Set up tomcat
1) install tomcat
2) download cas from http://www.jasig.org/cas
3) Extract the download and copy the war file from the modules folder to webapps folder in your tomcat root
4) Create a self-signed certificate with keytool (or get a certificate)
keytool -genkey -keyalg RSA -keysize 2048 -keystore c:\path\to\keystore.jks -alias mykey -validity <days>
Replace <days> with the number of days the certificate will be valid for.
Answer all the questions and put in a keystore password. This will be used in the tomcat configuration later.
Certain password characters like ampersands may need to be escaped in the tomcat config
5) Edit your server.xml
Add the following Connector under the <Server ...> tag (inside its <Service> element):
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass='<password here>' keystoreFile="C:/path/to/keystore.jks"/>
6) Restart Tomcat and the war should be deployed.
Config CAS
7) Open the webapps/cas-server-webapp-version/WEB-INF/deployerConfigContext.xml file and comment out the SimpleTestUsernamePasswordAuthenticationHandler bean, like this:
    <!--<bean
        class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />-->
8) Add the generic authentication method under the authenticationHandlers property:
    <bean class="org.jasig.cas.adaptors.generic.AcceptUsersAuthenticationHandler">
        <property name="users">
            <map>
                <entry key="testuser" value="test" />
            </map>
        </property>
    </bean>
9) Copy the cas-server-support-version.jar to the webapps/cas-server-webapp-version/WEB-INF/lib folder
10) Restart Tomcat
11) You should be able to log in by going to the following URL:
https://server-ip:8443/cas-server-webapp-version/login
Tips for the CAS clients to avoid redirect loops
CAS clients are pretty particular about SSL certificates. If the certificate is not trusted by the web application using your CAS server you may get redirect loops.
To avoid this, buy a certificate or put your self-signed certificate in the trusted store of the JVM on the computer where the web server runs.
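The keystore step and the trust-store tip above, put into one script (an added example, not code from the original post): it generates the self-signed keystore with keytool, exports the certificate, imports it into the client JVM's cacerts, and prints the server.xml Connector with the keystore password XML-escaped so characters like ampersands are safe. The file names, the alias cas-server and the hostname are assumptions.

```shell
#!/bin/sh
# Added example: keystore, client trust store and Connector for a CAS server.
# All paths and names below are hypothetical.

# Escape a value for use inside a double-quoted XML attribute (the "&" caveat).
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Render the server.xml Connector. Tomcat reuses keystorePass as the key
# password unless keyPass is set, so make_keystore uses one password for both.
render_connector() {   # $1 keystore path, $2 raw password
  _pass=$(xml_escape "$2")
  printf '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"\n'
  printf '           maxThreads="150" scheme="https" secure="true"\n'
  printf '           clientAuth="false" sslProtocol="TLS"\n'
  printf '           keystoreFile="%s" keystorePass="%s"/>\n' "$1" "$_pass"
}

# Self-signed key pair whose CN and SAN match the CAS hostname, so that
# hostname verification on the client passes once the cert is trusted.
make_keystore() {      # $1 keystore, $2 password, $3 hostname, $4 days
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias mykey \
    -dname "CN=$3" -ext "SAN=dns:$3" -validity "$4" \
    -keystore "$1" -storepass "$2" -keypass "$2"
}

# Export the public certificate (PEM) for distribution to CAS clients.
export_cert() {        # $1 keystore, $2 password, $3 output .cer file
  keytool -exportcert -rfc -alias mykey -keystore "$1" -storepass "$2" -file "$3"
}

# Import it into the client JVM's trust store (default password "changeit";
# on Java 8 that is $JAVA_HOME/jre/lib/security/cacerts) and verify it is there.
trust_cert() {         # $1 .cer file, $2 client trust store path
  keytool -importcert -noprompt -trustcacerts -alias cas-server \
    -file "$1" -keystore "$2" -storepass changeit
  keytool -list -alias cas-server -keystore "$2" -storepass changeit >/dev/null
}

# Usage: sh cas-tls.sh /opt/cas/keystore.jks 'p&ss' cas.example.com 365 /path/cacerts
if [ $# -eq 5 ]; then
  make_keystore "$1" "$2" "$3" "$4"
  export_cert "$1" "$2" cas-server.cer
  trust_cert cas-server.cer "$5"
  render_connector "$1" "$2"
fi
```

Run trust_cert on every machine hosting a CAS client, not on the CAS server itself; the redirect loop comes from the client JVM refusing the certificate.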
Helpful links
To set up CAS you need a good knowledge of SSL, Tomcat and Java keystores, especially if you want to do proxy authentication. The links below can shed some light on these concepts and related issues.
- Generating a self-signed cert with keytool : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2004193
- Tomcat /ssl set up : http://www.sslshopper.com/tomcat-ssl-installation-instructions.html
- Export certificate from IIS to tomcat : http://www.lazynetworkadmin.com/knowledgebase-mainmenu-6/2-windows/150-export-ssl-certificate-from-iis-and-import-into-tomcat
- Installing CAS on centos : http://stansantiago.wordpress.com/2011/07/21/installing-cas-server-on-centos/
- Tomcat / ssl config : http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Configuration
- Cas logs : http://stackoverflow.com/questions/9491459/jasig-cas-how-do-i-change-where-log-files-are-written-to
- Troubleshooting ssl errors : https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide
- Importing a trusted certificate with keytool : http://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
- SSLHandshakeException (pkix path building failed error) : http://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
- CAS services registry : https://wiki.jasig.org/display/CASUM/Configuring
- Explanation of CAS and proxy authentication : https://web.byu.edu/wiki/central-authentication-services-cas-0
- Working with trusted key stores : http://andyarismendi.blogspot.com/2012/01/changing-tomcats-ca-trust-keystore-file.html
- Keystore faq : http://www.instantssl.com/ssl-certificate-support/server_faq/ssl-server-certificate-java.html
- Converting .crt into .cer format : https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=808&ratingconfirm=1
- CAS protocol : http://www.jasig.org/cas/protocol