Cas 6.1.x

Install Tomcat 9

apt-get install openjdk-11-jdk
apt-get install tomcat9

Copy certificates from proxy with rsync

Add the public key of the user that is going to copy the certificates to the /root directory. More details here http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Create script /opt/bin/letsencrypt_sync:

/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ 2>&1 >> /var/log/letsencrypt_sync.log

openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>

systemctl restart tomcat9

Make it executable

chmod +x /opt/bin/letsencrypt_sync

Install rsync if not already

apt-get install rsync

Run the script for initial copy

/opt/bin/letsencrypt_sync

Create a crontab for automatic copy

crontab -u root -e

And add this to the file:

0 0 * * * /opt/bin/letsencrypt_sync

Enable SSL

Edit /etc/tomcat9/server.xml, uncomment and change appropriately the next section(change password with what you used in script above):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
               keystorePass="<password>"
               />

Restart tomcat and you should be able to access it at https://my.domain.com:8443

systemctl restart tomcat9

Add the following argumet to the HTTPS proxy vhost:

SSLProxyEngine On

Install CAS

Download the CAS Overlay Template needed for installation.

mkdir /opt/cas
cd /opt/cas
wget https://github.com/apereo/cas-overlay-template/archive/6.1.zip
unzip 6.1.zip
cd cas-overlay-template-6.1

First, you need to open the file build.gradle and add the necessary dependencies. Here are the base dependencies that you'll most probably need:

dependencies {
    compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"
    compile "org.apereo.cas:cas-server-support-ldap:${casServerVersion}"
    compile "com.unboundid:unboundid-ldapsdk:4.0.14"
    compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
}

For more dependencies like SAML, OAuth2, OpenID Connect, 2 Factor Authentication, etc. visit this page: https://apereo.github.io/cas/6.1.x/index.html

By default when building CAS, it doesn't make all the resources available, that you need to configure and customize your CAS instance. So you first need to make those resources available for the war file that you'll build.

./gradlew explodeWar
mkdir src/main/resources
cp -r build/cas-resources/* src/main/resources/

Now we can build the application war file.

./gradlew clean build

Move the resulted war file into the tomcat folder

cp build/libs/cas.war /var/lib/tomcat9/webapps/

Note: CAS 6.1 requires tomcat 9.0.27 (or newer), so if you have an older version of tomcat 9 it can still work but this will need to be set in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties

spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration

To be able to manage what services/apps are allowed to authenticate through CAS, you need to add this line to the configuration

cas.serviceRegistry.initFromJson=true

Uncomment these 2 lines from the configuration to disable the default account.

#cas.authn.accept.users=casuser::Mellon
#cas.authn.accept.name=Static Credentials

To set an LDAP server as the user source use this configuration

cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.domain.com
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=cn=Users,dc=<domain>,dc=local
cas.authn.ldap[0].searchFilter=sAMAccountName={user}
cas.authn.ldap[0].bindDn=cn=<bind-user>,cn=Users,dc=<domain>,dc=local
cas.authn.ldap[0].bindCredential=<password>
cas.authn.ldap[0].trustCertificates=file:/opt/samba-cert/samba-cert.pem
cas.authn.ldap[0].principalAttributeList=mail

Restart tomcat

systemctl restart tomcat9

2 Factor Authentication (2FA)

Note: CAS calls 2 Factor Authentication (2FA) as Multifactor Authentication (MFA). Mainly because it is possible to set multiple 2FA options in a certain order (e.g. user/pass -> 2fa sms -> 2fa email -> successful login)

Email

To be able to use email 2FA you first need to add this to the dependencies before building CAS

compile "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"

Next you need to install postfix

apt-get install postfix

Add these lines to the CAS config in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties

cas.authn.mfa.globalProviderId=mfa-simple
cas.authn.mfa.simple.name=Email MFA
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.timeToKillInSeconds=180
cas.authn.mfa.simple.tokenLength=6

cas.authn.mfa.simple.mail.from=no-reply@my.domain.com
cas.authn.mfa.simple.mail.text=This is your 2FA code for CAS authentication: %s
cas.authn.mfa.simple.mail.subject=CAS 2FA Code
cas.authn.mfa.simple.mail.validateAddresses=false
cas.authn.mfa.simple.mail.html=false

cas.authn.mfa.simple.mail.attributeName=mail

spring.mail.host=localhost
spring.mail.port=25
spring.mail.testConnection=true
spring.mail.properties.mail.smtp.auth=false
spring.mail.properties.mail.smtp.starttls.enable=false

