.example.edu.tr and casdos.example.edu.tr  and one virtual ip behind netscaler LB - casnlb.xxxxx.edu.tr  ( they have proper DNS A records , they are all in same subnet/vlan ,their ufw has disabled -- their OS Ubuntu 1804 ) ;

•          Both they have  openjdk 11.0.4 2019-07-16  and tomcat 9.0.26 , with https: - ssl 8443 and http : 8080
  
•          Both they have ; nginx ; i use them as reverse proxy ;   casuno.example.edu.tr:8443 redirects https://casnlb.example.edu.tr  ( casnlb has virtual ip behind netscaler LB , and roundrobin tcp 443 -  )
•          Both they have ; cas-overlay--- build.gradle --
  
• compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
• compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
• compile "org.apereo.cas:cas-server-support-hazelcast-ticket-registry:${casServerVersion}
•         Both they have ; cas-management-overlay--- build.gradle -- ( default )
  

Below my cas.properties ; ( differences between are just crypto keys ! )

#
cas.server.name:https://casnlb.xxxx.edu.tr
server.prefix=${server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml
cas.authn.accept.users=
##########################################TGC-Secure###########################################################################
cas.tgc.secure:true
cas.tgc.crypto.encryption.key:MXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXs
cas.tgc.crypto.signing.key:BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
cas.webflow.crypto.encryption.key:jXXXXXXXXXXXXXXXXXXXXXXXX==
cas.webflow.crypto.signing.key:MXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA
##########################################LDAP#################################################################################
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].principalAttributeList=cn,givenName,userPrincipalName,description
#cas.authn.ldap[0].bindDn=cn=Users,DC=example,DC=edu,DC=tr
cas.authn.ldap[0].ldapUrl=ldap://adc.example.edu.tr:389
#cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].searchFilter=(userPrincipalName={user})
cas.authn.ldap[0].bindDn=cn=CAS ldap,cn=users,dc=xxxx,dc=edu,dc=tr
cas.authn.ldap[0].bindCredential=HXXXXXXXXHHH
cas.authn.ldap[0].baseDn=OU=Users,DC=xxxxxxxxx,DC=edu,DC=tr
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].useSsl=false
##########################################Services##############################################################################
cas.serviceRegistry.json.location=file:/etc/cas/services
##########################################Hazelcast#############################################################################
cas.ticket.registry.hazelcast.cluster.members:          casuno.xxxxx.edu.tr,casdos.xxxxx.edu.tr
cas.ticket.registry.hazelcast.cluster.asyncBackupCount: 1

cas.ticket.registry.hazelcast.cluster.backupCount:      0
cas.ticket.registry.hazelcast.cluster.port:             5701
cas.ticket.registry.hazelcast.cluster.portAutoIncrement:false

cas.ticket.registry.hazelcast.crypto.encryption.key:    KXxxXXXXXXXXXXXXXXXXXx==
cas.ticket.registry.hazelcast.crypto.signing.key:       oXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxXXXxfSkw
cas.ticket.registry.hazelcast.crypto.enabled:           true

Below management.properties; ( both same , casuno and casdos )

cas.server.name=https://casnlb.xxxx.edu.tr
cas.server.prefix=${cas.server.name}:/cas

mgmt.serverName=https://casnlb.xxxxx.edu.tr/cas-management
mgmt.adminRoles[0]=ROLE_ADMIN
mgmt.userPropertiesFile=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

Below cas/services --- cas-management web app json --- ( both same casuno and casdos , json names are different , their id s are different   )

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://casnlb.xxxxx.edu.tr/cas-management/*",
  "name" : "CAS Services Management",
  "id" : xxxxxxxxxxxxxxx,
  "description" : "CAS Services Management Webapp",
  "evaluationOrder" : 10
}

----------------------------------------------------------------------------

1. Start an incognito/private mode browser so there are no cookies  ( Done )
   
2. Log in to Application 1 through CAS (Done )
   
3. Check the CAS logs to figure out which server handled my login  ( -- casuno has grab/handle  request and i successfully login via my domain account ... https://casuno.xxx.edu.tr/cas  --- login successfull )
4. Shut that CAS server down (Done)
   

1. Go back to the browser and access another CAS-protected service -- if it lets me in without username/password then Hazelcast is at least nominally working; if I get prompted again, then something is wrong

