Cas

From Newroco Tech Docs
Jump to navigationJump to search

Install Tomcat 8

apt-get install openjdk-8-jdk
apt-get install tomcat8

Copy certificates from proxy with rsync

Add the public key of the user that is going to copy the certificates to the /root directory. More details here http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Create script /opt/bin/letsencrypt_sync:

/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ 2>&1 >> /var/log/letsencrypt_sync.log

openssl pkcs12 -export -in /etc/letsencrypt/live/<domain>/fullchain.pem -inkey /etc/letsencrypt/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>

service tomcat8 restart

Make it executable

chmod +x /opt/bin/letsencrypt_sync

Install rsync if not already

apt-get install rsync

Run the script for initial copy

/opt/bin/letsencrypt_sync

Create a crontab for automatic copy

crontab -u root -e

And add this to the file:

0 0 * * * /opt/bin/letsencrypt_sync

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment and change appropriately the next section(change password with what you used in script above):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
               keystorePass="<password>"
               />

Restart tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443

Install CAS

First we need to install maven.

apt-get install maven

Create a directory to download cas and in that directory create a file pom.xml. The content of pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml

mkdir ~/cas
vi ~/cas/pom.xml

If you want CAS to use LDAP then add this to pom.xml inside <dependencies> tag:

<dependency>
   <groupId>org.apereo.cas</groupId>
   <artifactId>cas-server-support-ldap</artifactId>
   <version>${cas.version}</version>
</dependency>

Now go to ~/cas directory, download CAS and copy cas.war to tomcats webapp folder.

cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS

If the samba/LDAP server is using a self-signed certificate copy it (from /var/lib/samba/private/tls/samba-cert.pem) to the CAS server in /opt/bin/samba-cert.pem. Create a samba user for CAS to use. Back on the CAS server, add a line in /etc/hosts:

samba-server-ip hostname.domain.local

Edit /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties file. Comment if you find a line like this:

cas.authn.accept.users=casuser::Mellon

And add this at the end of the file, changing it for your case:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=cas-user-passwords
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem

Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml

<Property name="baseDir">/etc/cas/logs</Property>

To

<Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>

Restart tomcat

service tomcat8 restart 

Note: tomcat8 and its apps take a long time to fully restart.

Service registry

By default CAS allows all services that come from HTTPS or IMAPS. If you want to change that you can modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create a another file in the same folder with similar format.

If CAS says that the service is not authorized even if it is, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

cas.serviceRegistry.initFromJson=true

If your LDAP server is case insensitive but one of your services is case sensitive you might want to transform login usernames to lowercase, as LDAP would accept "User.Name" even it is actually "user.name", but your service will see User.Name as a new user.

To do this add the following to the json file from /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service

"usernameAttributeProvider": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
  "canonicalizationMode": "LOWER"
}

Ticket Experation

If you want to change the ticket expiration time you can add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

Internal DNS recods

If the CAS server and other web services that use CAS for authentication are behind the same proxy they will probably need internal DNS records pointing to the internal IP of the proxy to avoid loops in the firewall routing.