cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: replication behind load balancer
I haven't started playing with replication part yet, but can see if the
BigIP part is involved - care to send me the relevant parts of your
/config/bigip.conf, as well as your 'ifconfig -a' and 'netstat -rn'
output from the 10.41.0.x units as well? Looks like they may be
routing through the BigIP instead of going direct, and the BigIP
is SNATting things.
We dealt with SNAT stuff already in order to get a single Cosign blade to
communicate properly with Shibboleth origin blades.
I added the opposite blade's IP address to the /etc/hosts file on each
blade. Now, communication between cosignd processes is not crossing the
load balancer, so I think I am just dealing with cosign configuration
issues at this point.
The documentation is a little thin on replication. What should the
cosign.conf file contain on each host? Now that I can use the host names
of the individual blades, I created client certs for 'cosign11' and
'cosign12'. I have tried various permutations in the cosign.conf file, but
I still get the error "f_starttls: No access for cosign1" in the log
file. I get a "CHILD xxxxx talking to itself" error in the other host's
log file. I was also getting a "cosign is not a daemon" error at some
Can someone tell me more about these errors?