Сервис CAS

• https://wiki.jasig.org/display/casc/mod_auth_cas
• http://www.howtoforge.com/configuring-cas-3.5.2-on-ubuntu-12.04-for-two-factor-authentication-from-wikid
• https://wiki.jasig.org/display/CASUM/RADIUS
• http://mvnrepository.com/artifact/org.jasig.cas/cas-server-support-radius/4.1.0
• https://sonnguyen.ws/install-jasig-cas-ubuntu-14-04/https://sonnguyen.ws/install-jasig-cas-ubuntu-14-04/
• Единая авторизация (SSO) средствами JASIG CAS. Часть 1
• http://jasig.github.io/cas/4.1.x/protocol/OpenID-Protocol.html

casserver# wget http://developer.ja-sig.org/maven2/org/jasig/cas/cas-server-support-radius/3.5.2/cas-server-support-radius-3.5.2.jar

casserver# tar -xvzf cas-server-3.5.2-release.tar.gz

casserver# cd cas-server-3.5.2/cas-server-webapp/

casserver:~/cas-server-3.5.2/cas-server-webapp# find . -name '*,v'

./src/main/webapp/WEB-INF/cas.properties,v
./src/main/webapp/WEB-INF/deployerConfigContext.xml,v
./pom.xml,v

casserver:~/cas-server-3.5.2/cas-server-webapp# mvn clean package

Смотрим на ошибки компиляции и для каждой выполняем примерно следующее:

# wget  http://developer.ja-sig.org/maven2/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom

# mv jasig-parent-39.pom /root/.m2/repository/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom
...

• !!! Пароли на PKCS12 и на keystore должны совпадать !!!

casserver# cat int.geotrust.crt /etc/ssl/certs/ca-certificates.crt > int.crt

casserver# openssl pkcs12 -export -chain -inkey bmstu.ru.clkey -in bmstu.ru.crt -name "tomcat" -CAfile int.crt -out bmstu.ru_int.p12

casserver# keytool -importkeystore -srckeystore bmstu.ru_int.p12 -srcstoretype PKCS12 -alias tomcat -keystore /usr/share/tomcat7/.keystore

casserver# keytool -list -v -keystore /usr/share/tomcat7/.keystore

• Проблема с сертификатами в Tomcat http://georgik.sinusgear.com/2012/02/19/tomcat-7-and-curl-ssl23_get_server_hellotlsv1-alert-internal-error/comment-page-1/

casclient# openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt -connect proxy.bmstu.ru:8443

casserver# cat /etc/tomcat7/server.xml

...
    <Connector port="8443"
...
                ciphers="SSL_RSA_WITH_RC4_128_SHA"
...

http://casval.bmstu.ru/test.cgi

# apt install libapache2-mod-auth-cas


# cat /etc/apache2/mods-available/auth_cas.conf
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://proxy.bmstu.ru:8443/cas/login
CASValidateURL https://proxy.bmstu.ru:8443/cas/serviceValidate


# a2enmod auth_cas


# cat /etc/apache2/sites-available/casval.conf
<VirtualHost *:80>
     ServerName casval.bmstu.ru
     DocumentRoot /home/val/casval/
     <Directory /home/val/casval/>
         Options ExecCGI Indexes FollowSymLinks
         AddHandler cgi-script .cgi
         Authtype CAS
         Require valid-user
     </Directory>
</VirtualHost>


# a2ensite casval


root@val:~# cat /home/val/casval/test.cgi
#!/bin/sh
echo Content-type: text/plain
echo
env

casclient# apt-get install libapache2-mod-auth-cas

casclient# a2enmod auth_cas

casclient# cp int.geotrust.crt /etc/ssl/certs/
casclient# cp bmstu.ru.crt /etc/ssl/certs/
casclient# c_rehash /etc/ssl/certs/

casclient# cat /etc/apache2/mods-enabled/auth_cas.conf

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASCertificatePath /etc/ssl/certs/
CASLoginURL https://proxy.bmstu.ru:8443/cas/login
CASValidateURL https://proxy.bmstu.ru:8443/cas/serviceValidate
CASAllowWildcardCert On

casclient# pkg install ap24-mod_auth_cas

casclient# cat /usr/local/etc/apache24/Includes/auth_cas.conf

LoadModule auth_cas_module    libexec/apache24/mod_auth_cas.so
CASCookiePath   /tmp/
CASLoginURL https://proxy.bmstu.ru:8443/cas/login
CASValidateURL https://proxy.bmstu.ru:8443/cas/serviceValidate
CASAllowWildcardCert On
CASCertificatePath /usr/local/share/certs/

# cat default

# cat default-ssl

...
        <Directory "/.../cgi-bin">
...
                Order allow,deny
                Allow from all
                AuthType CAS
                AuthName "TEST CAS AUTH"
                Require valid-user
        </Directory>
...