URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/idp/install-esupcas.html
Author: Patrik Schnellmann - SWITCH
$Date: 2007/08/03 11:41:39 $
$Revision: 1.9 $ 

How To Install CAS Generic Handler (esup-casgeneric) for Shibboleth IdP

Install esup-cas

  1. Download the esup-cas-server package from http://esup-casgeneric.sourceforge.net. The version of CAS Server included in that package is cas-server-2.0.12.
  2. Extract the file esup-cas-server-2.0.7-3.zip in directory /opt:
    $ cd /opt
    $ unzip esup-cas-server-2.0.7-3.zip
    The package content can be found in directory /opt/esup-cas-server-2.0.7-3/. The documentation in HTML format is in the subdirectory docs.
  3. Configure your authentication backend as documented in docs/auth-high-level.html or online at http://esup-casgeneric.sourceforge.net/auth-high-level.html. This is done in the file properties/build.properties. Example configurations:
    1. LDAP backend example configuration:

      esup-casgeneric.auth=ldap-search
      esup-casgeneric.auth.ldap-search.filter=uid=%u
      esup-casgeneric.auth.ldap-search.search-base=dc=example,dc=ch
      esup-casgeneric.auth.ldap-search.scope=sub
      esup-casgeneric.auth.ldap-search.bind-dn=cn=admin,dc=example,dc=ch
      esup-casgeneric.auth.ldap-search.bind-password=examplepw
      esup-casgeneric.auth.ldap-search.url=ldap://ldap.example.ch
      # [...]
      esup-casgeneric.log.path=/var/log/esup-casgeneric.log
      # [...]
      cas-server.deploy.home=/opt/tomcat/webapps/cas
      For anonymous bind, leave the values for "ldap-search.bind-dn" and "ldap-search.bind-password" empty.

    2. Active Directory example configuration:

      esup-casgeneric.auth=ad-search
      esup-casgeneric.auth.ad-search.filter=sAMAccountName=%u
      esup-casgeneric.auth.ad-search.search-base=dc=example,dc=ch
      esup-casgeneric.auth.ad-search.scope=sub
      esup-casgeneric.auth.ad-search.bind-dn=cn=Administrator,dc=example,dc=ch
      esup-casgeneric.auth.ad-search.bind-password=examplepw
      esup-casgeneric.auth.ad-search.url=ldap://ad.example.ch
      # [...]
      esup-casgeneric.log.path=/var/log/esup-casgeneric.log
      # [...]
      cas-server.deploy.home=/opt/tomcat/webapps/cas

    Note: If ldaps is going to be used, please see the section below.
  4. Deploy the cas web application:
    $ cd /opt/esup-cas-server-2.0.7-3/
    $ ant deploy
  5. Customize the CAS pages in /opt/tomcat/webapps/cas/ to meet your design guidelines (header.jsp, footer.jsp, login.jsp, goService.jsp). You may also use templates provided by SWITCH: SWITCH-CAS.tar.gz.
  6. The login page is accessible via the URL http://www.example.ch/cas/login. There you can test the authentication against the configured backend (LDAP).

Configure Shibboleth Web App to use CAS

The CAS Client installation and configuration is described in the Shibboleth Identity Provider 1.3 Installation Guide on install-idp-1.3-debian.html.

Enable esup-casgeneric to handle ldaps

With the CAS Generic Handler it is possible to make SSL-secured LDAP (ldaps) connections. Depending on the certificate the LDAP server uses, one additional step may be needed: when the CAS handler opens an ldaps connection, it checks whether the LDAP server's certificate is trusted. Therefore Tomcat (or, more precisely, the JVM in which Tomcat runs) has to trust the certification authority (CA) that issued the LDAP server's certificate. The CA certificate can be stored in one of three places where Java looks for it:

  1. The JVM's default truststore in $TOMCAT_HOME/jre/lib/security/cacerts.
  2. A truststore configured via the property javax.net.ssl.trustStore. For Tomcat, this is set in the CATALINA_OPTS variable in /etc/init.d/tomcat. This is how it is done when you follow our deployment guide for the Shibboleth IdP 1.3. (overrides the above)
  3. A truststore set programmatically with System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks"). (overrides the two above)
In the section "Java Keystore with Trusted CA Certificates", the Shibboleth IdP deployment guide of SWITCH describes how to create a truststore containing only the CA certificates accepted within the SWITCHaai federation (see: http://www.switch.ch/aai/certificates/).

The only remaining step for a working ldaps connection is to import the certificate of the CA that issued the LDAP server's ldaps certificate into that truststore:

$ keytool -import -trustcacerts -alias "my ca" -file myCA.PEM.crt \
    -keystore truststore.jks
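A pre-flight check that ties the two configuration steps above together (the build.properties backend settings and the truststore the JVM will actually consult) is shown below as an added example; it is not part of esup-casgeneric, CAS or the SWITCH guide. The property names are those used in the examples above; the sample build.properties, the CATALINA_OPTS line and the truststore path in it are constructed, and the properties reader is a deliberately minimal one that handles key=value lines and comments but no Java escape sequences.

```python
"""Pre-flight checks for esup-casgeneric build.properties and Tomcat truststore
settings.  Added example, not part of esup-casgeneric or the SWITCH guide."""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the guide's LDAP example (plain ldap://, bind creds).
SAMPLE_BUILD_PROPERTIES = """\
esup-casgeneric.auth=ldap-search
esup-casgeneric.auth.ldap-search.filter=uid=%u
esup-casgeneric.auth.ldap-search.search-base=dc=example,dc=ch
esup-casgeneric.auth.ldap-search.scope=sub
esup-casgeneric.auth.ldap-search.bind-dn=cn=admin,dc=example,dc=ch
esup-casgeneric.auth.ldap-search.bind-password=examplepw
esup-casgeneric.auth.ldap-search.url=ldap://ldap.example.ch
# [...]
esup-casgeneric.log.path=/var/log/esup-casgeneric.log
cas-server.deploy.home=/opt/tomcat/webapps/cas
"""

# Constructed CATALINA_OPTS line, as /etc/init.d/tomcat might set it (path is made up).
SAMPLE_CATALINA_OPTS = (
    "-Xmx512m -Djavax.net.ssl.trustStore=/opt/tomcat/conf/truststore.jks "
    "-Djavax.net.ssl.trustStorePassword=changeit"
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_auth_backend(props):
    """Return a list of problems found in the ldap-search / ad-search backend settings."""
    findings = []
    backend = props.get("esup-casgeneric.auth")
    if backend not in ("ldap-search", "ad-search"):
        return [f"unsupported or missing esup-casgeneric.auth: {backend!r}"]
    prefix = f"esup-casgeneric.auth.{backend}."
    url = props.get(prefix + "url", "")
    bind_dn = props.get(prefix + "bind-dn", "")
    bind_pw = props.get(prefix + "bind-password", "")
    filt = props.get(prefix + "filter", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append(f"url has no ldap/ldaps scheme: {url!r}")
    if "%u" not in filt:
        findings.append("filter lacks the %u placeholder, so the login name is never substituted")
    # The guide: anonymous bind means BOTH bind-dn and bind-password are empty.
    if bool(bind_dn) != bool(bind_pw):
        findings.append("bind-dn and bind-password must both be set or both be empty (anonymous bind)")
    if scheme == "ldap" and bind_dn:
        findings.append("bind credentials and user passwords travel in clear over ldap://; use ldaps://")
    return findings


def effective_truststore(catalina_opts, jvm_default="$TOMCAT_HOME/jre/lib/security/cacerts",
                         programmatic=None):
    """Apply the guide's precedence: System.setProperty > CATALINA_OPTS > JVM default cacerts."""
    if programmatic:
        return programmatic, "System.setProperty"
    match = re.search(r"-Djavax\.net\.ssl\.trustStore=(\S+)", catalina_opts)
    if match:
        return match.group(1), "CATALINA_OPTS"
    return jvm_default, "JVM default cacerts"


def preflight(properties_text, catalina_opts, programmatic=None):
    """Combine both checks; for ldaps:// also name the truststore that must hold the LDAP CA."""
    props = parse_properties(properties_text)
    report = {"findings": check_auth_backend(props), "truststore": None, "truststore_source": None}
    backend = props.get("esup-casgeneric.auth", "")
    url = props.get(f"esup-casgeneric.auth.{backend}.url", "")
    if urlsplit(url).scheme.lower() == "ldaps":
        report["truststore"], report["truststore_source"] = effective_truststore(
            catalina_opts, programmatic=programmatic)
    return report


if __name__ == "__main__":
    result = preflight(SAMPLE_BUILD_PROPERTIES, SAMPLE_CATALINA_OPTS)
    for finding in result["findings"]:
        print("-", finding)
    if result["truststore"]:
        print(f"import the LDAP server's CA into {result['truststore']} ({result['truststore_source']})")
```

Run against the guide's LDAP example the script reports one finding (bind credentials over plain ldap://); switching the url to ldaps:// clears it and instead names the truststore from CATALINA_OPTS as the one the keytool import above has to target, since a CA imported into the JVM's default cacerts is silently ignored when CATALINA_OPTS points elsewhere.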
