Cas

From Newroco Tech Docs
Revision as of 09:28, 14 June 2017 by Emilian.mitocariu (talk | contribs) (→‎Install CAS)

Install Tomcat 8

apt-get install openjdk-8-jdk
apt-get install tomcat8

Copy certificates from proxy with rsync

The sync script below runs as root on this server and logs in to the proxy as <user>, so root's SSH key pair (kept under /root/.ssh) must be installed for the <user> account on the proxy. More details here http://docswiki.newro.co/index.php/SSHKeyAuth#Install_key_authentication_for_an_account. Because the script runs rsync through sudo on the proxy (the --rsync-path option), <user> also needs a passwordless sudo rule there; limit that rule to /usr/bin/rsync rather than granting unrestricted root. Create the script /opt/bin/letsencrypt_sync:

#!/bin/sh
# Pull the current Let's Encrypt tree from the proxy; rsync runs under sudo on the proxy so it can read the private keys.
/usr/bin/rsync -rl --safe-links --rsync-path="/usr/bin/sudo /usr/bin/rsync" <user>@<proxy-ip>:/etc/letsencrypt/ /etc/letsencrypt/ >> /var/log/letsencrypt_sync.log 2>&1
# Repackage chain and key as the PKCS12 keystore Tomcat reads (same <domain> in both paths).
openssl pkcs12 -export -in /etc/letsencrypt/live/<domain>/fullchain.pem -inkey /etc/letsencrypt/live/<domain>/privkey.pem -out /opt/bin/fullchain_and_key.p12 -name tomcat -password pass:<password>
service tomcat8 restart

Make the script executable and readable only by root (it embeds the keystore password), run it once with sudo to confirm that the sync and the keystore export work, and check the log for rsync errors. Tomcat runs as the tomcat8 user, so /opt/bin/fullchain_and_key.p12 must be readable by that user but should not be world-readable (owner root, group tomcat8, mode 640). Then create a crontab for root:

crontab -u root -e

And add this line, which re-syncs the certificates, rebuilds the keystore and restarts Tomcat every night at midnight:

0 0 * * * /opt/bin/letsencrypt_sync

Enable SSL

Edit /etc/tomcat8/server.xml, uncomment the HTTPS connector and change it to match the following (replace <password> with the one used in the script above; server.xml then holds that password in clear text, so keep it readable only by root and the tomcat8 group):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/bin/fullchain_and_key.p12" keystoreType="PKCS12"
               keystorePass="<password>"
               />

Restart Tomcat (service tomcat8 restart) and you should be able to access it at https://server-ip:8443. Use the domain name from the certificate instead of the bare IP if you want the browser to accept the certificate without a warning.

Install CAS

First install Maven, which builds the CAS overlay:

apt-get install maven

Create a directory for the CAS overlay and in it a file pom.xml. The pom.xml for the latest CAS version can be taken from https://github.com/apereo/cas-overlay-template/blob/master/pom.xml; set cas.version in it to the release you intend to run rather than tracking whatever master points at.

mkdir ~/cas
vi ~/cas/pom.xml

If you want CAS to authenticate against LDAP, add this dependency to pom.xml inside the <dependencies> element:

<dependency>
   <groupId>org.apereo.cas</groupId>
   <artifactId>cas-server-support-ldap</artifactId>
   <version>${cas.version}</version>
</dependency>

Now build the overlay in ~/cas (Maven downloads the CAS artifacts) and copy the resulting cas.war to Tomcat's webapps folder:

cd ~/cas
mvn clean package
cp target/cas.war /var/lib/tomcat8/webapps/
service tomcat8 restart

The CAS login page can be found at https://server-ip:8443/cas/login

Configure CAS to use LDAP

On the Samba AD server add this to the [global] section of /etc/samba/smb.conf:

tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem

And restart the Samba AD DC service:

service samba-ad-dc restart

Copy the certificate from the Samba/LDAP server (/var/lib/samba/private/tls/cert.pem) to the CAS server as /opt/bin/samba-cert.pem; this is the certificate CAS will trust for the LDAPS connection. Create an unprivileged Samba user for CAS to bind with (it only needs to search the directory). Back on the CAS server, add a line to /etc/hosts so that the host name used in the LDAP URL resolves; that name must match the one in the Samba certificate, otherwise certificate validation fails:

<samba-server-ip> hostname.domain.local

Edit /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties. If it contains the built-in static account, comment that line out: casuser/Mellon is a publicly known default credential and must not stay active on a server reachable over the network. Note that these edits live in the exploded WAR and are lost if cas.war is rebuilt and redeployed, so keep a copy of your changes.

cas.authn.accept.users=casuser::Mellon

And add this at the end of the file, changing it for your case:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=<cas-user-password>
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
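The following is an added example, not code from CAS or from this wiki: it reads a cas.authn.ldap[0].* block like the one above, lists the settings a reviewer checks before restarting Tomcat, and shows what the {user} placeholder in userFilter expands to. CAS (through ldaptive) performs the RFC 4515 escaping itself; the unescaped variant is included only to show why plain string substitution of the login name would be unsafe. The properties text is constructed to mirror the page's configuration, with the default static account deliberately left in.

```python
"""Review a cas.authn.ldap[0].* block and show how {user} is substituted.
Added example, not CAS code; the properties text below is constructed."""

# Constructed sample input (not a real application.properties).
SAMPLE_PROPERTIES = """
# default static account that should have been commented out
cas.authn.accept.users=casuser::Mellon
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://hostname.domain.local
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].baseDn=cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].bindDn=cn=cas-user,cn=Users,dc=DOMAIN,dc=LOCAL
cas.authn.ldap[0].bindCredential=<cas-user-password>
cas.authn.ldap[0].trustCertificates=file:/opt/bin/samba-cert.pem
"""

LDAP = "cas.authn.ldap[0]."


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split on the first '=' only; DNs contain '='
        props[key.strip()] = value.strip()
    return props


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: '*', '(', ')', backslash and NUL
    become a backslash followed by two hex digits."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def render_user_filter(props, username, escape=True):
    """Expand {user} in userFilter. escape=False shows the unsafe substitution."""
    template = props[LDAP + "userFilter"]
    value = escape_filter_value(username) if escape else username
    return template.replace("{user}", value)


def check_ldap_auth(props):
    """Findings a reviewer would raise about this block before restarting Tomcat."""
    findings = []
    if "cas.authn.accept.users" in props:
        findings.append("static account still active: " + props["cas.authn.accept.users"])
    if not props.get(LDAP + "ldapUrl", "").startswith("ldaps://"):
        findings.append("ldapUrl is not ldaps://; bind and user passwords would cross the wire in clear")
    if props.get(LDAP + "useSsl") != "true":
        findings.append("useSsl is not true")
    if not props.get(LDAP + "trustCertificates"):
        findings.append("no trustCertificates: the Samba certificate is not pinned")
    cred = props.get(LDAP + "bindCredential", "")
    if not cred or (cred.startswith("<") and cred.endswith(">")):
        findings.append("bindCredential is empty or still a placeholder")
    if "{user}" not in props.get(LDAP + "userFilter", ""):
        findings.append("userFilter has no {user} placeholder; every login would resolve to the same entry")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(render_user_filter(props, "jdoe"))
    print(render_user_filter(props, "*)(objectClass=*"))
    print(render_user_filter(props, "*)(objectClass=*", escape=False))
    for finding in check_ldap_auth(props):
        print("WARN:", finding)
```

With the sample above the checker reports two findings (the static account and the unreplaced bind password); the unescaped rendering of `*)(objectClass=*` shows a filter that would match any account, which is exactly what the escaping prevents.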

Restart tomcat

service tomcat8 restart 

Service registry

By default CAS ships with a single service definition, /var/lib/tomcat8/webapps/cas/WEB-INF/classes/services/HTTPSandIMAPS-10000001.json, whose serviceId pattern matches every HTTPS or IMAPS URL. That means any HTTPS site can present itself as a CAS client and obtain tickets for your users, so it is only suitable for testing. For production, edit that file or create one JSON file per application in the same folder (same format, unique id and file name), each with a serviceId anchored to that application's URL.

If CAS reports that a service is not authorized even though a matching definition exists, the JSON files may not have been loaded into the registry; add this line to /var/lib/tomcat8/webapps/cas/WEB-INF/classes/application.properties and restart Tomcat:

cas.serviceRegistry.initFromJson=true
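The following is an added example, not CAS code, showing how the JSON service registry decides whether a service URL is authorised: each definition's serviceId is a regular expression and, among the definitions that match, the one with the lowest evaluationOrder wins. Both definitions are constructed here: the first mirrors the default HTTPSandIMAPS-10000001.json, the second is the kind of anchored, per-application entry to replace it with. The match semantics (regex search over the service URL, ascending evaluationOrder) are assumed from the CAS documentation rather than taken from this page.

```python
"""Evaluate CAS JSON service definitions against service URLs.
Added example, not CAS code; both definitions below are constructed."""
import json
import re

# Constructed: the catch-all definition CAS ships with.
DEFAULT_JSON = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder" : 10000
}"""

# Constructed: one application, dots escaped, both ends anchored.
APP_JSON = r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.com(/.*)?$",
  "name" : "Example application",
  "id" : 10000002,
  "evaluationOrder" : 10
}"""


def load_registry(json_texts):
    """Parse definitions and compile serviceId; sorted by evaluationOrder ascending."""
    registry = []
    for text in json_texts:
        definition = json.loads(text)
        pattern = re.compile(definition["serviceId"])  # an invalid regex fails here, not at login time
        registry.append((definition["evaluationOrder"], pattern, definition))
    registry.sort(key=lambda entry: entry[0])
    return registry


def find_service(registry, service_url):
    """First definition whose pattern matches the URL, or None if it is unauthorised."""
    for _, pattern, definition in registry:
        if pattern.search(service_url):
            return definition
    return None


def lint_definition(json_text):
    """Warnings for a serviceId that authorises more than one application."""
    service_id = json.loads(json_text)["serviceId"]
    warnings = []
    if not service_id.startswith("^"):
        warnings.append("not anchored at start: any prefix matches")
    if not service_id.endswith("$"):
        warnings.append("not anchored at end: any suffix matches")
    if "://.*" in service_id or "://[^/]*" in service_id:
        warnings.append("host part is a wildcard: every host is authorised")
    if re.search(r"[^\\]\.[a-z]", service_id):
        warnings.append("unescaped '.' in host name matches any character")
    return warnings


if __name__ == "__main__":
    registry = load_registry([DEFAULT_JSON, APP_JSON])
    for url in ("https://app.example.com/login", "https://evil.example.net/collect",
                "https://app.example.com.evil.net/", "http://app.example.com/"):
        match = find_service(registry, url)
        print(url, "->", match["name"] if match else "NOT AUTHORIZED")
    for text in (DEFAULT_JSON, APP_JSON):
        print(json.loads(text)["name"], lint_definition(text))
```

With the default definition still present every HTTPS URL, including the attacker's, is authorised; with only the anchored definition loaded, look-alike hosts such as app.example.com.evil.net and plain http:// URLs are rejected. The lint function flags the default pattern twice (unanchored end, wildcard host) and the anchored one not at all.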