Cas
Install Tomcat 8
apt-get install openjdk-8-jdk
apt-get install tomcat8
Copy certificates from proxy with rsync
Add the public key of the user that is going to copy the certificates to the /root directory (more details here: http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account). Then create the script /opt/bin/letsencrypt_sync:
#!/bin/bash
# Pull the proxy's Let's Encrypt tree; stdout and stderr both go to the log (the redirection order matters: stderr is redirected after stdout)
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ >> /var/log/letsencrypt_sync.log 2>&1
# Repackage the live certificate chain and key into the PKCS12 keystore that Tomcat will use
openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
systemctl restart tomcat8
Make it executable
chmod +x /opt/bin/letsencrypt_sync
Install rsync if it is not already installed
apt-get install rsync
Run the script for initial copy
/opt/bin/letsencrypt_sync
Create a crontab entry for the automatic copy
crontab -u root -e
And add this to the file:
0 0 * * * /opt/bin/letsencrypt_sync
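A verification step for the sync above, added here as an example and not part of the original procedure: after the script has run, confirm that the PKCS12 keystore Tomcat loads really contains the leaf certificate from the synced fullchain.pem, and warn when that certificate is close to expiry. The paths are the ones used in the script; the function names and the KEYSTORE_PASS environment variable (handed to openssl as env:KEYSTORE_PASS so the password stays out of the process list) are this example's own.

```shell
#!/bin/bash
# Added example: check that /opt/bin/fullchain_and_key.p12 matches the synced chain
# and that the certificate is not about to expire. The keystore password is read
# from $KEYSTORE_PASS via openssl's "env:" password source rather than "pass:".

# SHA-256 fingerprint of the first (leaf) certificate in a PEM chain.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate stored inside a PKCS12 keystore.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds (exit 0) when the certificate in $1 expires within $2 days.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# verify_keystore <fullchain.pem> <keystore.p12> [warn_days]
# exit 0: keystore matches and is valid long enough; 1: mismatch or unreadable; 2: expiring soon
verify_keystore() {
    chain="$1"; keystore="$2"; warn_days="${3:-14}"
    want=$(pem_fingerprint "$chain")
    have=$(p12_fingerprint "$keystore")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "ERROR: cannot read a certificate from $chain or $keystore" >&2
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "MISMATCH: $keystore does not contain the leaf certificate of $chain" >&2
        return 1
    fi
    if cert_expires_within_days "$chain" "$warn_days"; then
        echo "WARNING: certificate in $chain expires within $warn_days days" >&2
        return 2
    fi
    echo "OK: keystore matches $chain and is valid for more than $warn_days days"
}

# Typical run after /opt/bin/letsencrypt_sync (placeholders as in the script above):
# KEYSTORE_PASS='<password>' verify_keystore \
#     /etc/letsencrypt-proxy/live/<domain>/fullchain.pem /opt/bin/fullchain_and_key.p12
```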
Enable SSL
Edit /etc/tomcat8/server.xml, uncomment and adjust the following section (replace the password with the one you used in the script above):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
           keystorePass="<password>" />
Restart tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443
Add the following argument to the HTTPS proxy vhost:
SSLProxyEngine On
Install CAS
First we need to install Maven.
apt-get install maven
Create a directory for the CAS build and, inside it, a file named pom.xml. The pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml
mkdir ~/cas
vi ~/cas/pom.xml
If you want CAS to use LDAP, add this to pom.xml inside the <dependencies> tag:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
Now go to the ~/cas directory, build CAS (Maven downloads the packages) and copy cas.war to Tomcat's webapps folder.
cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart
The CAS login page can be found at https://server-ip:8443/cas/login
Configure CAS
If the Samba/LDAP server is using a self-signed certificate, copy it (from /var/lib/samba/private/tls/samba-cert.pem) to /opt/bin/samba-cert.pem on the CAS server. Create a Samba user for CAS to use. Back on the CAS server, add this line to /etc/hosts:
samba-server-ip hostname.domain.local
Edit the /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties file. Comment out this line if it is present:
cas.authn.accept.users=casuser::Mellon
Then add the following at the end of the file, adjusting the values for your environment:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=cas-user-passwords
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml
<Property name="baseDir">/etc/cas/logs</Property>
To
<Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>
Add a cron job to delete old logs: create /etc/cron.daily/cas-old-logs (vi /etc/cron.daily/cas-old-logs) with this content:
#!/bin/bash
find /var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs -mtime +10 -type f -delete
Make it executable
chmod +x /etc/cron.daily/cas-old-logs
Restart tomcat
service tomcat8 restart
Note: tomcat8 and its apps take a long time to fully restart.
Tomcat logs
By default the logrotate configuration created by Tomcat rotates weekly and keeps 52 log files. You probably don't need that many, so to keep disk usage low change the rotation to daily and keep 30 files, or whatever suits you.
Edit /etc/logrotate.d/tomcat8:
/var/log/tomcat8/catalina.out {
    copytruncate
    daily
    rotate 30
    compress
    missingok
    create 640 tomcat8 adm
}
Service registry
By default CAS allows all services that come from HTTPS or IMAPS. If you want to change that you can modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create another file in the same folder with a similar format.
If CAS reports that the service is not authorized even though it is defined, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties
cas.serviceRegistry.initFromJson=true
If your LDAP server is case insensitive but one of your services is case sensitive, you might want to transform login usernames to lowercase: LDAP would accept "User.Name" even if the account is actually "user.name", but your service will see User.Name as a new user.
To do this, add the following to the JSON file in /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service:
"usernameAttributeProvider" : {
  "@class" : "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
  "canonicalizationMode" : "LOWER"
}
Ticket expiration
If you want to change the ticket expiration time you can add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800
Internal DNS records
If the CAS server and other web services that use CAS for authentication are behind the same proxy they will probably need internal DNS records pointing to the internal IP of the proxy to avoid loops in the firewall routing.
Failover
If you want a failover CAS, build a second server exactly as above and configure a floating IP with Keepalived as described below.
Keepalived
To set up Keepalived, install it on both servers:
sudo apt-get install keepalived
Copy the Nagios check "check_http" to /usr/local/bin from the /usr/lib/nagios/plugins directory of a server that has nagios-plugins installed (please don't install nagios-plugins on the CAS servers; that package would pull in many dependencies).
Finally create the following /etc/keepalived/keepalived.conf on the master:
global_defs {
    notification_email {
        <email>
    }
    notification_email_from <email>
    smtp_server 127.0.0.1
}

vrrp_script chk_apache {
    script "check_http -S -H 127.0.0.1 -u /cas/ -p 8443"
    interval 3   # check every 3 seconds
    weight 2     # add 2 points of prio if OK
}

vrrp_instance floating_ip {
    interface ens3
    state MASTER
    virtual_router_id 31
    priority 101
    authentication {
        auth_type PASS
        auth_pass justatestpass
    }
    virtual_ipaddress {
        <floating-IP>
    }
    track_script {
        chk_apache
    }
}
Create exactly the same file on the failover CAS, just change priority from 101 to 100.
Restart keepalived
service keepalived restart