Cas

From Newroco tech docs

Install Tomcat 8

  apt-get install openjdk-8-jdk
  apt-get install tomcat8

Copy certificates from proxy with rsync

Add the public key of the user that is going to copy the certificates to the /root directory (more details at http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account). Then create the script /opt/bin/letsencrypt_sync:

  #!/bin/sh
  # Pull the Let's Encrypt tree from the proxy (rsync runs under sudo on the remote side); stderr is logged as well, so the redirections go in this order
  /usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1
  # Repackage the synced chain and key (read from the rsync destination above) as a PKCS12 keystore for Tomcat
  openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
  service tomcat8 restart

Make it executable

  chmod +x /opt/bin/letsencrypt_sync

Install rsync if it is not already installed

  apt-get install rsync

Run the script for initial copy

  /opt/bin/letsencrypt_sync

Create a crontab for automatic copy

  crontab -u root -e

And add this to the file:

  0 0 * * * /opt/bin/letsencrypt_sync

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment the following section and adjust it to your setup (replace the password with the one you used in the script above):

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
             keystorePass="<password>"
             />

Restart tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443

Install CAS

First we need to install Maven.

  apt-get install maven

Create a directory for the CAS build and in that directory create a file pom.xml. The content of pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml

  mkdir ~/cas
  vi ~/cas/pom.xml

If you want CAS to use LDAP, add this to pom.xml inside the <dependencies> tag:

  <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
  </dependency>

Now go to the ~/cas directory, build CAS (Maven downloads the overlay and its dependencies) and copy cas.war to Tomcat's webapps folder.

  cd ~/cas
  mvn clean package
  cp target/cas.war /var/lib/tomcat8/webapps/
  service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS

If the Samba/LDAP server is using a self-signed certificate, copy it (from /var/lib/samba/private/tls/samba-cert.pem on the Samba server) to /opt/bin/samba-cert.pem on the CAS server. Create a Samba user for CAS to bind with. Back on the CAS server, add a line in /etc/hosts:

  samba-server-ip hostname.domain.local

Edit the file /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties. If you find a line like this, comment it out (it enables the built-in static test account, which must not stay active on a production server):

  cas.authn.accept.users=casuser::Mellon

And add this at the end of the file, changing the values for your setup:

  cas.authn.ldap[0].type=AUTHENTICATED
  cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
  cas.authn.ldap[0].useSsl=true
  cas.authn.ldap[0].connectTimeout=5000
  cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
  cas.authn.ldap[0].userFilter=sAMAccountName={user}
  cas.authn.ldap[0].subtreeSearch=true
  cas.authn.ldap[0].usePasswordPolicy=true
  cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
  cas.authn.ldap[0].bindCredential=cas-user-passwords
  cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
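The two steps above (disabling the static casuser account and pointing CAS at LDAP over TLS with an explicit trust certificate) are easy to get half right. The following checker, an added example that is not part of this wiki page or of the CAS project, parses an application.properties file with a few lines of plain Python and reports the weak settings a reviewer would look for. The property names are the ones used on this page; the two embedded property files and the secret value are constructed samples.

```python
import re

# Constructed sample: the static account is still active, the LDAP URL is plain
# ldap:// with useSsl unset, and the bind password is still the placeholder.
WEAK_PROPERTIES = """\
cas.authn.accept.users=casuser::Mellon
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://hostname.domain.local
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=cas-user-passwords
"""

# Constructed sample of the configuration this page ends up with (secret is made up).
HARDENED_PROPERTIES = """\
#cas.authn.accept.users=casuser::Mellon
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=constructed-example-secret
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
"""

PLACEHOLDER_SECRETS = ("", "cas-user-passwords", "<password>")


def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' start comment lines.

    Splitting on the first '=' keeps values such as dc=DOMAIN,dc=LOCAL intact.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def ldap_indexes(props):
    """Distinct N found in cas.authn.ldap[N].* keys, sorted."""
    found = set()
    for key in props:
        m = re.match(r"cas\.authn\.ldap\[(\d+)\]\.", key)
        if m:
            found.add(int(m.group(1)))
    return sorted(found)


def audit(props):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    if "cas.authn.accept.users" in props:
        findings.append("static accept-users account still enabled: %s"
                        % props["cas.authn.accept.users"])
    for n in ldap_indexes(props):
        p = "cas.authn.ldap[%d]." % n
        url = props.get(p + "ldapUrl", "")
        use_ssl = props.get(p + "useSsl", "false").lower() == "true"
        if not url.startswith("ldaps://") and not use_ssl:
            findings.append(p + "ldapUrl is not ldaps:// and useSsl is not true: "
                            "bind and user passwords would cross the network in clear text")
        if (url.startswith("ldaps://") or use_ssl) and not props.get(p + "trustCertificates"):
            findings.append(p + "trustCertificates not set: a self-signed LDAP certificate "
                            "will only be accepted if it is in the JVM trust store")
        if "{user}" not in props.get(p + "userFilter", ""):
            findings.append(p + "userFilter does not contain {user}")
        if props.get(p + "bindCredential", "") in PLACEHOLDER_SECRETS:
            findings.append(p + "bindCredential is empty or still a placeholder")
    return findings


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label + ":", audit_text(text) or ["no findings"])
```

Run it against a real file with audit_text(open(path).read()); the checks are deliberately simple string tests, so extend PLACEHOLDER_SECRETS with whatever placeholder your own templates use.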

Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml

  <Property name="baseDir">/etc/cas/logs</Property>

to:

  <Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>

Restart tomcat

  service tomcat8 restart

Service registry

By default CAS authorizes every service whose URL starts with HTTPS or IMAPS. If you want to change that, modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create another file in the same folder with the same format.

If CAS says that the service is not authorized even though it is defined, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

  cas.serviceRegistry.initFromJson=true

If your LDAP server is case insensitive but one of your services is case sensitive, you might want to transform login usernames to lowercase: LDAP would accept "User.Name" even if the account is actually "user.name", but your service would see User.Name as a new user.

To do this, add the following to the JSON file in /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service:

  "usernameAttributeProvider": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
      "canonicalizationMode": "LOWER"
  }
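To see how the service registry decides which application is authorized and which username it receives, here is an added example (not code from this page or from the CAS project) that reads two constructed service definitions in the format of the files under WEB-INF/classes/services: a catch-all mirroring the default HTTPS-and-IMAPS entry, and a hypothetical application-specific entry at a lower evaluationOrder that carries the usernameAttributeProvider block above. It evaluates a service URL the way the registry does (serviceId is a regex, lowest evaluationOrder wins) and applies the canonicalization mode to the principal id; the example goes beyond the page by modelling several services at once.

```python
import json
import re
from dataclasses import dataclass

# Constructed: mirrors the default HTTPSandIMAPS-10000001.json definition.
CATCH_ALL = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder" : 10000
}"""

# Constructed: a hypothetical application-specific service with lowercase usernames.
APP_SERVICE = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.local/.*",
  "name" : "Example app",
  "id" : 100,
  "evaluationOrder" : 100,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER"
  }
}"""


@dataclass
class RegisteredService:
    name: str
    service_id: str          # regex from the JSON "serviceId" field
    evaluation_order: int
    canonicalization: str    # NONE, LOWER or UPPER


def load_service(text):
    data = json.loads(text)
    provider = data.get("usernameAttributeProvider", {})
    return RegisteredService(
        name=data["name"],
        service_id=data["serviceId"],
        evaluation_order=int(data.get("evaluationOrder", 0)),
        canonicalization=provider.get("canonicalizationMode", "NONE").upper(),
    )


def load_registry(texts):
    """Sort once at load time: the service with the lowest evaluationOrder is tried first."""
    return sorted((load_service(t) for t in texts), key=lambda s: s.evaluation_order)


def find_service(registry, url):
    """Return the first service whose serviceId regex matches the URL, or None if unauthorized."""
    for svc in registry:
        if re.match(svc.service_id, url):
            return svc
    return None


def released_username(service, principal_id):
    """Apply the service's canonicalizationMode to the authenticated principal id."""
    if service.canonicalization == "LOWER":
        return principal_id.lower()
    if service.canonicalization == "UPPER":
        return principal_id.upper()
    return principal_id


if __name__ == "__main__":
    registry = load_registry([CATCH_ALL, APP_SERVICE])
    for url in ("https://app.example.local/login",
                "https://other.example.local/",
                "http://app.example.local/login"):
        svc = find_service(registry, url)
        if svc is None:
            print(url, "-> NOT AUTHORIZED")
        else:
            print(url, "->", svc.name, "username:", released_username(svc, "User.Name"))
```

Note that the catch-all entry also matches the application URL; only its higher evaluationOrder keeps it from being chosen first, which is why a narrower service definition must be given a lower evaluationOrder than the default one.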

Ticket Expiration

If you want to change the ticket expiration time you can add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

  cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

Internal DNS records

If the CAS server and other web services that use CAS for authentication are behind the same proxy they will probably need internal DNS records pointing to the internal IP of the proxy to avoid loops in the firewall routing.