First Error Log ;  ( both cas server have same )

07-Nov-2019 05:57:51.789 WARNING [main] com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to required Java packages. Use additional Java arguments to provide Hazelcast access to Java internal API. The internal API access is used to get the best performance results. Arguments to be used:

 --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

2019-11-07 05:57:51,879 WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.3] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>
2019-11-07 05:57:51,881 WARN [com.hazelcast.instance.AddressPicker] - <[LOCAL] [dev] [3.12.3] You configured your member address as host name. Please be aware of that your dns can be spoofed. Make sure that your dns configurations are correct.>

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.hazelcast.internal.networking.nio.SelectorOptimizer (file:/opt/tomcat/webapps/cas/WEB-INF/lib/hazelcast-3.12.3.jar) to field sun.nio.ch.SelectorImpl.selectedKeys
WARNING: Please consider reporting this to the maintainers of com.hazelcast.internal.networking.nio.SelectorOptimizer
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Second Error Log --- ( after login attemp via LB domain name -- casnlb.xxx.edu.tr/cas )

https://casnlb.xxxx.edu.tr/cas/login?exception.message=Error+decoding+flow+execution  ( on browser it writes , )



2019-11-07 06:02:21,471 ERROR [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - <Null input buffer>
java.lang.IllegalArgumentException: Null input buffer
        at javax.crypto.Cipher.doFinal(Cipher.java:2198) ~[?:?]
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:92) ~[cas-server-core-util-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:33) ~[cas-server-core-util-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:105) ~[cas-server-core-api-util-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) ~[spring-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at com.sun.proxy.$Proxy333.decode(Unknown Source) ~[?:?]
        at org.apereo.cas.web.flow.executor.WebflowCipherBean.decrypt(WebflowCipherBean.java:35) ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at org.apereo.cas.web.flow.executor.EncryptedTranscoder.decode(EncryptedTranscoder.java:103) ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at org.apereo.cas.web.flow.executor.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:75) ~[cas-server-core-webflow-api-6.2.0-SNAPSHOT.jar:6.2.0-SNAPSHOT]
        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:167) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:279) ~[spring-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499) ~[spring-cloud-context-2.2.0.RC1.jar:2.2.0.RC1]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212) ~[spring-aop-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at com.sun.proxy.$Proxy371.resumeExecution(Unknown Source) ~[?:?]
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:254) ~[spring-webflow-2.5.1.RELEASE.jar:2.5.1.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.2.1.RELEASE.jar:5.2.1.RELEASE]

it forces me login again .

Third Error --- ( when we atttemp to import service json or create new one via cas-management web interface -UI )

2019-11-07 06:38:53,144 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] - <Forwarding to error page from request [/api/services/] due to exception [repository not found: /etc/cas/services-repo/.git]>
org.eclipse.jgit.errors.RepositoryNotFoundException: repository not found: /etc/cas/services-repo/.git
        at org.eclipse.jgit.storage.file.FileRepositoryBuilder.build(FileRepositoryBuilder.java:90) ~[org.eclipse.jgit-5.3.1.201904271842-r.jar:5.3.1.201904271842-r]
        at org.apereo.cas.mgmt.GitUtil.initializeGitRepository(GitUtil.java:1264) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.GitUtil.<init>(GitUtil.java:108) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.RepositoryFactory.buildGitUtil(RepositoryFactory.java:82) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.RepositoryFactory.masterRepository(RepositoryFactory.java:72) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.VersionControlManagerFactory.createNewManager(VersionControlManagerFactory.java:129) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.VersionControlManagerFactory.getManagementServicesManager(VersionControlManagerFactory.java:114) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.VersionControlManagerFactory.from(VersionControlManagerFactory.java:97) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.factory.VersionControlManagerFactory.from(VersionControlManagerFactory.java:40) ~[cas-mgmt-support-version-control-6.1.0-RC4.jar:6.1.0-RC4]
        at org.apereo.cas.mgmt.controller.ServiceController.saveService(ServiceController.java:107) ~[cas-mgmt-core-6.1.0-RC4.jar:6.1.0-RC4]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]



I really dont know how will i continue? Any suggest or advice for me?  Just i want to build a running HA CAS app .

Thanks for your all help and guidence.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a28c3353-ce1f-410f-8f77-ffb90d2a1c67%40apereo.org.

