Thanks Andy,
I am building a local CAS from scratch following this document provided by
Ellucian.
-----Original Message-----
From: Andrew Morgan [mailto:mor...@orst.edu]
Sent: Thursday, November 19, 2015 12:59 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Building cas-3.4.12
I don't know what documentation you're reading, but you can do everything
Ellucian wants with a standard install of CAS. We have been running SSO
Manager, Luminis, and XE stuff against CAS for a long time. The only "custom"
work we did was add the UDC_IDENTIFIER attribute they wanted.
Andy
On Thu, 19 Nov 2015, Darouichi, Aziz wrote:
> Carlos, I am following the standard documentation provided by their
> support...!!!
>
> Thanks,
>
>
>
> From: Carlos M. Fernández [mailto:cfern...@sju.edu]
> Sent: Thursday, November 19, 2015 12:36 PM
> To: cas-user@lists.jasig.org
> Subject: RE: [cas-user] Building cas-3.4.12
>
> Ellucian no longer has specific requirements since they updated their SSO
> Manager to use samlValidate, and their portal product uses the CAS 2.0
> protocol. Banner XE apps also use the JASIG CAS client for Java. The standard
> documentation for CAS should be followed instead.
>
> Best regards,
> --
> Carlos.
> From: Misagh Moayyed [mailto:mmoay...@unicon.net]
> Sent: Thursday, 19 November, 2015 12:21
> To: cas-user@lists.jasig.org
> Subject: RE: [cas-user] Building cas-3.4.12
>
> You'd have to talk to Ellucian to get accurate instructions on how to build
> CAS. The official guide for 4.1 is here:
> http://jasig.github.io/cas/4.1.x/installation/Maven-Overlay-Installation.html
>
> From: Darouichi, Aziz [mailto:adaro...@post03.curry.edu]
> Sent: Thursday, November 19, 2015 9:12 AM
> To: cas-user@lists.jasig.org
> Subject: [cas-user] Building cas-3.4.12
>
> Hi,
>
> The last time I built a CAS server was a couple of years ago; it was a pet
> project, and after a few struggles I was able to build it. Now I am following
> documentation provided by Ellucian to build a CAS for BanXE. I am getting
> build.plugins.plugin.version errors for the following plugins:
>
> org.apache.maven.plugins:maven-compiler-plugin is missing
> org.apache.maven.plugins:maven-surefire-plugin is missing
> org.apache.maven.plugins:maven-war-plugin is missing
> org.apache.maven.plugins:maven-enforcer-plugin is missing
>
>
> Thank you,
>
> Aziz
>
>
>
>
> --
>
> You are currently subscribed to cas-user@lists.jasig.org as:
> mmoay...@unicon.net
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
Article 000032029 - Implementing CAS with OpenLDAP for SSO use with INB, SSB and Banner 9
This FAQ outlines how to install CAS with OpenLDAP on a new LINUX 6 server for SSO use with these products:
- SSB 8
- INB 8
- Banner 9
Example server details used below
- malaln57 - LINUX 6 64bit CAS server (contains Tomcat, CAS, OpenLDAP)
- malaln34 - Win2008 64bit WebLogic server (contains Banner 9 apps and BEIS)
- malaln24 - Win2008 32bit WebLogic server (contains SSB 8 and INB 8 apps)
- malaln32 - Win2003 32bit database server with BAN9 instance
=============
Documentation
=============
- CAS Single Sign On Handbook.pdf
- beis80200in.pdf
=====
FAQs
=====
- 1-1BM9F1F - Banner 9 CAS outline and troubleshooting.
- 000008006 - FAQ 1-1459RA7 How to implement Banner 9 SSO with Luminis/CAS
- 1-7PYUTV - How to install OpenLDAP on Linux
- 1-12Y102E - Install and Configure Tomcat 6 on Linux RedHat 5 64-bit for Banner 9 Student Faculty Grade Entry - FGE
- Article 000032067 - Implementing Seamless Navigation and Application Navigator in Banner 9
====
JAVA
====
Ensure that Java SDK 1.6.x or 1.7.x is installed for use with cas-server-3.4.12
Example install (installed JDK 1.6.0.45)
su - root
mkdir /usr/share/jdk-1.6.0.45
ftp file jdk-6u45-linux-x64-rpm.bin into /usr/share/jdk-1.6.0.45
chmod +x jdk-6u45-linux-x64-rpm.bin
./jdk-6u45-linux-x64-rpm.bin
Everything installed into
/usr/java/jdk1.6.0_45/
You can safely remove the temp folder /usr/share/jdk-1.6.0.45 if it is no longer needed
rm -r /usr/share/jdk-1.6.0.45
Update the env variables
vi .bash_profile and add these lines as needed
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$PATH
Confirm version
/usr/java/jdk1.6.0_45/bin/java -version
/usr/java/jdk1.6.0_45/bin/javac -version
========
OPENLDAP
========
Added details in
- FAQ 1-7PYUTV - How to install OpenLDAP on Linux
Example install
1.
First see what is installed
su - root
yum list *openldap*
Installed Packages
compat-openldap.x86_64 1:2.3.43-2.el6
@anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openldap.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
Available Packages
compat-openldap.i686 1:2.3.43-2.el6 rhel-x86_64-server-6
openldap.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-clients.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
openldap-servers.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
2.
Install the openldap software
yum -y install openldap
yum -y install openldap-clients
yum -y install openldap-servers
3.
Now rerun this command to confirm they installed correctly
yum list *openldap*
Installed Packages
compat-openldap.x86_64 1:2.3.43-2.el6
@anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openldap.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
openldap-clients.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
openldap-servers.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
Available Packages
compat-openldap.i686 1:2.3.43-2.el6 rhel-x86_64-server-6
openldap.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
4.
Optional - On this server, port 389 had to be opened in iptables before starting OpenLDAP
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
service iptables restart
5.
Added OpenLDAP configuration details at
- http://www.openldap.org/doc/admin24/quickstart.html
First stop it and remove any old files if they exist
service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/openldap/slapd.d/*
rm /etc/openldap/slapd.conf
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
database bdb
suffix "dc=ellucian,dc=com"
rootdn "cn=Manager,dc=ellucian,dc=com"
rootpw u_pick_it
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
slaptest -u -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap/*
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
vi /etc/openldap/load1.ldif
dn: dc=ellucian,dc=com
objectclass: dcObject
objectclass: organization
o: Ellucian Company
dc: ellucian
vi /etc/openldap/load2.ldif
dn: cn=Manager,dc=ellucian,dc=com
objectclass: organizationalRole
cn: Manager
vi /etc/openldap/load3.ldif
dn: ou=users,dc=ellucian,dc=com
objectclass: organizationalUnit
ou: users
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load1.ldif
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load2.ldif
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load3.ldif
ldapsearch -x -b 'dc=ellucian,dc=com' '(objectclass=*)'
Optionally, instead of running load3.ldif above, you could have used an LDAP browser to connect to the LDAP instance and load the data.
For example
Edit-- Add Entry -- organizationalUnit
dn: ou=users,dc=ellucian,dc=com
objectclass: top
objectclass: organizationalUnit
Now load Banner records as needed via LDAP browser or command line
Some example files are below
vi /etc/openldap/banner1.ldif
dn: cn=0D9D446868E04E05A430DCEA2FE030D3,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 0D9D446868E04E05A430DCEA2FE030D3
sn: testinb8
uid: testinb8
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner1.ldif
vi /etc/openldap/banner2.ldif
dn: cn=casadmin,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: casadmin
sn: casadmin
uid: casadmin
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner2.ldif
Add or adjust LDAP records as needed.
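The banner1.ldif and banner2.ldif entries above store userPassword in cleartext. As an added example (not part of the Ellucian FAQ), the Python below builds the same two entries with an RFC 2307 {SSHA} userPassword, the form slappasswd produces and slapd accepts, escapes DN values per RFC 4514 and base64-encodes LDIF values that need it; the 32-hex-digit shape check for UDC_IDENTIFIER is an assumption taken from the FAQ's single sample value.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed to match the FAQ's banner1.ldif / banner2.ldif layout.
USERS_BASE = "ou=users,dc=ellucian,dc=com"
# Assumption: a UDC_IDENTIFIER has the shape of the FAQ's sample, 32 uppercase hex digits.
UDC_ID_RE = re.compile(r"^[0-9A-F]{32}$")
# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514).
DN_SPECIALS = ',+"\\<>;='


def is_valid_udc_identifier(udc_id):
    """True when udc_id has the 32-hex-digit shape of the FAQ's sample cn value."""
    return bool(UDC_ID_RE.match(udc_id))


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN, e.g. the cn in 'cn=...,ou=users,...'."""
    out = "".join("\\" + ch if ch in DN_SPECIALS else ch for ch in value)
    if out[:1] in (" ", "#"):          # a leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """LDIF (RFC 2849): values that are non-ASCII, start with ' ', ':' or '<', or carry
    leading/trailing space are written base64-encoded after a double colon."""
    if (not value.isascii()) or value[:1] in (" ", ":", "<") or value != value.strip():
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA}: base64(SHA-1(password || salt) || salt), the form slappasswd emits."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value; the SHA-1 digest is 20 bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_entry_ldif(cn, uid, sn, password):
    """One entry with the FAQ's objectClasses (person, uidObject, top) and a hashed password."""
    lines = [
        "dn: cn=%s,%s" % (escape_dn_value(cn), USERS_BASE),
        "objectClass: person",
        "objectClass: uidObject",
        "objectClass: top",
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("uid", uid),
        ldif_line("userPassword", ssha_hash(password)),
    ]
    return "\n".join(lines) + "\n"


def banner_user_ldif(udc_id, uid, sn, password):
    """Banner user entry (like banner1.ldif): the cn must be the user's UDC_IDENTIFIER."""
    if not is_valid_udc_identifier(udc_id):
        raise ValueError("UDC_IDENTIFIER must be 32 hex digits, got %r" % udc_id)
    return user_entry_ldif(udc_id, uid, sn, password)


if __name__ == "__main__":
    # The same two accounts as the FAQ's banner1.ldif and banner2.ldif, with hashed passwords.
    print(banner_user_ldif("0D9D446868E04E05A430DCEA2FE030D3", "testinb8", "testinb8", "u_pick_it"))
    print(user_entry_ldif("casadmin", "casadmin", "casadmin", "u_pick_it"))
```

Redirect the output to a file and load it with the same ldapadd command as above; slapd verifies the {SSHA} value on bind, so the CAS BindLdapAuthenticationHandler configured later works unchanged.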
===
ANT
===
Ensure Ant is installed.
Download file
- http://ant.apache.org/bindownload.cgi
Example install
1.
su - root
mkdir /usr/share/ant/
cd /usr/share/ant/
ftp apache-ant-1.9.4-bin.tar.gz to /usr/share/ant/
tar -xf apache-ant-1.9.4-bin.tar.gz
2.
vi .bash_profile
add these lines as needed
export ANT_HOME=/usr/share/ant/apache-ant-1.9.4
export PATH=$ANT_HOME/bin:$PATH
3.
ant -version
Shows
Apache Ant(TM) version 1.9.4 compiled on October 29 2014
=====
MAVEN
=====
Ensure that Apache Maven 3.x is installed for use with cas-server-3.4.12
Download file
- http://maven.apache.org/download.cgi
Install Notes
- http://maven.apache.org/download.cgi#Installation
Example install
1.
su - root
mkdir /usr/share/maven/
cd /usr/share/maven/
ftp apache-maven-3.2.3-bin.tar.gz to /usr/share/maven/
tar -xf apache-maven-3.2.3-bin.tar.gz
2.
vi .bash_profile
add these lines as needed
export M2_HOME=/usr/share/maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$PATH
3.
mvn --version
shows
Apache Maven 3.2.3 (33f8c3e1027c3ddde99d3cdebad2656a31e8fdf4;
2014-08-11T16:58:10-04:00)
Maven home: /usr/share/maven/apache-maven-3.2.3
Java version: 1.8.0_25, vendor: Oracle Corporation
Java home: /usr/java/jdk1.8.0_25/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "2.6.32-431.el6.x86_64", arch: "amd64", family:
"unix"
4.
Optional test to confirm "mvn" runs correctly
mkdir /usr/share/maven/test
cd /usr/share/maven/test
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app \
  -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false -e -X
That should run without issue, download all needed files and end with these details
...
[INFO] project created from Old (1.x) Archetype in dir:
/aux/maven/apache-maven-3.2.3/test/my-app
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 06:29 min
[INFO] Finished at: 2014-11-19T01:37:09+05:30
[INFO] Final Memory: 13M/155M
[INFO] ------------------------------------------------------------------------
You should also see these files built
[root@malaln57 test]# pwd
/usr/share/maven/test
[root@malaln57 test]# ls -ltr
total 4
drwxr-xr-x. 3 root root 4096 Dec 2 10:18 my-app
======
TOMCAT
======
Ensure that Tomcat 6 or 7 is installed for use with cas-server-3.4.12
Example install of Tomcat 7
1.
/usr/sbin/groupadd tomcat
/usr/sbin/useradd -c "Tomcat" -m -g tomcat -s /bin/bash -d /aux/tomcat -u 505 tomcat
passwd tomcat (Set the password as needed)
ftp file apache-tomcat-7.0.57.tar.gz to /aux/tomcat
chmod 777 /aux/tomcat/apache-tomcat-7.0.57.tar.gz
su - tomcat
tar zxvf apache-tomcat-7.0.57.tar.gz
2.
vi .bash_profile
add these lines as needed
export CATALINA_HOME=/aux/tomcat/apache-tomcat-7.0.57
export CATALINA_OPTS="-server -Xms2048m -Xmx4g -XX:MaxPermSize=256m"
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$PATH
3.
Edit $CATALINA_HOME/conf/tomcat-users.xml
remove the comments from bottom section on users and
Change password and roles on this line
<user username="tomcat" password="manager1" roles="tomcat,manager-gui"/>
Add this line above the one you just edited.
<role rolename="manager-gui"/>
4.
Optional - On this server, iptables had to be opened for port 8080
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
service iptables restart
5.
Start tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
Stop tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
Confirm you can connect from browser
http://malaln57.sct.com:8080/
Shows
Apache Tomcat/7.0.57
Manager App
- http://malaln57.sct.com:8080/manager/html (Login with tomcat/manager1)
Implement SSL with Tomcat 7
---------------------------
- http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
1.
su - tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 365
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: malaln57.sct.com
What is the name of your organizational unit?
[Unknown]: ellucian
What is the name of your organization?
[Unknown]: ellucian
What is the name of your City or Locality?
[Unknown]: Rochester
What is the name of your State or Province?
[Unknown]: NY
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=malaln57.sct.com, OU=ellucian, O=ellucian, L=Rochester, ST=NY, C=US
correct?
[no]: yes
Enter key password for <tomcat> changeit
(RETURN if same as keystore password):
Re-enter new password: changeit
2.
Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_BASE/conf/server.xml
vi $CATALINA_HOME/conf/server.xml
Uncomment this code
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
Change to
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />
Save changes
3.
Optional - On this server, iptables had to be opened for port 8443
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
service iptables restart
4.
Now restart tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
5.
Test SSL access via port 8443
- https://malaln57.sct.com:8443/
===========
Install CAS
===========
Used the CAS SSO Handbook provided by ellucian to install.
Step 1.
-------
<CAS_HOME> = /usr/share/cas/cas-server-3.4.12/
Step 2.
-------
Edited the pom.xml file located in the directory:
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/pom.xml
Added these lines
<!-- LDAP SUPPORT -->
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-support-ldap</artifactId>
<version>${project.version}</version>
<type>jar</type>
</dependency>
<!-- Apache Commons DBCP for Java 6 (use version 1.3 for Java 5 or lower)-->
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
<version>1.4</version>
<scope>runtime</scope>
</dependency>
<!-- Hibernate Core and Entity Manager -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>${hibernate.core.version}</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-entitymanager</artifactId>
<version>${hibernate.core.version}</version>
<scope>runtime</scope>
</dependency>
<!-- Oracle JDBC Driver -->
<dependency>
<groupId>com.oracle</groupId>
<artifactId>ojdbc6</artifactId>
<version>11.2.0</version>
</dependency>
Step 3.
-------
Installed maven following default instructions.
Placed ojdbc6.jar into /usr/share/jdbc
chmod 777 /usr/share/jdbc/ojdbc6.jar
ls -ltr
total 2676
-rwxrwxrwx. 1 root root 2739670 Nov 18 13:45 ojdbc6.jar
Now run maven command to register it
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar \
  -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
It should say
[INFO] Installing /usr/share/jdbc/ojdbc6.jar to
/root/.m2/repository/com/oracle/ojdbc6/11.2.0/ojdbc6-11.2.0.jar
[INFO] Installing /tmp/mvninstall7791144338087462449.pom to
/root/.m2/repository/com/oracle/ojdbc6/11.2.0/ojdbc6-11.2.0.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.288 s
[INFO] Finished at: 2014-11-24T14:42:26-05:00
[INFO] Final Memory: 6M/29M
[INFO] ------------------------------------------------------------------------
Step 4.
-------
<PROJECT_HOME> = /usr/share/cas/cas-server-3.4.12/cas-server-webapp
<PROJECT_WEBROOT> =
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp
vi
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties
Change1
server.prefix=http://localhost:8080/cas
to
server.prefix=https://malaln57.sct.com:8443/cas
Change2
host.name=cas
to
host.name=malaln57.sct.com
Change3 (Optional)
#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
to
database.hibernate.dialect=org.hibernate.dialect.OracleDialect
Change4 (Optional)
add this line to end of the file
ticket.cleaner.database.platform=SQL92
Step 5.
-------
1.
vi
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
2.
Inside the section
<property name="credentialsToPrincipalResolvers">
<list>
Remove these 2 lines
<bean class=
"org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
<bean class=
"org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver"/>
3
And then add these lines
<bean
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
<property name="credentialsToPrincipalResolver">
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"
/>
</property>
<property name="filter" value="(uid=%u)" />
<property name="principalAttributeName" value="uid" />
<property name="searchBase" value="ou=users,dc=ellucian,dc=com" />
<property name="contextSource" ref="contextSource" />
<property name="attributeRepository">
<ref bean="attributeRepository" />
</property>
</bean>
Note: Change this line to match your LDAP server location.
<property name="searchBase" value="ou=users,dc=ellucian,dc=com" />
4.
Inside
<property name="authenticationHandlers">
<list>
Remove this line
<bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"
/>
5.
Add
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
<property name="filter" value="uid=%u" />
<property name="searchBase" value="ou=users,dc=ellucian,dc=com" />
<property name="contextSource" ref="contextSource" />
<property name="timeout" value="10">
</property>
</bean>
6.
Change this section
<sec:user-service id="userDetailsService">
<sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused"
authorities="ROLE_ADMIN" />
</sec:user-service>
to
<sec:user-service id="userDetailsService">
<sec:user name="casadmin" password="u_pick_it" authorities="ROLE_ADMIN"
/>
</sec:user-service>
7.
Change
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="eduPersonAffiliation"
value="eduPersonAffiliation" />
<entry key="groupMembership"
value="groupMembership" />
</map>
</property>
</bean>
to
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
<property name="contextSource" ref="contextSource" />
<property name="baseDN" value="ou=users,dc=ellucian,dc=com" />
<property name="requireAllQueryAttributes" value="true" />
<!-- Attribute mapping between principal (key) and LDAP (value) names used to
perform the LDAP search. By default, multiple search criteria are ANDed
together. Set the queryType property to change to OR. -->
<property name="queryAttributeMapping">
<map>
<entry key="username" value="uid" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
<entry key="cn" value="UDC_IDENTIFIER"/>
<entry key="uid" value="uid" />
</map>
</property>
</bean>
8.
Add this line after the <bean id="attributeRepository" defined in the step above
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false"/>
<property name="urls">
<list>
<value>ldap://malaln57.sct.com:389</value>
</list>
</property>
<property name="userDn" value="cn=Manager,dc=ellucian,dc=com"/>
<property name="password" value="u_pick_it"/>
<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
</entry>
</map>
</property>
</bean>
9.1
Change
<bean
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and
IMAP(S) protocols" />
<property name="serviceId"
value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="10000001" />
</bean>
<!--
Use the following definition instead of the above to
further restrict access
to services within your domain (including subdomains).
Note that example.com must be replaced with the domain you
wish to permit.
-->
<!--
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="1" />
<property name="name" value="HTTP and IMAP on
example.com" />
<property name="description" value="Allows HTTP(S) and
IMAP(S) protocols on example.com" />
<property name="serviceId"
value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
<property name="evaluationOrder" value="0" />
</bean>
-->
</list>
</property>
</bean>
to
<bean id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<!-- Protect CAS Managed Services Endpoint -->
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="1" />
<property name="name" value="CAS Managed Services" />
<property name="description" value="CAS Managed
Services Endpoint" />
<property name="serviceId"
value="https://malaln57.sct.com:8443/cas/services/**" />
<property name="allowedAttributes">
<list>
<value>uid</value>
</list>
</property>
<property name="evaluationOrder" value="10000001" />
</bean>
<!-- Protect SSB/INB via the SSO Manager Client -->
<bean class="org.jasig.cas.services.RegisteredServiceImpl">
<property name="id" value="2" />
<property name="name" value="SSO Manager" />
<property name="description" value="CAS Client for
SSB/INB" />
<property name="serviceId"
value="http://malaln34.sct.com:9908/ssomanager/c/**" />
<property name="allowedAttributes">
<list>
<value>UDC_IDENTIFIER</value>
</list>
</property>
<property name="evaluationOrder" value="10000002" />
</bean>
</list>
</property>
</bean>
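Which service URLs each registeredServices list above accepts, and which attributes it releases, is easiest to see by running both lists against candidate URLs. The Python below is an added example, not CAS code: it approximates CAS 3.4's matching (RegexRegisteredService applies a Java regex with find(); RegisteredServiceImpl applies Spring's Ant-style matcher to lowercased values), and the ticket value and the other.example.org URL are constructed.

```python
import re
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class RegisteredService:
    """One <bean> from the registeredServices list in deployerConfigContext.xml."""
    id: int
    name: str
    service_id: str
    evaluation_order: int
    allowed_attributes: Tuple[str, ...] = ()
    regex: bool = False  # True for RegexRegisteredService, False for RegisteredServiceImpl (Ant-style)


def ant_to_regex(pattern):
    """Approximation of Spring's AntPathMatcher: '**' spans '/', while '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return "".join(out)


def service_matches(service, url):
    if service.regex:
        # RegexRegisteredService: Java Pattern.find() against the service URL as given.
        return re.search(service.service_id, url) is not None
    # RegisteredServiceImpl: Ant-style match; CAS 3.4 lowercases both sides first.
    return re.fullmatch(ant_to_regex(service.service_id.lower()), url.lower()) is not None


def find_service(registry, url):
    """First matching service in evaluationOrder, or None (CAS then refuses the service)."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if service_matches(svc, url):
            return svc
    return None


def released_attributes(registry, url, principal_attributes):
    """Attributes CAS would release to url: only those listed in the matched service's allowedAttributes."""
    svc = find_service(registry, url)
    if svc is None:
        return None
    return {k: v for k, v in principal_attributes.items() if k in svc.allowed_attributes}


# The stock registry from the 'Change' block: any http(s) or imap(s) URL is accepted.
DEFAULT_REGISTRY = (
    RegisteredService(0, "HTTP and IMAP", r"^(https?|imaps?)://.*", 10000001, (), regex=True),
)

# The FAQ's replacement registry: only the two Ellucian endpoints are accepted.
FAQ_REGISTRY = (
    RegisteredService(1, "CAS Managed Services",
                      "https://malaln57.sct.com:8443/cas/services/**", 10000001, ("uid",)),
    RegisteredService(2, "SSO Manager",
                      "http://malaln34.sct.com:9908/ssomanager/c/**", 10000002, ("UDC_IDENTIFIER",)),
)

# Constructed principal attributes in the shape produced by the FAQ's resultAttributeMapping.
TESTINB8_ATTRIBUTES = {"uid": "testinb8", "UDC_IDENTIFIER": "0D9D446868E04E05A430DCEA2FE030D3"}

if __name__ == "__main__":
    candidates = (
        "https://malaln57.sct.com:8443/cas/services/manage.html",
        "http://malaln34.sct.com:9908/ssomanager/c/INB?ticket=ST-16-xyz-malaln57",  # constructed ticket
        "http://malaln34.sct.com:9908/ssomanager/",   # not under /c/, so not matched by the FAQ registry
        "https://other.example.org/app",              # constructed unrelated service
    )
    for url in candidates:
        for label, registry in (("default", DEFAULT_REGISTRY), ("FAQ", FAQ_REGISTRY)):
            svc = find_service(registry, url)
            print("%-7s %-70s -> %s %s" % (label, url, svc.name if svc else "REJECTED",
                                           released_attributes(registry, url, TESTINB8_ATTRIBUTES)))
```

Note that the SSOManager service added later through the management page uses the broader pattern http://malaln34.sct.com:9908/ssomanager/**, which does match the third URL.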
9.2
Can be skipped, since the in-memory data store from 9.1 is used
10.
Save file
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
Step 6.
-------
Skip this step since only used with JPA-based session (9.2 above) and we are
using in-memory data store (9.1 above)
Step 7.
-------
1.
vi
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/themes/default/cas.css
2.
Make any style changes as needed
3.
Save File
4.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/images
5.
Change images as needed
6.
Skipped - Optional
7.
Skipped - Optional
8.
Skipped - Optional
Step 8.
-------
1.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp
2.
mvn clean package
it should state
[INFO] Webapp assembled in [1410 msecs]
[INFO] Building war:
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas.war
[INFO] WEB-INF/web.xml already added, skipping
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 22.658 s
[INFO] Finished at: 2014-11-24T15:31:12-05:00
[INFO] Final Memory: 17M/43M
[INFO] ------------------------------------------------------------------------
Step 9.
-------
1.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp/target
2.
Locate newly built cas.war
ls -l cas.war
-rw-r--r--. 1 root root 24090118 Nov 24 15:31 cas.war
3.
su - tomcat
/usr/share/tomcat/apache-tomcat-8.0.14/bin/shutdown.sh
cp /usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas.war
/aux/tomcat/apache-tomcat-7.0.57/webapps/cas.war
/usr/share/tomcat/apache-tomcat-8.0.14/bin/startup.sh
exit
4.
Ensure that SSL is enabled on Tomcat.
See
- http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Step 10.
-------
1.
Login and confirm it is working
- SSL -- https://malaln57.sct.com:8443/cas/login (casadmin / u_pick_it )
Should display
Log In Successful
You have successfully logged into the Central Authentication Service.
For security reasons, please Log Out and Exit your web browser when you are
done accessing services that require authentication!
=================
BEIS - SSOMANAGER
=================
Only the SSOManager parts are needed
Review
- beis80200in.pdf
Download
- BEIS_8.2.zip
Unzip the file
- SSOManager_8.2.zip
Follow the details in Chapter 6 and 7
- Chapter 6 -- SSO Manager Automated Installation
- Chapter 7 -- SSO Manager Manual Installation
Quick Steps
-----------
cd D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2\ant-installer
java -jar sso-manager-weblogic-installer.jar
Click Next
Check first 2 boxes
- Configure and Save EAR [x]
- Configure and Save SSO Client [x]
Click Next
SSOManager Server Protocol
[x] http
SSOManager Host = malaln34.sct.com
SSOManager Port = 9908
Click Next
Username = ssomgrAdm
Password = u_pick_it
Click Next
CAS Server Protocol
[x] https
CAS Server Host = malaln57.sct.com
CAS Server Port = 8443
CAS Server Context = cas
Click Next
Save Deployables to Location =
D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
Click Next
Click Install
Now Locate the sso-manager.ear in
D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
and deploy it onto WebLogic server on managed server running on port 9908
Once deployed you should be able to connect to SSOManager with this example URL
and configure the CAS parts as needed
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
=========================
SSB configuration for CAS
=========================
Step 1.
-------
Login to SSB as a Web Tailor admin account
- http://malaln24.sct.com:9020/malaln32_ban9/twbkwbis.P_WWWLogin
(111111/111111)
From the Web Tailor Menu, select Web Tailor Parameters.
Change these settings
IDMLOGINURI = https://malaln57.sct.com:8443/cas/login
IDMLOGOUTURI = https://malaln57.sct.com:8443/cas/logout
IDMTIMEOUT = 0
IDMSSO = Y
IDMCOOKIE = IDMSESSID
IDMCOOKIEDOMAIN = sct.com
IDMCOOKIEPATH = /
Step 2.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Choose the default validation service
[x] SAML Validate
Click Save
Click the SSB Configuration Tab
SSB URL =
http://malaln24.sct.com:9020/malaln32_ban9/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu
SSB Deep Linking = CHECKED
Base URL = http://malaln24.sct.com:9020/malaln32_ban9/
URL Parameter Name = pkg
Mode = [x] CAS
Cookie Name = IDMSESSID
Cookie Domain Name = .sct.com
Click Save
Step 3.
-------
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = sso manager cas client
Service URL = http://malaln34.sct.com:9908/ssomanager/**
Description = Protect sso manager client
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 4.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "CAS" link in lower right corner to confirm CAS server is accessed
correctly.
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
It should log you into SSB
=========================
INB configuration for CAS
=========================
Step 1.
-------
Locate the file
- ssoclient.jar
that was created correctly during the BEIS - SSOMANAGER install
For example
- D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2\ssoclient.jar
Step 2.
-------
Copy the file
- ssoclient.jar
into ORACLE_HOME/forms/java on the INB WebLogic/OFM server (malaln24)
Login to EM Console
- http://malaln24.sct.com:7001/em (weblogic/manager1)
Open the Forms Folder and Click on Forms
Click on "Environment Configuration"
Locate the active ENV setting
Show = "malaln32_ban9_seam.env"
Change
CLASSPATH = C:\Oracle\Middleware\as_1\forms\j2ee\frmsrv.jar;
C:\Oracle\Middleware\as_1\jlib\ldapjclnt11.jar;
C:\Oracle\Middleware\as_1\jlib\debugger.jar;C:\Oracle\Middleware\as_1\jlib\ewt3.jar;
C:\Oracle\Middleware\as_1\jlib\share.jar;C:\Oracle\Middleware\as_1\jlib\utj.jar;
C:\Oracle\Middleware\as_1\jlib\zrclient.jar;C:\Oracle\Middleware\as_1\reports\jlib\rwrun.jar;
C:\Oracle\Middleware\as_1\forms\java\frmwebutil.jar;C:\Oracle\Middleware\as_1/jlib/start_dejvm.jar;
C:\Oracle\Middleware\as_1\opmn\lib\optic.jar;C:\Oracle\Middleware\as_1\forms\java\auainit-8.5.1.jar;
C:\Oracle\Middleware\as_1\forms\java\finaidutils.jar
To
CLASSPATH = C:\Oracle\Middleware\as_1\forms\j2ee\frmsrv.jar;
C:\Oracle\Middleware\as_1\forms\java\ssoclient.jar;
C:\Oracle\Middleware\as_1\jlib\ldapjclnt11.jar;
C:\Oracle\Middleware\as_1\jlib\debugger.jar;C:\Oracle\Middleware\as_1\jlib\ewt3.jar;
C:\Oracle\Middleware\as_1\jlib\share.jar;C:\Oracle\Middleware\as_1\jlib\utj.jar;
C:\Oracle\Middleware\as_1\jlib\zrclient.jar;C:\Oracle\Middleware\as_1\reports\jlib\rwrun.jar;
C:\Oracle\Middleware\as_1\forms\java\frmwebutil.jar;C:\Oracle\Middleware\as_1/jlib/start_dejvm.jar;
C:\Oracle\Middleware\as_1\opmn\lib\optic.jar;C:\Oracle\Middleware\as_1\forms\java\auainit-8.5.1.jar;
C:\Oracle\Middleware\as_1\forms\java\finaidutils.jar
Click Apply
Click "Forms"
Click "Web Configuration"
Locate the INB Web Configuration for example "malaln32_ban9_seam"
Show = advanced
Click "Override" tab
Locate parameter
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log%
term=%term% ssoProxyConnect=%ssoProxyConnect%
Change to
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log%
term=%term% ssoProxyConnect=%ssoProxyConnect% iamticket=%iamticket%
Click Apply
Step 3.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Choose the default validation service
[x] SAML Validate
Click Save
Click the SSB Configuration Tab
INB URL = http://malaln24.sct.com:8888/forms/frmservlet
Forms Environment = malaln32_ban9_seam
Mode = [x] CAS
UDC ID Indicator = COOKIE
UDC ID KEY =
Ticket Parameter Name = IAMTICKET
Password Policy
[x] Prompt
Valid Characters = AlphaNumeric
Minimum Length = 8
Maximum Length = 30
[x] Store Password
Click Save
Step 4.
-------
Note: this may have already been done as part of SSB setup.
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = sso manager cas client
Service URL = http://malaln34.sct.com:9908/ssomanager/**
Description = Protect sso manager client
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 5.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "CAS" link in lower right corner to confirm CAS server is accessed
correctly.
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
It should direct you to this URL the first time
- http://malaln34.sct.com:9908/ssomanager/c/INB?ticket=ST-16-zSpYqe4QZdbG5ZYWH5bS-malaln57
Oracle Password Prompt
Oracle Password for TESTINB8
u_pick_it
Click Save
It should log you into INB
==============================
Banner 9 configuration for CAS
==============================
The Steps below outline implementing this with the Banner 9 Course Catalog
application.
The steps would be similar for other Banner 9 applications.
Step 1.
-------
Edit the file
D:\sghe\ban9\banner_test_homes\Catalog93\current\instance\config\StudentCourseCatalog_configuration.groovy
Locate this
banner {
    sso {
        authenticationProvider = 'default'   // Valid values are: 'default', 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}
Change to
banner {
    sso {
        authenticationProvider = 'cas'   // Valid values are: 'default', 'cas'
        authenticationAssertionAttribute = 'UDC_IDENTIFIER'
    }
}
Step 2.
-------
Edit the file
D:\sghe\ban9\banner_test_homes\Catalog93\current\instance\config\StudentCourseCatalog_configuration.groovy
Locate this
grails {
    plugins {
        springsecurity {
            cas {
                serverUrlPrefix = 'http://CAS_HOST:PORT/cas'
                serviceUrl = 'http://BANNER9_HOST:PORT/APP_NAME/j_spring_cas_security_check'
                serverName = 'http://BANNER9_HOST:PORT'
                proxyCallbackUrl = 'http://BANNER9_HOST:PORT/APP_NAME/secure/receptor'
                loginUri = '/login'
                sendRenew = false
                proxyReceptorUrl = '/secure/receptor'
                useSingleSignout = true
                key = 'grails-spring-security-cas'
                artifactParameter = 'ticket'
                serviceParameter = 'service'
                filterProcessesUrl = '/j_spring_cas_security_check'
            }
            logout {
                afterLogoutUrl = 'https://cas-server/logout?url=http://myportal/main_page.html'
            }
        }
    }
}
Change to
grails {
    plugins {
        springsecurity {
            cas {
                serverUrlPrefix = 'https://malaln57.sct.com:8443/cas'
                serviceUrl = 'http://malaln34.sct.com:8081/StudentCourseCatalog/j_spring_cas_security_check'
                serverName = 'http://malaln34.sct.com:8081'
                proxyCallbackUrl = 'http://malaln34.sct.com:8081/StudentCourseCatalog/secure/receptor'
                loginUri = '/login'
                sendRenew = false
                proxyReceptorUrl = '/secure/receptor'
                useSingleSignout = true
                key = 'grails-spring-security-cas'
                artifactParameter = 'ticket'
                serviceParameter = 'service'
                filterProcessesUrl = '/j_spring_cas_security_check'
            }
            logout {
                afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?service=http://malaln31.sct.com/index.html'
            }
        }
    }
}
Note: if you are implementing Seamless Navigation and Application Navigator in Banner 9
then please set this parameter to true also.
applicationNavigator=true
Step 3.
-------
cd D:\sghe\ban9\banner_test_homes\Catalog93\current\installer
ant
bin\systool war
Step 4.
-------
Skipped -- Optional
Step 5.
-------
Rename file
- D:\sghe\ban9\banner_test_homes\Catalog93\current\dist\StudentCourseCatalog-9.3.war
to
- D:\sghe\ban9\banner_test_homes\Catalog93\current\dist\StudentCourseCatalog.war
and deploy it onto WebLogic Server (malaln34)
Confirm you can access it
- http://malaln34.sct.com:8081/StudentCourseCatalog
Step 6.
-------
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = XEStudentCourseCatalog
Service URL = http://malaln34.sct.com:8081/StudentCourseCatalog/**
Description = StudentCourseCatalog
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 7.
-------
Login to the Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog
Enter the CAS credentials
- testinb8/u_pick_it
It should log you into the Banner 9 Application using the CAS credentials
Click "Sign Out" and it should log you out of Banner 9 / CAS and redirect the
browser to your defined portal URL.
*******************************
ADDED DEBUG/INFORMATION SECTION
*******************************
======================
KEY LOG FILE LOCATIONS - For debugging
======================
CAS - malaln57 - /aux/tomcat/apache-tomcat-7.0.57/cas.log
SSO_MANAGER - malaln34 - \\malaln34\Oracle\Middleware\user_projects\domains\base_domain\servers\SSO_Manager\logs\SSO_Manager.out
OHS1 - malaln24 - \\malaln24\Oracle\Middleware\asinst_1\diagnostics\logs\OHS\ohs1
=======================
Sample Accounts Details (In these examples all passwords are u_pick_it and all
pins are 111111)
=======================
CAS                      Oracle/GOAEACC   ID          PIDM   UDC_ID
---                      --------------   --          ----   ------
testinb8/u_pick_it       testinb8         111111111   509    0D9D446868E04E05A430DCEA2FE030D3
saisusr/u_pick_it        saisusr          222222222   510    7F7ABE51F2644B459E031BF8764627C0
student_user/u_pick_it                    333333333   527    69DFE7962D3C44A5A5D183EF987B54E2   (Note: no GOAEACC connection)
111111111/111111                          444444444   530    EC2E31867A2F42BEAC744607F990295E   (Note: no GOAEACC connection)
These are sample ldif files to load the user data. Adjust as needed.
1.
vi /etc/openldap/banner3.ldif
dn: cn=7F7ABE51F2644B459E031BF8764627C0,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 7F7ABE51F2644B459E031BF8764627C0
sn: saisusr
uid: saisusr
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner3.ldif
2.
vi /etc/openldap/banner4.ldif
dn: cn=69DFE7962D3C44A5A5D183EF987B54E2,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 69DFE7962D3C44A5A5D183EF987B54E2
sn: student_user
uid: student_user
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner4.ldif
3.
vi /etc/openldap/banner5.ldif
dn: cn=EC2E31867A2F42BEAC744607F990295E,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: EC2E31867A2F42BEAC744607F990295E
sn: 111111111
uid: 111111111
userPassword: 111111
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner5.ldif
These SQL selects can help with setting up and debugging user account mapping
issues
1.
select * from GOBUMAP where GOBUMAP_PIDM=509;
Confirm the column GOBUMAP_UDC_ID contains what is in the OpenLDAP server entry
0D9D446868E04E05A430DCEA2FE030D3
Adjust GOBUMAP table or OpenLDAP server as needed to correctly match PIDM and
GOBUMAP_UDC_ID
2.
Confirm TESTINB8 userid = PIDM 509
select * from gobeacc where gobeacc_pidm=509;
509 TESTINB8 SAISUSR
CAS ID is testinb8/u_pick_it
Oracle ID is also testinb8/u_pick_it
3.
Confirm a valid SPRIDEN record exists for the PIDM
select * from spriden where spriden_pidm=509 and spriden_change_ind is null;
4.
Confirm a valid GOBTPAC record exists for the PIDM
select * from gobtpac where gobtpac_pidm=509;
==============
Maven - Error1
==============
[root@malaln57 ~]# mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
[INFO] Scanning for projects...
Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-install-plugin/2.4/maven-install-plugin-2.4.pom
Nov 18, 2014 1:56:05 PM org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request: Connection reset
Nov 18, 2014 1:56:05 PM org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec execute
INFO: Retrying request
...
Fix1
----
First confirm the /etc/hosts file is correct
This line was missing
149.24.40.63 malaln57.ellucian.com malaln57.sungardhe.com malaln57.sct.com
malaln57
Then removed this file /root/.m2/settings.xml that was defining the proxy
settings since it wasn't needed
Create and edit the file /root/.m2/settings.xml
For example initially it looked like this
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
    <localRepository/>
    <interactiveMode/>
    <usePluginRegistry/>
    <offline/>
    <proxies>
        <proxy>
            <active>true</active>
            <protocol>http</protocol>
            <host>www-proxy.sct.com</host>
            <port>8080</port>
        </proxy>
    </proxies>
</settings>
Removed the whole file since Proxy Settings were not needed on this server
Also edited the
.bash_profile
and commented out these settings since they also were not needed for proxy setup
#export ANT_OPTS="-Dhttp.proxyHost=www-proxy.sct.com -Dhttp.proxyPort=8080"
#export MAVEN_OPTS="-DproxySet=true -DsocksProxyHost=www-proxy.sct.com -DsocksProxyPort=8080"
#export http_proxy=http://www-proxy.sct.com:8080
Adding the mvn flags
-e -X
for full debug details helps also
Then ran this test application build
mkdir test
cd test
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar -e -X
it built without issue
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.251 s
[INFO] Finished at: 2014-11-18T16:03:52-05:00
[INFO] Final Memory: 8M/29M
[INFO] ------------------------------------------------------------------------
then the command for JDBC built without issue
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
Should say
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.964 s
[INFO] Finished at: 2014-11-18T16:09:28-05:00
[INFO] Final Memory: 6M/29M
[INFO] -----------------------------------------------------------------------
===============
Maven - Error 2
===============
Running cas.war file build with command
mvn clean package
results in
[ERROR] Failed to execute goal on project cas-server-webapp: Could not resolve dependencies for project org.jasig.cas:cas-server-webapp:war:3.4.12: Could not find artifact com.oracle:ojdbc6:jar:11.2.0. in jasig-repository (http://developer.ja-sig.org/maven2) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Fix2
----
in STEP 2 - Edit pom.xml file located in the directory:
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/pom.xml
and make sure it has this info
<!-- Oracle JDBC Driver -->
<dependency>
    <groupId>com.oracle</groupId>
    <artifactId>ojdbc6</artifactId>
    <version>11.2.0</version>
</dependency>
for example the above error was caused when this line had extra "."
<version>11.2.0.</version>
Also make sure the ojdbc6.jar file loaded correctly in STEP 3
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
===============
Maven - Error 3
===============
Running cas.war file build with command
mvn clean package
results in
[ERROR] Failed to execute goal org.codehaus.mojo:aspectj-maven-plugin:1.3.1:compile (default) on project cas-server-webapp:
Compiler errors:
[ERROR] error at (no source information available)
[ERROR] /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/java/org/jasig/cas/web/flow/GatewayServicesManagementCheck.java:0::0 Internal compiler error
[ERROR] org.aspectj.apache.bcel.classfile.ClassFormatException: File: 'java/lang/reflect/AnnotatedElement.class': Invalid byte tag in constant pool: 15
[ERROR] at org.aspectj.apache.bcel.classfile.ClassParser.readConstantPool(ClassParser.java:192)
...
Fix3
----
JDK 1.8.0.25 was being used with Maven and CAS and that resulted in the above
error.
Installed JDK 1.6.0.45 and reran the install command
mvn clean package
and it installed without issues.
================
Tomcat - Error 4
================
Tomcat 8 can not use Java 1.6.0.45
So if you run Tomcat 8 with Java 1.8.0.25 and deploy cas.war and try to start
cas.war
you get the error in /root/cas.log
2014-11-24 15:57:31,236 ERROR [org.jasig.cas.web.init.SafeContextLoaderListener] - SafeContextLoaderListener:
The Spring ContextLoaderListener we wrap threw on contextInitialized.
But for our having caught this error, the web application context would not have initialized.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.http.HttpConfigurationBuilder] while setting bean property 'filterChainMap'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#10': Initialization of bean failed; nested exception is org.aspectj.apache.bcel.classfile.ClassFormatException: File: 'java.lang.CharSequence': Invalid byte tag in constant pool: 15
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
Fix4
----
Install Tomcat 7 with Java 1.6.0.45
================
Tomcat - Error 5
================
Deploying cas.war got error
INFO: Deploying web application archive
/aux/tomcat/apache-tomcat-7.0.57/webapps/cas.war
2014-11-24 16:34:54,134 ERROR [org.springframework.web.context.ContextLoader] -
<Context initialization failed>
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cleanerLock': Injection of persistence dependencies failed; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [javax.persistence.EntityManagerFactory] is defined: expected single bean but found 0
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProc
Fix5
----
Step 6 of the install is to edit ticketRegistry.xml but only if using JPA-based
session
Don't do this step if using in-memory data store
So removed step and rebuilt cas.war using maven command
=============
CAS - Error 6
=============
Attempting to login to CAS resulted in
- http://malaln57.sct.com:8080/cas/login (casadmin / u_pick_it )
CAS is Unavailable
There was an error trying to complete your request. Please notify your
support desk or try again.
The cas.log on the tomcat server had these details
=============================================================
WHO: [username: casadmin]
WHAT: LDAP_HOST:389; nested exception is javax.naming.CommunicationException:
LDAP_HOST:389 [Root exception is java.net.UnknownHostException: LDAP_HOST]
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Mon Nov 24 17:04:07 EST 2014
CLIENT IP ADDRESS: 149.24.52.55
SERVER IP ADDRESS: 149.24.40.63
=============================================================
Fix6
----
In Step 5 when you edit
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
in number 8 you need to make sure this line was updated with your LDAP_HOST
Change line
LDAP_HOST
<value>ldap://LDAP_HOST:389</value>
to
<value>ldap://malaln57.sct.com:389</value>
Now save changes and rebuild cas.war using mvn command and redeploy cas.war on
tomcat and retest.
=============
CAS - Error 7
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
results in error
http://malaln34.sct.com:9908/ssomanager/c/SSB?ticket=ST-7-Fe6ZXvzYQ0OxcqOaQbOV-malaln57
Error 500--Internal Server Error
java.lang.RuntimeException: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from malaln57 - 149.24.40.63 was not trusted causing SSL handshake failure.
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
....
Fix7
----
Install the CAS server certificate (MALALN57) into the WebLogic server
(MALALN34)
Copy the certificate from CAS Server (MALALN57) to the WebLogic server
(MALALN34)
cd C:\TEMP
dir
12/01/2014 10:03 AM 585 malaln57.der.cer
cd C:\Program Files\Java\jdk1.7.0_71\jre
keytool -import -alias malaln57_cas -file C:\temp\malaln57.der.cer -keystore ..\jre\lib\security\cacerts -storepass changeit -noprompt
Certificate was added to keystore
Restart WebLogic Managed Server "SSO_Manager"
Retest the above link
=============
CAS - Error 8
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
Oracle forms begin to open and you get this error
Forms
com.sun.xml.internal.ws.wsdl.parser.InaccessibleWSDLException: 2 counts of InaccessibleWSDLException.
java.io.IOException: Server returned HTTP response code: 500 for URL: http://malaln34.sct.com:9908/ssomanager/ws/credential-service.wsdl
java.io.IOException: Se
The SSO_Manager weblogic log file shows
2014-12-01 11:58:11,897 INFO
[com.ellucian.sso.handler.impl.InbHandler.<handle>] - Sending Redirect to
Internet Native Banner
- http://malaln24.sct.com:8888/forms/frmservlet?config=malaln32_ban9_seam&otherParams=IAMTICKET=09F37D491774167DB16E9AB96D119D26
2014-12-01 11:58:21,895 ERROR
[com.ellucian.sso.inb.ws.security.AuthenticationFilter.<doFilter>]
- No Configuration was registered that can handle the configuration named
myrealm
java.lang.IllegalArgumentException: No Configuration was registered that can
handle the configuration named myrealm
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at javax.security.auth.login.LoginContext.init(LoginContext.java:259)
Fix 8
-----
Review the BEIS install Guide
- beis80200in.pdf
For example make sure the managed server SSO_Manager has the correct "Server
Start"parameters of
Arguments
-Djava.security.auth.login.config=D:\Oracle\Middleware\user_projects\domains\base_domain\config\security\jaas.config
Also make sure the file exists
D:\Oracle\Middleware\user_projects\domains\base_domain\config\security\jaas.config
with correct content of
myrealm {
    weblogic.security.auth.login.UsernamePasswordLoginModule REQUIRED;
};
=============
CAS - Error 9
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
Oracle forms begin to open and you get this error at the bottom of the GUAGMNU
menu form
FRM-40735: LEAVE_INITI trigger raised unhandled exception ORA-20104
Fix 9
-----
See
- FAQ 1-1DF524J - GUAINIT error when logging into Banner FRM-40735 LEAVE_INIT_TRIGGER raised unhandled exception ORA-20104
In GSASECR assign form
GSQTOFU - BAN_DEFAULT_M
==============
CAS - Error 10
==============
When you "Sign Out" of Banner 9 application it does not redirect to the proper
defined logout URL portal.
Instead it stays on the default CAS logout page.
Central Authentication Service (CAS)
Logout successful
You have successfully logged out of the Central Authentication Service.
For security reasons, exit your web browser.
Fix 10
------
Part 1
Change the logout URL in the Banner 9 application .groovy file
from
afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?url=http://malaln31.sct.com/index.html'
to
afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?service=http://malaln31.sct.com/index.html'
Notice "?url" changed to "?service"
Rebuild and redeploy the WAR file.
Part2 edit the file
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas-server-webapp-3.4.12/WEB-INF/cas-servlet.xml
Locate this
<bean id="logoutController" class="org.jasig.cas.web.LogoutController"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:logoutView="casLogoutView"
      p:warnCookieGenerator-ref="warnCookieGenerator"
      p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
/>
Change to
<bean id="logoutController" class="org.jasig.cas.web.LogoutController"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:logoutView="casLogoutView"
      p:warnCookieGenerator-ref="warnCookieGenerator"
      p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
      p:followServiceRedirects="true"
/>
This requires a rebuild and redeployment of cas.war
==============
CAS - Error 11
==============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
results in no errors, but you are then prompted to login to SSB again with an
ID/PIN, which is not correct.
Fix 11
------
When deploying BEIS sso-manager.ear make sure that the CAS server hostname
(malaln57.sct.com) is specified with its fully qualified domain name throughout
instead of as the hostname alone (malaln57).
This addresses the cookie issue preventing the proper SSB login.
For example this part of BEIS sso-manager.ear build needed the ".sct.com" added
to it
Click Next
CAS Server Protocol
[x] https
CAS Server Host = malaln57.sct.com
CAS Server Port = 8443
CAS Server Context = cas
Click Next
Save Deployables to Location =
D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
Click Next
Click Install
==============
CAS - Error 12
==============
Attempting to access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Results in browser error - HTTP Status 404
If you access the NON-SSL cas login page
- http://malaln57.sct.com:8080/cas/login
it displays fine
Fix 12
------
CAS with INB/SSB SSO requires SSL implementation.
Confirm SSL has been implemented correctly in Tomcat for example edit
- $CATALINA_HOME/conf/server.xml
to look like this
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" />
which enables the full set of SSL protocols needed for CAS.
Also make sure that when creating the SSL certificate for tomcat you used the
server name here
What is your first and last name?
[Unknown]: malaln57
==============
CAS - Error 13
==============
After restarting the CAS server on tomcat the CAS server management page no
longer displays the services you added.
For example
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
You no longer see the service for
"sso manager cas client"
Fix 13
------
This is the result of implementing CAS with "in-memory data store" instead of
"JPA-based session Persistence"
You can manually rebuild the missing service again and it will continue to work
until the CAS server is restarted again
or you can implement CAS Persistence as outlined in the documentation
- CAS Single Sign On Handbook.pdf (Starting on Page 22 see notes for steps
with JPA-based session)
Once you implement CAS with "JPA-based session Persistence" the data is then
stored in Oracle tables on the database
typically in the SSOMGR schema instead of in runtime memory.
The CAS tables are typically these objects listed below.
select object_name,created from dba_objects
where owner='SSOMGR' and object_type='TABLE'
order by CREATED;
CAS tables created under SSOMGR schema are typically
- TICKETGRANTINGTICKET
- RS_ATTRIBUTES
- REGISTEREDSERVICEIMPL
- LOCKS
- SERVICETICKET
Note the other tables listed were created as part of the SSOManager install for
example
SSOManager tables created under SSOMGR schema are typically
- APP_CONFIG
- UDC_CREDENTIAL_SERVICES
- UDC_TICKET_SERVICES
- UDC_CREDENTIAL_INFO
==============
CAS - Error 14
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentOverall (testinb8/u_pick_it)
with valid CAS credentials results in the Banner 9 Login screen displaying the
the error
invalid username/password; logon denied
And in the WebLogic Application Server log it shows
<Dec 2, 2014 5:20:26 PM EST> <Error> <HTTP> <BEA-101020> <[ServletContext@104570679[app:StudentOverall module:StudentOverall.war path:/StudentOverall spec-version:2.5]] Servlet failed with Exception
java.lang.RuntimeException: javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from malaln57.sct.com - 149.24.40.63 failed hostname verification check.
Certificate contained malaln57 but check expected malaln57.sct.com
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:106)
Truncated. see log file for complete stacktrace
Caused By: javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from malaln57.sct.com - 149.24.40.63 failed hostname verification check.
Certificate contained malaln57 but check expected malaln57.sct.com
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
Truncated. see log file for complete stacktrace
>
Fix 14
------
This error is the result of the CAS Server SSL certificate (malaln57) imported
into the WebLogic server (malaln34) keystore.
The CAS Server SSL certificate was built without the fully qualified domain, for
example malaln57 instead of malaln57.sct.com.
Ideally you would want to create and import a fully qualified domain
certificate to avoid this error,
but in WebLogic you can skip the hostname verification check by following these
steps below
In the WebLogic Server Administration Console:
- http://malaln34.sct.com:7001/console
If you have not already done so, in the Change Center of the Administration
Console, click Lock & Edit
In the left pane of the Console, expand Environment and select Servers
Click the name of the server for which you want to disable host name
verification. "Banner9"
Select Configuration > SSL , and click Advanced at the bottom of the page.
Set the Hostname Verification field to "None". (The default is "BEA Hostname
Verifier".)
Save and Activate change and Restart Banner9 server.
Now retest the URL
==============
CAS - Error 15
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog (testinb8/u_pick_it)
with valid CAS credentials results in CAS error
Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to use CAS.
Fix 15
------
Make sure this Application URL is defined correctly to CAS Server.
The fully qualified domains also have to match.
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = XEStudentCourseCatalog
Service URL = http://malaln34.sct.com:8081/StudentCourseCatalog/**
Description = StudentCourseCatalog
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [
] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
==============
CAS - Error 16
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog (testinb8/u_pick_it)
with valid CAS credentials results in CAS error
Servlet failed with Exception
java.lang.RuntimeException: javax.net.ssl.SSLKeyException:
[Security:090479]Certificate chain received from malaln57.sct.com -
149.24.40.63 failed date validity checks.
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
Fix 16
------
Confirm the CAS server and Banner 9 server have system clocks that are in sync.
Also confirm the certificate used to implement CAS SSL has not expired.
If it has expired you will need to recreate it with a valid date range and
confirm tomcat is using it
and also confirm the JDK running Banner 9 application is using the new
certificate.
See "Fix 7" above for added details
==============
CAS - Error 17
==============
Logging into CAS Services Management console
- https://malaln57.sct.com:8443/cas/services/manage.html
(casadmin/u_pick_it)
with valid CAS credentials results in CAS error
(CAS)
CAS is Unavailable
There was an error trying to complete your request. Please notify your
support desk or try again.
Checking the catalina.log shows these error details
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Fix 17
------
In this CAS implementation 3 main settings needed to be updated due to a change
in the SSL certificate to a fully qualified domain .sct.com
a.
Update the CAS Services URL
sqlplus system/manager
update ssomgr.REGISTEREDSERVICEIMPL
   set SERVICEID='https://malaln57.sct.com:8443/cas/services/**'
 where SERVICEID='https://malaln57:8443/cas/services/**';
commit;
b.
su - tomcat
Update the file
/aux/tomcat/apache-tomcat-7.0.57/webapps/cas/WEB-INF/cas.properties
Change this
server.prefix=https://malaln57:8443/cas
to
server.prefix=https://malaln57.sct.com:8443/cas
c.
su - root
cd /usr/java/jdk1.6.0_45/jre/lib/security
keytool -delete -alias malaln57_cas -keystore cacerts -storepass changeit
keytool -delete -alias malaln57_cas1 -keystore cacerts -storepass changeit
keytool -import -alias malaln57_cas -file /aux/tomcat/malaln57.crt -keystore cacerts -storepass changeit -noprompt
keytool -list -keystore cacerts -storepass changeit
Once all 3 changes were made then stop and restart tomcat
su - tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
and retest CAS Services URL and it worked without any further errors.
===================
mtytler 09-APR-2015
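Errors 14 and 16 above are both the CAS client on the WebLogic server rejecting the CAS server certificate: once for a hostname mismatch (certificate says malaln57, client expects malaln57.sct.com) and once for a failed date validity check. Fix 14 recommends a fully qualified certificate over disabling the hostname verifier, and the following script, an added example that is not part of the Ellucian document or of this thread, performs those two checks locally so a certificate can be verified before it is imported into the WebLogic or JDK cacerts keystore. It works on certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the three sample certificates and the fixed check time are constructed for the demo and are not real certificates from the page.

```python
"""Added example: reproduce the hostname-verification and date-validity checks
that the CAS client on WebLogic performs (Security:090504 and Security:090479)
over certificates in the dict form returned by ssl.SSLSocket.getpeercert().
The sample certificates and CHECK_TIME below are constructed for the demo."""
import socket
import ssl
import time

# Constructed "now" so the demo is repeatable: mid-January 2015.
CHECK_TIME = ssl.cert_time_to_seconds("Jan 15 00:00:00 2015 GMT")

# Constructed sample: the short-hostname certificate described in Fix 14
# (CN=malaln57, while the Banner 9 client expects malaln57.sct.com).
SHORTNAME_CERT = {
    "subject": ((("commonName", "malaln57"),),),
    "notBefore": "Dec  1 10:03:00 2014 GMT",
    "notAfter": "Dec  1 10:03:00 2015 GMT",
}

# Constructed sample: the fully qualified certificate Fix 14 recommends instead.
FQDN_CERT = {
    "subject": ((("commonName", "malaln57.sct.com"),),),
    "subjectAltName": (("DNS", "malaln57.sct.com"),),
    "notBefore": "Dec  1 10:03:00 2014 GMT",
    "notAfter": "Dec  1 10:03:00 2015 GMT",
}

# Constructed sample: right name, but already expired at CHECK_TIME (Error 16).
EXPIRED_CERT = {
    "subject": ((("commonName", "malaln57.sct.com"),),),
    "subjectAltName": (("DNS", "malaln57.sct.com"),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}


def cert_hostnames(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def _name_matches(pattern, host):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return pattern == host


def hostname_matches(cert, expected_host):
    """The check WebLogic's 'BEA Hostname Verifier' performs (Security:090504 on failure)."""
    host = expected_host.lower().rstrip(".")
    return any(_name_matches(name.lower().rstrip("."), host)
               for name in cert_hostnames(cert))


def date_valid(cert, at=None):
    """The check behind Security:090479 'failed date validity checks'."""
    now = at if at is not None else time.time()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def diagnose(cert, expected_host, at=None):
    """List of problem strings; an empty list means both client checks would pass."""
    problems = []
    if not hostname_matches(cert, expected_host):
        problems.append("hostname: certificate names %s but client expects %s"
                        % (", ".join(cert_hostnames(cert)), expected_host))
    if not date_valid(cert, at):
        problems.append("dates: certificate valid %s to %s"
                        % (cert["notBefore"], cert["notAfter"]))
    return problems


def fetch_peer_cert(host, port=8443, cafile=None):
    """Fetch a live server's certificate dict with the chain verified against
    cafile but the hostname check left to diagnose(). Needs network access, so
    the demo below does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def run_demo(expected_host="malaln57.sct.com"):
    """Diagnose the three constructed certs as the Banner 9 client on malaln34 would."""
    samples = (("short", SHORTNAME_CERT), ("fqdn", FQDN_CERT), ("expired", EXPIRED_CERT))
    return {name: diagnose(cert, expected_host, CHECK_TIME) for name, cert in samples}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the demo reports the short-name certificate as a hostname problem and the expired one as a date problem, while the fully qualified certificate passes both checks. For a live CAS server, `fetch_peer_cert("malaln57.sct.com", 8443, cafile="malaln57.crt")` returns the dict to feed to `diagnose()`; the chain is still verified against the given CA file, only the hostname decision is deferred to this script.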