[cas-dev] CAS3 Reference Guide

Earl Fogel earl.fogel at usask.ca
Thu Aug 24 14:37:16 EDT 2006


Hi,

That's great!

Earl
-
On Thu, 24 Aug 2006, Scott Battaglia wrote:

> This looks good...thanks!  I'll try to incorporate some of this into our
> reference guide tonight.
>
> If anyone else has any deployment tips or instructions they set up that
> might be helpful, please let me know.
>
> Thanks
> -Scott
>
> On 8/24/06, Earl Fogel <earl.fogel at usask.ca> wrote:
>> 
>> Scott,
>> 
>> This is what I did to get CAS 3.05 working on linux, with ldap
>> authentication to active directory.  Since I'm new to CAS, java and tomcat,
>> there are probably better ways to do some of this.
>> 
>> I realize that a lot of this is specific to our environment, but hopefully
>> some of it will be useful to you.
>> 
>> Earl
>> --
>> 
>> Installing a Linux CAS Server
>> 
>> Create 'cas' user and set up environment
>>
>>         useradd -c 'CAS Server' cas
>>
>>      Add these lines to ~cas/.bashrc:
>>
>>         export JAVA_HOME=/usr/java/jdk1.5.0_07
>>         PATH=/usr/java/jdk1.5.0_07/bin:$PATH
>>         PATH=$HOME/ant/bin:$PATH
>>         PATH=$HOME/tomcat/bin:$PATH
>> 
>>
>>      All the remaining steps are performed as the 'cas' user,
>>      except the Apache proxy configuration.
>> 
>> Download and install Sun JDK for linux
>>
>>         http://java.sun.com/j2se/1.5.0/download.jsp
>>         sh jdk-1_5_0_07-linux-i586-rpm.bin (unpacks & installs rpm)
>> 
>> Download and install Tomcat
>>
>>         http://tomcat.apache.org/
>>         gtar xzf src/apache-tomcat-5.5.17.tar.gz
>>         ln -s apache-tomcat-5.5.17 tomcat
>>         tomcat/bin/startup.sh  (listens on port 8080 by default)
>>         tomcat/bin/shutdown.sh
>> 
>> Download and install CAS
>>
>>         http://www.ja-sig.org/products/cas/
>>         cas-server-3.0.5.tar.gz
>>         gtar xzf src/cas-server-3.0.5.tar.gz
>>         ln -s cas-server-3.0.5 cas
>> 
>> Install demo cas.war file and test it
>>
>>         mkdir tomcat/webapps/cas
>>         cd tomcat/webapps/cas
>>         unzip ~/cas/target/cas.war
>>         tomcat/bin/shutdown.sh
>>         tomcat/bin/startup.sh
>>         connect to http://cas.usask.ca:8080/cas/
>> 
>> Download and install CAS ldap module and dependencies
>>
>>         http://developer.ja-sig.org/maven/cas/jars/
>> 
>> http://developer.ja-sig.org/projects/cas/multiproject/cas-server-ldap/dependencies.html
>>         cp src/cas-server-ldap-3.0.5.jar tomcat/webapps/cas/WEB-INF/lib
>>         cp src/commons-lang-2.1.jar      tomcat/webapps/cas/WEB-INF/lib
>>         cp src/ldaptemplate-1.0.2.jar    tomcat/webapps/cas/WEB-INF/lib
>> 
>> Make CAS use LDAP authentication to Active Directory
>>
>>      Replace cas/WEB-INF/deployerConfigContext.xml with rutgers ldap
>>      version, then edit:
>>
>>         filter sAMAccountName=%u
>>         searchBase dc=usask,dc=ca
>>         userName LDAPquery
>>         password ***
>>         urls ldap://usaskdc1.usask.ca:389/, ...
>>
>>      (also remove lines for java.naming.security.protocol)
>>
>>      Add these lines for Active Directory:
>>
>>         <entry>
>>              <key><value>java.naming.referral</value></key>
>>              <value>follow</value>
>>         </entry>
>>
>>      This fixes the following error in tomcat/logs/catalina.out:
>>
>>         javax.naming.PartialResultException:
>>             Unprocessed Continuation Reference(s);
>>                 remaining name 'dc=usask,dc=ca'
>>
>>      It seems that the usask domain controllers do an ldap referral to
>>      ldap://usask.ca, but the DNS record for usask.ca does not point to
>>      active directory, so this referral always fails. To get around
>>      this, I added usask.ca to /etc/hosts, giving it our domain controller
>>      IPs. This tricks CAS into contacting the domain controllers.
>> 
>> Configure tomcat to use secure LDAP
>>
>>      Earlier, we edited deployerConfigContext.xml to turn off SSL. Now
>>      that we've tested it, we go back to original config, with
>>      ldap://usaskdc1.usask.ca:636/, and java.naming.security.protocol
>>      set to ssl
>>
>>      Tomcat uses the system's central java keystore to decide what
>>      certificate authorities to trust, and our usask domain controllers
>>      have certificates signed by the U of S certificate authority, so we
>>      add that to the central cacerts database:
>>
>>         cd /usr/java/jdk1.5.0_07
>>         cp -p jre/lib/security/cacerts jre/lib/security/cacerts.orig
>>         chmod +w jre/lib/security/cacerts
>>         bin/keytool -import -keystore jre/lib/security/cacerts -trustcacerts \
>>            -file /etc/certs/uofs.cer -alias uofs
>>         Enter keystore password:  ***
>>
>>      Restart tomcat.
>> 
>> 
>> Make Tomcat start and stop automatically
>>
>>         cp src/S95cas /etc/init.d
>>         chkconfig --add cas
>>         service cas start
>>         service cas stop
>> 
>> 
>> Set up an Apache Proxy Server
>>
>>      Instead of configuring tomcat to use ssl, apache can do the ssl and
>>      proxy requests to the CAS server.  Since I know more about apache
>>      than tomcat, I found this easier to set up.  Another benefit is that
>>      Apache does more logging than Tomcat, so it's easier to see what's
>>      happening. Plus, since apache was already on the box using standard
>>      port numbers, I had to use non-standard port numbers with Tomcat,
>>      and I don't want people to see those.
>>
>>      Edit /etc/httpd/conf.d/ssl.conf and add these lines:
>>
>>      <IfModule mod_proxy.c>
>>         ProxyRequests Off
>>         ProxyVia On
>>         ProxyPass        /cas http://cas.usask.ca:8080/cas
>>         ProxyPassReverse /cas http://cas.usask.ca:8080/cas
>>         <Proxy *>
>>                Order deny,allow
>>         </Proxy>
>>      </IfModule>
>>
>>      Then restart apache and tomcat:
>>
>>         shutdown.sh
>>         startup.sh
>>         service httpd reload
>>
>>      You should now be able to talk to CAS via apache at:
>>
>>         https://cas.usask.ca/cas
>> 
>> 
>> Customize the CAS login page
>>
>>      The CAS login and logout pages can be customized by editing various
>>      files in the cas distribution.
>>
>>      Edit cas/WEB-INF/classes/messages.properties (the English language
>>      file) and change:
>>
>>         screen.welcome.welcome=Welcome to the University of Saskatchewan's Central Authentication Service (CAS).
>>         screen.welcome.instructions=Enter your Network Services ID and Password.
>>         screen.welcome.label.netid=Username:
>>         screen.welcome.label.netid.accesskey=u
>>
>>      Edit cas/WEB-INF/view/jsp/default/ui/includes/top.jsp and bottom.jsp
>>      to use standard U of S header and footer.
>>
>>      Edit cas/WEB-INF/view/jsp/default/ui/casLoginView.jsp to remove the
>>      "Warn me before logging me into other sites" button (which seems
>>      to confuse some clients) and the languages for which we don't have
>>      translations.
>>
>>      Edit cas/css/home.css if you need to change background colors or
>>      images.
>>
>>      Edit cas/js/common.js and change forms[1] to forms[0] if, as in
>>      our case, the login form is the first form on the page.
>> 
>> 
>> Increase the CAS Ticket Timeout
>> 
>> Edit cas/WEB-INF/applicationContext.xml and increase the timeout:
>>
>>     <bean
>>         id="grantingTicketExpirationPolicy"
>>         class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
>>         <constructor-arg
>>                 index="0"
>>                 value="28800000" />
>>     </bean>
>> 
>> 
>
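Earl's walkthrough tests the Active Directory bind over plain `ldap://` on 389 first and only then goes back to port 636 with `java.naming.security.protocol` set to `ssl` and `java.naming.referral` set to `follow`. The shell audit below is an added example, not code from the post or from the CAS project: it reads a `deployerConfigContext.xml`-style file and flags any LDAP URL over which the bind password would cross the network in clear, plus a missing referral setting (the cause of the `PartialResultException` the post describes). The Spring layout it parses (`<property name="urls"><list><value>…</value></list></property>` and the `<entry><key><value>NAME</value></key><value>VALUE</value></entry>` shape shown in the post) and the property name `baseEnvironmentProperties` are assumptions; both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post or from the CAS project: audit a
# CAS 3.0.x deployerConfigContext.xml for the LDAP settings the walkthrough
# edits.  Assumed layout (not confirmed by the post): the URL list is
# <property name="urls"><list><value>ldap://...</value></list></property>,
# and JNDI settings use the <entry><key><value>NAME</value></key>
# <value>VALUE</value></entry> shape the post shows for java.naming.referral.

CAS_SAMPLE_TESTING=${TMPDIR:-/tmp}/cas_ldap_testing.xml
CAS_SAMPLE_FINAL=${TMPDIR:-/tmp}/cas_ldap_final.xml

# Print every ldap:// or ldaps:// URL found in a <value> element, one per line.
cas_ldap_urls() {
    sed -n 's/.*<value>\(ldaps\{0,1\}:\/\/[^<]*\)<\/value>.*/\1/p' "$1"
}

# Print the value of one JNDI entry (e.g. java.naming.security.protocol), or
# nothing if it is absent.  The value is the first <value>...</value> on a
# line after the line holding the matching <key>.
cas_env_entry() {
    awk -v key="$2" '
        index($0, "<value>" key "</value>") { found = 1; next }
        found && match($0, /<value>[^<]*<\/value>/) {
            print substr($0, RSTART + 7, RLENGTH - 15); exit
        }
    ' "$1"
}

# 0 if binds to this URL are encrypted, 1 if the bind password would travel
# in clear.  ldaps:// always qualifies; ldap://host:636 only counts when
# java.naming.security.protocol is ssl, which is the post's final setup.
ldap_url_is_encrypted() {
    case "$1" in
        ldaps://*) return 0 ;;
        ldap://*:636|ldap://*:636/*) [ "$2" = "ssl" ] ;;
        *) return 1 ;;
    esac
}

# Audit one file: prints a finding per problem, returns 1 if any were found.
audit_cas_ldap() {
    file=$1
    rc=0
    protocol=$(cas_env_entry "$file" java.naming.security.protocol)
    referral=$(cas_env_entry "$file" java.naming.referral)
    for url in $(cas_ldap_urls "$file"); do
        if ! ldap_url_is_encrypted "$url" "$protocol"; then
            echo "PLAINTEXT: bind to $url is not protected by TLS (security.protocol='$protocol')"
            rc=1
        fi
    done
    if [ "$referral" != "follow" ]; then
        echo "REFERRAL: java.naming.referral is not 'follow'; Active Directory searches raise PartialResultException"
        rc=1
    fi
    return $rc
}

# Constructed samples: the interim config (plain ldap on 389, no referral
# entry) and the final one from the post (636 + ssl + referral follow).
# "baseEnvironmentProperties" is a placeholder property name.
write_samples() {
    cat > "$CAS_SAMPLE_TESTING" <<'EOF'
<property name="urls">
  <list><value>ldap://usaskdc1.usask.ca:389/</value></list>
</property>
EOF
    cat > "$CAS_SAMPLE_FINAL" <<'EOF'
<property name="urls">
  <list><value>ldap://usaskdc1.usask.ca:636/</value></list>
</property>
<property name="baseEnvironmentProperties">
  <map>
    <entry>
      <key><value>java.naming.security.protocol</value></key>
      <value>ssl</value>
    </entry>
    <entry>
      <key><value>java.naming.referral</value></key>
      <value>follow</value>
    </entry>
  </map>
</property>
EOF
}

# Usage: audit both samples; the interim one reports two findings.
write_samples
for f in "$CAS_SAMPLE_TESTING" "$CAS_SAMPLE_FINAL"; do
    echo "== $f"
    audit_cas_ldap "$f" && echo "OK: encrypted binds, referrals followed"
done
```

Running it against a real `tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml` after the "go back to original config" step is a quick way to confirm the interim 389 setting did not survive into production; the referral check covers the `java.naming.referral` entry the post adds for Active Directory.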