[Andy Ng]

From your error logs seems like you are using 6.2.0-SNAPSHOT version of CAS.

SNAPSHOT version is going to break sometimes, so better not relies on it for stability. One suggestion might be to use an latest stable version, something like 6.1.1.

Another thing is that for your latest properties file, you seems to remove the instanceName property.

I use hazelcast for our production deployment, and I configured instanceName property for it to work, so you should try adding back the instanceName.

Of course, instanceName need to be different for each server, that part I think you already know. 

Hope it helps,

- Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5812eb6f-f4c7-4425-b597-86050d0e0535%40apereo.org.

[David Curry]

I have not done this with Tomcat 9 / Java 11 or CAS 6.x,  but it seems to me you need to fix this:

07-Nov-2019 05:57:51.789 WARNING [main] com.hazelcast.instance.HazelcastInstanceFactory.null Hazelcast is starting in a Java modular environment (Java 9 and newer) but without proper access to required Java packages. Use additional Java arguments to provide Hazelcast access to Java internal API. The internal API access is used to get the best performance results. Arguments to be used:

 --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

Also, are you sure the port 5701 is open in the firewall on both hosts? If it's not, the Hazelcasts can't talk to each other.

Are the host names you're using to configure the Hazelcast members the actual names of the hosts that resolve to their direct IP addresses? Or do they resolve to the load balancer? You want them talking directly to each other, not through the load balancer (it's an entirely "back end" conversation that doesn't involve the client.

And see Andy's suggestions, as well.

--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL • INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 • david...@newschool.edu

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPhmjneuMnKw6bHTqcd-T6_t8y6C64x_x5vABSEFPKLcA%40mail.gmail.com.

[M.Pedis]

Hi Andy ,

Thanks for your reply .

• From your error logs seems like you are using 6.2.0-SNAPSHOT version of CAS. -- Yes , u are right.  I have changed my version 6.1.1
  
• With your advice ; i cloned and build cas with version 6.1.1 ---  ( git clone -b 6.1 --single-branch https://github.com/apereo/cas-overlay-template.git , added dependincies , build ,etc.)
  
• Another thing is that for your latest properties file, you seems to remove the instanceName property  --- I hope i add this properties to right one ( cas.properties file ) , if not could you please warn / inform me ? 
  
• I add to cas.properties file --- cas.ticket.registry.hazelcast.cluster.instanceName:     casuno.xxxxx.edu.tr , ( for second one , cas.ticket.registry.hazelcast.cluster.instanceName:     casdos.xxxxxx.edu.tr )
  

After that changes , i tested but it forced me login again , redirect to home page -- ( i mean that , i logon casuno successfully then stop its service from netscaler , i hope casdos - the second cas - will handle the request and not ask me credentials but it asked again)

• I use hazelcast for our production deployment, and I configured instanceName property for it to work, so you should try adding back the instanceName. Of course, instanceName need to be different for each server, that part I think you already know.

• I understood that you have a running HA configured CAS SSO enviroment for your company/university or where you work for . If it is possible could you please share your env details . For ex , what is your LB , which method do you use , which version CAS do you have , also Cas-management , how your cas hazelcast configured , and similar things?
  

 I just try to catch my fault/ mistake . I think i have some misconfigurations but i couldn be able to point what are theys . And it become as trouble for me .


Many thanks for everyting , for you and Dave  Curry. 

I will be waiting for your reply and i believe that at the end , i will solve ,catch my faults / mistakes.

Thank you.  

 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/73540485-587f-41a7-86f6-89c6ff4796fe%40apereo.org.

[Andy Ng]

Hi there,

Yup no problem, we are all helping each other at this group here :)

> it seems to me you need to fix this: 07-Nov-2019 05:57:51.789 WARNING [main] com.hazelcast.instance.HazelcastInstanceFactory.null

To David: I tried not fixing this warning and Hazelcast is still working. Although we do need to fix it at some point, but seems like it is not the factor that fatally affect Hazelcast.

> instantname.... need to be different per server

I would like to apology about this statement, I actually tried configured the instantName as `localhost` in both of my CAS server and it works just fine, seems like no need to use different name.

> If it is possible could you please share your env details

I am afraid I can't share most of the detail for you, because of security concern and part of the architecture is not configured by me...

