How to connect cas server 6.2 to mod_auth_cas apache client using ubuntu
155 views
Skip to first unread message
arti wavale
Dec 7, 2020, 1:14:17 PM12/7/20
to CAS Community
Hello all,
I am facing issue to connect and transfer user data from cas 6.2 to mod_auth_cas apache client.
How to create certificate in cas server 6.2 and which certificate need to pass from server to client.
Build and Run command for server:
1] ./gradlew build
2] ./gradlew build jibDockerBuild
3] ./gradlew run
3] ./gradlew run
mod_auth_cas apache client:
CASLoginUrl https://cas.example.com/cas/login
#CASValidateUrl https://cas.example.com/cas/serviceValidate
CASValidateUrl https://cas.example.com/cas/samlValidate
CASCookiePath /var/cache/apache2/mod_auth_armor/
CASRootProxiedAs https://cas.client.com
CASValidateSAML On
CASSSOEnabled On
CASDebug On
CASVersion 2
LogLevel debug
CASCertificatePath /etc/ssl/certs/casrdev.crt
#CASValidateUrl https://cas.example.com/cas/serviceValidate
CASValidateUrl https://cas.example.com/cas/samlValidate
CASCookiePath /var/cache/apache2/mod_auth_armor/
CASRootProxiedAs https://cas.client.com
CASValidateSAML On
CASSSOEnabled On
CASDebug On
CASVersion 2
LogLevel debug
CASCertificatePath /etc/ssl/certs/casrdev.crt
Please guide me to connect cas server 6.2 and mod_auth_cas apache client.
Thanks and Regards
Arti
Colin Ryan
Dec 7, 2020, 2:23:57 PM12/7/20
to cas-...@apereo.org
Arti,
So first of all there is ton's of log information available to you, but you've shared none of it. So it's hard to see where you have issues.
However for mod_auth_cas you've defined the variables for it all fine. But the example you have given does not indicate you've told Apache to use it at all.
As found in the man info for that module
https://github.com/apereo/mod_auth_cas, you need to implement the
Auth module.
<Location /secured> Authtype CAS Require valid-user </Location>
Hope this helps.
Colin
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4ecf455b-80b0-4a93-ad09-e9d2f92ce0a9n%40apereo.org.
arti wavale
Dec 8, 2020, 8:16:28 AM12/8/20
to CAS Community, C Ryan
Hello C Ryan,
I have created a detail document and I have mention each and every main step in cas 6.2 server side and mod auth cas apache cas client side. Please find the attachment.
I do not understood how can I create a certificate and how to pass data from server to client .
Please guide me on it
Thanks and Regards
Arti
Ray Bon
Dec 8, 2020, 11:21:47 AM12/8/20
to cas-...@apereo.org, col...@caveo.ca
Arti,
You can paste the text of your config into the email.
If you are using self signed certs, either use the same one in both cas and apache or add each cert to the other server.
Ray
On Tue, 2020-12-08 at 05:16 -0800, arti wavale wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
arti wavale
Dec 21, 2020, 11:14:29 AM12/21/20
to CAS Community, Ray Bon, C Ryan
Hello,
Created certificate using following command:
1] keytool -genkey -alias cas -keyalg RSA -validity 999 -keystore /etc/cas/thekeystore -ext san=dns:$REPLACE_WITH_FULL_MACHINE_NAME
2]
keytool -export -file /etc/cas/config/cas.crt -keystore /etc/cas/thekeystore -alias cas
3]
sudo keytool -import -file /etc/cas/config/cas.crt -alias cas -keystore /usr/lib/jvm/java-1.11.0-openjdk-amd64/lib/security/cacerts
Cas.properties:
cas.server.name=https://xxxxxxx:8443
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/cas/config/log4j2.xml
cas.service-registry.initFromJson=true
cas.service-registry.json.location=file:/etc/cas/services
cas.tgc.secure:true
cas.tgc.crypto.signing.key:xxxxxxx
cas.tgc.crypto.encryption.key:xxxx
cas.webflow.crypto.signing.key:xxxx
cas.webflow.crypto.encryption.key:xxx
cas.authn.accept.users=
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost
#cas.authn.ldap[0].useSsl=false
#cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=50000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].baseDn=dc=cyberforza,dc=com
cas.authn.ldap[0].bindDn=cn=admin,dc=cyberforza,dc=com
cas.authn.ldap[0].bindCredential=administrator
cas.authn.ldap[0].principalAttributeList=memberOf,uid,cn,mail
# LDAP Pooling
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
#cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].allowMultipleDns=false
# Attribute repository settings
cas.authn.attribute-repository.expirationTime=30
cas.authn.attribute-repository.expirationTimeUnit=MINUTES
cas.authn.attribute-repository.maximumCacheSize=10000
cas.authn.attribute-repository.merger=ADD
cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://localhost
cas.authn.attribute-repository.ldap[0].searchFilter=cn={user}
cas.authn.attribute-repository.ldap[0].bindDn=cn=admin,dc=cyberforza,dc=com
cas.authn.attribute-repository.ldap[0].bindCredential=administrator
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.employeeNumber=employeeNumber
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
cas.server.prefix=${cas.server.name}/cas
logging.config=file:/etc/cas/config/log4j2.xml
cas.service-registry.initFromJson=true
cas.service-registry.json.location=file:/etc/cas/services
cas.tgc.secure:true
cas.tgc.crypto.signing.key:xxxxxxx
cas.tgc.crypto.encryption.key:xxxx
cas.webflow.crypto.signing.key:xxxx
