
Sunday, May 3, 2009

CAS Installation Documentation

Well, as promised, here are the step-by-step instructions for setting up a CAS server. These instructions are for Linux, but for the most part everything applies on any platform, since the big configuration changes are made by editing XML files in Apache Tomcat. They were also written against a somewhat older version of CAS, but at the time of writing they should still apply.

Note: Some of the XML changes did not display correctly in the blog, so I had to place them as images. If you have trouble with the images, click on them and you will be able to view them in full.

The CAS server is set up on top of a default Ubuntu Server 8.04 installation.

CAS runs inside Tomcat, so Tomcat must be installed and running before CAS can be deployed. Tomcat is not part of the default install, so it is set up separately below.

Basic server login and setup tasks:
  1. Login to server with assigned credentials using ssh.
  2. All work on the server must be completed as root.
    1. user@cas:~$ sudo -i (password required is your user password)
  3. Install basic tools that are not part of the default setup.
    1. root@cas:~# apt-get install locate (locate utility to find files)
    2. root@cas:~# apt-get install nano (nano text editor to easily edit files)
    3. root@cas:~# apt-get install nmap (nmap port scanner, used here to check which ports the server is listening on)
    4. root@cas:~# apt-get install wget (wget utility to download files over internet connections)
Tomcat installation:
  1. The default Tomcat that is in apt isn't the latest, and it doesn't work reliably with 8.04, so it needs to be installed manually.
    1. Start by installing sun-java6-jdk from apt (you will need to accept the license in the process)
      1. root@cas:~# apt-get install sun-java6-jdk
    2. Then Tomcat needs to be downloaded and extracted. We do this from the /tmp directory. The mirror serves the archive over plain HTTP, so check it against the PGP signature or checksum published on tomcat.apache.org before unpacking it.
      1. root@cas:~# cd /tmp
      2. root@cas:/tmp# wget http://apache.hoxt.com/tomcat/tomcat-6/v6.0.16/bin/apache-tomcat-6.0.16.tar.gz
      3. root@cas:/tmp# tar -zxf apache-tomcat-6.0.16.tar.gz
    3. We will then move the extracted directory (not the tar.gz itself) into /usr/local/tomcat
      1. root@cas:/tmp# mv apache-tomcat-6.0.16 /usr/local/tomcat
    4. Next, the JAVA_HOME variable needs to be set so that the Tomcat scripts can find the JDK when run by hand. This is done by editing root's ~/.bashrc file (the init script below exports it on its own, so this only affects interactive shells).
      1. root@cas:/tmp# nano ~/.bashrc
      2. paste in the following at the end: export JAVA_HOME=/usr/lib/jvm/java-6-sun
    5. To create an automatic startup and shutdown script for Tomcat, we need to create an init file.
      1. root@cas:/tmp# nano /etc/init.d/tomcat
      2. paste in the following:

#!/bin/sh
# Tomcat auto-start
#
# description: Auto-starts tomcat
# processname: tomcat
# pidfile: /var/run/tomcat.pid
#
# Note: as written this starts Tomcat as root, which is what later allows it
# to bind ports 80 and 443. A dedicated unprivileged user with the low ports
# redirected to it is the safer layout; everything below assumes root.

export JAVA_HOME=/usr/lib/jvm/java-6-sun

case "$1" in
  start)
    sh /usr/local/tomcat/bin/startup.sh
    ;;
  stop)
    sh /usr/local/tomcat/bin/shutdown.sh
    ;;
  restart)
    sh /usr/local/tomcat/bin/shutdown.sh
    # shutdown.sh returns before the JVM has released its ports;
    # give it a moment or startup.sh fails with "Address already in use".
    sleep 5
    sh /usr/local/tomcat/bin/startup.sh
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
    6. The script needs to be executable and linked into the runlevel directories so that it runs on system startup and shutdown.
      1. root@cas:/tmp# chmod 755 /etc/init.d/tomcat
      2. root@cas:/tmp# ln -s /etc/init.d/tomcat /etc/rc1.d/K99tomcat
      3. root@cas:/tmp# ln -s /etc/init.d/tomcat /etc/rc2.d/S99tomcat
CAS Server Installation:
  1. At the time of this documentation, the latest stable release of CAS is 3.2.1.1; this needs to be downloaded from their servers.
    1. root@cas:/tmp# wget http://www.ja-sig.org/downloads/cas/cas-server-3.2.1.1-release.tar.gz
  2. The download then needs to be extracted, copied into the tomcat webapps directory, and then tomcat restarted
    1. root@cas:/tmp# tar -zxf cas-server-3.2.1.1-release.tar.gz
    2. root@cas:/tmp# cp cas-server-3.2.1.1/modules/cas-server-webapp-3.2.1.1.war /usr/local/tomcat/webapps/cas.war
    3. root@cas:/tmp# /etc/init.d/tomcat restart
  3. You can test a fully working installation by going to http://servername:8080/cas/login (the context path is cas because the war was copied in as cas.war). Out of the box CAS ships with SimpleTestUsernamePasswordAuthenticationHandler, which accepts any username whose password is the same string, so test/test logs in. That handler is replaced with AD authentication below and must never remain on a production server.
Customization & Configuration:
  • Active Directory Integration (Pulls Usernames and Passwords from AD for Authentication)
    • Following directions gained from: http://www.ja-sig.org/wiki/display/CASUM/CAS+Quickly+(LDAP%2C+Windows%2C+Apache+Directory+Server)
    • And also directions from: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory
      1. Stop the Tomcat service:
        • root@cas:/tmp# /etc/init.d/tomcat stop
      2. Copy the LDAP support jar from the extracted download in /tmp into the deployed application's WEB-INF/lib directory:
        • root@cas:/tmp# cp /tmp/cas-server-3.2.1.1/modules/cas-server-support-ldap-3.2.1.1.jar /usr/local/tomcat/webapps/cas/WEB-INF/lib/
      3. Edit the pom.xml file in the deployed application to record the LDAP dependency (the XML edit was shown as an image in the original post). Note that Tomcat never reads this pom.xml at runtime; it is build metadata. What actually makes LDAP lookups available to the running webapp is the jar copied in the previous step, together with any jars it depends on, which must also sit in WEB-INF/lib.
        • root@cas:/tmp# nano /usr/local/tomcat/webapps/cas/META-INF/maven/org.jasig.cas/cas-server-webapp/pom.xml


      4. Edit the deployerConfigContext.xml file in the deployed application: remove the bean for the standard simple authentication handler (SimpleTestUsernamePasswordAuthenticationHandler, which accepts any username whose password equals the username and exists only for testing) and add the LDAP handler with the server configuration (server address and domain). The XML was shown as an image in the original post. Use ldaps rather than ldap for the server URL; otherwise every password CAS checks crosses the network to the domain controller in the clear.
        • root@cas:/tmp# nano /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml


      5. Start the Tomcat service
        • root@cas:/tmp# /etc/init.d/tomcat start
      6. Verify that authentication works by logging in at the web interface with an AD username and password. Also confirm the test handler is really gone: a login for a non-existent account with the password set equal to the username must now fail.
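As an added example (this is not the XML from the original post's image, nor configuration shipped by the CAS project), here is the shape of the deployerConfigContext.xml change for CAS 3.2.1.1 against Active Directory using the bind-after-search handler from the LDAP support jar. The domain example.local, the domain controller dc1.example.local, the bind account, its password and the search base are placeholders to replace; the ignorePartialResultException property is assumed to be present on the handler in the 3.2.1.1 jar.

```xml
<!-- /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml -->

<!-- 1. In the authenticationManager bean's authenticationHandlers list,
        delete SimpleTestUsernamePasswordAuthenticationHandler (it accepts
        any username whose password equals the username) and add this bean.
        Keep the HttpBasedServiceCredentialsAuthenticationHandler entry that
        is already in the list; CAS uses it for proxy callbacks. -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <!-- %u is replaced with the login name typed into the CAS form -->
  <property name="filter" value="sAMAccountName=%u" />
  <!-- placeholder: the container or domain root to search under -->
  <property name="searchBase" value="DC=example,DC=local" />
  <!-- AD returns referrals for a domain-wide search; without this the
       search fails with a PartialResultException. Assumed to exist on
       the 3.2.1.1 handler. -->
  <property name="ignorePartialResultException" value="true" />
  <property name="contextSource" ref="contextSource" />
</bean>

<!-- 2. Add this bean at the top level of the file. The bind account only
        needs read access to the users' container; it must not be a domain
        admin. Placeholders: host, bind DN and password. -->
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <!-- ldaps on 636: with ldap://host:389 the bind account's and every
       user's password crosses the wire in the clear. The DC's issuing CA
       has to be in the JVM truststore for this connection to succeed. -->
  <property name="urls">
    <list>
      <value>ldaps://dc1.example.local:636/</value>
    </list>
  </property>
  <property name="userDn" value="CN=cas-bind,OU=Service Accounts,DC=example,DC=local" />
  <property name="password" value="change-me" />
  <property name="pooled" value="false" />
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
```

The handler searches for the typed login name with the bind account, then binds as the entry it finds with the user's password, so a wrong password or an unknown account both end in a failed bind rather than a successful login.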

  • Tomcat Configuration (Setting Tomcat to use ports 80 and 443: redirecting initial requests from port 80 and sending them to 443, also setting up an SSL certificate and making cas the default application on Tomcat)
    • Changing the default port to 80 instead of 8080 (Tomcat's standard)
      1. Edit the server.xml file in the config directory
        1. root@cas:/tmp# nano /usr/local/tomcat/conf/server.xml
        2. In the HTTP/1.1 Connector element (line 67 in the stock 6.0.16 file), change port="8080" to port="80". Only root can bind ports below 1024 on Linux, which is why the init script above starts Tomcat as root; the price is that the whole container, and any bug in CAS, runs with root privileges.
        3. Restart the Tomcat service
          • root@cas:/tmp# /etc/init.d/tomcat restart
    • Setting CAS to be the default app, and getting rid of all the others
      1. Edit the server.xml file in the config directory
        1. root@cas:/tmp# nano /usr/local/tomcat/conf/server.xml
        2. On line 126 change appBase to be: appBase="webapps/cas"
        3. On line 129 paste in the XML shown as an image in the original post.
           Caveat: appBase names the directory that holds applications, not an application, so pointing it at webapps/cas makes Tomcat consider the subdirectories of the CAS webapp as candidate applications. The supported way to make CAS the default application is to leave appBase="webapps" and deploy the war as ROOT.war (or rename webapps/cas to webapps/ROOT) once the stock ROOT has been moved out of the way in the next step.
        4. Move all existing directories into a temporary archive in case they are needed later. The examples, manager and host-manager applications are a well-known attack surface on an exposed Tomcat and have no business on a single sign-on server. Note that Ubuntu cleans /tmp at boot, so keep the archive somewhere else if you really want it back:
          • root@cas:/tmp# mkdir /tmp/archivedTomcatApps
          • root@cas:/tmp# mv /usr/local/tomcat/webapps/docs /tmp/archivedTomcatApps/
          • root@cas:/tmp# mv /usr/local/tomcat/webapps/examples /tmp/archivedTomcatApps/
          • root@cas:/tmp# mv /usr/local/tomcat/webapps/host-manager /tmp/archivedTomcatApps/
          • root@cas:/tmp# mv /usr/local/tomcat/webapps/manager /tmp/archivedTomcatApps/
          • root@cas:/tmp# mv /usr/local/tomcat/webapps/ROOT /tmp/archivedTomcatApps/
        5. Restart the Tomcat service
          • root@cas:/tmp# /etc/init.d/tomcat restart
    • Creating an SSL certificate and setting that up in Tomcat so that it will use SSL.
      • Must first create a CSR (certificate signing request). The steps follow the article on the InstantSSL site: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=244&nav=0,33
        • From the Tomcat root directory, /usr/local/tomcat, create the keystore (the post calls it domain.key, but it is a JKS keystore that will hold the private key and the certificate chain) and then the CSR (replace domain with the server's domain name). Java 6 keytool defaults to a 1024-bit RSA key, so ask for 2048 bits explicitly:
          1. root@cas:/usr/local/tomcat# keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.key -validity 360
            • It asks several questions. Answer the first, "What is your first and last name?", with the server's fully qualified host name exactly as users will type it, because that answer becomes the certificate's CN. The keystore password matters: write it down, and when prompted for the key password press Enter so it is the same as the keystore password, which is what Tomcat expects. The validity only applies to the self-signed placeholder; the CA sets the real expiry.
          2. root@cas:/usr/local/tomcat# keytool -certreq -keyalg RSA -file domain.csr -keystore domain.key
            • You will be prompted for the same password.
      • Cut and paste the contents of domain.csr into the website that is issuing the certificate and walk through the steps there.
      • The CA sends back three certificates (root, intermediate and your server certificate), and all must be imported into the keystore in that order, using the password chosen above. This information came from: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=275&nav=0,1,88
        1. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -alias root -file EssentialSSLCA_2.crt -keystore domain.key
        2. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -alias INTER -file ComodoUTNSGCCA.crt -keystore domain.key
        3. root@cas:/usr/local/tomcat# keytool -import -trustcacerts -file domain.crt -keystore domain.key
          • No -alias on this one on purpose: the server certificate has to go in under the alias of the key pair created in step 1 (keytool's default, mykey, since no -alias was given there), so that it replaces the self-signed placeholder instead of being stored as a separate trusted certificate. keytool confirms this with "Certificate reply was installed in keystore".
      • Once all certificates are in the keystore, edit /usr/local/tomcat/conf/server.xml and paste in the HTTPS Connector on line 82 (shown as an image in the original post; its keystorePass attribute must match the password used above). This makes the server answer requests on port 443 and tells it where the keystore is and the password for it.

      • Restart the Tomcat services
        • root@cas:tmp# /etc/init.d/tomcat restart
      • Check to make sure everything is functioning correctly by going to https:// version of the server through your browser.
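As an added example (not the Connector from the original post's image, nor Tomcat's own stock configuration), here is a server.xml connector pair for ports 80 and 443 together with the web.xml constraint that actually makes the port 80 to 443 redirect happen; without that constraint Tomcat serves the login page over plain HTTP and the redirectPort is never consulted. The keystore path follows the post (/usr/local/tomcat/domain.key); the password value and the host name cas.example.edu are placeholders.

```xml
<!-- /usr/local/tomcat/conf/server.xml (Tomcat 6.0.x), inside <Service name="Catalina"> -->

<!-- Plain HTTP on 80. It exists only to bounce browsers to HTTPS: Tomcat
     uses redirectPort when a webapp demands CONFIDENTIAL transport (see
     the web.xml fragment below). Binding a port below 1024 is why the
     init script starts Tomcat as root. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS on 443 using the JKS keystore built with keytool above.
     keystorePass must equal the keystore password chosen at -genkey time,
     and Tomcat assumes the key password is the same unless keyPass is set.
     keyAlias "mykey" is keytool's default when -alias is not given.
     Placeholder: the password value. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/domain.key"
           keystorePass="change-me"
           keyAlias="mykey" />

<!-- The stock file also enables an AJP/1.3 connector on 8009. Comment it
     out unless an Apache httpd with mod_jk sits in front; an open AJP
     port is one more way into the container. -->

<!-- /usr/local/tomcat/webapps/cas/WEB-INF/web.xml: add inside <web-app>.
     Without this, http://cas.example.edu/login is answered in the clear
     on port 80 and the redirectPort above does nothing. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>CAS over TLS only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

To check the result from the server itself: a request to http://cas.example.edu/login should come back as a 302 to the https URL, and nmap (installed earlier) should show only 80 and 443 open once the AJP connector is disabled.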
  • CAS Configuration
    • Setting the properties file to have the correct CAS URLs
      • In the file /usr/local/tomcat/webapps/cas/WEB-INF/cas.properties change the three URL properties at the top to begin with https://yourServerAddress/ (no :8080 and, since CAS is now the default application, no /cas path). These URLs are what CAS uses to validate its own services-management login, so a mistake here shows up as a failure on the services page rather than on the login form.
    • Allowing user access to the services management application:
      • Edit /usr/local/tomcat/webapps/cas/WEB-INF/deployerConfigContext.xml and insert the following inside the userMap value of the userDetailsService bean at line 134 (replace username with the AD account that will administer the CAS services; the password field reads notused because the user is authenticated by CAS against AD, not by this map, and ROLE_ADMIN is what grants access):
        • username=notused,ROLE_ADMIN

4 comments:

Kurt Paccio said...

Kris,
We tried to follow your directions with some encouraging initial success. However, Google Apps no longer allows CAS version 3.2.11.

They are requiring an additional piece of information and suggest that we try CAS 3.4.2.

Have you upgraded? Major problems here with the dependencies. Looking for someone who can assist.

KP

Kris Hagel said...

Kurt,

I just emailed Brian, I assume he works with you, and let him know that I handed off this server to one of my employees. I know we have updated, but I am unsure to which version of CAS. I will check with him tomorrow to see if he can assist, and if so I will pass on his contact info. If not, I will build a new virtual machine with the latest software and see if I can get this solved for you. I will be in touch.

Kris

ed.mol said...

I am trying to set up a single sign-on for zimbra, knowledgetree, moodle etc. I started with the installation of CAS and up to implementation and configuration everything was fine.

Now I need some advice to set up an AD (I think). I assume that this will hold user IDs and passwords?

Am I correct that thus with CAS and AD I'll get to my apps (like zimbra and knowledgetree)?

Can you advise me on the next step to set up an AD?

Thanks in advance.

Ed Mol
