Cas: Difference between revisions
Revision as of 12:57, 16 June 2017
Install Tomcat 8
apt-get install openjdk-8-jdk
apt-get install tomcat8
Copy certificates from proxy with rsync
Add the public key of the user that is going to copy the certificates to the /root directory. More details: http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Create the script /opt/bin/letsencrypt_sync:
#!/bin/sh
# Pull the Let's Encrypt tree from the proxy (stdout and stderr both go to the log)
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt/ >> /var/log/letsencrypt_sync.log 2>&1
# Repackage certificate chain and private key as a PKCS12 keystore for Tomcat
openssl pkcs12 -export -in /etc/letsencrypt/live/<domain>/fullchain.pem -inkey /etc/letsencrypt/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
service tomcat8 restart
Run the script with sudo and then create a crontab for root.
crontab -u root -e
And add this to the file:
0 0 * * * /opt/bin/letsencrypt_sync
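As an added example (not the wiki's own script), here is a variant of /opt/bin/letsencrypt_sync that only rebuilds the keystore and restarts Tomcat when the synced certificate actually changed, and that reads the export password from a root-only file instead of passing it as pass:<password> on the command line, where it shows up in ps output and cron mail. The stamp file, password file, the "run" argument and the log timestamps are this example's own assumptions; <user>, <proxy-ip> and <domain> are placeholders as on the page.

```shell
#!/bin/sh
# Added example, not the wiki's script: nightly certificate sync for Tomcat
# that restarts only when /etc/letsencrypt/live/<domain>/fullchain.pem changed.
set -eu

PROXY="${PROXY:-<user>@<proxy-ip>}"            # placeholder, as on the page
DOMAIN="${DOMAIN:-<domain>}"                   # placeholder, as on the page
LIVE="/etc/letsencrypt/live/$DOMAIN"
KEYSTORE="/opt/bin/fullchain_and_key.p12"
PASSFILE="/opt/bin/keystore.pass"              # assumed: mode 0600, owned by root
STAMP="/var/lib/letsencrypt_sync.sha256"       # assumed: fingerprint last deployed
LOG="/var/log/letsencrypt_sync.log"

# Print the SHA-256 hex digest of a file.
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 (true) when FILE's fingerprint differs from the one recorded in
# STAMPFILE, or when nothing has been recorded yet; return 1 otherwise.
cert_changed() {
    file=$1; stampfile=$2
    [ -r "$stampfile" ] || return 0
    [ "$(cert_fingerprint "$file")" != "$(cat "$stampfile")" ]
}

# Record FILE's fingerprint in STAMPFILE after a successful deployment.
record_fingerprint() {
    cert_fingerprint "$1" > "$2"
}

# Rebuild the PKCS12 keystore; openssl reads the export password from PASSFILE
# (its file: password source), so it never appears in the argument list.
build_keystore() {
    umask 077
    openssl pkcs12 -export \
        -in "$LIVE/fullchain.pem" -inkey "$LIVE/privkey.pem" \
        -out "$KEYSTORE" -name tomcat -password "file:$PASSFILE"
}

main() {
    # stderr is redirected after stdout, so both end up in the log.
    /usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" \
        "$PROXY:/etc/letsencrypt/" /etc/letsencrypt/ >> "$LOG" 2>&1
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if cert_changed "$LIVE/fullchain.pem" "$STAMP"; then
        build_keystore
        service tomcat8 restart
        record_fingerprint "$LIVE/fullchain.pem" "$STAMP"
        echo "$now keystore rebuilt, tomcat restarted" >> "$LOG"
    else
        echo "$now certificate unchanged, nothing to do" >> "$LOG"
    fi
}

# Only act when invoked as `letsencrypt_sync run`; otherwise just define the
# functions (so the file can be sourced for testing).
case "${1:-}" in
    run) main ;;
esac
```

With this variant the cron entry becomes `0 0 * * * /opt/bin/letsencrypt_sync run`, and the script must be executable (chmod 755). The keystore password still has to appear in server.xml for Tomcat, so the gain is limited to keeping it out of process listings and cron output.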
Enable SSL
Edit /etc/tomcat8/server.xml, uncomment the following section and adjust it as needed (replace <password> with the one used in the script above):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
           keystorePass="<password>" />
Restart tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443
Install CAS
First we need to install maven.
apt-get install maven
Create a directory to download CAS into and, in that directory, create a file pom.xml. The content of pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml
mkdir ~/cas
vi ~/cas/pom.xml
If you want CAS to use LDAP, add this to pom.xml inside the <dependencies> tag:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
Now go to the ~/cas directory, download and build CAS, and copy cas.war to Tomcat's webapps folder.
cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart
The CAS login page can be found at https://server-ip:8443/cas/login
Configure CAS
If the Samba/LDAP server is using a self-signed certificate, copy it (from /var/lib/samba/private/tls/samba-cert.pem) to the CAS server as /opt/bin/samba-cert.pem. Create a Samba user for CAS to use. Back on the CAS server, add a line to /etc/hosts:
samba-server-ip hostname.domain.local
Edit the file /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties. Comment out the following line if it is present:
cas.authn.accept.users=casuser::Mellon
And add this at the end of the file, adjusted for your case:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=cas-user-passwords
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml:
<Property name="baseDir">/etc/cas/logs</Property>
to:
<Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>
Restart tomcat
service tomcat8 restart
Service registry
By default CAS allows all services that come from HTTPS or IMAPS. If you want to change that, you can modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create another file in the same folder with a similar format.
If CAS says that the service is not authorized even though it is, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties:
cas.serviceRegistry.initFromJson=true
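As an added example (not from the wiki or the CAS project), the block below shows what the default HTTPS-and-IMAPS service pattern actually authorizes, namely any HTTPS URL at all, and how a per-application definition in the same JSON format narrows it to the one application that should be allowed to redeem tickets. The application hostname app.example.com, the file name App-10000002.json and the evaluation order are this example's own placeholders; the serviceId value for the stock file is the one shipped in HTTPSandIMAPS-10000001.json.

```shell
#!/bin/sh
# Added example, not the wiki's or CAS's code: compare the catch-all service
# pattern with a per-application one, and write the narrower definition.
set -eu

SERVICES_DIR="${SERVICES_DIR:-/var/lib/tomcat8/webapps/cas/WEB-INF/classes/services}"

# serviceId pattern shipped in HTTPSandIMAPS-10000001.json: any https or imaps URL.
DEFAULT_PATTERN='^(https|imaps)://.*'
# Narrower pattern for one application only (constructed placeholder host).
APP_PATTERN='^https://app\.example\.com/.*'

# Return 0 when URL would be authorized by PATTERN, 1 otherwise.
# CAS evaluates serviceId as a Java regex; for anchored patterns like these,
# grep -E (POSIX ERE) gives the same verdict.
service_allowed() {
    pattern=$1; url=$2
    printf '%s\n' "$url" | grep -Eq "$pattern"
}

# Write a JSON service definition into DIR. CAS's JSON registry expects the
# file to be named <name>-<id>.json, matching the name and id fields inside.
# The quoted heredoc keeps the JSON-escaped backslashes (\\.) intact.
write_service_definition() {
    dir=$1
    cat > "$dir/App-10000002.json" <<'EOF'
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.com/.*",
  "name" : "App",
  "id" : 10000002,
  "description" : "Only the application at app.example.com may redeem CAS tickets.",
  "evaluationOrder" : 10
}
EOF
}

# Stand-alone demonstration: the narrow pattern accepts the real application
# and rejects a look-alike host and an unrelated site.
for url in 'https://app.example.com/login/cas' \
           'https://app.example.com.evil.net/login/cas' \
           'https://other.example.net/callback'; do
    if service_allowed "$APP_PATTERN" "$url"; then
        echo "allow $url"
    else
        echo "deny  $url"
    fi
    if service_allowed "$DEFAULT_PATTERN" "$url"; then
        echo "      (the stock HTTPSandIMAPS pattern would allow it)"
    fi
done
# To install the definition: write_service_definition "$SERVICES_DIR"
```

Once the narrower file is in place and the catch-all HTTPSandIMAPS-10000001.json is removed, a ticket can only be validated for URLs under app.example.com; any other HTTPS service is reported as not authorized, which is the behaviour the page's cas.serviceRegistry.initFromJson=true setting makes CAS honour on startup.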