сервис_cas [2014/07/04 09:31] val: created
сервис_cas [2016/11/11 10:33] val: [Binding the certificate to Tomcat]
====== CAS Service ======
  * [[https://wiki.jasig.org/display/casc/mod_auth_cas]]
  * [[http://www.howtoforge.com/configuring-cas-3.5.2-on-ubuntu-12.04-for-two-factor-authentication-from-wikid]]
  * [[https://wiki.jasig.org/display/CASUM/RADIUS]]
  * [[http://mvnrepository.com/artifact/org.jasig.cas/cas-server-support-radius/4.1.0]]
  * [[https://sonnguyen.ws/install-jasig-cas-ubuntu-14-04/]]
  * [[http://habrahabr.ru/company/tcsbank/blog/142407/|Single sign-on (SSO) with JASIG CAS. Part 1]]
  * [[http://jasig.github.io/cas/4.1.x/protocol/OpenID-Protocol.html]]

===== CAS Server =====

==== Building ====

<code>
casserver# wget http://developer.ja-sig.org/maven2/org/jasig/cas/cas-server-support-radius/3.5.2/cas-server-support-radius-3.5.2.jar

casserver# tar -xvzf cas-server-3.5.2-release.tar.gz

casserver# cd cas-server-3.5.2/cas-server-webapp/

casserver:~/cas-server-3.5.2/cas-server-webapp# find . -name '*,v'
</code><code>
./src/main/webapp/WEB-INF/cas.properties,v
./src/main/webapp/WEB-INF/deployerConfigContext.xml,v
./pom.xml,v
</code><code>
casserver:~/cas-server-3.5.2/cas-server-webapp# mvn clean package
</code>
Look at the build errors and, for each missing artifact, do roughly the following:
<code>
# wget http://developer.ja-sig.org/maven2/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom

# mv jasig-parent-39.pom /root/.m2/repository/org/jasig/parent/jasig-parent/39/jasig-parent-39.pom
...
</code>

  * Note that these artifacts are fetched over plain HTTP and copied into ~/.m2 by hand, and Maven does not verify files placed manually in the local repository. Compare each file with the checksum (or signature) published next to it in the repository before dropping it in.

==== Binding the certificate to Tomcat ====

  * !!! The PKCS12 password and the keystore password must match !!! (keytool protects the imported key entry with the PKCS12 password, and Tomcat's JSSE connector opens the key entry with keystorePass unless a separate keyPass is configured on the Connector.)

<code>
casserver# cat int.geotrust.crt /etc/ssl/certs/ca-certificates.crt > int.crt

casserver# openssl pkcs12 -export -chain -inkey bmstu.ru.clkey -in bmstu.ru.crt -name "tomcat" -CAfile int.crt -out bmstu.ru_int.p12

casserver# keytool -importkeystore -srckeystore bmstu.ru_int.p12 -srcstoretype PKCS12 -alias tomcat -keystore /usr/share/tomcat7/.keystore

casserver# keytool -list -v -keystore /usr/share/tomcat7/.keystore
</code>

  * Certificate problem in Tomcat: [[http://georgik.sinusgear.com/2012/02/19/tomcat-7-and-curl-ssl23_get_server_hellotlsv1-alert-internal-error/comment-page-1/]]

<code>
casclient# openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt -connect proxy.bmstu.ru:8443

casserver# cat /etc/tomcat7/server.xml
</code><code>
...
<Connector port="8443"
...
ciphers="SSL_RSA_WITH_RC4_128_SHA"
...
</code>

  * Caveat: pinning the connector to a single RC4 suite was a 2012-era workaround. RFC 7465 prohibits RC4 cipher suites in TLS, and current Java, OpenSSL and curl builds disable them by default, so a connector limited to SSL_RSA_WITH_RC4_128_SHA now fails the handshake with current clients instead of fixing it. Check the real cause with the openssl s_client command above (a keystore without the intermediate shows up as "unable to get local issuer certificate") and use a current cipher list.
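The following is an added example, not code from the original page or from the CAS project. It builds a throwaway root -> intermediate -> server PKI with openssl, exports the server key to PKCS12 both with and without the page's "-chain -CAfile" arguments, and counts the certificates that ended up in each file: a keystore built from the one-certificate file is exactly what produces the client-side "unable to get local issuer certificate" failures discussed above. The keytool step uses one password for the PKCS12, the destination store and the key entry (the "passwords must match" rule) and runs only when a JDK is present. It assumes openssl 1.1.1 or 3.x on PATH; cas.example.test, the password changeit and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not the page's or the CAS project's own code): build a
# throwaway root -> intermediate -> server PKI, export the server key to
# PKCS12 with and without the chain, and look at what actually landed in
# each file.  Assumes openssl 1.1.1/3.x on PATH; every name is a placeholder.
set -eu

# make_test_pki DIR: writes root.crt, inter.crt, server.crt, server.key and
# chain.crt (intermediate + root, the page's int.crt) into DIR
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cas.example.test\n' \
        > "$dir/server.ext"
    # self-signed root; "req -x509" marks it CA:TRUE by default
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # intermediate CA, issued by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/inter.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/inter.crt" 2>/dev/null
    # server (leaf) certificate, issued by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cas.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/inter.crt" "$dir/root.crt" > "$dir/chain.crt"
}

# build_p12 DIR MODE PASS: MODE "chain" uses -chain -CAfile as on the page,
# "nochain" exports the leaf alone.  Output: DIR/server_MODE.p12
build_p12() {
    dir=$1; mode=$2; pass=$3
    if [ "$mode" = chain ]; then
        openssl pkcs12 -export -chain -CAfile "$dir/chain.crt" -name tomcat \
            -inkey "$dir/server.key" -in "$dir/server.crt" \
            -passout "pass:$pass" -out "$dir/server_chain.p12"
    else
        openssl pkcs12 -export -name tomcat \
            -inkey "$dir/server.key" -in "$dir/server.crt" \
            -passout "pass:$pass" -out "$dir/server_nochain.p12"
    fi
}

# count_p12_certs FILE PASS: how many certificates the PKCS12 carries
# (leaf only, or leaf + intermediate (+ root) when built with -chain)
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# verify_leaf DIR: "ok" when server.crt chains to root.crt via inter.crt
verify_leaf() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1/root.crt" \
            -untrusted "$1/inter.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# import_into_keystore P12 PASS KEYSTORE: the page's keytool step.  The same
# PASS protects the PKCS12, the destination store and the key entry, which is
# the "passwords must match" rule.  Skipped when no JDK is installed.
import_into_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
    keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$2" -srcalias tomcat -destkeystore "$3" \
        -deststorepass "$2" -destkeypass "$2"
    keytool -list -v -keystore "$3" -storepass "$2"
}

# stand-alone run: show the certificate count for both exports
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    build_p12 "$d" chain changeit
    build_p12 "$d" nochain changeit
    echo "with -chain:    $(count_p12_certs "$d/server_chain.p12" changeit) certificate(s)"
    echo "without -chain: $(count_p12_certs "$d/server_nochain.p12" changeit) certificate(s)"
    echo "leaf verifies against root via intermediate: $(verify_leaf "$d")"
    import_into_keystore "$d/server_chain.p12" changeit "$d/keystore"
    rm -rf "$d"
}
demo
```

Run it as-is; it writes only under a mktemp directory. The export with "-chain" needs the root present in the -CAfile bundle (that is why the page concatenates int.geotrust.crt with the system bundle), otherwise openssl cannot build the chain and refuses to export.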

===== CAS Client (Ubuntu 12.04) =====

<code>
casclient# apt-get install libapache2-mod-auth-cas

casclient# a2enmod auth_cas

casclient# cp int.geotrust.crt /etc/ssl/certs/
casclient# cp bmstu.ru.crt /etc/ssl/certs/
casclient# c_rehash /etc/ssl/certs/

casclient# cat /etc/apache2/mods-enabled/auth_cas.conf
</code><code>
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASCertificatePath /etc/ssl/certs/
CASLoginURL https://proxy.bmstu.ru:8443/cas/login
CASValidateURL https://proxy.bmstu.ru:8443/cas/serviceValidate
CASAllowWildcardCert On
</code>

  * c_rehash is not optional: when CASCertificatePath is a directory, mod_auth_cas expects the certificates in it to be reachable by their hashed names (OpenSSL CApath layout), so a certificate that is merely copied in is never found.

===== CAS Client (FreeBSD 10.1) =====

<code>
casclient# pkg install ap24-mod_auth_cas

casclient# cat /usr/local/etc/apache24/Includes/auth_cas.conf
</code><code>
LoadModule auth_cas_module libexec/apache24/mod_auth_cas.so
CASCookiePath /tmp/
CASLoginURL https://proxy.bmstu.ru:8443/cas/login
CASValidateURL https://proxy.bmstu.ru:8443/cas/serviceValidate
CASAllowWildcardCert On
CASCertificatePath /usr/local/share/certs/
</code>

  * Caveat: mod_auth_cas keeps a file per authenticated session under CASCookiePath, so a shared, world-writable /tmp/ is a poor place for them. Use a directory that only the httpd user can write to (the Ubuntu package uses /var/cache/apache2/mod_auth_cas/), and consider CASCookieHttpOnly On so the session cookie is not exposed to page scripts.

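The following is an added example, not code from the original page or from mod_auth_cas; it illustrates the "cp ... /etc/ssl/certs/ && c_rehash" step of the Ubuntu client section and the CASCertificatePath directory of the FreeBSD one. mod_auth_cas documents that a directory given as CASCertificatePath must contain the certificates "linked to by their hashed names", which is the OpenSSL CApath layout: issuers are looked up by a symlink named <subject_hash>.0, not by file name. The script creates a self-signed certificate for the CAS host (a stand-in for the certificates the page copies), shows that a plain copy into the trust directory is not enough, then creates the hash link by hand and shows the same check succeed. It assumes openssl 1.1.0 or newer on PATH; cas.example.test and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not the page's or mod_auth_cas's code): what "cp cert
# /etc/ssl/certs/ && c_rehash" does and why the copy alone is not enough.
# OpenSSL looks issuers up in a CApath directory by subject-hash symlink
# (<hash>.0), not by file name.  Assumes openssl 1.1.0+ on PATH; the host
# name is a placeholder.
set -eu

# make_self_signed CERT KEY HOST: a self-signed certificate for the CAS host,
# standing in for the intermediate/server certificates copied on the page
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
        -keyout "$2" -out "$1" 2>/dev/null
}

# add_to_trust_dir TRUSTDIR CERT: copy the certificate in and create the
# <subject_hash>.0 link, which is what c_rehash / "openssl rehash" does
# for every file in the directory
add_to_trust_dir() {
    cp "$2" "$1/"
    h=$(openssl x509 -subject_hash -noout -in "$2")
    # the numeric suffix disambiguates hash collisions; .0 is enough here
    ln -sf "$(basename "$2")" "$1/$h.0"
}

# trusted_by_dir TRUSTDIR CERT: "yes" when OpenSSL can validate CERT using
# TRUSTDIR alone (no default CA file), "no" otherwise
trusted_by_dir() {
    if openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# stand-alone run: the plain copy fails, the rehashed directory works
demo() {
    d=$(mktemp -d)
    mkdir "$d/trust"
    make_self_signed "$d/cas.crt" "$d/cas.key" cas.example.test
    cp "$d/cas.crt" "$d/trust/"                                    # the plain copy...
    echo "after cp only: $(trusted_by_dir "$d/trust" "$d/cas.crt")"   # no
    add_to_trust_dir "$d/trust" "$d/cas.crt"                       # ...plus the hash link
    echo "after rehash:  $(trusted_by_dir "$d/trust" "$d/cas.crt")"   # yes
    ls -l "$d/trust"
    rm -rf "$d"
}
demo
```

On a real client run c_rehash (or "openssl rehash") on the whole directory instead of linking by hand; the function above only makes visible what that tool does for each file.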
===== Configuring Authentication =====

<code>
# cat default

# cat default-ssl
</code><code>
...
<Directory "/.../cgi-bin">
...
Order allow,deny
Allow from all
AuthType CAS
AuthName "TEST CAS AUTH"
Require valid-user
</Directory>
...
</code>

  * Caveat for Apache 2.4 (the FreeBSD ap24 setup): Order and Allow are 2.2 directives that only work there with mod_access_compat. Do not translate "Allow from all" into "Require all granted" in the same block as "Require valid-user": the default RequireAny semantics would then satisfy the block for everyone and bypass CAS entirely. Drop the access-control lines and keep only Require valid-user.