Cas

From Newroco Tech Docs

Install Tomcat 8

apt-get install openjdk-8-jdk
apt-get install tomcat8

Copy certificates from proxy with rsync

Add the public key of the user that is going to copy the certificates to the /root directory. More details here: http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Create the script /opt/bin/letsencrypt_sync with this content:

#!/bin/bash
# Pull the certificate tree from the proxy (rsync runs under sudo on the proxy side).
# Both stdout and stderr go to the log; the redirection order matters, ">> file 2>&1".
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1

# Repack the synced chain and key into the PKCS12 the Tomcat connector reads.
# The live/ symlinks are relative, so they resolve inside /etc/letsencrypt-proxy/.
# <password> must match keystorePass in server.xml (see "Enable SSL" below).
openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>

# Tomcat only picks up the new keystore after a restart.
service tomcat8 restart

Make it executable

chmod +x /opt/bin/letsencrypt_sync

Install rsync if not already

apt-get install rsync

Run the script for initial copy

/opt/bin/letsencrypt_sync

Create a crontab for automatic copy

crontab -u root -e

And add this to the file:

0 0 * * * /opt/bin/letsencrypt_sync
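A variant of the sync script, added here as an example and not part of the original page, that rebuilds the keystore and restarts Tomcat only when the synced certificate has actually changed (the plain script above restarts Tomcat every night). It assumes the domain is passed as the first argument, that the <user>, <proxy-ip> and <password> placeholders are filled in, and uses a stamp file path chosen here rather than taken from the page.

```bash
#!/bin/bash
# Added example (not the page's script): same rsync + PKCS12 flow as
# /opt/bin/letsencrypt_sync, but the keystore is rebuilt and Tomcat restarted
# only when the synced certificate changed. Assumed: the domain is passed as
# $1, the placeholders below are filled in, and the stamp file path is a
# choice made here, not one from the page.
set -euo pipefail
PROXY_SRC="<user>@<proxy-ip>:/etc/letsencrypt/"
LOCAL_DST="/etc/letsencrypt-proxy"
KEYSTORE="/opt/bin/fullchain_and_key.p12"
export KEYSTORE_PASS="<password>"      # must equal keystorePass in server.xml
STAMP="/var/lib/letsencrypt_sync.sha256"
LOG="/var/log/letsencrypt_sync.log"

# Pull the certificate tree from the proxy; -l keeps live/ symlinks relative,
# so they resolve inside the local copy. Both output streams go to the log.
sync_from_proxy() {
    /usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" \
        "$PROXY_SRC" "$LOCAL_DST/" >> "$LOG" 2>&1
}

# Return 0 (changed) when the SHA-256 of file $1 differs from the digest stored
# in stamp file $2, recording the new digest; return 1 when it is unchanged.
cert_changed() {
    local pem="$1" stamp="$2" new old=""
    new=$(sha256sum "$pem" | cut -d' ' -f1)
    [ -f "$stamp" ] && old=$(cat "$stamp")
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$stamp"
}

# Repack chain + key into the PKCS12 the connector reads. The password is read
# from the environment (env:), so it does not appear in the process list.
build_keystore() {
    local live="$LOCAL_DST/live/$1"
    openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -out "$KEYSTORE" -name tomcat -passout env:KEYSTORE_PASS
    chown root:tomcat8 "$KEYSTORE" && chmod 640 "$KEYSTORE"   # key is inside
}

main() {
    sync_from_proxy
    if cert_changed "$LOCAL_DST/live/$1/fullchain.pem" "$STAMP"; then
        build_keystore "$1"
        service tomcat8 restart
    fi
}
# Run only when a domain is given: /opt/bin/letsencrypt_sync <domain>
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Put this in the crontab entry in place of the plain script, passing the domain as the argument.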

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment the following section and adjust it (replace <password> with the one you used in the script above):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
               keystorePass="<password>"
               />

Restart Tomcat (service tomcat8 restart); it should now be reachable at https://server-ip:8443

Install CAS

First we need to install maven.

apt-get install maven

Create a directory for the CAS build and, inside it, a file pom.xml. The pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml

mkdir ~/cas
vi ~/cas/pom.xml

If you want CAS to authenticate against LDAP, add this to pom.xml inside the <dependencies> tag:

<dependency>
   <groupId>org.apereo.cas</groupId>
   <artifactId>cas-server-support-ldap</artifactId>
   <version>${cas.version}</version>
</dependency>

Now go to the ~/cas directory, build CAS and copy cas.war to Tomcat's webapps folder.

cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS

If the Samba/LDAP server uses a self-signed certificate, copy it (from /var/lib/samba/private/tls/samba-cert.pem) to /opt/bin/samba-cert.pem on the CAS server. Create a Samba user for CAS to bind with. Back on the CAS server, add a line to /etc/hosts:

samba-server-ip hostname.domain.local

Edit the file /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties. Comment out this line if present (it is the built-in static test account):

cas.authn.accept.users=casuser::Mellon

Then append the following, adjusted for your environment:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=<cas-user-password>
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem

Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml:

<Property name="baseDir">/etc/cas/logs</Property>

to:

<Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>

Add a cron job to delete old logs. Create the file /etc/cron.daily/cas-old-logs:

vi /etc/cron.daily/cas-old-logs

with this content:

#!/bin/bash
# Remove CAS log files older than 10 days; run-parts executes this once a day.
find /var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs -mtime +10 -type f -delete

Make it executable

chmod +x /etc/cron.daily/cas-old-logs

Restart Tomcat

service tomcat8 restart

Note: tomcat8 and its apps take a long time to fully restart.

Service registry

By default CAS allows all services that come from HTTPS or IMAPS. If you want to change that, modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create another file in the same folder with a similar format.

If CAS says that the service is not authorized even though it is defined, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

cas.serviceRegistry.initFromJson=true

If your LDAP server is case insensitive but one of your services is case sensitive, you might want to transform login usernames to lowercase: LDAP would accept "User.Name" even if the account is actually "user.name", but your service would see User.Name as a new user.

To do this, add the following to the JSON file in /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service:

"usernameAttributeProvider": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
  "canonicalizationMode": "LOWER"
}

Ticket Expiration

If you want to change the ticket-granting ticket expiration time, add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties (value in seconds):

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

Internal DNS records

If the CAS server and other web services that use CAS for authentication are behind the same proxy they will probably need internal DNS records pointing to the internal IP of the proxy to avoid loops in the firewall routing.

Failover

If you want a failover CAS, build a second server exactly as above and configure a floating IP with Keepalived as described below.

Keepalived

To set up Keepalived, install it on both servers:

sudo apt-get install keepalived

Copy the Nagios check "check_http" to /usr/local/bin from /usr/lib/nagios/plugins on a server that has nagios-plugins installed (please don't install nagios-plugins on the CAS servers; that package pulls in many dependencies).

Finally create the following /etc/keepalived/keepalived.conf on the master:

global_defs {
        notification_email {
                <email>
        }

        notification_email_from <email>
        smtp_server 127.0.0.1
}

vrrp_script chk_apache {
        script "check_http -S -H 127.0.0.1 -u /cas/ -p 8443"
        interval 3                      # check every 3 seconds
        weight 2                        # add 2 points of prio if OK
}

vrrp_instance floating_ip {
        interface ens3
        state MASTER
        virtual_router_id 31
        priority 101
        authentication {
            auth_type PASS
            auth_pass justatestpass
        }
        virtual_ipaddress {
                <floating-IP>
        }

        track_script {
            chk_apache
        }
}

Create exactly the same file on the failover CAS, just change priority from 101 to 100.