cosign-discuss at umich.edu
general discussion of cosign development and deployment
replication behind load balancer
I am having trouble getting replication to work behind a load balancer. I
have two Linux blades with addresses 10.41.0.11 and 10.41.0.12 behind an F5
load balancer. I configured cosign so that it works on either blade, but I
am having problems getting the cosignd processes to talk to each other. I
started cosignd and monster with the following commands:
On 10.41.0.11:
cosignd -d -F local5 -h 10.41.0.12
monster -d -F local5 -h 10.41.0.12
On 10.41.0.12:
cosignd -d -F local5 -h 10.41.0.11
monster -d -F local5 -h 10.41.0.11
Here is the error from /var/log/cosignd.log on 10.41.0.12:
Mar 23 15:03:48 cosign12 cosignd[14293]: connect: 132.235.51.142
Mar 23 15:03:48 cosign12 cosignd[14293]: f_starttls: No access for 10.41.0.11
Mar 23 15:03:48 cosign12 cosignd[11950]: child 14293 exited with 1
The 132.235.51.142 address is a virtual address for outgoing traffic from
the load balancer that originated on one of the blades.
One problem is the client certificate. Originally, I had certificates with
CN=weblogin.ohio.edu, which is the host name associated with the load
balanced pool. This caused a problem when I started cosignd on each blade
because the CN didn't match the hostname/IP address of the individual
blade. I created new client certs on each host with the IP address of the
host as the CN.
Here are the contents of my cosign.conf file on each host:
cgi weblogin.ohio.edu
service shibboleth.ohio.edu 0
service weblogin.ohio.edu 0
cosignHostname weblogin.ohio.edu
Has anyone been able to get cosign to work behind an F5 load balancer? Is
this even how cosign replication is intended to work?
Thanks,
Dave
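An added diagnostic script, not part of the post above and not cosign's own code, that pairs each cosignd child's "connect:" source address with the identity it was refused for, so a mismatch between the address cosignd actually sees (a load balancer's outbound virtual address) and the configured replication peers stands out. The log line format is taken from the excerpt in the post; the expected-peer list, the pairing of events by child PID, and the sample log are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, shaped after the /var/log/cosignd.log excerpt in the post.
SAMPLE_LOG = """\
Mar 23 15:03:48 cosign12 cosignd[14293]: connect: 132.235.51.142
Mar 23 15:03:48 cosign12 cosignd[14293]: f_starttls: No access for 10.41.0.11
Mar 23 15:03:48 cosign12 cosignd[11950]: child 14293 exited with 1
"""

# Assumed: the replication peers this node expects, i.e. the hosts passed to cosignd -h.
EXPECTED_PEERS = {"10.41.0.11", "10.41.0.12"}

# Matches "connect: <addr>" and "f_starttls: No access for <identity>" per child PID.
LINE_RE = re.compile(r"cosignd\[(\d+)\]: (connect|f_starttls): (?:No access for )?(\S+)")


def find_peer_mismatches(log_text, expected_peers):
    """Return one finding per cosignd child that logged both a connect source
    address and a TLS access refusal. A finding whose source address is not an
    expected peer points at address translation between the blades."""
    by_pid = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # e.g. the "child ... exited" line
        pid, kind, addr = m.groups()
        by_pid[pid][kind] = addr
    findings = []
    for pid, events in by_pid.items():
        source = events.get("connect")
        refused = events.get("f_starttls")
        if source is None or refused is None:
            continue
        findings.append({
            "pid": pid,
            "source": source,
            "refused_identity": refused,
            "source_is_expected_peer": source in expected_peers,
        })
    return findings


if __name__ == "__main__":
    for f in find_peer_mismatches(SAMPLE_LOG, EXPECTED_PEERS):
        status = "known peer" if f["source_is_expected_peer"] else "NOT a configured peer"
        print(f"child {f['pid']}: connection from {f['source']} ({status}), "
              f"refused for identity {f['refused_identity']}")
```

Run it against the real log to confirm whether the refused connections arrive from a configured peer address or from the load balancer's virtual address.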