cas.webflow.crypto.encryption.key:xxx
cas.authn.accept.users=
cas.authn.ldap[0].order=0
cas.authn.ldap[0].name=
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://localhost
#cas.authn.ldap[0].useSsl=false
#cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=50000
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].validatePeriod=270
cas.authn.ldap[0].searchFilter=cn={user}
cas.authn.ldap[0].baseDn=dc=cyberforza,dc=com
cas.authn.ldap[0].bindDn=cn=admin,dc=cyberforza,dc=com
cas.authn.ldap[0].bindCredential=administrator
cas.authn.ldap[0].principalAttributeList=memberOf,uid,cn,mail
# LDAP Pooling
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=50
cas.authn.ldap[0].validateOnCheckout=true
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=600
cas.authn.ldap[0].failFast=true
cas.authn.ldap[0].idleTime=5000
cas.authn.ldap[0].prunePeriod=5000
cas.authn.ldap[0].blockWaitTime=5000
#cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].allowMultipleDns=false
# Attribute repository settings
cas.authn.attribute-repository.expirationTime=30
cas.authn.attribute-repository.expirationTimeUnit=MINUTES
cas.authn.attribute-repository.maximumCacheSize=10000
cas.authn.attribute-repository.merger=ADD
cas.authn.attribute-repository.ldap[0].ldapUrl=ldap://localhost
cas.authn.attribute-repository.ldap[0].searchFilter=cn={user}
cas.authn.attribute-repository.ldap[0].bindDn=cn=admin,dc=cyberforza,dc=com
cas.authn.attribute-repository.ldap[0].bindCredential=administrator
cas.authn.attribute-repository.ldap[0].attributes.cn=cn
cas.authn.attribute-repository.ldap[0].attributes.displayName=displayName
cas.authn.attribute-repository.ldap[0].attributes.givenName=givenName
cas.authn.attribute-repository.ldap[0].attributes.mail=mail
cas.authn.attribute-repository.ldap[0].attributes.sn=sn
cas.authn.attribute-repository.ldap[0].attributes.employeeNumber=employeeNumber
cas.authn.attribute-repository.ldap[0].attributes.uid=uid
I am facing issue to connect and transfer user data from cas 6.2 to mod_auth_cas apache client.
How to create certificate in cas server 6.2 and which certificate need to pass from server to client.
Build and Run command for server:
1] ./gradlew build
2] ./gradlew build jibDockerBuild
3] ./gradlew run
3] ./gradlew run
mod_auth_cas apache client:
CASLoginUrl https://cas.example.com/cas/login
#CASValidateUrl https://cas.example.com/cas/serviceValidate
CASValidateUrl https://cas.example.com/cas/samlValidate
CASCookiePath /var/cache/apache2/mod_auth_armor/
CASRootProxiedAs https://cas.client.com
CASValidateSAML On
CASSSOEnabled On
CASDebug On
CASVersion 2
LogLevel debug
#CASValidateUrl https://cas.example.com/cas/serviceValidate
CASValidateUrl https://cas.example.com/cas/samlValidate
CASCookiePath /var/cache/apache2/mod_auth_armor/
CASRootProxiedAs https://cas.client.com
CASValidateSAML On
CASSSOEnabled On
CASDebug On
CASVersion 2
LogLevel debug
CASCertificatePath /etc/ssl/certs/cas.crt
<Directory "/var/www/html/secured-by-cas">
<IfModule mod_auth_cas.c>
AuthType CAS
CASAuthNHeader On
</IfModule>
Require valid-user
</Directory>
<IfModule mod_auth_cas.c>
AuthType CAS
CASAuthNHeader On
</IfModule>
Require valid-user
</Directory>
Please guide me to connect cas server 6.2 and mod_auth_cas apache client.
Thanks and Regards
Arti
Ray Bon
Jan 4, 2021, 7:20:42 PM1/4/21
to artiw...@gmail.com, cas-...@apereo.org, col...@caveo.ca
Arti,
Since there is no ticket validation in the cas log, it means that apache/mod_auth_cas is not able to send the ticket for validation. Either it is sending to the wrong url (verify CASValidateUrl) or it can not find cas.crt or cas/tomcat is not using cas.crt.
Did you copy your certificate from /etc/cas/config/cas.crt to /etc/ssl/certs/cas.crt.
Does your apache access.log show the correct redirect with the ST-1-... ?
Did you configure tomcat with your certificate?
When you browse to https://server/cas/login, you should receive a prompt about an unverified certificate. Click advanced and view certificate to make sure it is the one you have added to apache config.
If apache has its own self signed cert, it will need to be added to cacerts too.
Ray
--
Ray Bon
Jan 6, 2021, 12:00:48 PM1/6/21
to artiw...@gmail.com, cas-...@apereo.org
Arti,
I use a stand alone tomcat to run cas. Out of habit, I restart tomcat for all changes to cas.
Does gradlew know to use that cert?
Here is a section of my server.xml.
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/uvtomcat/config/thekeystore" clientAuth="false" sslProtocol="TLS">
</Connector>
Ray
On Wed, 2021-01-06 at 13:59 +0530, arti wavale wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Hello Ray Bon,
I am using CASValidateUrl correctly and I have copied the server certificate from /etc/cas/config/cas.crt to /etc/ssl/certs/cas.crt on the client side.
But cas.war is not uploaded properly in apache tomcat and first I need to stop tomcat service then successfully run command " ./gradlew run " for cas V 6.2.
So how can I configure the cas.war file in apache tomcat on the server system. Please give a solution on it.
Thanks and RegardsArti
Reply all
Reply to author
Forward
0 new messages