From Newroco tech docs
Revision as of 07:21, 2 July 2018 by Emilian.mitocariu (Keepalived)

Install Tomcat 8

  apt-get install openjdk-8-jdk
  apt-get install tomcat8

Copy certificates from proxy with rsync

The script below runs as root on the CAS server and logs in to the proxy as <user>, so root's SSH public key (from /root/.ssh on the CAS server) must be added to that user's authorized keys on the proxy, and <user> must be allowed to run /usr/bin/rsync through sudo (that is what --rsync-path asks for). Create the script /opt/bin/letsencrypt_sync:

  #!/bin/bash
  # pull the proxy's Let's Encrypt tree; stdout and stderr both go to the log
  /usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1
  # repackage chain and private key as a PKCS12 keystore under the alias "tomcat"
  openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
  service tomcat8 restart

Make it executable. Note that pass:<password> on the openssl command line is visible to every local user in the process list while the export runs (openssl also accepts -passout file:<path> to read the password from a root-only file), and that the resulting .p12 contains the private key, so it must not be world-readable; Tomcat only needs it readable by the tomcat8 user.

  1. chmod +x /opt/bin/letsencrypt_sync

Install rsync if it is not already installed

  apt-get install rsync

Run the script for the initial copy

  /opt/bin/letsencrypt_sync

Create a crontab entry for automatic copies

  crontab -u root -e

And add this to the file:

  0 0 * * * /opt/bin/letsencrypt_sync
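A more defensive version of the sync script, added here as an example (it is not the page's script and not Newroco's code): it restarts Tomcat only when the certificate actually changed, refuses to build a keystore from a chain whose public key does not belong to the private key, reads the PKCS12 password from a root-only file instead of the command line, and never leaves a half-written keystore in place. The paths are the ones used on the page; the variable names PROXY_USER, PROXY_HOST, P12_PASS_FILE and STATE_FILE, the --run switch, and the assumption that the Debian tomcat8 package runs Tomcat as user tomcat8 are mine.

```shell
#!/bin/bash
# Added example, not the page's /opt/bin/letsencrypt_sync: same sync flow with
# change detection, a key/cert consistency check and an atomic keystore swap.
# Variable names below are assumptions; the paths are the ones used on the page.
set -u

PROXY_USER=${PROXY_USER:-"<user>"}           # placeholder, as on the page
PROXY_HOST=${PROXY_HOST:-"<proxy-ip>"}       # placeholder, as on the page
SRC_DIR=${SRC_DIR:-"/etc/letsencrypt-proxy/live/<domain>"}
P12_OUT=${P12_OUT:-/opt/bin/fullchain_and_key.p12}
P12_PASS_FILE=${P12_PASS_FILE:-/root/.p12-password}   # assumed: one line, mode 0600, same value as keystorePass
STATE_FILE=${STATE_FILE:-/var/lib/letsencrypt_sync.sha256}   # assumed location
LOG=${LOG:-/var/log/letsencrypt_sync.log}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# True when the digest of certificate $1 differs from the digest recorded in $2
# (or nothing has been recorded yet), i.e. Tomcat needs a new keystore.
cert_changed() {
    local new_digest old_digest
    new_digest=$(sha256sum "$1" | cut -d' ' -f1)
    old_digest=$(cat "$2" 2>/dev/null || true)
    [ "$new_digest" != "$old_digest" ]
}

# True when the public key inside certificate $1 is the one belonging to private key $2.
# A chain and key from different renewals would otherwise yield a keystore Tomcat rejects.
keypair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when certificate $1 is still valid for at least $2 seconds (default: 7 days).
cert_not_expiring() { openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null; }

main() {
    local chain="$SRC_DIR/fullchain.pem" key="$SRC_DIR/privkey.pem" tmp="$P12_OUT.tmp.$$"

    # Same rsync as on the page; both streams go to the log (">> log 2>&1", not "2>&1 >> log").
    if ! /usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" \
            "$PROXY_USER@$PROXY_HOST:/etc/letsencrypt/" /etc/letsencrypt-proxy/ >>"$LOG" 2>&1; then
        log "rsync from $PROXY_HOST failed; keeping the current keystore"; return 1
    fi

    if ! cert_changed "$chain" "$STATE_FILE"; then
        log "certificate unchanged; no restart"; return 0
    fi
    if ! keypair_matches "$chain" "$key"; then
        log "fullchain.pem and privkey.pem do not belong together; keeping the current keystore"; return 1
    fi
    cert_not_expiring "$chain" || log "warning: the synced certificate expires within 7 days"

    # Build the keystore in a temp file and move it into place only on success,
    # so a failed export can never leave Tomcat with a truncated .p12.
    if ! openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$tmp" -name tomcat \
            -passout "file:$P12_PASS_FILE"; then
        rm -f "$tmp"; log "openssl pkcs12 export failed"; return 1
    fi
    chown root:tomcat8 "$tmp" && chmod 640 "$tmp" && mv -f "$tmp" "$P12_OUT"   # readable by Tomcat only
    sha256sum "$chain" | cut -d' ' -f1 >"$STATE_FILE"
    log "new keystore installed; restarting tomcat8"
    service tomcat8 restart >>"$LOG" 2>&1
}

# Run the sync only when invoked with --run (e.g. from cron), so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

With this variant the crontab line becomes `0 0 * * * /opt/bin/letsencrypt_sync --run`, and a nightly run that finds the certificate unchanged leaves Tomcat alone instead of restarting it every midnight.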

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment the HTTPS connector and adjust it as follows (use the same password as in the script above):

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
             keystorePass="<password>"
             />

sslProtocol="TLS" leaves the choice of TLS version to the JVM; if you need to pin it, the Tomcat 8 connector also accepts sslEnabledProtocols (for example "TLSv1.2") and ciphers attributes.

Restart Tomcat (service tomcat8 restart) and the server should answer at https://server-ip:8443. The certificate was issued for <domain>, so connect by that name; by IP address the browser will warn about a name mismatch.
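Once Tomcat is back it is worth confirming that the listener really presents the certificate from the keystore you just built, and that the chain it sends validates. The following is an added example, not code from the page: it compares the SHA-256 fingerprint of the leaf certificate inside the .p12 with the one served on port 8443 and then checks the verify result. The function names and the password-file location are assumptions; the password file is one line holding the keystorePass value.

```shell
#!/bin/bash
# Added example: check that the certificate Tomcat presents on 8443 is the one in
# the PKCS12 keystore built by the sync script, and that its chain validates.
# Function names and the password-file location are assumptions, not from the page.
set -u

# SHA-256 fingerprint of the leaf certificate stored in PKCS12 file $1; $2 is a file
# whose first line holds the keystore password (openssl's "file:" passphrase source).
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "file:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of a PEM certificate $1 (to cross-check the fullchain.pem source).
pem_cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# SHA-256 fingerprint of the leaf certificate served at $1:$2 when asking for SNI name $3.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when the chain served at $1:$2 validates against the local CA store for name $3.
served_chain_verifies() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 '
}

# Usage: verify_tomcat_tls <host> <port> <server-name> <keystore.p12> <password-file>
# Returns 0 on success, 1 on a fingerprint mismatch, 2 when the chain does not validate.
verify_tomcat_tls() {
    local expected actual
    expected=$(p12_cert_fingerprint "$4" "$5")
    actual=$(served_cert_fingerprint "$1" "$2" "$3")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "MISMATCH: keystore has ${expected:-nothing readable}, $1:$2 serves ${actual:-nothing}"; return 1
    fi
    if ! served_chain_verifies "$1" "$2" "$3"; then
        echo "WARNING: fingerprint matches but the chain does not validate (missing intermediate?)"; return 2
    fi
    echo "OK: $1:$2 serves $actual with a valid chain"
}

# Example invocation with the page's placeholders:
# verify_tomcat_tls <server-ip> 8443 <domain> /opt/bin/fullchain_and_key.p12 /root/.p12-password
```

A fingerprint mismatch after a restart usually means Tomcat is still running the old process or server.xml points at a different keystoreFile; a verify failure with a matching fingerprint means the bundled chain is incomplete. On OpenSSL builds that do not load the system CA store by default, add -CAfile /etc/ssl/certs/ca-certificates.crt to the s_client calls.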

Install CAS

First we need to install Maven.

  apt-get install maven

Create a directory for the CAS build and, inside it, a file named pom.xml. The content of pom.xml for the latest CAS version can be taken from

  mkdir ~/cas
  vi ~/cas/pom.xml

If you want CAS to authenticate against LDAP, add this to pom.xml inside the <dependencies> tag:

  <dependency>
      <groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>${cas.version}</version>
  </dependency>

Now go to the ~/cas directory, let Maven download and package CAS, and copy the resulting cas.war into Tomcat's webapps directory:

  cd ~/cas
  mvn clean package
  cp target/cas.war /var/lib/tomcat8/webapps/
  service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS

If the Samba/LDAP server uses a self-signed certificate, copy it (from /var/lib/samba/private/tls/samba-cert.pem on the Samba server) to /opt/bin/samba-cert.pem on the CAS server. Create a Samba user for CAS to bind with; it only needs to search the directory, so an ordinary unprivileged account is enough. Back on the CAS server, add a line to /etc/hosts so that the name used in the LDAP URL below resolves to the Samba server:

  samba-server-ip hostname.domain.local

Edit the /var/lib/tomcat8/webapps/cas/WEB-INF/classes/ file. If it contains a line like the following, comment it out: it enables a built-in static account (casuser with password Mellon) that anyone who knows the CAS defaults could log in with.

  cas.authn.accept.users=casuser::Mellon

And add this at the end of the file, adjusting the values for your environment (type AUTHENTICATED means CAS first binds as bindDn to look the user up, then binds again as that user with the password entered at login):

  cas.authn.ldap[0].type=AUTHENTICATED
  cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
  cas.authn.ldap[0].useSsl=true
  cas.authn.ldap[0].connectTimeout=5000
  cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
  cas.authn.ldap[0].userFilter=sAMAccountName={user}
  cas.authn.ldap[0].subtreeSearch=true
  cas.authn.ldap[0].usePasswordPolicy=true
  cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
  cas.authn.ldap[0].bindCredential=<cas-user-password>
  cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
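Because this file now carries a bind password, and because the static casuser account is a published default, it is worth linting the properties before restarting Tomcat. The following added example (not code from the page or from the CAS project) checks a properties file for an active cas.authn.accept.users line, an LDAP URL that is not ldaps://, useSsl not set to true, a bind credential that is empty or still the placeholder, a trustCertificates path that does not exist, and a file mode that lets other local users read the password. The function names are assumptions; the property names are the ones used above.

```shell
#!/bin/bash
# Added example, not from the page: lint a CAS properties file ($1) for the
# mistakes this section can leave behind. Function names are assumptions.
set -u

# Print the value of property $2 from file $1: comment lines ([#!]) are ignored,
# the key is everything before the first "=", and the last assignment wins.
prop() {
    awk -v key="$2" -F= '
        /^[ \t]*[#!]/ { next }
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); val = v }
        }
        END { if (val != "") print val }' "$1"
}

# Print one FAIL line per problem found in $1 and return 1 if there was any.
check_cas_properties() {
    local f="$1" rc=0 v mode

    # The demo account casuser/Mellon is a published default: it must stay commented out.
    if [ -n "$(prop "$f" cas.authn.accept.users)" ]; then
        echo "FAIL: cas.authn.accept.users is active (static demo account casuser/Mellon)"; rc=1
    fi

    # Bind credentials and user passwords travel to the directory: require ldaps:// and useSsl.
    v=$(prop "$f" 'cas.authn.ldap[0].ldapUrl')
    case "$v" in
        ldaps://*) ;;
        *) echo "FAIL: cas.authn.ldap[0].ldapUrl is '${v:-unset}', expected an ldaps:// URL"; rc=1 ;;
    esac
    if [ "$(prop "$f" 'cas.authn.ldap[0].useSsl')" != "true" ]; then
        echo "FAIL: cas.authn.ldap[0].useSsl is not true"; rc=1
    fi

    # The placeholder from the page must have been replaced by the real service-account password.
    v=$(prop "$f" 'cas.authn.ldap[0].bindCredential')
    case "$v" in
        ""|cas-user-password*|"<"*">")
            echo "FAIL: cas.authn.ldap[0].bindCredential is empty or still a placeholder"; rc=1 ;;
    esac

    # A self-signed LDAP certificate is only trusted if the file CAS is pointed at exists.
    v=$(prop "$f" 'cas.authn.ldap[0].trustCertificates')
    if [ -n "$v" ] && [ ! -r "${v#file:}" ]; then
        echo "FAIL: trustCertificates points to unreadable file '${v#file:}'"; rc=1
    fi

    # The file holds a password: other local users must not be able to read it.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *[1-7]) echo "FAIL: mode $mode lets every local user read the bind password"; rc=1 ;;
    esac

    return $rc
}

# Usage: check_cas_properties /var/lib/tomcat8/webapps/cas/WEB-INF/classes/<properties-file>
```

Run it after every edit of the properties file; a clean run prints nothing and exits 0, so it can also gate the tomcat8 restart in a deployment script.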

Change this line near the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml

  <Property name="baseDir">/etc/cas/logs</Property>

to

  <Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>

Tomcat never serves files under WEB-INF, so the logs are not reachable over HTTP, but the directory is removed whenever the exploded webapp is rebuilt from a new cas.war.

Add a cron job to delete old logs. Create /etc/cron.daily/cas-old-logs with this content:

  #!/bin/bash
  # remove CAS log files older than 10 days
  find /var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs -mtime +10 -type f -delete

Make it executable

  chmod +x /etc/cron.daily/cas-old-logs

Restart Tomcat

  service tomcat8 restart

Note: tomcat8 and its apps take a long time to fully restart.

Service registry

By default CAS authorizes any service whose URL starts with https:// or imaps:// (that is the pattern in /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json), so any HTTPS site on the internet can start a login through this CAS. For production, narrow it to the services that actually use this CAS, either by editing that file or by creating another file in the same folder with a similar format.

If CAS reports that a service is not authorized although a matching definition exists, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/ so that the JSON files in the services folder are loaded into the registry at startup:

  cas.serviceRegistry.initFromJson=true

If your LDAP server is case-insensitive but one of your services is case-sensitive, you may want to lower-case login usernames: LDAP accepts "User.Name" however the account name is capitalised in the directory, but the service would treat User.Name and the lower-case spelling as two different users.

To do this, add the following to the JSON file in /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service

  "usernameAttributeProvider": {
      "@class": "",
      "canonicalizationMode": "LOWER"
  }
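The page says to create another file "with similar format" but does not show one, so here is an added example (not from the page or the CAS project) that writes a definition authorizing a single application instead of every https:// URL, lower-cases the username as described above, and lets you test a serviceId pattern against candidate URLs before deploying it. The application host, the numeric id and the helper names are assumptions; the JSON keys, the RegexRegisteredService class and the DefaultRegisteredServiceUsernameProvider class are the CAS 5 ones. CAS evaluates serviceId as a Java regular expression; grep -E is only a stand-in for checking that anchors and escaped dots behave as intended, so keep patterns simple.

```shell
#!/bin/bash
# Added example, not from the page: generate a single-application service
# definition and check serviceId patterns against URLs. Names are assumptions.
set -u

# Write a RegexRegisteredService for the application at host $1 into directory $2
# under numeric id $3, following the <name>-<id>.json naming of the default file.
# Dots in the host are escaped for the regex, and the backslashes are doubled again
# because the value lives inside a JSON string.
write_service_json() {
    local host="$1" dir="$2" id="$3" name esc
    name=$(printf '%s' "$host" | tr -c 'A-Za-z0-9' '_')
    esc=$(printf '%s' "$host" | sed 's/\./\\\\./g')
    cat >"$dir/$name-$id.json" <<EOF
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://${esc}(:[0-9]+)?/.*",
  "name" : "$name",
  "id" : $id,
  "description" : "Only the application at https://$host may use this CAS",
  "evaluationOrder" : 1,
  "usernameAttributeProvider" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode" : "LOWER"
  }
}
EOF
}

# Print the serviceId regex stored in JSON file $1 with JSON escaping undone.
service_id_from_json() {
    sed -n 's/.*"serviceId" *: *"\(.*\)".*/\1/p' "$1" | sed 's/\\\\/\\/g'
}

# True when URL $2 is matched by serviceId pattern $1 (grep -E approximation of the Java regex).
service_allowed() { printf '%s\n' "$2" | grep -Eq "$1"; }

# Typical use on the CAS server (placeholders are assumptions):
# write_service_json app.example.org /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services 10000002
# service_allowed "$(service_id_from_json .../app_example_org-10000002.json)" https://app.example.org/login
```

Test the negatives as well as the positives: the pattern produced above rejects https://app.example.org.evil.test/, https://appXexample.org/ and plain http://, whereas the default ^(https|imaps)://.* accepts any HTTPS URL whatsoever. Remove or narrow HTTPSandIMAPS-10000001.json once your own definitions are in place, otherwise it keeps matching everything.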

Ticket expiration

To change how long a ticket-granting ticket stays valid, add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/ (the value is in seconds; 28800 is 8 hours):

  cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

Internal DNS records

If the CAS server and the other web services that use CAS for authentication sit behind the same proxy, they will probably need internal DNS records pointing to the internal IP of the proxy, so that traffic between them does not leave through the firewall and loop back in.


If you want a failover CAS, build a second server exactly as above and configure a floating IP with Keepalived as follows.


To set up Keepalived, install it on both servers:

  sudo apt-get install keepalived

Copy the Nagios plugin check_http to /usr/local/bin from /usr/lib/nagios/plugins on a server that has nagios-plugins installed (please do not install nagios-plugins on the CAS servers; that package pulls in many dependencies).

Finally create the following /etc/keepalived/keepalived.conf on the master. The health check must talk to the local Tomcat (hence -I 127.0.0.1), not to the floating address, otherwise the backup would be judging the master's health rather than its own; -H only supplies the host name for the request.

  global_defs {
      notification_email {
          <email>
      }
      notification_email_from <email>
      smtp_server <smtp-server-ip>
  }

  vrrp_script chk_apache {
      # check_http is called by full path: keepalived does not necessarily have /usr/local/bin in PATH
      script "/usr/local/bin/check_http -S -I 127.0.0.1 -H <cas-hostname> -u /cas/ -p 8443"
      interval 3    # check every 3 seconds
      weight 2      # add 2 points of priority if OK
  }

  vrrp_instance floating_ip {
      interface ens3        # the interface name on your server
      state MASTER
      virtual_router_id 31
      priority 101
      authentication {
          auth_type PASS
          auth_pass justatestpass
      }
      virtual_ipaddress {
          <floating-IP>
      }
      track_script {
          chk_apache
      }
  }

Create exactly the same file on the failover CAS, changing only the priority from 101 to 100. Keepalived uses only the first eight characters of auth_pass and sends it in clear in the VRRP advertisements, so it merely keeps an unrelated VRRP group on the same segment from joining this one; it is no defence against an attacker on that segment, so keep both nodes on a network you control.

Restart Keepalived

  service keepalived restart