CAS build stuck


Zach Tackett

Sep 14, 2018, 2:35:11 PM
to CAS Community
I am completely new to CAS, server side management. New job, boss asked me to set up CAS on a CentOS 7 server.

Installed Java8, tomcat, cloned down the cas-overlay-template (maven)

I am getting stuck at this point. I have gone back into the logs and set the values it is issuing warnings on, and it still comes up with the warnings for the signing and encryption keys. All of the documentation I have been able to find and understand is old, or useless.

[INFO] Scanning for projects...
[INFO]
[INFO] Using the MultiThreadedBuilder implementation with a thread count of 5
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building cas-overlay 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ cas-overlay ---
[INFO] Deleting /home/entapps/cas-overlay-template/target
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ cas-overlay ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/entapps/cas-overlay-template/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ cas-overlay ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ cas-overlay ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/entapps/cas-overlay-template/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ cas-overlay ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ cas-overlay ---
[INFO] No tests to run.
[INFO]
[INFO] --- maven-war-plugin:2.6:war (default-war) @ cas-overlay ---
[INFO] Packaging webapp
[INFO] Assembling webapp [cas-overlay] in [/home/entapps/cas-overlay-template/target/cas]
[info] Copying manifest...
[INFO] Processing war project
[INFO] Processing overlay [ id org.apereo.cas:cas-server-webapp-tomcat]
[INFO] Webapp assembled in [1278 msecs]
[INFO] Building war: /home/entapps/cas-overlay-template/target/cas.war
[INFO]
[INFO] --- spring-boot-maven-plugin:1.5.12.RELEASE:repackage (default) @ cas-overlay ---
[INFO] Layout: WAR
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 7.112 s (Wall Clock)
[INFO] Finished at: 2018-09-14T14:28:55-04:00
[INFO] Final Memory: 13M/39M
[INFO] ------------------------------------------------------------------------

   __   ____      _      ____   __ 
  / /  / ___|    / \    / ___|  \ \
 | |  | |       / _ \   \___ \   | |
 | |  | |___   / ___ \   ___) |  | |
 | |   \____| /_/   \_\ |____/   | |
  \_\                           /_/

CAS Version: 5.2.6
CAS Commit Id: f5118fffa39b90da780500631d1dffcc296bbc08
CAS Build Date/Time: 2018-09-14T18:28:54Z
Spring Boot Version: 1.5.12.RELEASE
------------------------------------------------------------
Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_181
JVM Free Memory: 7 MB
JVM Maximum Memory: 444 MB
JVM Total Memory: 39 MB
JCE Installed: Yes
------------------------------------------------------------
OS Architecture: amd64
OS Name: Linux
OS Version: 3.10.0-862.11.6.el7.x86_64
OS Date/Time: 2018-09-14T14:29:07.867
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/8.5.31
------------------------------------------------------------


2018-09-14 14:29:08,185 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Configuration files found at [/etc/cas/config] are [[/etc/cas/config/application.yml, /etc/cas/config/cas.properties]]>
2018-09-14 14:29:08,285 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found and loaded [38] setting(s) from [/etc/cas/config]>
2018-09-14 14:29:08,286 INFO [org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration] - <Located property source: PropertiesPropertySource {name='standaloneCasConfigService'}>
2018-09-14 14:29:17,050 WARN [org.apereo.cas.config.CasCoreTicketsConfiguration] - <Runtime memory is used as the persistence storage for retrieving and managing tickets. Tickets that are issued during runtime will be LOST upon container restarts. This MAY impact SSO functionality.>
2018-09-14 14:30:10,002 WARN [org.apereo.cas.config.CasCoreServicesConfiguration] - <Runtime memory is used as the persistence storage for retrieving and persisting service definitions. Changes that are made to service definitions during runtime WILL be LOST upon container restarts. Ideally for production, you need to choose a storage option (JDBC, etc) to store and track service definitions.>
2018-09-14 14:30:11,016 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Ticket-granting Cookie]; CAS will attempt to auto-generate the encryption key>
2018-09-14 14:30:11,031 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [ntYWaumohB2mKgvNtQIkjfYil25I8DedEd4br8emuAw] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2018-09-14 14:30:11,032 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Ticket-granting Cookie]. CAS will attempt to auto-generate the signing key>
2018-09-14 14:30:11,032 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [RF62Dz4ixiuuRDPnzC352_lK7zOG5SU8edMNiy4ZoCTIfL3ry5mJrK2ThHXKTTcC2COj95UALR3K3fFJ_Rgo6Q] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2018-09-14 14:30:12,166 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for signing is not defined under [cas.webflow.crypto.signing.key]. CAS will attempt to auto-generate the signing key>
2018-09-14 14:30:12,167 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated signing key [ecLjAaJ21svS7ZBCAjEAvRcXVK7N8-B4BKhhoMBDkdtTURknEvCFBidNx21e3aS3JHcrYHMpsqH9IjtNwxYhGg] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2018-09-14 14:30:12,167 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
2018-09-14 14:30:12,169 WARN [org.apereo.cas.util.cipher.BaseBinaryCipherExecutor] - <Generated encryption key [QuIZQQ5PQFcLtPPQiiOEGw] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>

Can someone please point me in the right direction?

Matthew Uribe

Sep 14, 2018, 2:47:13 PM
to cas-...@apereo.org
I don't see anything wrong. It shows the build was a success, and that Tomcat is started. The WARN messages are not errors. It's just telling you that it made its own keys, and that tickets are being stored in memory.

Are you able to navigate to https://localhost:8443/cas on the host? (Assuming you are using port 8443).


Aims Community College Top Work Places 2018 - The Denver Post
Matt Uribe
Programmer Analyst II
Information Technology
Aims Community College
970.339.6375
matthe...@aims.edu
5401 W. 20th Street
Greeley, CO, 80634
www.aims.edu


IT staff will never ask you for your username and password.
Always decline to provide the information and report such 
attempts to the Help Desk (x6380).

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/992fbe29-7615-4c43-aca7-b686d10d27f8%40apereo.org.
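
Added example (not part of the thread or of CAS): a Python check that lists which crypto settings the startup log says CAS generated itself, and which of them the properties file still does not define, the situation described in the first post. The sample log and properties text are constructed, key values are placeholders, and the function names are this example's own.

```python
import re

# Matches the "Generated ... key" WARN lines; the key value is never captured.
GENERATED = re.compile(
    r"Generated (signing|encryption) key \[[^\]]+\] of size \[(\d+)\]"
    r".*?under setting \[([^\]]+)\]"
)

def auto_generated_settings(log_text):
    """Map each setting CAS generated a key for to (kind, size)."""
    found = {}
    for line in log_text.splitlines():
        m = GENERATED.search(line)
        if m:
            found[m.group(3)] = (m.group(1), int(m.group(2)))
    return found

def defined_properties(properties_text):
    """Active key=value pairs of a .properties file (comments and blanks skipped)."""
    props = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def still_missing(log_text, properties_text):
    """Settings CAS auto-generated that the properties file does not define."""
    props = defined_properties(properties_text)
    return sorted(s for s in auto_generated_settings(log_text) if not props.get(s))

# Constructed startup log in the format shown above; key values are placeholders.
SAMPLE_LOG = """\
WARN [...BaseStringCipherExecutor] - <Generated encryption key [KEY-A] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
WARN [...BaseStringCipherExecutor] - <Generated signing key [KEY-B] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
WARN [...BaseBinaryCipherExecutor] - <Generated signing key [KEY-C] of size [512]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
WARN [...BaseBinaryCipherExecutor] - <Generated encryption key [KEY-D] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
"""
# Constructed cas.properties: one key set, one commented out, one under a wrong name.
SAMPLE_PROPS = """\
cas.tgc.crypto.signing.key=PLACEHOLDER
#cas.tgc.crypto.encryption.key=PLACEHOLDER
cas.webflow.signing.key=PLACEHOLDER
"""

if __name__ == "__main__":
    for setting in still_missing(SAMPLE_LOG, SAMPLE_PROPS):
        print("not defined:", setting)
```

On a real host the two inputs would be the captured startup output and the contents of /etc/cas/config/cas.properties, the file the log above reports as loaded.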

Matthew Uribe

Sep 14, 2018, 2:49:41 PM
to cas-...@apereo.org
Have you had a chance to look through David Curry's guide? It's thorough and well laid out, and should get you on the road to successfully setting up CAS.




Zach Tackett

Sep 14, 2018, 3:05:30 PM
to CAS Community
That did it for me! Thank you so much. The login page came up, now I just have to figure out how to get it to work with ADFS so that it will redirect to the college login page.

Sean Day

Sep 16, 2018, 6:50:09 AM
to CAS Community
Do you mean delegated authentication with the login being passed off to ADFS? 

If so I can post the steps I used to get this working, it was a lot easier than I was expecting.

Sean Day

Sep 17, 2018, 4:38:54 AM
to CAS Community
OK, back at the desk now so have extracted the relevant sections from my build documentation. Screenshots are missing but the text should provide enough detail (if not too much ;-).

I doubt it is 100% correct as I stumbled through it myself, also the exact same config failed with 5.3.0 but was OK with 5.3.2 and 5.2.3 so seems there was a bug added then fixed (or my config just did not work with that build). Hopefully this will help you/someone and maybe if someone who knows better spots some mistakes in my config I can learn some more also ;-)


Configure ADFS

The CAS Service will be configured to redirect to ADFS. Before CAS can be set up to do this, the Relying Party needs to be set up on the ADFS server.

Login to the ADFS server and launch “AD FS Management”

Expand the tree to “Relying Party Trusts”.
Right click on “Relying Party Trusts” and select “Add Relying Party Trust..”
Click the “Start” button:
Select “Enter the data about the relying party manually” Then click Next.
Enter a Display Name and Notes then click “Next”.
On the “Choose Profile” section leave as AD FS Profile and click “Next”.
Click “Next” on the “Configure Certificate” screen.
Click “Next” on the “Configure URL” page.
On the “Configure Identifiers” page enter a unique identifier e.g. urn:cas-svr.domain.com for the CAS service and click “Add” then “Next”.
Leave the Multi-factor authentication as “I do not want to configure..” and click “Next”:
On the “Choose Issuance Authorization Rules” page leave it as “Permit all users to access this relying party” and click “Next”.
Click “Next” on the “Ready to Add Trust” page
Click “Close”.
Double click on the new Relying Party entry and select the “Endpoints” tab.
Click on “Add WS-Federation..".
Populate with the CAS login URL for your CAS server e.g. https://cas-svr.domain.com/cas/login.
Click “OK” then “OK” again to close the properties window.
Right click on the CAS Relying Party and select “Edit Claim Rules”.
Click “Add Rule” on the "Issuance Transform Rules" screen.
Select “Send LDAP  Attributes as Claims” and click “Next”.
Complete the “Configure Claim Rule” page as required, my settings were "LDAP Attribute"= "SAM-Account-Name" mapped to "Outgoing Claim Type"="UPN".
Click "finish".

Export the Token-signing Certificate
CAS will need to have access to the ADFS Token-signing certificate, export this from "AD FS Manager" and store it on the CAS server for later use.

CAS Maven pom.xml
Edit the Maven pom.xml, find the section below and add the lines in Green:
<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp${app.server}</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <!--
    ...Additional dependencies may be placed here...
    -->
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-json-service-registry</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-support-wsfederation-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
</dependencies>


Save the pom.xml file.

ADFS token-signing certificate

Now open the etc/cas/config folder and copy the ADFS token-signing certificate file to this folder (File in this example is "my-adfs-token-signing.cer").

CAS ADFS settings
Edit the cas.properties file in this folder and add the contents below:

# Logout settings if required uncomment below and change the cas.slo.disabled setting
cas.slo.disabled=true
#cas.logout.followServiceRedirects=true

# ADFS Note http on the "identityProviderIdentifier" this is not a mistake..
cas.authn.wsfed[0].identityProviderUrl=https://adfs-svr.domain.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs-svr.domain.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-svr.domain.com
cas.authn.wsfed[0].attributesType=WSFED
cas.authn.wsfed[0].signingCertificateResources=file:///etc/cas/config/my-adfs-token-signing.cer
cas.authn.wsfed[0].tolerance=10000
cas.authn.wsfed[0].identityAttribute=upn
cas.authn.wsfed[0].attributeResolverEnabled=true
cas.authn.wsfed[0].autoRedirect=true
# cas.authn.wsfed[0].name=

# cas.authn.wsfed[0].principal.principalAttribute=
# cas.authn.wsfed[0].principal.returnNull=false

# Private/Public keypair used to decrypt assertions, if any.
# cas.authn.wsfed[0].encryptionPrivateKey=classpath:private.key
# cas.authn.wsfed[0].encryptionCertificate=classpath:certificate.crt
# cas.authn.wsfed[0].encryptionPrivateKeyPassword=NONE

Build and deploy CAS.
Make sure the configuration is copied by running “build copy” or manually copying the files to the correct location.
Run the Package command to generate the .war file “build package”:
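
Added example (not part of the post above, and not CAS or ADFS code): a Python lint for the `cas.authn.wsfed[0]` block. It checks that `relyingPartyIdentifier` is one of the identifiers entered on the ADFS relying party trust, which must be the same string on both sides, that `identityProviderUrl` is https, and that the token-signing certificate path exists. The function names, the `ON_DISK` stand-in and the sample text are this example's own; the values are the ones used in the post.

```python
from urllib.parse import urlparse

PREFIX = "cas.authn.wsfed[0]."

def wsfed_settings(properties_text):
    """Active cas.authn.wsfed[0].* settings; commented-out lines are ignored."""
    settings = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line.startswith(PREFIX) and "=" in line:
            key, value = line[len(PREFIX):].split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_wsfed(properties_text, adfs_identifiers, file_exists):
    """Return a list of findings; an empty list means every check passed.

    adfs_identifiers: identifiers listed on the ADFS relying party trust.
    file_exists: callable(path) -> bool, e.g. os.path.isfile on the CAS host.
    """
    s = wsfed_settings(properties_text)
    findings = []
    rp = s.get("relyingPartyIdentifier", "")
    if rp not in adfs_identifiers:
        findings.append("relyingPartyIdentifier %r is not an ADFS identifier" % rp)
    if urlparse(s.get("identityProviderUrl", "")).scheme != "https":
        findings.append("identityProviderUrl must be an https URL")
    cert = urlparse(s.get("signingCertificateResources", ""))
    if cert.scheme != "file" or not file_exists(cert.path):
        findings.append("signingCertificateResources is not an existing file")
    if not s.get("identityAttribute"):
        findings.append("identityAttribute is not set")
    return findings

# Constructed sample using the values from the post above.
SAMPLE_PROPS = """\
cas.authn.wsfed[0].identityProviderUrl=https://adfs-svr.domain.com/adfs/ls/
cas.authn.wsfed[0].identityProviderIdentifier=http://adfs-svr.domain.com/adfs/services/trust
cas.authn.wsfed[0].relyingPartyIdentifier=urn:cas:cas-svr.domain.com
cas.authn.wsfed[0].signingCertificateResources=file:///etc/cas/config/my-adfs-token-signing.cer
cas.authn.wsfed[0].identityAttribute=upn
"""
ON_DISK = {"/etc/cas/config/my-adfs-token-signing.cer"}  # stand-in for the CAS host's files

if __name__ == "__main__":
    for adfs_id in ("urn:cas-svr.domain.com", "urn:cas:cas-svr.domain.com"):
        print(adfs_id, "->", check_wsfed(SAMPLE_PROPS, {adfs_id}, ON_DISK.__contains__))
```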



Zach Tackett

Sep 17, 2018, 8:31:47 AM
to CAS Community
Yeah! That's exactly what I mean :)

Zach Tackett

Sep 17, 2018, 8:59:47 AM
to CAS Community
I already have the ADFS cert in base64 format and have it scp'ed to the cas server.
Which part of the how-to would be best for me?


Zach Tackett

Sep 17, 2018, 11:11:41 AM
to CAS Community
Quick question,

I have tried to go to the login page again after the script hangs at the same point and I can not seem to be able to get the login page to load. Page keeps saying "Unable to connect".