I do built an complete working CAS 6.1.1 and Hazelcast example on github, but I built it using docker and docker-compose so you would need to installed both for you to test out my example.

If you are interested, you can check it out here: https://github.com/NgSekLong/SelectUrCAS/tree/test_hazelcast_example_20191108

And start the example using:

docker-compose -f docker-compose.yml -f ./source/authentication/json-whitelist/docker-compose.yml -f ./source/ticket-registry/hazelcast/docker-compose.yml -f ./source/cas-client/phpcas/docker-compose.yml -f ./source/service-registry/json-1001/docker-compose.yml -f ./source/nginx-load-balancer/docker-compose.yml up --scale cas_server=2

And you should see 2 cas servers, 1 nginx server, and 1 phpcas client by executing this command: docker ps -a

CONTAINER ID        IMAGE                        COMMAND                   CREATED             STATUS              PORTS                            NAMES

7abb965242fb        nginx:1.17                   "nginx -g 'daemon of…"    54 seconds ago      Up 48 seconds       80/tcp, 0.0.0.0:8443->8443/tcp   project-all-cas_nginx_1

51e7bef94e28        project-all-cas_cas_server   "/bin/sh -c \"/cas-ov…"   59 seconds ago      Up 54 seconds       8080/tcp, 8443/tcp               project-all-cas_cas_server_2

1465fbbe230f        project-all-cas_phpcas       "docker-php-entrypoi…"    59 seconds ago      Up 52 seconds       0.0.0.0:51515->80/tcp            project-all-cas_phpcas_1

4a3194e0a187        project-all-cas_cas_server   "/bin/sh -c \"/cas-ov…"   59 seconds ago      Up 54 seconds       8080/tcp, 8443/tcp               project-all-cas_cas_server_1

- Add 127.0.0.1 cas.example.org into your host file

- Go to http://cas.example.org:51515/  and click Log In

You can use docker stop and docker start to mimic server each server down one by one.

See if the above helps you...

Cheers!

Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/57c93b39-e8c9-412d-8a8f-b4774e76f438%40apereo.org.

[M.Pedis]

Hi Dave ,

Thanks for your reply .

• I have not done this with Tomcat 9 / Java 11 or CAS 6.x,  but it seems to me you need to fix this: --
•  I just wanted to build my env with latest versions and patches . Cause my aim , i used ubuntu 1804 , tomcat 9.0.26 and CAS latest branch/master deployment.
  

• Also, are you sure the port 5701 is open in the firewall on both hosts? If it's not, the Hazelcasts can't talk to each other.

• Yes , i am sure . I try to connect their ports ( casuno and casdos ) with port 5701 via telnet , both them connected. And they are in same subnet also , for ex ;
  
• VIP : LB : casnlb : 172.16.100.100 ( casnlb.xxxx.edu.tr --- telnet 5701 is unsuccessful . , is that normal , virtual ip should be listen port 5701 or not ? ) ( I understood that they dont need to communicate via LB ip or domain name , the just communicate each other via their cluster member name )
  
• casuno    : first cas server :      172.16.100.110  ( casunoxxxx.edu.tr --- telnet 5701 is successful .  from casdos to casuno and from casuno to casuno , they have proper dns A record and both sites telnet connections are successful )
  
• casdos    : second cas server : 172.16.100.120 ( casdosxxxx.edu.tr --- telnet 5701 is successful .  from casuno to casdos and from casdos to casdos , they have proper dns A record and both sites telnet connections are successful )

• Are the host names you're using to configure the Hazelcast members the actual names of the hosts that resolve to their direct IP addresses?  ( Yes , servers are Ubuntu 1804 and their hostname are casuno and casdos , They have DNS A record in our DNS Server , and they are able to communicate each other via their's domain name .  
  
• Or do they resolve to the load balancer?  ( LB also has DNS record . I mentioned about records above )
  
• You want them talking directly to each other, not through the load balancer (it's an entirely "back end" conversation that doesn't involve the client.) ( They are talking , communicate each other directly , not through LB , i tried telnet to LB domain name -- casnlb with port 5701 but it was unsuccessful )

Last ; --add-modules java.se --add-exports java.base/jdk.internal.ref=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.nio=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

Yes you are right , it is totatly about configuration of java ,, i search in google and it is redirected me stackoverflow and some other sites , i also try to add these modules to java but couldnt add.

