CAS server installation in ubuntu and integration with Drupal & OTRS
Contents
- Introduction
- How CAS works
- CAS installation
- Generating and installing certificate
- Configuring CAS server
- Integrating CAS with LDAP authentication
- Integrating CAS with Drupal (CAS client)
- Integrating CAS with OTRS (CAS client)
Introduction
The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol. Our goal is to integrate a CAS server with Drupal and OTRS and provide a single sign-on solution for our customer.
How CAS works
When an application would like to authenticate users with CAS, it uses a CAS client along with a small amount of code to interact with that client. Many clients are available, including a client for uPortal, AuthCAS for Apache, and clients written in Java, Perl, PHP, Ruby, etc. To ensure that the web application never needs access to the user's credentials, authentication with CAS is a two-step process.
When a new user initially logs into an application they won't have established a session with the application. Instead of displaying a login form asking for the username and password, the application (via the CAS Client) will redirect the browser to the CAS login page.
CAS then authenticates the user. If the authentication fails, the CAS login page is displayed again with an error message, so until authentication succeeds the user will not be returned to the application. If the user is not sure how to proceed at that point, there are help desk links on the CAS login page. Once the user authenticates successfully, CAS redirects the browser back to your application. CAS knows where to redirect to via a {service} parameter that you append to the CAS login URL.
When CAS redirects the authenticated user back to your application, it will append a {ticket} parameter to your url.
The ticket returned to your application is opaque, meaning that it includes no useful information to anyone other than the CAS Server. The only thing that your application can do is send this ticket back to CAS for validation.
CAS will then either respond that this ticket does not represent a valid user for this service, or will acknowledge that this ticket proves authentication. In the latter case, CAS will also supply the user's NetID so that you know the identity of the user.
The application must provide its own session management. Once the user is authenticated, your application should keep track of this fact within a session so that you don't have to reauthenticate them with the CAS Server. Typically this would be the same as if you authenticated the user directly from your application.
Through the myRutgers portal, CAS offers a single sign-on facility. Once the user has logged into myRutgers, the user does not need to supply their password to login to other applications using CAS. This is accomplished with a Ticket Granting Ticket cookie that CAS sends back to the browser when they initially login to the myRutgers portal.
For applications that deal with especially sensitive data, the application can opt out of the single sign-on facility by providing the {renew=true} parameter to the CAS login page.
Each application should provide its own logout facility, which invalidates the session and requires the user to re-authenticate into the application. Note that if they are using SSO through the myRutgers portal, they will not have to re-enter their NetID and password.
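The two-step flow described above, written out as a minimal CAS 2.0 client in Python. This is an added example, not code from this post or from Jasig: the host names, the `fetch` callable (which stands in for the application's HTTPS GET to the CAS server) and the two sample serviceValidate responses are all constructed here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# XML namespace used by CAS 2.0 /serviceValidate responses
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_redirect_url(cas_base, service, renew=False):
    """Step one: the URL the CAS client redirects an unauthenticated browser to.
    `service` is where CAS sends the user back; renew=True opts out of SSO so
    the user must re-enter their password even if they hold a TGT cookie."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return cas_base.rstrip("/") + "/login?" + urlencode(params)


def extract_ticket(return_url):
    """Split the URL CAS redirected back to into (service, ticket).
    The service URL with the ticket removed must be sent back to CAS unchanged,
    otherwise validation fails with INVALID_SERVICE."""
    parts = urlparse(return_url)
    query = parse_qs(parts.query)
    ticket = query.pop("ticket", [None])[0]
    service = urlunparse(parts._replace(query=urlencode(query, doseq=True)))
    return service, ticket


def service_validate_url(cas_base, service, ticket):
    """Step two: the server-to-server URL used to validate the opaque ticket."""
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_validate(xml_text):
    """Parse a /serviceValidate response into (user, error_code).
    Exactly one of the two is None."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        return (user, None) if user else (None, "MISSING_USER")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN_FAILURE")
    return None, "MALFORMED_RESPONSE"


def complete_login(cas_base, return_url, fetch):
    """Tie the steps together: strip the ticket, validate it via `fetch(url) -> str`
    (an HTTPS GET in a real client) and return the authenticated user ID, or None.
    The caller stores the returned ID in its own session; the ticket is single-use."""
    service, ticket = extract_ticket(return_url)
    if not ticket:
        return None
    user, _error = parse_service_validate(fetch(service_validate_url(cas_base, service, ticket)))
    return user


# Constructed sample responses in the shape the CAS 2.0 protocol defines.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_fetch(url):
    """Stand-in for the HTTPS GET: only the constructed ticket ST-1-ok validates."""
    return SUCCESS_RESPONSE if "ticket=ST-1-ok" in url else FAILURE_RESPONSE


if __name__ == "__main__":
    cas = "https://cas.example.com:8443/cas"
    app = "https://app.example.com/login"
    print(login_redirect_url(cas, app, renew=True))
    print(complete_login(cas, app + "?ticket=ST-1-ok", fake_fetch))   # jdoe
    print(complete_login(cas, app + "?ticket=ST-2-bad", fake_fetch))  # None
```

The validation call in `complete_login` is the only place the application talks to CAS directly, and it must go over HTTPS to the same server the browser was redirected to; the user ID it returns is what the application records in its own session, as the paragraph on session management says.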
CAS Installation
Prerequisites
- Apache Tomcat
- Sun Java JDK
Sun Java JDK installation
#sudo add-apt-repository ppa:sun-java-community-team/sun-java6
#sudo apt-get update
#sudo apt-get install sun-java6-jdk
Apache Tomcat installation
Download the latest version of apache-tomcat from http://tomcat.apache.org/
Extract the downloaded file
To start Tomcat, run this command in a terminal
# /path/to/apache-tomcat/bin/startup.sh
To stop apache-tomcat
# /path/to/apache-tomcat/bin/shutdown.sh
To check that Tomcat is working, open this URL in a web browser: http://localhost:8080/
If the apache-tomcat home page opens, you have successfully installed Tomcat.
Generating and installing certificate
In any directory (I use my root) enter the command:
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Note: Be sure to use the keytool that comes with the Java VM ($JAVA_HOME/jre/bin/keytool), as on some systems the default points to the GNU version of keytool, and the two seem incompatible.
Answer the questions (note that the answer to the "first and last name" question MUST be the hostname of your server and cannot be an IP address; this is very important, as an IP address will fail client hostname verification even if it is correct):
Enter keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Then enter the command:
keytool -export -alias tomcat -keypass changeit -file $FILE_NAME
Finally, import the cert into Java's keystore with this command. Tomcat's JRE uses the keystore at $JAVA_HOME/jre/lib/security/cacerts as its trust store, so Java code running in that JRE (such as a CAS client validating tickets) will then trust the certificate.
keytool -import -alias tomcat -file $FILE_NAME -keypass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts
Open the HTTPS port in tomcat server
Edit the "server.xml" file located at /apache-tomcat-7.0.26/conf/server.xml and uncomment the connector below. On Tomcat 7 the connector must also carry protocol="HTTP/1.1" and SSLEnabled="true"; without SSLEnabled, port 8443 serves plain HTTP while marking requests as secure:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Check your HTTPS connection using the URL https://localhost:8443/
Configuring CAS server
Download the latest version of the CAS server from the Jasig web site, or run this command in the terminal
#wget http://downloads.jasig.org/cas/cas-server-3.4.11-release.tar.gz
#tar -xvzf cas-server-3.4.11-release.tar.gz
Moving the CAS WAR file into the apache-tomcat server
Move /path/to/cas-server-x.y.z/modules/cas-server-webapp-x.y.z.war to /path/to/apache-tomcat-7.0.29/webapps/
#mv /path/to/cas-server-x.y.z/modules/cas-server-webapp-x.y.z.war /path/to/apache-tomcat-7.0.29/webapps/
Restart the Tomcat server
Check whether your CAS server is working using this URL:
https://localhost:8443/cas-server-webapp-x.y.z/ and you will get a login screen like this
The default login is handled by the demo SimpleTestUsernamePasswordAuthenticationHandler, which accepts any username whose password is identical to the username (username=password).
Integrating CAS with LDAP
- Stop the tomcat server, e.g. $TOMCAT_HOME/bin/shutdown.sh
- Add the following to the pom.xml file in the META-INF folder, $TOMCAT_HOME/webapps/cas-server-webapp-$VERSION/META-INF/maven/org.jasig.cas/cas-server-webapp:
<dependency>
  <groupId>${project.groupId}</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${project.version}</version>
</dependency>
- Edit $TOMCAT_HOME/webapps/cas-server-webapp-$VERSION/WEB-INF/deployerConfigContext.xml as follows (userDn and password are the service account CAS itself binds with to the directory at 172.20.1.28):
<bean id="contextSource"
    class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="anonymousReadOnly" value="false" />
  <property name="userDn" value="CN=sso,DC=pitsm,DC=com" />
  <property name="password" value="SGS^cas" />
  <property name="pooled" value="true" />
  <property name="urls">
    <list>
      <value>ldap://172.20.1.28:389/</value>
    </list>
  </property>
  <property name="baseEnvironmentProperties">
    <map>
      <entry>
        <key><value>java.naming.security.authentication</value></key>
        <value>simple</value>
      </entry>
    </map>
  </property>
</bean>
- Remove the demo authentication handler, org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler, from the authenticationHandlers property of the org.jasig.cas.authentication.AuthenticationManagerImpl bean.
- Add the LDAP fast bind authentication handler to the authenticationHandlers property of that same bean (the %u in the filter is replaced with the login name to form the DN that is bound with the user's password):
<bean
    class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler" >
  <property name="filter" value="uid=%u,ou=system" />
  <property name="contextSource" ref="contextSource" />
</bean>
- Add the cas-server-support-ldap-$VERSION.jar from the CAS installation to $TOMCAT_HOME/webapps/cas-server-webapp-$VERSION/WEB-INF/lib.
- Add the spring-ldap-X.Y.Z.RELEASE-all.jar to $TOMCAT_HOME/webapps/cas-server-webapp-$VERSION/WEB-INF/lib. It can be downloaded from http://www.springsource.org/ldap; X.Y.Z should correspond to the latest version.
- Start Tomcat and confirm there are no errors in the $TOMCAT_HOME/logs/catalina.out log
- Open a browser to the URL http://localhost:8080/cas-server-webapp-$VERSION/ and authenticate with the following credentials: sso/SGS^cas
Successful login to the cas server
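The fast-bind handler configured above builds the bind DN by substituting the login name into the filter template (uid=%u,ou=system) and then attempts a simple bind with the user's password. The following added Python example is not CAS code; the template comes from this page and the sample names are constructed. It shows that substitution together with two checks a practitioner would want in front of any simple-bind login, independent of what the handler itself does: escaping DN-special characters per RFC 4514 so a login name cannot alter the structure of the DN, and refusing an empty password, which RFC 4513 defines as an unauthenticated bind that many directories accept as anonymous.

```python
# DN template from the page's FastBindLdapAuthenticationHandler configuration;
# %u is replaced with the login name submitted at the CAS login form.
DN_TEMPLATE = "uid=%u,ou=system"

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a DN attribute value
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex-string value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces must be escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username, template=DN_TEMPLATE):
    """Substitute the escaped login name into the template, as the handler's %u does."""
    return template.replace("%u", escape_dn_value(username))


def prepare_simple_bind(username, password, template=DN_TEMPLATE):
    """Validate the submitted credentials and return the DN to bind with.
    Raises ValueError for inputs that would not be a real user authentication."""
    if not username or username != username.strip():
        raise ValueError("username must be non-empty without surrounding whitespace")
    if not password:
        # RFC 4513 section 5.1.2: name + empty password = unauthenticated bind.
        # Directories commonly accept it as anonymous, so it must never count as a login.
        raise ValueError("empty password would be an unauthenticated (anonymous) bind")
    if "\x00" in username or "\x00" in password:
        raise ValueError("NUL byte in credential")
    return build_bind_dn(username, template)


if __name__ == "__main__":
    print(build_bind_dn("jdoe"))            # uid=jdoe,ou=system
    print(build_bind_dn("jdoe,ou=admins"))  # uid=jdoe\,ou\=admins,ou=system
    for user, pw in (("jdoe", "s3cret"), ("jdoe", "")):
        try:
            print(user, "->", prepare_simple_bind(user, pw))
        except ValueError as exc:
            print(user, "-> rejected:", exc)
```

The escaping is what an LDAP library's DN builder normally does for you; it is written out here so the effect of the %u substitution is visible. Separately, the userDn/password pair in deployerConfigContext.xml is a cleartext service credential, so that file should be readable only by the account Tomcat runs as.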
Integrating CAS server With Drupal
Edit the CAS settings in User management --> CAS settings --> CAS
Modify the fields in CAS settings as given below (the CAS server host name, port and path must match the Tomcat HTTPS connector and WAR name configured above)
Now Drupal will redirect to the CAS login page
Integrating CAS with OTRS
1) Install the Perl library AuthCAS
http://search.cpan.org/~osalaun/AuthCAS-1.5/lib/AuthCAS.pm
2) Add this to /opt/otrs/Kernel/Config.pm
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::CAS';
$Self->{'Customer::AuthModule::CAS::Gateway'} = 0;
$Self->{'Customer::AuthModule::CAS::ServiceUrl'} = 'http://172.20.1.21/customer.pl';
3) Create CAS.pm in Kernel/System/CustomerAuth
(download from http://bugs.otrs.org/attachment.cgi?id=1673)
4) Restart the Apache server
Once you open http://172.20.1.21/customer.pl it will redirect to the CAS login page
References
https://wiki.jasig.org/display/CASUM/CAS+on+Windows+Quick+Setup+Guide
http://bugs.otrs.org/show_bug.cgi?id=7467
http://osdir.com/ml/otrs.devel/2007-05/msg00014.html
https://wiki.jasig.org/display/CASUM/LDAP
good job Jinu, thanks for posting!
Hi, thank you for this article..
I followed this tutorial step by step...
When I try to generate the SSL certificate I have an error:
when I run this command:
keytool -export -alias tomcat -keypass changeit -file %FILE_NAME%
I have this error:
error keytool java.io.ioexception keystore was tampered with or password was incorrect
Any suggestions?
Kindly use the password "changeit". This would help :)
Thanks dear,
I am able to integrate CAS SSO into OTRS in our project through this article.
thanks.....
Hi dear,
Thank you for your tutorial, it is really helpful
The only problem is:
I have followed the below steps to configure the OTRS-CAS integration for customer login. I have successfully installed AuthCAS and the other configurations, and after the configuration steps, when I give the customer authentication URL as http://url/otrs/customer.pl, the customer.pl script is downloading and not showing the authentication page.
I don't really know how to fix this issue... any help please
If you're working in a non-production environment, I would suggest a complete reinstallation of the Apache server with all of its components (in Ubuntu). I hope AuthCAS will get activated after reinstallation.
Hi, thank you for this tutorial... it is really helpful.. but there is a problem: when I just restart Tomcat it does not show the CAS server main page.. it just shows "the requested resource is not available".. I do not know how to fix this problem.. please help me.