Re: replication behind load balancer

[David Alexander <alexandd@xxxxxxxx>]

> I haven't started playing with replication part yet, but can see if the
> BigIP part is involved - care to send me the relevant parts of your
> /config/bigip.conf, as well as your 'ifconfig -a' and 'netstat -rn'
> output from the 10.41.0.x units as well?  Looks like they may be
> routing through the BigIP instead of going direct, and the BigIP
> is SNATting things.

We dealt with SNAT stuff already in order to get a single Cosign blade to 
communicate properly with Shibboleth origin blades.

I added the opposite blade's IP address to the /etc/hosts file on each 
blade.  Now, communication between cosignd processes is not crossing the 
load balancer, so I think I am just dealing with cosign configuration 
issues at this point.

The documentation is a little thin on replication.  What should the 
consign.conf file contain on each host?  Now that I can use the host names 
of the individual blades, I created client certs for 'cosign11' and 
'cosign12'.  I have tried various permutations in the cosign.conf file, but 
I still get the error "f_starttls: No access for cosign1[12]" in the log 
file.  I get a "CHILD xxxxx talking to itself" error in the other host's 
log file.  I was also getting a "cosign[12] is not a daemon" error at some 
point.

Can someone tell me more about these errors?

Thanks,
Dave