[SR-Users] xcap server - http load–balancer: xcap authentication problem

laura testi lau.testi at gmail.com
Thu Jun 30 16:10:30 CEST 2011


Thank you very much Daniel! It works!

Following your suggestion, I have set the following parameters in the
kamailio.cfg in both servers:

modparam("auth", "secret", "samesecretparam")
modparam("auth", "nonce_expire", 1800)
modparam("auth", "nonce_auth_max_drift", 300)
modparam("auth", "one_time_nonce", 0)


Now all xcap requests are authenticated successfully and it works! Thanks
again!

After some tests, now we are facing another problem with multiple presence
servers integrated with XCAP servers in integrated mode. We have configured
2 kamailio servers as both presence server and xcap server with the same
backend DB in another machine (thank you for your great guide on
http://kb.asipto.com/kamailio:presence:k31-made-simple). In front we have
setup a dispatcher for SIP load balancing and apache for http (xcap) load
balancing.

It seems the presence server handles the publish/subscribe/notify events with
the following tables:
- active_watchers (using local cache and update the local cache to db
periodically)
- presentity (using local cache and update to db immediately)
- watchers (db)
- xcap (db)

We have met 2 problems:

   1. When a subscription is created in one server (in active_watchers in
   local cache) and the publish related to the same subscription goes to
   another server (presentity), with fallback to db, only the first publish
   works (it generates a notify with C-SEQ increased by one). When it receives
   another publish, it always generates the notify with the same C-SEQ, and the
   SIP Client ignores it. The problem is that the subscription is in the cache
   of another server and it periodically updates it to db. When the publish
   related to this subscription goes to another server, the C-SEQ in the local
   cache is not increased. To work around it, we have configured the Dispatcher
   to use hashing over URI for all presence related messages. In this way, it
   seems all messages related to the same subscription go to the same presence
   server, so the c-seq is increased correctly. Is it the correct way to work with
   multiple presence servers?
   2. pres_refresh_watchers triggered by xcap message in another presence
   server: the hashing over to uri in dispatcher workaround seems to
   solve the first problem for SIP/SIMPLE messages, but we have the same kind
   of problem for xcap messages. For example, a subscription is in a local cache
   of one server, and the incoming xcap message related to the same
   subscription goes to another server, and this message triggers the
   pres_update_watchers pres_refresh_watchers presence functions from the
   configuration script in the server where there is no subscription in the
   local cache, then it sends the wrong notify message. This can happen when a
   user adds/removes a contact, and the SUBSCRIBE goes to one server and XCAP PUT
   goes to another server. Unfortunately there is no DB mode only in PRESENCE
   module like REGISTRAR module. The fallback to db can't help either for point
   1 or for point 2. Can you help please?



Thank you in advance!



Best Regards,
Laura


On Tue, Jun 28, 2011 at 8:43 PM, Daniel-Constantin Mierla <miconda at gmail.com
> wrote:

>  Hello,
>
>
>
> On 6/28/11 6:33 PM, laura testi wrote:
>
> Hello all,
>
> I’m using two Kamailio Presence Servers that are also XCAP Servers for the
> presence and resources management and the Kamailio Dispatcher in order to
> balance the SIP requests coming from SIP Client.
>
> Then I’m trying to configure a HTTP load–balancer for the xcap/http
> traffic.
>
> I’m testing both Apache and Nginx HTTP proxy but I’m facing a problem
> related with the Xcap authentication:
>
> when a client sends the first xcap request to the http load-balancer, it
> forwards the request to one of the configured Xcap Servers that replies with
> the 401 response in order to let the client authenticate. So, the client
> sends the second request with the Digest authentication to the http
> load-balancer. But, sometimes, the http load-balancer forwards the
> authenticated request to the second Xcap Server that is not able to
> authenticate the request.  Then the client receives the “Unauthorized”
> response…
>
>
>
> Could you please give us some hints about this problem?
>
>
> you have to set the same value to secret parameter of auth module:
> http://kamailio.org/docs/modules/stable/modules/auth.html#auth.secret
>
> Also be sure the two servers have the same time (use ntp or so) and the
> one_time_nonce parameter to auth module is off (not enabled).
>
> Then it should work.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- http://www.asipto.com -- http://linkedin.com/in/miconda -- http://twitter.com/miconda
>
>
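Added example (not part of the original thread and not Kamailio's code): a simplified Python model of why the advice above makes digest authentication work behind an HTTP load balancer. The nonce layout (issue timestamp plus HMAC-SHA256) and the `XcapNode` class are assumptions for illustration; only the parameter names and their values come from the messages above.

```python
import hashlib
import hmac
import struct


class XcapNode:
    """Toy stateless digest-nonce issuer/verifier (not Kamailio's real nonce layout)."""

    def __init__(self, secret, nonce_expire=1800, max_drift=300, one_time=False):
        self.secret = secret
        self.nonce_expire, self.max_drift = nonce_expire, max_drift
        self.one_time = one_time
        self.outstanding = set()  # per-node memory, never shared between servers

    def _mac(self, stamp):
        return hmac.new(self.secret, stamp, hashlib.sha256).digest()[:16]

    def issue(self, now):
        """Return the nonce sent in the 401 challenge: issue time plus a keyed MAC."""
        stamp = struct.pack(">I", now)
        nonce = (stamp + self._mac(stamp)).hex()
        if self.one_time:
            self.outstanding.add(nonce)
        return nonce

    def check(self, nonce, now):
        """Validate the nonce echoed by the client in its Authorization header."""
        try:
            raw = bytes.fromhex(nonce)
        except ValueError:
            return "malformed"
        if len(raw) != 20:
            return "malformed"
        stamp, mac = raw[:4], raw[4:]
        if not hmac.compare_digest(mac, self._mac(stamp)):
            return "bad-mac"            # issued under a different secret, or forged
        issued = struct.unpack(">I", stamp)[0]
        if issued - now > self.max_drift:
            return "clock-drift"        # issuer's clock is too far ahead of ours
        if now - issued > self.nonce_expire:
            return "expired"
        if self.one_time:
            if nonce not in self.outstanding:
                return "unknown-or-replayed"  # this node never issued it, or it was used
            self.outstanding.remove(nonce)
        return "ok"

a, b = XcapNode(b"samesecretparam"), XcapNode(b"samesecretparam")  # two balanced servers
print(b.check(a.issue(1000), 1005))  # challenge from a, credentials land on b
```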