I'm not quite sure the best way of going about this, so I thought I'd start 
out here.


There is a ton of documentation about the different options that are 
available for CAS, but I've yet to find a step-by-step "here's how to bring 
a new CAS server online" document, and trying to infer what all you need to 
do and in what steps just from the config file examples on the 
documentation site is rather painful and time-consuming to be honest. Since 
I document the daylights out of stuff like this as I go through it, I 
thought that I'd share what I did in case it helps others.


Is there any way that something like this could be published to the 
documentation site as some sort of getting started guide?


Chris




This document isn't universal, but it should help provide a good 
kicking-off point. It assumes that you already have a Tomcat server built 
on a Linux server, running with the default port 8080, front-ended by some 
sort of device/software that does SSL offloading and URL rewriting (e.g., 
while the Tomcat server address would be http://casvm.school.edu:8080/cas, 
the end-user and other applications would see https://login.school.edu/cas).


It also operates under the assumption that you're going to be pointed to a 
regular LDAP server (in my example, we use an eDirectory server, but it 
should be comparable to generic LDAP.)


The configuration below provides support for SAML attribute handling, the 
JSON service registry, and login attempt throttling, and includes the 
configuration for the CAS password management service. (That service is 
disabled in the configuration with cas.authn.pm.enabled=false because we 
aren't able to take advantage of it at this point, but the configuration 
is still included below.)


I will also provide documentation on bringing online the GUI management web 
application.


Downloading, configuring, building, and deploying the CAS application 
itself:


https://github.com/apereo/cas-overlay-template
https://apereo.github.io/2017/03/28/cas5-gettingstarted-overlay/

Build the directory structure and clone the project:

> CASVM:/ # cd /opt/
> CASVM:/opt # mkdir apereo
> CASVM:/opt # cd apereo/
> CASVM:/opt/apereo # mkdir cas
> CASVM:/opt/apereo # cd cas/
> CASVM:/opt/apereo/cas # git clone https://github.com/apereo/cas-overlay-template.git
> CASVM:/opt/apereo/cas # cd cas-overlay-template
> CASVM:/opt/apereo/cas/cas-overlay-template # mkdir -p src/main/resources

Add the following to the "dependencies" element of the pom.xml file in 
/opt/apereo/cas/cas-overlay-template:

> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-ldap</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-ldap-core</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-saml</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-json-service-registry</artifactId>
>   <version>${cas.version}</version>
> </dependency>
> <dependency>
>   <groupId>org.apereo.cas</groupId>
>   <artifactId>cas-server-support-pm-ldap</artifactId>
>   <version>${cas.version}</version>
> </dependency>

>
Modify the build.sh file to add the "deploy" target as well as modify the 
"clean" target. Example file attached.


Create the folders under /etc/cas and set their ownership and permissions:


> CASVM:/ # mkdir -p /etc/cas/config
> CASVM:/ # mkdir -p /etc/cas/logs
> CASVM:/ # mkdir -p /etc/cas/services
>
> CASVM:/ # chown -R tomcat:root /etc/cas/config
> CASVM:/ # chown -R tomcat:root /etc/cas/logs
> CASVM:/ # chown -R tomcat:root /etc/cas/services
>
> CASVM:/ # cd /etc/cas
> CASVM:/etc/cas # chmod u+s config
> CASVM:/etc/cas # chmod u+s logs
> CASVM:/etc/cas # chmod u+s services

Build the project for the first time:

> CASVM:/opt/apereo/cas/cas-overlay-template # chmod +x build.sh
> CASVM:/opt/apereo/cas/cas-overlay-template # ./build.sh package
> ......
> Creating configuration directory under /etc/cas
> Copying configuration files from etc/cas to /etc/cas
> 'etc/cas/config/application.yml' -> '/etc/cas/config/application.yml'
> 'etc/cas/config/cas.properties' -> '/etc/cas/config/cas.properties'
> 'etc/cas/config/log4j2.xml' -> '/etc/cas/config/log4j2.xml'



Set the following configuration in 
/opt/apereo/cas/cas-overlay-template/etc/cas/config/cas.properties:

> #General configuration
> cas.server.name: https://login.school.edu
> cas.server.prefix: https://login.school.edu/cas
>
> #CAS Management
> #https://dacurry-tns.github.io/deploying-apereo-cas/building_server_dashboard_configure-admin-pages-properties.html
> cas.adminPagesSecurity.actuatorEndpointsEnabled=true
> cas.monitor.endpoints.enabled=true
> endpoints.enabled=true
> cas.monitor.endpoints.sensitive=false
> endpoints.sensitive=false
> cas.adminPagesSecurity.loginUrl=https://login.school.edu/cas/login
> cas.adminPagesSecurity.service=https://login.school.edu/status/dashboard
> cas.adminPagesSecurity.users=file:/etc/cas/config/adminusers.properties
> cas.adminPagesSecurity.adminRoles[0]=ROLE_ADMIN
>
> #Service management
> cas.serviceRegistry.watcherEnabled=true
> cas.serviceRegistry.repeatInterval=120000
> cas.serviceRegistry.startDelay=15000
> #cas.serviceRegistry.initFromJson=true
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> #Throttle login attempts to help prevent guessing
> cas.authn.throttle.usernameParameter=username
> cas.authn.throttle.schedule.startDelay=10000
> cas.authn.throttle.schedule.repeatInterval=20000
> cas.authn.throttle.appcode=CAS
> cas.authn.throttle.failure.threshold=100
> cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
> cas.authn.throttle.failure.rangeSeconds=60
>
> #CAS Logging
> logging.config: file:/etc/cas/config/log4j2.xml
>
> #Encryption keys
> ################
> #See Documentation Below For How To Get These
> #When you paste the values in after they're generated, you'll need to uncomment these lines...
> ################
> #cas.tgc.crypto.encryption.key=redacted
> #cas.tgc.crypto.signing.key=redacted
> #cas.webflow.crypto.signing.key=redacted
> #cas.webflow.crypto.encryption.key=redacted
> ################
>
> #CAS Authentication
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl=ldap://ldap.school.edu
> cas.authn.ldap[0].useSsl=false
> cas.authn.ldap[0].useStartTls=false
> cas.authn.ldap[0].connectTimeout=5000
> cas.authn.ldap[0].baseDn=o=ed
> cas.authn.ldap[0].userFilter=(cn={user})
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].usePasswordPolicy=false
> cas.authn.ldap[0].bindDn=cn=ldapuser,ou=school,o=ed
> cas.authn.ldap[0].bindCredential=redacted
> cas.authn.ldap[0].minPoolSize=3
> cas.authn.ldap[0].maxPoolSize=10
> cas.authn.ldap[0].validateOnCheckout=true
> cas.authn.ldap[0].validatePeriodically=true
> cas.authn.ldap[0].validatePeriod=600
> cas.authn.ldap[0].principalAttributeId=uid
>
> #Attribute stuff
> #Customize for your needs; not all attributes listed are available on every environment
> cas.authn.ldap[0].principalAttributeList=cn,givenName,sn,fullName,mail,uid,member,mail,workforceID,eduPersonPrincipalName,eduPersonScopedAffiliation,udcIdentifier:UDC_IDENTIFIER
> cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,sn,fullName,mail,uid,member,mail,workforceID,eduPersonPrincipalName,eduPersonScopedAffiliation,UDC_IDENTIFIER
>
> #Password Management
> ####
> ####
> ####Requires your LDAP to support PasswdModifyOID (1.3.6.1.4.1.4203.1.11.1)
> ####
> ####
> #https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#ldap-password-management
> ##### Functionality is disabled in this configuration by the value below
> cas.authn.pm.enabled=false
> # Minimum 8 and Maximum 30 characters at least 1 Uppercase Alphabet, 1 Lowercase Alphabet, 1 Number and 1 Special Character
> cas.authn.pm.policyPattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!%*?&])[A-Za-z\\d$@$!%*?&]{8,30}
> cas.authn.pm.reset.text=Someone (hopefully you) requested a password reset for your School accounts. If you were the one making this request, you can reset your password with this link: %s . If you did not make this request, please contact the School IT department at (111) 111-1111.
> cas.authn.pm.reset.subject=School Password Reset Request
> cas.authn.pm.reset.from=infot...@school.edu
> cas.authn.pm.reset.expirationMinutes=30
> cas.authn.pm.reset.emailAttribute=mail
> cas.authn.pm.reset.securityQuestionsEnabled=false
> cas.authn.pm.ldap.type=GENERIC
> #eDirectory requires password resets to be done over SSL connections
> cas.authn.pm.ldap.ldapUrl=ldaps://ldap.school.edu
> cas.authn.pm.ldap.useSsl=true
> cas.authn.pm.ldap.useStartTls=false
> cas.authn.pm.ldap.baseDn=o=ed
> cas.authn.pm.ldap.userFilter=(cn={user})
> cas.authn.pm.ldap.subtreeSearch=true
> cas.authn.pm.ldap.bindDn=cn=ldapuser,ou=school,o=ed
> cas.authn.pm.ldap.bindCredential=redacted
>
> #Email sending details
> spring.mail.host=smtp.school.edu
> spring.mail.port=25
> spring.mail.testConnection=true

>
Copy the application.properties file locally:

> CASVM:/opt/apereo/cas/cas-overlay-template # cp ./target/cas/WEB-INF/classes/application.properties src/main/resources/

>
then edit it and set the following:

> #Tomcat server url context
> server.context-path=/cas
> #Tomcat application server listening port
> server.port=8080
>
> #comment out the following
> #because we'll use SSL offloading
> #server.ssl.key-store=file:/etc/cas/thekeystore
> #server.ssl.key-store-password=changeit
> #server.ssl.key-password=changeit
>
> cas.authn.accept.users=

>
Create a folder for the authorized services:

> CASVM:/opt/apereo/cas/cas-overlay-template # mkdir -p etc/cas/services/

Create a json service for the dashboard:

/opt/apereo/cas/cas-overlay-template/etc/cas/services/CASAdminDashboard-2018020601.json

> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://login.school.edu/cas/status/dashboard(\\z|/.*)",
>   "name" : "CAS Admin Dashboard",
>   "id" : 22,
>   "description" : "CAS dashboard and administrative endpoints",
>   "evaluationOrder" : 1
> }

>
Proactively create a json service for the management webapp that we'll 
configure later:

/opt/apereo/cas/cas-overlay-template/etc/cas/services/CASManagementDashboard-2018020601.json

> {
>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId" : "^https://login.school.edu/cas-management(\\z|/.*)",
>   "name" : "CAS Management Dashboard",
>   "id" : 23,
>   "description" : "CAS Management dashboard and administrative endpoints",
>   "evaluationOrder" : 2
> }

>

Create the adminusers.properties, with the contents:

/opt/apereo/cas/cas-overlay-template/etc/cas/config/adminusers.properties

> jschmoe=notused,ROLE_ADMIN

(In this case, the user jschmoe will be able to access the admin 
functionality of the CAS dashboard and management system.)
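Before moving on to the build, it is worth checking the pieces set up so far against the mistakes that are easiest to make in this walkthrough. The following POSIX shell script is an added example, not part of the original post or the CAS project: it verifies that the /etc/cas/config directory (which holds the LDAP bind password and, later, the cookie and webflow keys; the chown above sets ownership but leaves the directory mode as created) is not readable by "other", that the four crypto keys are uncommented and no longer the "redacted" placeholder, that cas.authn.accept.users in the packaged application.properties is exactly blank as set above, and that every service JSON's serviceId pattern starts with "^". All function names, the check_cas_deployment entry point and the "weak"/"fixed" sample trees written by write_sample_tree are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the CAS project: go-live checks
# for the /etc/cas tree and the overlay's application.properties. All function
# names and the sample trees written by write_sample_tree are constructed here.

# The config directory holds the LDAP bind password and the cookie/webflow keys;
# chown alone does not change its mode. Succeeds only when the "other"
# permission bits of the directory are all off (parsed from ls for portability).
check_config_dir_private() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# All four crypto settings must be present, uncommented and no longer a
# placeholder; each offender is reported on stderr.
check_crypto_keys() {
    rc=0
    for k in cas.tgc.crypto.encryption.key cas.tgc.crypto.signing.key \
             cas.webflow.crypto.encryption.key cas.webflow.crypto.signing.key; do
        pat=$(printf '%s' "$k" | sed 's/\./\\./g')   # escape the dots for sed
        v=$(sed -n "s/^[[:space:]]*$pat=//p" "$1" | tail -n 1)
        case "$v" in
            ""|redacted|changeit) echo "$k: unset, commented out or placeholder" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# The post blanks cas.authn.accept.users so the template's static casuser/Mellon
# login is gone; require exactly that line, with nothing after the "=".
check_accept_users_empty() {
    grep -q '^cas\.authn\.accept\.users=[[:space:]]*$' "$1"
}

# Each serviceId is a regex; without a leading "^" a pattern such as
# "https://app.school.edu.*" also matches any URL that merely contains that
# text. Reports every file whose pattern is missing or unanchored.
check_service_ids_anchored() {
    rc=0
    for f in "$1"/*.json; do
        [ -e "$f" ] || { echo "no service files in $1" >&2; return 1; }
        id=$(sed -n 's/.*"serviceId"[[:space:]]*:[[:space:]]*"\(.*\)".*/\1/p' "$f" | head -n 1)
        case "$id" in
            "^"*) ;;
            *) echo "$f: serviceId not anchored with ^: [$id]" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# $1 = /etc/cas-style tree, $2 = the application.properties that gets packaged.
# Returns the number of failed checks (0 = ready).
check_cas_deployment() {
    fails=0
    check_config_dir_private "$1/config" || { echo "$1/config is readable by other" >&2; fails=$((fails + 1)); }
    check_crypto_keys "$1/config/cas.properties" || fails=$((fails + 1))
    check_accept_users_empty "$2" || { echo "$2: cas.authn.accept.users is not blank" >&2; fails=$((fails + 1)); }
    check_service_ids_anchored "$1/services" || fails=$((fails + 1))
    return $fails
}

# Constructed sample trees: "weak" mimics the state right after the first build
# (placeholders, 755 directory, unanchored pattern); "fixed" passes every check.
write_sample_tree() {
    mkdir -p "$1/config" "$1/services"
    if [ "$2" = weak ]; then
        chmod 755 "$1/config"
        printf '%s\n' '#cas.tgc.crypto.encryption.key=redacted' '#cas.tgc.crypto.signing.key=redacted' \
            'cas.webflow.crypto.signing.key=changeit' > "$1/config/cas.properties"
        echo 'cas.authn.accept.users=casuser::Mellon' > "$1/application.properties"
        printf '%s\n' '{' '  "@class" : "org.apereo.cas.services.RegexRegisteredService",' \
            '  "serviceId" : "https://app.school.edu.*",' '  "name" : "App", "id" : 1' '}' > "$1/services/App-1.json"
    else
        chmod 750 "$1/config"
        printf '%s\n' 'cas.tgc.crypto.encryption.key=ENCKEY_constructed' 'cas.tgc.crypto.signing.key=SIGKEY_constructed' \
            'cas.webflow.crypto.encryption.key=WFENC_constructed' 'cas.webflow.crypto.signing.key=WFSIG_constructed' \
            > "$1/config/cas.properties"
        echo 'cas.authn.accept.users=' > "$1/application.properties"
        printf '%s\n' '{' '  "@class" : "org.apereo.cas.services.RegexRegisteredService",' \
            '  "serviceId" : "^https://app.school.edu(\\z|/.*)",' '  "name" : "App", "id" : 1' '}' > "$1/services/App-1.json"
    fi
}

demo() {
    t=$(mktemp -d) || return 1
    for state in weak fixed; do
        write_sample_tree "$t/$state" "$state"
        n=0
        check_cas_deployment "$t/$state" "$t/$state/application.properties" || n=$?
        echo "$state tree: $n check(s) failed"
    done
    rm -rf "$t"
}
demo
```

Against a real deployment, call check_cas_deployment /etc/cas /opt/apereo/cas/cas-overlay-template/src/main/resources/application.properties instead of the sample trees; the "weak" tree fails all four checks, the "fixed" tree passes them all.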


Now clean, and build again:

> CASVM:/opt/apereo/cas/cas-overlay-template # ./build.sh clean
> ...
> CASVM:/opt/apereo/cas/cas-overlay-template # ./build.sh package

Deploying the war is pretty simple:

> CASVM:/opt/apereo/cas/cas-overlay-template # ./build.sh deploy

Alternatively, if you didn't set up the deploy target in the build.sh file 
yet, you can do it the hard way, which assumes that your Tomcat webapps 
directory is "/usr/share/tomcat/webapps":

> CASVM:/opt/apereo/cas/cas-overlay-template # cp target/cas.war /usr/share/tomcat/webapps/cas.foo && mv /usr/share/tomcat/webapps/cas.foo /usr/share/tomcat/webapps/cas.war

After deploying to Tomcat for the first time, check the cas.log file in 
/usr/share/tomcat. It'll have a couple of these in it:

> 2018-02-05 16:05:47,662 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [redacted] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>

Just add the settings to 
/opt/apereo/cas/cas-overlay-template/etc/cas/config/cas.properties with the 
typical "property=value" configuration as indicated in the comment earlier 
in this post, then clean, build, and redeploy the war file.
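Those WARN lines can be turned into the property lines mechanically, which avoids a mistyped character in a long generated key. The script below is an added example, not from the original post or the CAS project: it extracts "setting=value" pairs from cas.log and merges them into a copy of cas.properties, uncommenting the "#setting=redacted" placeholders in place and appending any setting the file does not mention yet. The function names and the sample data written by sample_log and sample_properties are constructed; the log message wording is the one quoted above for the encryption key, and signing keys are assumed to be reported with the same wording. Write the merged output to a new file and review it before replacing the real cas.properties.

```shell
#!/bin/sh
# Added example, not from the original post or the CAS project.
# Turns the "Generated ... key" WARN lines that CAS writes to cas.log on first
# start into "setting=value" lines and merges them into a copy of cas.properties.
# Function names and the data produced by sample_log/sample_properties are
# constructed for this example.

# Print one "setting=value" line per generated key found in the given log file(s).
# Wording is the one quoted in the post for the encryption key; signing keys are
# assumed to be reported the same way (everything else, e.g. INFO lines, is ignored).
extract_generated_keys() {
    sed -n -E 's/.*Generated (encryption|signing) key \[([^]]+)\] of size \[[0-9]+\] for \[[^]]+\]\. .*under setting \[([^]]+)\]\..*/\3=\2/p' "$@"
}

# Merge the "setting=value" lines in $2 into the properties file $1, writing the
# result to stdout: a "setting=..." or "#setting=..." line is replaced in place
# (so the commented-out placeholders from the template become live), and any
# setting the file never mentions is appended at the end.
apply_generated_keys() {
    awk -F= -v keyfile="$2" '
        BEGIN {
            while ((getline line < keyfile) > 0) {
                eq = index(line, "=")
                if (eq > 0) want[substr(line, 1, eq - 1)] = substr(line, eq + 1)
            }
        }
        {
            name = $1
            sub(/^#+[[:space:]]*/, "", name)      # "#cas.x.key" -> "cas.x.key"
            if ((name in want) && !(name in seen)) {
                print name "=" want[name]; seen[name] = 1; next
            }
            print
        }
        END { for (n in want) if (!(n in seen)) print n "=" want[n] }
    ' "$1"
}

# Constructed sample cas.log: the first line copies the format quoted in the post
# with a made-up key; the next two follow it; the INFO line must be ignored.
sample_log() {
    cat <<'EOF'
2018-02-05 16:05:47,662 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [ENC_KEY_CONSTRUCTED-abc_123=] of size [256] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.encryption.key].>
2018-02-05 16:05:47,663 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [SIG_KEY_CONSTRUCTED-def_456=] of size [512] for [Ticket-granting Cookie]. The generated key MUST be added to CAS settings under setting [cas.tgc.crypto.signing.key].>
2018-02-05 16:05:47,700 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [WF_SIG_CONSTRUCTED-ghi_789=] of size [512] for [Webflow]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.signing.key].>
2018-02-05 16:05:48,001 INFO [org.apereo.cas.web.CasWebApplication] - <Started CasWebApplication>
EOF
}

# Constructed cas.properties fragment in the state the post leaves it: the TGC
# keys are commented-out placeholders and the webflow keys are absent.
sample_properties() {
    cat <<'EOF'
#Encryption keys
#cas.tgc.crypto.encryption.key=redacted
#cas.tgc.crypto.signing.key=redacted
cas.server.name: https://login.school.edu
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/cas.log"
    sample_properties > "$tmp/cas.properties"
    extract_generated_keys "$tmp/cas.log" > "$tmp/generated.properties"
    echo "--- settings found in cas.log:"; cat "$tmp/generated.properties"
    echo "--- cas.properties with the keys merged in:"
    apply_generated_keys "$tmp/cas.properties" "$tmp/generated.properties"
    rm -rf "$tmp"
}
demo
```

On a real server the two calls are extract_generated_keys /usr/share/tomcat/cas.log > generated.properties and apply_generated_keys /opt/apereo/cas/cas-overlay-template/etc/cas/config/cas.properties generated.properties > cas.properties.new; the keys then end up in the packaged config on the next clean, build and deploy, exactly as pasting them by hand would.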


If you need to see what CAS is up to, you can tail the following logs in 
/usr/share/tomcat/:

cas.log
cas_audit.log
perfStats.log


In my example, I'm assuming that you've got a load balancer or something 
else set up to do SSL offloading, and to front-end the URL to be 
"login.school.edu" instead of "CASVM.school.edu". If this isn't the case, 
please adjust my instructions above to reflect what your setup actually is. 
Once all is set up, you should now be able to log into here: 
https://login.school.edu/cas/status/dashboard and see something 
like this:




*Install and configure the service management webapp:*

First you need to download the CAS management overlay:

> CASVM:/opt/apereo/cas # git clone https://github.com/apereo/cas-management-overlay.git

Do the same changes to the build.sh file that you did for the regular CAS 
application itself (example file attached.)


Create the folder structure for the configuration file contents:

> CASVM:/opt/apereo/cas/cas-management-overlay # mkdir -p etc/cas/config/
> CASVM:/opt/apereo/cas/cas-management-overlay # cd etc/cas/config

Create a new file named management.properties with the following content:

> # CAS server that management app will authenticate with
> # This server will authenticate for any app (service) and you can login as casuser/Mellon
> cas.server.name: https://login.school.edu
> cas.server.prefix: https://login.school.edu/cas
>
> cas.mgmt.adminRoles[0]=ROLE_ADMIN
> cas.mgmt.userPropertiesFile=file:/etc/cas/config/adminusers.properties
>
> # Update this URL to point at server running this management app
> cas.mgmt.serverName=https://login.school.edu
>
> server.context-path=/cas-management
> server.port=443
>
> #Service management
> cas.serviceRegistry.watcherEnabled=true
> cas.serviceRegistry.repeatInterval=120000
> cas.serviceRegistry.startDelay=15000
> cas.serviceRegistry.json.location=file:/etc/cas/services
>
> logging.config=file:/etc/cas/config/log4j2-management.xml

Now just do the same process as with the regular CAS application:

> CASVM:/opt/apereo/cas/cas-management-overlay # ./build.sh clean
> CASVM:/opt/apereo/cas/cas-management-overlay # ./build.sh package
> CASVM:/opt/apereo/cas/cas-management-overlay # ./build.sh deploy

You should now be able to log into https://login.school.edu/cas-management/ 
with the same username as configured for the main CAS application.











build.sh with the deploy target (this copy is the cas-management overlay's; 
for the CAS server itself the war is target/cas.war and the deployed file is 
cas.war, as in the manual copy above):

> #!/bin/bash
> function deploy() {
>     # copy under a temporary name, then rename, so Tomcat never picks up a half-written war
>     cp target/cas-management.war /usr/share/tomcat/webapps/cas-management.foo && mv /usr/share/tomcat/webapps/cas-management.foo /usr/share/tomcat/webapps/cas-management.war
> }
>
> function copy() {
>     echo -e "Creating configuration directory under /etc/cas"
>     mkdir -p /etc/cas/config
>
>     echo -e "Copying configuration files from etc/cas to /etc/cas"
>     cp -rfv etc/cas/* /etc/cas
> }
>
> function help() {
>     echo "Usage: build.sh [deploy|copy|clean|package|run]"
> }
>
> function clean() {
>     # remove the deployed war (if present) and local logs, then the maven clean
>     rm -f /usr/share/tomcat/webapps/cas-management.war
>     rm -Rf *.log
>     rm -Rf *.log.gz
>     ./mvnw clean "$@"
> }
>
> function package() {
>     ./mvnw clean package -T 5 "$@"
>     copy
> }
>
> function run() {
>     package && java -Xdebug -Xrunjdwp:transport=dt_socket,address=5000,server=y,suspend=n -jar target/cas-management.war
> }
>
> if [ $# -eq 0 ]; then
>     echo -e "No commands provided. Defaulting to [run]\n"
>     run
>     exit 0
> fi
>
> case "$1" in
> "deploy")
>     deploy
>     ;;
> "copy")
>     copy
>     ;;
> "clean")
>     shift
>     clean "$@"
>     ;;
> "package")
>     shift
>     package "$@"
>     ;;
> "run")
>     run "$@"
>     ;;
> *)
>     help
>     ;;
> esac

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b37541d1-aba2-49df-8b30-4c0309b665a4%40apereo.org.