SMS (Nexmo)

To be able to use SMS 2FA you first need to add this to the dependencies before building CAS

compile "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
compile "org.apereo.cas:cas-server-support-sms-nexmo:${project.'cas.version'}"

Create an account on Nexmo (https://dashboard.nexmo.com/sign-up). After that create a new application, that should give you an api key and a secret.

Add these lines to the CAS config in /var/lib/tomcat9/webapps/cas/WEB-INF/classes/application.properties

cas.authn.ldap[0].principalAttributeList=mail,telephoneNumber   #you probably have this already in your config just need to add the phone attribute

cas.authn.mfa.globalProviderId=mfa-simple
cas.authn.mfa.simple.name=SMS 2FA
cas.authn.mfa.simple.order=1
cas.authn.mfa.simple.timeToKillInSeconds=180
cas.authn.mfa.simple.tokenLength=6

cas.authn.mfa.simple.sms.from=CAS
cas.authn.mfa.simple.sms.text=This is your CAS 2FA code: %s
cas.authn.mfa.simple.sms.attributeName=telephoneNumber

cas.smsProvider.nexmo.apiToken=<api-key>
cas.smsProvider.nexmo.apiSecret=<api-secret>

Change login page design

Add a new logo

To add logo to the login page first copy the .pmg file /cas/WEB-INF/classes/static directory ang change the file ownership to tomcat user:

sudo chown tomcat:tomcat

Add following file to /cas/WEB-INF/classes/static/templates/fragments/header.html before or after the ".svg" file:

<a href="https://newro.co/"><img src="/cas/newroco_logo.png" style="width: 374px;height: 42px;"/></a>

To remove the drop down menu, remove all the "

" class.

Change the had bar background color

Add following file to /cas/WEB-INF/classes/static/css/cas.css line 11755:

header > .navbar {
background-color: #a1b1b9;
color: #fff;

Change the "Reset password?" button

Edit the text message /cas/WEB-INF/classes/messages.properties line 27 and the redirect lint from /cas/WEB-INF/classes/templates/fragments/pmlinks.html line 32.

Cas 4.x-5.x (old)

Install Tomcat 8

apt-get install openjdk-8-jdk
apt-get install tomcat8

Copy certificates from proxy with rsync

Add the public key of the user that is going to copy the certificates to the /root directory. More details here http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Create script /opt/bin/letsencrypt_sync:

/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt-proxy/ 2>&1 >> /var/log/letsencrypt_sync.log

openssl pkcs12 -export -in /etc/letsencrypt-proxy/live/<domain>/fullchain.pem -inkey /etc/letsencrypt-proxy/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>

systemctl restart tomcat8

Make it executable

chmod +x /opt/bin/letsencrypt_sync

Install rsync if not already

apt-get install rsync

Run the script for initial copy

/opt/bin/letsencrypt_sync

Create a crontab for automatic copy

crontab -u root -e

And add this to the file:

0 0 * * * /opt/bin/letsencrypt_sync

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment and change appropriately the next section(change password with what you used in script above):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
               keystorePass="<password>"
               />

Restart tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443

Add the following argumet to the HTTPS proxy vhost:

SSLProxyEngine On

Install CAS

First we need to install maven.

apt-get install maven

Create a directory to download cas and in that directory create a file pom.xml. The content of pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml

mkdir ~/cas
vi ~/cas/pom.xml

If you want CAS to use LDAP then add this to pom.xml inside <dependencies> tag:

<dependency>
   <groupId>org.apereo.cas</groupId>
   <artifactId>cas-server-support-ldap</artifactId>
   <version>${cas.version}</version>
</dependency>

Now go to ~/cas directory, download CAS and copy cas.war to tomcats webapp folder.

cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS

If the samba/LDAP server is using a self-signed certificate copy it (from /var/lib/samba/private/tls/samba-cert.pem) to the CAS server in /opt/bin/samba-cert.pem. Create a samba user for CAS to use. Back on the CAS server, add a line in /etc/hosts:

samba-server-ip hostname.domain.local

Edit /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties file. Comment if you find a line like this:

cas.authn.accept.users=casuser::Mellon

And add this at the end of the file, changing it for your case:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=cas-user-passwords
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem

Change this line at the beginning of /var/lib/tomcat8/webapps/cas/WEB-INF/classes/log4j2.xml

<Property name="baseDir">/etc/cas/logs</Property>

To

<Property name="baseDir">/var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs</Property>

Add a cronjob to delete old logs.

#vi /etc/cron.daily/cas-old-logs

#!/bin/bash
find /var/lib/tomcat8/webapps/cas/WEB-INF/classes/logs -mtime +10 -type f -delete

Make it executable

chmod +x /etc/cron.daily/cas-old-logs

Restart tomcat

service tomcat8 restart

Note: tomcat8 and its apps take a long time to fully restart.

Tomcat logs

By default the logrotate created by tomcat rotates weekly and keeps 52 log files. You probably don't need that much, so to keep the disk to a low, change the rotation to daily and keep 30 files or whatever suits you.

#vi /etc/logrotate.d/tomcat8

/var/log/tomcat8/catalina.out {
  copytruncate
  daily
  rotate 30
  compress
  missingok
  create 640 tomcat8 adm
}

Service registry

By default CAS allows all services that come from HTTPS or IMAPS. If you want to change that you can modify /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json or create a another file in the same folder with similar format.

If CAS says that the service is not authorized even if it is, add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

cas.serviceRegistry.initFromJson=true

If your LDAP server is case insensitive but one of your services is case sensitive you might want to transform login usernames to lowercase, as LDAP would accept "User.Name" even it is actually "user.name", but your service will see User.Name as a new user.

To do this add the following to the json file from /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services that defines the service

"usernameAttributeProvider": {
  "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
  "canonicalizationMode": "LOWER"
}

Ticket Experation

If you want to change the ticket expiration time you can add this to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800

Internal DNS records

If the CAS server and other web services that use CAS for authentication are behind the same proxy they will probably need internal DNS records pointing to the internal IP of the proxy to avoid loops in the firewall routing.

Failover

If you want to have a failover CAS build a second server exactly as above and configure a floating IP with Keepalived as below.

Keepalived

To setup keepalived, install it on both servers:

sudo apt-get install keepalived

Copy the nagios check "check_http" to /usr/local/bin, from the /usr/lib/nagios/plugins of a server that has nagios-plugins installed (please don't install nagios-plugins on the CAS servers, that package would install many dependencies).

Finally create the following /etc/keepalived/keepalived.conf on the master:

global_defs {
        notification_email {
                <email>
        }

        notification_email_from <email>
        smtp_server 127.0.0.1
}

vrrp_script chk_apache {
        script "check_http -S -H 127.0.0.1 -u /cas/ -p 8443"
        interval 3                      # check every 3 seconds
        weight 2                        # add 2 points of prio if OK
}

vrrp_instance floating_ip {
        interface ens3
        state MASTER
        virtual_router_id 31
        priority 101
        authentication {
            auth_type PASS
            auth_pass justatestpass
        }
        virtual_ipaddress {
                <floating-IP>
        }

        track_script {
            chk_apache
        }
}

Create exactly the same file on the failover CAS, just change priority from 101 to 100.

Restart keepalived

service keepalived restart

Cas

Contents

Cas 6.1.x

Install Tomcat 9

Copy certificates from proxy with rsync

Enable SSL

Install CAS

2 Factor Authentication (2FA)

Email

SMS (Nexmo)

Change login page design

Add a new logo

Change the had bar background color

Change the "Reset password?" button

Cas 4.x-5.x (old)

Install Tomcat 8

Copy certificates from proxy with rsync

Enable SSL

Install CAS

Configure CAS

Tomcat logs

Service registry

Ticket Experation

Internal DNS records

Failover

Keepalived

Navigation menu

Page actions

Page actions

Personal tools

Navigation

Search

Tools