1. Configuring the CAS single sign-on server application under Tomcat
1) Key generation:
keytool -genkey -alias mycas -keyalg RSA -keysize 2048 -keystore /mnt/disk1/keys/mycas.keystore
keytool -export -file /mnt/disk1/keys/mycas.crt -alias mycas -keystore /mnt/disk1/keys/mycas.keystore
2) Tomcat server.xml configuration for the CAS deployment (HTTPS connector on port 8443 using the keystore generated above):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/mnt/disk1/keys/mycas.keystore" keystorePass="123456" />
3) If you are not using a cluster and the Java-side CAS client connects to the CAS server directly, the server certificate must be imported into the JDK trust store (cacerts):
keytool -delete -alias mycas -keystore /usr/local/jdk/jre/lib/security/cacerts   # delete an existing certificate with this alias
keytool -import -keystore /usr/local/jdk/jre/lib/security/cacerts -file /mnt/disk1/keys/mycas.crt -alias mycas   # import the certificate
2. Nginx load balancing across multiple Tomcat instances
1) Generating the Nginx SSL certificate
cd /mnt/disk1/nginx_keys   # enter the certificate store folder
openssl genrsa -des3 -out server.key 1024   # create the server private key
openssl req -new -key server.key -out server.csr   # create a certificate signing request (CSR); answer the prompts as follows
[
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [BERKSHIRE]:BJ
Locality Name (eg, city) [NEWBURY]:BJ
Organization Name (eg, company) [My Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:cas112.test.com   (when a CAS client is used, this must be the domain name the client connects to; otherwise the client reports an error)
Email Address []:[email protected]
]
cp server.key server.key.org   # keep a copy of the passphrase-protected key
openssl rsa -in server.key.org -out server.key   # strip the passphrase so that Nginx does not prompt for it when loading the SSL key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt   # sign the CSR with the private key above to produce the self-signed certificate server.crt
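The certificate steps above, as an added example that is not part of the original post: the same key, CSR and self-signed certificate are produced non-interactively, and the two things a CAS client will check are then verified with openssl, namely that the subject CN is the hostname the client connects to and that the certificate chains to a file in the client's trust store. It assumes only that the openssl CLI is installed; the directory and hostname are parameters.

```shell
#!/bin/sh
# Added example (not the original post's code). Requires the openssl CLI.

# Generate an unencrypted RSA key, a CSR with the subject used in the post,
# and a self-signed certificate. -nodes replaces the cp/openssl-rsa
# passphrase-removal steps; -subj replaces the interactive prompts.
make_self_signed_cert() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/ST=BJ/L=BJ/O=test/OU=test/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the CN from a certificate's subject (RFC 2253 order puts CN first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when CERT validates against CAFILE for HOST, which is what a
# client with CAFILE in its trust store checks; non-zero on an untrusted
# issuer or a hostname mismatch (the "otherwise error" case in the post).
cert_ok_for_host() {
    cert="$1"; cafile="$2"; host="$3"
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Usage: generate the Nginx certificate and check it the way the client will.
if [ "${0##*/}" != "sh" ] && [ -n "$CAS_DEMO_DIR" ]; then
    make_self_signed_cert "$CAS_DEMO_DIR" cas112.test.com
    echo "CN: $(cert_cn "$CAS_DEMO_DIR/server.crt")"
    cert_ok_for_host "$CAS_DEMO_DIR/server.crt" "$CAS_DEMO_DIR/server.crt" cas112.test.com \
        && echo "trusted and hostname matches" || echo "client would reject"
fi
```

Set CAS_DEMO_DIR to a writable directory to run the usage section; the same functions can be pointed at the certificate actually deployed in Nginx and at the cacerts export the client trusts.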
2) Nginx HTTPS configuration (the upstream proxies to the Tomcat HTTPS connector from section 1):
upstream cas_server_ssl {
    #ip_hash;
    server localhost:8443;
}

server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /mnt/disk1/nginx_keys/server.crt;
    ssl_certificate_key /mnt/disk1/nginx_keys/server.key;

    location / {
        root html;
        index index.html index.htm;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://cas_server_ssl;
    }
}
3. Client configuration
As in the non-cluster setup, the client machine imports a certificate into its JDK trust store, but here it is the Nginx certificate server.crt rather than the Tomcat one, because the client now talks to Nginx:
keytool -delete -alias mycas -keystore /usr/local/jdk/jre/lib/security/cacerts   # delete the previously imported certificate
keytool -import -keystore /usr/local/jdk/jre/lib/security/cacerts -file /mnt/disk1/nginx_keys/server.crt -alias nginxca   # import the Nginx certificate
Implementing CAS single sign-on behind an Nginx cluster on Linux