Authentication to Kibana using Httpd and CAS


Bandi Bharath Reddy

Nov 15, 2018, 12:17:15 AM
to CAS Community
Requirement : Enable CAS authentication for Kibana using HTTPD and MOD CAS

Software Version
mod_auth_cas 1.1
OpenSSL 1.0.2k-fips
Apache Portable Runtime apr-1.6.3  
Apache Web Server httpd-2.4.34
libcurl curl-7.61.1
libpcre pcre-8.42
RHEL Red Hat Enterprise Linux Server release 7.5 (Maipo)

Server and Software details :
Server 1 (10.0.0.12)       : CAS
Server 2 (10.0.0.13)       : Kibana, mod_auth_cas, openssl, Apache Portable Runtime, Apache Web Server, libcurl and libpcre

Status: When connecting to the HTTPD URL, the CAS login page is loaded based on the configuration file and CAS authentication is successful, but it is not routing to the Kibana page. (Note: If invalid credentials are entered, a valid message is shown on the CAS login page.)

Error Message in UI : This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g bad password), or your browser doesnt understand how to supply the credentials required.

Error in TOMCAT Catalina.out file : 
=============================================================
WHO: user1
WHAT: Supplied credentials: [user1]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:54,872 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: user1
WHAT: TGT-**************************************************D4hA1i3dcK-server1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:54,874 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: user1
WHAT: ST-268890-0TYIGhZAait2pCXX3Zki-server1 for http://10.0.0.13:4010/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:55,255 WARN [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <No clients could be determined based on the provided configuration>
2018-10-30 10:36:55,258 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Oct 30 10:36:55 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:55 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================

Httpd.conf file :

<VirtualHost *:4010>
        CASCookiePath /data/CAS_Kibana_Integration/cache/httpd/mod_auth_cas/
        CASLoginURL https://10.0.0.12:8443/cas/login
        CASCertificatePath CASCertificatePath
        ServerName 10.0.0.13
        ServerAdmin kibana...@abc.com
        ProxyRequests Off
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile "SERVER2.pem file path"
        SSLCertificateKeyFile "Server2_private.key"
        ErrorLog logs/kibana_error.log
        LogLevel debug
        CustomLog logs/kibana_access.log combined
        <Location "/.*">
                CASScope /
                AuthType CAS
                AuthName "CAS"
                Options Indexes MultiViews
                Order allow,deny
                Allow from all
                require valid-user
                ProxyPass / https://10.0.0.13:5601
                ProxyPassReverse / https://10.0.0.13:5601/
                Redirect / https://10.0.0.13:5601
        </Location>
</VirtualHost>


Please let us know configuration changes required to overcome this issue. 

Regards,
Bharath

Ray Bon

Nov 15, 2018, 12:20:58 PM
to cas-...@apereo.org
Bharath,

Are you using a self signed certificate?
You can add the certificate to the jdk store with something like:
sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts


Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
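
The virtual host from the first post, rewritten as an added example (not part of the thread, and not a confirmed fix for the reported error): it adds the CASValidateURL that mod_auth_cas uses to validate the service ticket, points CASCertificatePath at a CA file, keeps backend certificate verification on, and replaces the regex-style Location. The /cas/serviceValidate path, TLS on the listener and every PLACEHOLDER path are assumptions.

```apache
# Added example: paths marked PLACEHOLDER and the /cas/serviceValidate
# endpoint are assumptions, not values from the thread.
<VirtualHost *:4010>
    ServerName 10.0.0.13

    # The CAS log shows the service as http://10.0.0.13:4010/, so the
    # original listener was plain HTTP despite listing a certificate and key.
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/server2.pem
    SSLCertificateKeyFile /PLACEHOLDER/server2_private.key

    # mod_auth_cas: where to send the browser, where to validate the
    # service ticket over the back channel, and which CA to trust for
    # the CAS server's certificate.
    CASCookiePath      /data/CAS_Kibana_Integration/cache/httpd/mod_auth_cas/
    CASLoginURL        https://10.0.0.12:8443/cas/login
    CASValidateURL     https://10.0.0.12:8443/cas/serviceValidate
    CASCertificatePath /PLACEHOLDER/cas-server-ca.pem

    # Reverse proxy to Kibana with backend certificate checks left on
    # (the original set SSLProxyVerify none and the CheckPeer* options off).
    ProxyRequests Off
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /PLACEHOLDER/kibana-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    ProxyPass        / https://10.0.0.13:5601/
    ProxyPassReverse / https://10.0.0.13:5601/
    # No "Redirect / https://10.0.0.13:5601": a redirect sends the browser
    # straight to Kibana, outside this CAS-protected virtual host.

    ErrorLog  logs/kibana_error.log
    CustomLog logs/kibana_access.log combined

    # <Location> matches a URL path (shell-style wildcards only); a regex
    # needs <LocationMatch>. "/" covers the whole site.
    <Location "/">
        AuthType CAS
        AuthName "CAS"
        CASScope /
        Require valid-user
    </Location>
</VirtualHost>
```

The CAS gate only holds if port 5601 is unreachable from client networks, since Kibana itself performs no CAS check in this setup.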