If it is possible could you please share your env details . For ex , what is your LB , which method do you use , which version CAS do you have , also Cas-management , how your cas hazelcast configured , and similar things?

Thanks for everything .

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3d44afe7-cc92-44ee-a1cc-c5a6ef560eb0%40apereo.org.

[Ray Bon]

As far as I understand hazelcast, it is distributed but not replicated (though their documentation is unclear to me). When a CAS node comes down, the tickets are lost. Ticket storage is done by hazelcast to even out the load on each hazelcast node.

Does this behaviour happen for every login, or ever other login (i.e., 50% of the time)?

It may be possible to set up hazelcast in a replicated state, or you could set up a separate hazelcast cluster that would be unaffected by CAS uptime.

Another thing to consider is CAS uptime/downtime. Most applications maintain their own session, so once a user has logged in, they will be good until the application session ends. How many users will experience the repeated login when a CAS node goes down? Annoying, yes, but infrequent.

Ray

On Fri, 2019-11-08 at 01:08 -0800, M.Pedis wrote:

Hi Andy ,

Thanks for your reply .

• From your error logs seems like you are using 6.2.0-SNAPSHOT version of CAS. -- Yes , u are right.  I have changed my version 6.1.1
  
  • With your advice ; i cloned and build cas with version 6.1.1 ---  ( git clone -b 6.1 --single-branch https://github.com/apereo/cas-overlay-template.git , added dependincies , build ,etc.)
    
• Another thing is that for your latest properties file, you seems to remove the instanceName property  --- I hope i add this properties to right one ( cas.properties file ) , if not could you please warn / inform me ? 
  
  • I add to cas.properties file --- cas.ticket.registry.hazelcast.cluster.instanceName:     casuno.xxxxx.edu.tr , ( for second one , cas.ticket.registry.hazelcast.cluster.instanceName:     casdos.xxxxxx.edu.tr )
    

After that changes , i tested but it forced me login again , redirect to home page -- ( i mean that , i logon casuno successfully then stop its service from netscaler , i hope casdos - the second cas - will handle the request and not ask me credentials but it asked again)

• I use hazelcast for our production deployment, and I configured instanceName property for it to work, so you should try adding back the instanceName. Of course, instanceName need to be different for each server, that part I think you already know.
  • I understood that you have a running HA configured CAS SSO enviroment for your company/university or where you work for . If it is possible could you please share your env details . For ex , what is your LB , which method do you use , which version CAS do you have , also Cas-management , how your cas hazelcast configured , and similar things?
    

 I just try to catch my fault/ mistake . I think i have some misconfigurations but i couldn be able to point what are theys . And it become as trouble for me .


Many thanks for everyting , for you and Dave  Curry. 

I will be waiting for your reply and i believe that at the end , i will solve ,catch my faults / mistakes.

Thank you.  

 

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c0267e5dd5fcbb364a78df9f6c76c1247e0c0e2f.camel%40uvic.ca.

['Maksim Kopeyka' via CAS Community]

Hi M.Pedis,

Did you solve problem with Null input buffer? I have the same exception.

On Thursday, November 7, 2019 at 1:40:54 PM UTC+2, M.Pedis wrote:

Hi Dave ,

2019-11-07 06:02:21,471 ERROR [org.apereo.cas.web.flow.executor.EncryptedTranscoder] - <Null input buffer>

java.lang.IllegalArgumentException: Null input buffer
        at javax.crypto.Cipher.doFinal(Cipher.java:2198) ~[?:?]

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6ab29ff-3ae7-486d-9379-4b9ecaaf05fa%40apereo.org.

[Morning Star]

Can anyone help me if you address the null issue?

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/18b50054-ae9e-444c-be92-f7c5cc15d64an%40apereo.org.

[Meysam Shirazi]

Hi everyone,

About "Null input buffer" issue, I think it can be solved by adding these two keys in your cluster nodes:

cas.webflow.crypto.signing.key=<Secret key for signing>

cas.webflow.crypto.encryption.key=<Secret key for encryption>

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3a839d04-9e3a-4c60-b2c0-58a12b453611n%40apereo.org.

[Baba Ndiaye]

Hi @Pedis

i'm working on hazelcast for CAS custer (I already have 4 CAS that works well) but i want an HA system.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1f288151-6de8-4b08-babd-3a6ebf60e7d5n%40apereo.org.