Installation and configuration of CAS with jdk17, tomcat9, ldap and lam...


Coeurcy Mokoko

Apr 28, 2023, 9:42:34 AM
to CAS Community
Hello, I am working on the implementation of an SSO with CAS using tomcat9, ldap, lam, jdk17. I have encountered several errors that I have not been able to solve for a week already, including the compilation of the build.gradle file. I really need help, it's urgent...!

I thank you in advance!

Ray Bon

Apr 28, 2023, 12:11:43 PM
to cas-...@apereo.org
Coeurcy,

And the problem is...?

Ray


azer tyuiop

Apr 30, 2023, 1:40:50 PM
to CAS Community, Ray Bon
Task :createKeystore FAILED
erreur keytool : java.lang.Exception: Paire de clés non générée, l'alias <cas> existe déjà

FAILURE: Build failed with an exception.

* Where:
Script '/opt/cas-overlay-template/gradle/tasks.gradle' line: 160

* What went wrong:
Execution failed for task ':createKeystore'.
> Process 'command 'keytool'' finished with non-zero exit value 1

Ray Bon

May 1, 2023, 1:53:17 PM
to tyuio...@gmail.com, cas-...@apereo.org
azer,

The default location is /etc/cas
Do you have write access to this directory?
You can also change the location in the gradle.properties; certDir=...

Ray

Frédéric Dussurget

May 2, 2023, 9:50:34 AM
to CAS Community, tyuio...@gmail.com, Ray Bon
Hi,
as the cas alias "existe déjà", you might list certificates that are stored in your keystore (/etc/cas/thekeystore) then delete the cas entry:

# replace changeit with whatever your password is
keytool -list -v -keystore /etc/cas/thekeystore -storepass changeit
keytool -delete -alias your_cas_server_alias -keystore /etc/cas/thekeystore -storepass changeit

(And, this said, I would go for tomcat 10 over jdk 17, especially for cas v7.x. You can stay with tomcat 9/jdk 11 with cas 6.x, especially if you want to implement cas-management besides.)

azer tyuiop

May 2, 2023, 9:50:34 AM
to CAS Community, Ray Bon, azer tyuiop
Thanks, I was able to solve this problem, but I would like to know how to put cas in https and how to configure web applications to this one so that they take into account the authentication with cas...!

Thanks in advance!

Ray Bon

May 2, 2023, 12:49:55 PM
to tyuio...@gmail.com, cas-...@apereo.org

azer tyuiop

May 4, 2023, 6:59:30 AM
to CAS Community, Ray Bon, azer tyuiop
Hi, I thank you very much for the links you provided me because it's difficult to find more detailed information about CAS deployment, but those don't help me much because they use obsolete versions with environments different from mine.

I use:

- JDK-17
- Tomcat 10.1.8 (my cas server is deployed in this one)
- CAS-6.6.7
- LDAP directory

I was able to install CAS Server, what bothers me at the moment is to link CAS to web applications so that they can take into account CAS-SSO so that authentication is unique through CAS.

It would help me a lot if you try to help me with the specifications I provided on my CAS deployment.

Thank you in advance!

Ray Bon

May 4, 2023, 12:16:55 PM
to tyuio...@gmail.com, cas-...@apereo.org
azer,

For the client side of your system, the choice will depend on which technology and architecture you are using. Here is a list from the cas docs, https://apereo.github.io/cas/6.6.x/integration/CAS-Clients.html

I have used java and php clients. More recently, pac4j, since it provides support for many different protocols. My coworkers have used spring security in grails, OIDC in node.js, or keycloak for some third party applications. There is also Shibboleth SP and of course commercial vendors.


Do you have an application already built or just starting?

As far as the installation guides, though they are for older versions, the steps and terminology used are still relevant.

Ray

Ray Bon

May 4, 2023, 3:37:00 PM
to tyuio...@gmail.com, cas-...@apereo.org
azer,

Check out these options (java centric):

Ray


azer tyuiop

May 4, 2023, 11:12:48 PM
to CAS Community, Ray Bon, azer tyuiop
Oh right, but I don't have an application, I've just started and barely managed to install CAS via CAS-OVERLAY-TEMPLATE, and it's my first time doing all this, which is why I'm having a lot of trouble.

azer tyuiop

May 7, 2023, 2:11:37 AM
to CAS Community, Ray Bon, azer tyuiop
Thank you very much for your help, I have understood what it takes to evolve in my project and for the moment everything is going well, in any case thank you very much!

azer tyuiop

May 10, 2023, 5:17:58 AM
to CAS Community, Ray Bon, azer tyuiop
Hello, you told me earlier that you had to install and use java-cas-client as a client for your architecture. I would like you to give the necessary configurations to integrate the applications with the java-cas-client so that they can be linked to or take into account the CAS authentication, because I have been trying for a few days but it does not work.

Thanks in advance

Ray Bon

May 10, 2023, 1:04:38 PM
to tyuio...@gmail.com, cas-...@apereo.org
azer,

I started with java cas client by getting a working test application from the internet. The java cas client requires edits to web.xml; in my opinion it is less friendly than pac4j, which uses spring beans. Check the docs in the previous links.

Ray

P.S. here is a chunk of pac4j config:


<!-- CAS protocol settings: login URL, proxy receptor and service ticket validator -->
<bean id="casClientConfig" class="org.pac4j.cas.config.CasConfiguration">
    <property name="loginUrl" value="${cas.server.prefix}/login" />
    <property name="proxyReceptor">
        <bean class="org.pac4j.cas.client.CasProxyReceptor">
            <property name="callbackUrl" value="${demo.clients.callback-url}" />
        </bean>
    </property>
    <property name="defaultTicketValidator">
        <bean class="org.jasig.cas.client.validation.Cas30ServiceTicketValidator">
            <constructor-arg value="${cas.server.prefix}" />
        </bean>
    </property>
</bean>

<bean id="casClient" class="org.pac4j.cas.client.CasClient">
    <property name="configuration" ref="casClientConfig" />
</bean>

<!-- oidcClient, casOAuthWrapperClient and samlClient are not part of this chunk -->
<bean id="clients" class="org.pac4j.core.client.Clients">
    <constructor-arg name="callbackUrl" value="${demo.clients.callback-url}" />
    <constructor-arg name="clients">
        <list>
            <ref bean="oidcClient" />
            <ref bean="casOAuthWrapperClient" />
            <ref bean="samlClient" />
            <ref bean="casClient" />
        </list>
    </constructor-arg>
</bean>

azer tyuiop

May 13, 2023, 8:35:38 AM
to CAS Community, Ray Bon, azer tyuiop
Hello, I hope you are well. In any case, I come back to you with a huge disappointment and fear, because I still did not manage to make CAS SSO work for the authentication of web applications. Indeed, with the new version of CAS-OVERLAY-TEMPLATE, I encountered several difficulties, which are:

- All the tutorials on the Internet and those you provided me concerning the complete implementation of CAS are obsolete because:
     * The CAS versions used are obsolete
     * The configuration files like "cas.properties" for the connection of CAS to LDAP exist.
     * The implementation is done with Tomcat 7 - 9; jdk8-11 and cas 5.x.x - 6.3.x; Debian 10 and other OS like RED HAT
     * Installation and configuration of clients and applications is easier and more functional
- I can't even clone the old CAS versions on github to comply with the tutorials which use old CAS versions

Please, I really need urgent help, as I am currently a third-year undergraduate student and this (implementing CAS SSO) is my thesis topic for my defense, and the defense date is approaching, so I am really stressed. If possible, I would like you to make a tutorial with the new version of CAS 6.6.7 and LDAP with java-cas-client or pac4j in order to help me to realize this project, please.

Attached is a pdf with screenshots of the errors I got.

I am looking forward to your help. Thank you in advance!
Anglais -Rapport des difficultés rencontrées sur CAS SSO en-US.pdf


Ray Bon

May 15, 2023, 1:08:04 PM
to tyuio...@gmail.com, cas-...@apereo.org
azer,

Cas will run 'out of the box'. With a fresh clone of the overlay project (checkout 6.6), it will run and allow you to log in [no configuration necessary].

$ cd cas-overlay-template/
$ git fetch origin 6.6
$ git checkout 6.6
$ sudo mkdir -p /etc/cas/config
$ sudo chgrp username /etc/cas
$ sudo chmod -R 775 /etc/cas/
$ ./gradlew createKeystore
$ ./gradlew clean build
$ ./gradlew run

username: casuser
password: Mellon

You can look into https://github.com/apereo/inspektr to generate the cas-overlay. You will need to know what features you want by reading/understanding the docs, https://apereo.github.io/cas/6.6.x/index.html and using the tutorials at https://fawnoos.com/blog/ starting with the install at https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

The tutorials for the older cas versions are meant as a guide for the steps involved. You will have to make the necessary adjustments for the current version.

From your attachment:

Are you intending to create three different client apps, each one with a different protocol?
What do you mean by 'Apache App' (php, python, ...)?
Are you intending to have multiple authentication sources (LDAP, DB, AD)?

First get cas running with its config before you start with the client application.

The error about the application not authorized to use cas means that the service is not registered with cas (see doc links above).
If you tried to access the application and it redirected you to cas, then that suggests that the application is configured correctly.

The docs linked above will have an example cas.properties

You can use self signed certificates as long as cas and the application know about each other's certificate. You may want to add the certificates to /etc/ssl/certs, tomcat, and the jvm.

Ray

azer tyuiop

May 20, 2023, 11:59:55 PM
to CAS Community, Ray Bon, azer tyuiop
Thank you for the information you gave me, but the connection from LDAP to CAS does not work. How do I proceed?

I implemented openLdap to install CAS then I created the file cas.properties in cas-overlay-template/etc/cas/config/

Because in this folder after the installation of CAS I did not find the file "cas.properties" which should normally be in the folder cas-overlay-template/etc/cas/config

I recompiled and then deployed in cas but I still have this error attached.

Here are the contents of the "cas.properties" file I created in cas-overlay-template/etc/cas/config:

cas.server.name=http://acsi.cg:8443
cas.server.prefix=${cas.server.name}/cas
logging.config: file:/etc/cas/config/log4j2.xml


cas.authn.accept.users=
### LDAP connection
#cas.authn.ldap\[0\].providerClass=org.ldaptive.provider.unboundid.UnboundIDPro>
cas.authn.ldap[0].type=AUTHENTICATED
#cas.authn.ldap\[0\].useSsl=false
cas.authn.ldap[0].ldap-url=ldap://acsi.cg:389
cas.authn.ldap[0].base-dn= subtreeA,dc=acsi,dc=cg|subtreeC,dc=acsi,dc=cg
cas.authn.ldap[0].password-encoder.type=NONE
cas.authn.ldap[0].search-filter={user}
#cas.authn.ldap\[0].subtreeSearch=true
#cas.authn.ldap\[0].principalAttributeList=cn,givenName,mail


### Credential to connect to LDAP
cas.authn.ldap[0].bind-dn=admincas,CN=admincas,DC= acsi,DC=cg
cas.authn.ldap[0].bind-credential=@Debian453


As a reminder, I use:
openLdap, ldap account manager, jdk-17, tomcat 10 and cas-overlay-template 6.6.7


I'm looking forward to your help, thanks in advance!
cas ....png
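
Added example, not part of the thread and not code from the CAS project: a small Python check that parses a cas.properties file and flags DN components that are not attr=value, a search filter without an attribute, cleartext LDAP and a non-https server name, run here on lines from the file posted above. The function names are hypothetical, `uid` is an assumed attribute name, and `use-start-tls` is assumed to be the StartTLS switch in this CAS version.

```python
import re

# Lines taken from the cas.properties in the post above (bind credential omitted).
SAMPLE = """\
cas.server.name=http://acsi.cg:8443
cas.authn.ldap[0].ldap-url=ldap://acsi.cg:389
cas.authn.ldap[0].base-dn= subtreeA,dc=acsi,dc=cg|subtreeC,dc=acsi,dc=cg
cas.authn.ldap[0].search-filter={user}
cas.authn.ldap[0].bind-dn=admincas,CN=admincas,DC= acsi,DC=cg
"""

# One DN component in plain attr=value form (simplification: no escaped commas).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=\S[^,]*$")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def bad_rdns(dn):
    """Return the components of a DN that are not attr=value."""
    return [part for part in dn.split(",") if not RDN.match(part)]

def lint(props, idx=0):
    """Return (key, problem) findings for the LDAP block at index idx."""
    prefix = f"cas.authn.ldap[{idx}]."
    findings = []
    for key in ("base-dn", "bind-dn"):
        # CAS allows several base DNs separated by '|'; check each one.
        for dn in filter(None, props.get(prefix + key, "").split("|")):
            if bad_rdns(dn):
                findings.append((key, f"not attr=value: {bad_rdns(dn)}"))
    # {user} is only the placeholder; the filter must name the attribute to match.
    if not re.search(r"[A-Za-z0-9-]+=\{user\}", props.get(prefix + "search-filter", "")):
        findings.append(("search-filter", "no attribute, expected e.g. uid={user}"))
    start_tls = props.get(prefix + "use-start-tls", "false").lower() == "true"
    if props.get(prefix + "ldap-url", "").startswith("ldap://") and not start_tls:
        findings.append(("ldap-url", "bind credential sent over cleartext LDAP"))
    if props.get("cas.server.name", "").startswith("http://"):
        findings.append(("cas.server.name", "CAS server URL is not https"))
    return findings

if __name__ == "__main__":
    for key, problem in lint(parse_properties(SAMPLE)):
        print(f"{key}: {problem}")
```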