Thursday, May 28, 2009

Google Web Elements

Yesterday at Google I/O, their developers conference, Google debuted a new product that could help people simplify publishing of Google Apps generated content. They have created simple widgets: you fill in your information about the content, and they give you the simple JavaScript code to insert it into your own web pages, blogs, etc. A simple example is a widget for publishing presentations created in Google Apps. You can see the slides from our ACPE presentation below:




It took a grand total of about 20 seconds to paste in the URL of the presentation and then copy the JavaScript for inclusion in this blog post. Can't get much easier than that. You can find more information at http://www.google.com/webelements

Monday, May 25, 2009

Upgrading our VMware Infrastructure to vSphere 4

This week VMware released their major upgrade to the VMware Infrastructure. In case you haven't seen anything about it, you can read more at http://www.vmware.com/products/vsphere/. There are some really cool new features in this new release, and there are also some significant performance gains that could be realized with an upgrade to vSphere 4.

Since I listen to a lot of podcasts regarding VMware and have been hearing about the release for months, I have been waiting on this upgrade for a while now. Also, since we are not quite in the production stages of our VMware implementation, I figured that an upgrade the first day the bits are released to the public would be an acceptable risk.

I am happy to say that the upgrade went fairly well; our vCenter and ESX hosts are all upgraded, as well as the virtual machines residing on them. I am still running into some glitches with Converter Enterprise and Consolidation Manager, but those will be worked out in the next few days. The installation process is really a fairly simple one, especially if you go through the upgrade center on the VMware site and watch the videos. I had already watched them once, but I used them to follow along with during my upgrade process, and everything really went well. Thanks for that, VMware; maybe an idea for some other vendors out there when it comes to big releases and upgrades that all your users are facing.

Google Reader Bundles

I am not sure if this is a new feature or not, but I saw it this week, and it really seems like a handy new addition to Google Reader. They call it bundles, and you can see more here. It is essentially a collection of RSS feeds that you can share out to whoever you want.

There are great possibilities, especially in education, for getting people started with RSS: create a bundle of 10 feeds that shows them the information they can gain from RSS. Another use I will be putting it to in the next few days is creating "bundles" of the feeds I read, so that my staff can start reading the same things I do, and we can all get on the same page as far as the information we are working from.

Just as a sample to start working with this, I have created three bundles, and if you are so inclined, you can subscribe to them below.

Google Blogs and Information Bundle
Active Directory Blogs Bundle
Windows Server Technologies Bundle

Thursday, May 14, 2009

Greased Lightbox

As you may have noticed, some of my recent posts were a bit messed up at the bottom. I was using a Greasemonkey script called Greased Lightbox to simplify viewing pictures from websites like Digg, or Google Search Results. Unfortunately it also had the effect of adding a bunch of worthless junk to posts that I made that included pictures. This has now been remedied, and any of the posts that had this have been cleaned up. I apologize for any inconvenience.

Friday, May 8, 2009

ACPE Presentation Slides

As I promised in the presentation, here are the slides from the presentation we gave this morning. I want to thank everyone who came; we had a really great discussion both in the session and in the backchannel on Twitter, and I think some people really got some good information. As I mentioned, if you have any questions for any of us, please get in touch, and we will be happy to help or share our experience.

Presentation Slides:
http://bit.ly/QNEY1

Thursday, May 7, 2009

CAS Integrations with Google Apps

As a follow-up to my previous posts on setting up a Central Authentication Server in your organization, and the associated documentation, I would also like to share with you the specific setup documentation I have written for setting up Google Apps with CAS.

As in the other documentation, the changes that need to be made to XML files are displayed here as images.

  • Google Apps - Single Sign On
    • These instructions have been taken from the CAS wiki at: http://www.ja-sig.org/wiki/display/CASUM/SAML+2.0+(Google+Accounts+Integration)
    • First you need to generate public and private keys for CAS and Google to communicate. These steps should be run from the /usr/local/tomcat/webapps/cas/WEB-INF/classes directory:
      1. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl genrsa -out private.key 1024
      2. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
      3. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
      4. root@cas:/usr/local/tomcat/webapps/cas/WEB-INF/classes# openssl req -new -x509 -key private.key -out x509.pem -days 365
    • Then you must add the following so that CAS recognizes the Google SAML requests. This goes in WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml


    • The final step is to set up the Google Apps Single Sign-On information. The necessary information is below, and you will also need the x509.pem file created earlier:
      • Check Enable Single Sign-on
      • Sign-in page URL: https://yourCasServer/login
      • Sign-out page URL: http://whateverServerYouWouldLike
      • Change password URL: http://whateverServerYouWouldLike
      • Verification Certificate: This is the x509.pem file
      • Check the "use a domain specific issuer" box.
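The four openssl steps above, wrapped into a script as an added example (not from the original post or the CAS project) that also checks, before x509.pem is uploaded to Google Apps, that private.key, public.key, private.p8 and x509.pem all carry the same RSA modulus, so the certificate Google verifies against really belongs to the key CAS signs with. It assumes openssl is on the PATH; the output directory, key size (defaulting to 2048 bits rather than the 1024 used above) and certificate subject are constructed parameters.

```shell
#!/bin/sh
# Added example, not the blog's or CAS's own code. Generates the CAS<->Google
# SAML signing material with the flags used in the post (with -inform PEM) and
# verifies that every artifact belongs to the same RSA key pair.
set -eu

# Generate private.key (PEM), public.key (DER SubjectPublicKeyInfo),
# private.p8 (unencrypted PKCS#8 DER) and x509.pem (self-signed cert) in DIR.
# BITS defaults to 2048 (the post used 1024); DAYS defaults to 365.
# The subject is a constructed placeholder; the post's interactive
# `openssl req` prompts for it instead.
gen_cas_google_keys() {
    dir=$1; bits=${2:-2048}; days=${3:-365}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
    openssl rsa -pubout -in "$dir/private.key" -out "$dir/public.key" \
        -inform PEM -outform DER 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
        -in "$dir/private.key" -out "$dir/private.p8"
    openssl req -new -x509 -key "$dir/private.key" -out "$dir/x509.pem" \
        -days "$days" -subj "/CN=cas.example.org" 2>/dev/null
}

# Return 0 when private.key, public.key, private.p8 and x509.pem in DIR all
# share one RSA modulus, non-zero otherwise. Run this before uploading
# x509.pem as the "Verification certificate" in Google Apps.
keys_match() {
    dir=$1
    priv=$(openssl rsa -noout -modulus -in "$dir/private.key")
    pub=$(openssl rsa -noout -modulus -pubin -inform DER -in "$dir/public.key")
    p8=$(openssl pkcs8 -inform DER -nocrypt -in "$dir/private.p8" \
         | openssl rsa -noout -modulus)
    cert=$(openssl x509 -noout -modulus -in "$dir/x509.pem")
    [ "$priv" = "$pub" ] && [ "$priv" = "$p8" ] && [ "$priv" = "$cert" ]
}

# Usage (run from WEB-INF/classes as in the post):
#   gen_cas_google_keys . && keys_match . && echo "key material is consistent"
```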

Sunday, May 3, 2009

CAS Installation Documentation

Well, as promised, here are the step-by-step instructions for setting up a CAS server. These instructions are for Linux, but for the most part everything applies on any platform. The big configuration changes are done by modifying XML files in Apache Tomcat. Also, these instructions were written using a slightly older version of CAS, but it shouldn't be any different at this time.

Note: Some of the XML changes that were made are not displaying correctly in the blog, so I had to place them in as images. If you have trouble with the images, click on them and you will be able to view them fully.

The CAS server is set up on top of a default Ubuntu Server 8.04 installation.

CAS requires that Tomcat be installed and running on the server before it can be installed. Since Tomcat is not in the default install, we must install it separately.

Basic server login and setup tasks:
  1. Login to server with assigned credentials using ssh.
  2. All work on the server must be completed as root.
    1. user@cas:~$ sudo -i (password required is your user password)
  3. Need basic tools not installed in setup.
    1. root@cas:~# apt-get install locate (locate utility to find files)
    2. root@cas:~# apt-get install nano (nano text editor to easily edit files)
    3. root@cas:~# apt-get install nmap (nmap utility to detect network activity)
    4. root@cas:~# apt-get install wget (wget utility to download files over internet connections)
Tomcat installation:
  1. The default Tomcat in apt isn't the latest, and it doesn't work reliably with 8.04, so it needs to be installed manually.
    1. Start by installing sun-java6-jdk from apt (you will need to accept the license in the process)
      1. root@cas:~# apt-get install sun-java6-jdk
    2. Then Tomcat needs to be downloaded and extracted. We do this from the /tmp directory.
      1. root@cas:~# cd /tmp
      2. root@cas:/tmp# wget http://apache.hoxt.com/tomcat/tomcat-6/v6.0.16/bin/apache-tomcat-6.0.16.tar.gz
      3. root@cas:/tmp# tar -zxf apache-tomcat-6.0.16.tar.gz
    3. We will then move the extracted Tomcat directory into /usr/local/tomcat (the init script below expects it there)
      1. root@cas:/tmp# mv apache-tomcat-6.0.16 /usr/local/tomcat
    4. Next, the JAVA_HOME variable needs to be set. This is done by editing the ~/.bashrc file
      1. root@cas:/tmp# nano ~/.bashrc
      2. paste in the following at the end: export JAVA_HOME=/usr/lib/jvm/java-6-sun
    5. To create an automatic startup and shutdown script for Tomcat, we need to create an init file.
      1. root@cas:/tmp# nano /etc/init.d/tomcat
      2. paste in the following:

#!/bin/sh
# Tomcat auto-start
#
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid

# Tomcat's own scripts need JAVA_HOME; init scripts don't read ~/.bashrc
export JAVA_HOME=/usr/lib/jvm/java-6-sun

case "$1" in
start)
sh /usr/local/tomcat/bin/startup.sh
;;
stop)
sh /usr/local/tomcat/bin/shutdown.sh
;;
restart)
sh /usr/local/tomcat/bin/shutdown.sh
sh /usr/local/tomcat/bin/startup.sh
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0
    6. The script created needs to be executable and linked to the startup folders so that it runs on startup or shutdown of the system.
      1. root@cas:/tmp# chmod 755 /etc/init.d/tomcat
      2. root@cas:/tmp# ln -s /etc/init.d/tomcat /etc/rc1.d/K99tomcat
      3. root@cas:/tmp# ln -s /etc/init.d/tomcat /etc/rc2.d/S99tomcat
CAS Server Installation:
  1. At the time of this documentation, the latest stable release of CAS is 3.2.1.1; this needs to be downloaded from their servers.
    1. root@cas:/tmp# wget http://www.ja-sig.org/downloads/cas/cas-server-3.2.1.1-release.tar.gz
  2. The download then needs to be extracted, the WAR copied into the Tomcat webapps directory (as cas.war, which makes /cas the application's context path), and Tomcat restarted
    1. root@cas:/tmp# tar -zxf cas-server-3.2.1.1-release.tar.gz
    2. root@cas:/tmp# cp cas-server-3.2.1.1/modules/cas-server-webapp-3.2.1.1.war /usr/local/tomcat/webapps/cas.war
    3. root@cas:/tmp# /etc/init.d/tomcat restart
  3. You can test a fully working installation by going to: http://servername:8080/cas/login (the WAR was deployed as cas.war, so the application is served under /cas)
Customization & Configuration:
  • Active Directory Integration (Pulls Usernames and Passwords from AD for Authentication)
    • Following directions gained from: http://www.ja-sig.org/wiki/display/CASUM/CAS+Quickly+(LDAP%2C+Windows%2C+Apache+Directory+Server)
    • And also directions from: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
      1. Stop the Tomcat services:
        • root@cas:tmp# /etc/init.d/tomcat stop
      2. Copy the necessary jar file from the extracted download in /tmp into the deployed application's lib directory
        • root@cas:/tmp# cp /tmp/cas-server-3.2.1.1/modules/cas-server-support-ldap-3.2.1.1.jar /usr/local/tomcat/webapps/cas/WEB-INF/lib/
      3. Edit the pom.xml file in the deployed application to insert support for LDAP lookups in CAS.
        • root@cas:tmp# nano /usr/local/tomcat/webapps/cas/META-INF/maven/org.jasig.cas/cas-server-webapp/pom.xml


      4. Edit the deployerConfigContext.xml file in the deployed application to remove the bean for the standard simple authentication and add in ldap information and server configuration (server IP and domain)
        • root@cas:~# nano /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml


      5. Restart the tomcat services
        • root@cas:~# /etc/init.d/tomcat start
      6. Verify that authentication works by entering an AD username and password and trying to login at the web interface.

  • Tomcat Configuration (Setting Tomcat to use ports 80 and 443: redirecting initial requests from port 80 and sending them to 443, also setting up an SSL certificate and making cas the default application on Tomcat)
    • Changing default port to port 80 instead of 8080 (the standard)
      1. Edit server.xml file in the config directory
        1. root@cas:tmp# nano /usr/local/tomcat/conf/server.xml
        2. On line 67, change port 8080 to port 80.
        3. Restart the Tomcat services
          • root@cas:tmp# /etc/init.d/tomcat restart
    • Setting CAS to be the default app, and getting rid of all the others
      1. Edit server.xml file in the config directory
        1. root@cas:tmp# nano /usr/local/tomcat/conf/server.xml
        2. On line 126 change appBase to be: appBase="webapps/cas"
        3. On line 129 paste in the following:
        4. Move all existing directories into a temporary archive in case they are needed later (the path is /usr/local/tomcat; Linux paths are case-sensitive):
          • root@cas:tmp# mkdir /tmp/archivedTomcatApps
          • root@cas:tmp# mv /usr/local/tomcat/webapps/docs /tmp/archivedTomcatApps/
          • root@cas:tmp# mv /usr/local/tomcat/webapps/examples /tmp/archivedTomcatApps/
          • root@cas:tmp# mv /usr/local/tomcat/webapps/host-manager /tmp/archivedTomcatApps/
          • root@cas:tmp# mv /usr/local/tomcat/webapps/manager /tmp/archivedTomcatApps/
          • root@cas:tmp# mv /usr/local/tomcat/webapps/ROOT /tmp/archivedTomcatApps/
        5. Restart the Tomcat services
          • root@cas:tmp# /etc/init.d/tomcat restart
    • Creating an SSL certificate and setting it up in Tomcat so that it will use SSL.
      • You must first create a CSR (certificate signing request); these steps follow the article on the InstantSSL site: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=244&nav=0,33
        • From the Tomcat root directory, /usr/local/tomcat, you need to create a key file and then the CSR file (replace domain with your server's domain name)
          1. root@cas:/usr/local/tomcat# keytool -genkey -keyalg RSA -keystore domain.key -validity 360
            • It will ask multiple questions, but the important one is the password; make sure to write down what you choose
          2. root@cas:/usr/local/tomcat# keytool -certreq -keyalg RSA -file domain.csr -keystore domain.key
            • You will be prompted for the same password as above
      • You will need to cut and paste the contents of the domain.csr file into the website that is granting the certificate and walk through the steps necessary there.
      • Once they have sent back your certificate, you will have three different certificates to import into the key file, and they must be imported in the correct order (root CA, then intermediate CA, then your own certificate). Make sure you use the correct password, which is defined above. This information was gained from: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=275&nav=0,1,88
        1. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -alias root -file EssentialSSLCA_2.crt -keystore domain.key
        2. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -alias INTER -file ComodoUTNSGCCA.crt -keystore domain.key
        3. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -file domain.crt -keystore domain.key
      • Once all certificates have been loaded into the key file, edit the /usr/local/tomcat/conf/server.xml file and paste in the following on line 82 (notice the password matches the password used above). This will allow the server to respond to port 443 requests and tells it where to find the key file and the password associated with it.

      • Restart the Tomcat services
        • root@cas:tmp# /etc/init.d/tomcat restart
      • Check to make sure everything is functioning correctly by going to the https:// version of the server in your browser.
  • CAS Configuration
    • Setting the properties file to have the correct CAS URLs
      • In the file /usr/local/tomcat/webapps/cas/WEB-INF/cas.properties, change the top three lines to have the appropriate beginning of the URLs: https://yourServerAddress/
    • Allowing user access to the services management application:
      • Edit the file /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml and insert the following at line 134 (replace username with an actual username in AD that will be administering the CAS services):
        • username=notused,ROLE_ADMIN

CAS: Central Authentication Service

Last school year my boss came back from the COSN conference and was quite excited about the single sign-on systems he had seen demonstrated there, specifically, CAS (Central Authentication Service) and Shibboleth. After spending quite a bit of time researching these two technologies which were completely new to me, I determined that in our infrastructure currently we didn't have the need for Shibboleth, which is more of a federated authentication architecture between organizations. Shibboleth seems to me to be a lot like what OpenID is trying to accomplish throughout the open source community, and at the time, it just didn't seem like something we needed.

CAS on the other hand was something that was going to be needed badly throughout our organization in the very near future. What CAS does is split apart the authentication layer from the actual data source and provide a web-based single sign-on architecture throughout your organization. CAS allows you to use any LDAP or even database backend as the authentication authority. For us, we needed to use Active Directory, as that is where all of our usernames and passwords currently reside; luckily, this works just fine with CAS as well.

As part of everything that I am doing in my current position, I have fully documented the steps necessary to get this setup from the ground up. I need to double check the document a little bit better to make sure it is fit for public consumption, but when I do, I will post it here as a step by step document for people looking to set this up in their organization.

Just as a further side note on what can be setup to authenticate with CAS, we are currently authenticating our Google Apps setup (more on this in another post), Moodle, Wordpress, and an application custom built for us by contractors. There are also instructions on their website for authenticating many other systems such as Outlook Web Access, Joomla, PeopleSoft, and many others.

MobilAP: The Mobile Academic Platform

Over the last month I have been working to customize a web application that will be used in an upcoming conference that I am a part of. There is an expectation by the board of this conference that there will be a fairly high number of attendees that will have either iPod Touches or iPhones. Because of this, they found a web application originally developed by the University of Cincinnati College of Design, Architecture, Art & Planning called MobilAP. I started looking into this application a couple of months ago and had hoped at the time that the customization of the application would be assisted by vendors. It turned out that the vendor we had hoped for assistance from had no resources that could be put into this task at this time, so that left all updating and customization on me.

A few weeks ago, I spent a few hours customizing the look and feel of the application. This was set up pretty easily, as the download for the package included the project files from Dashcode. This allowed for simple look and feel changes to be done easily. It also allowed for easy creation of new screens that were going to need to be added to the application for it to fit into what this conference had envisioned.

This weekend arrived and since the conference starts next week, there was no time left to put this off, so I had to dig in and get to work customizing it. The standard application has no portions built to provide a way to display promotional information from the vendors, so that had to be built in.

After nearly 30 hours of work this weekend, I am proud to say that the application is complete and ready to go for the conference. Some examples of the look and feel can be seen below:

If there is anyone out there who needs to do something like this, please let me know, and I would be happy to share with you the changes I made. They aren't pretty, as I haven't really done much coding for the last couple of years, but they do function. You can also get the original source code at the link for MobilAP above.