Configuring the Yale CAS server/client environment and deploying SSL on the Tomcat server

Source: Internet
Author: User
Tags: server, website

How to configure the CAS server, and how to configure a CAS client

Because CAS requires HTTPS between the client and the server, Tomcat must be configured to support SSL. For SSL, a web server needs a certificate for each external interface or IP address on which it accepts secure connections. Certificates are usually obtained from a well-known Certificate Authority (CA) such as VeriSign or Thawte. If identity authentication matters less, for example when the administrator only wants the data the server sends and receives to be private and unreadable to an eavesdropper on the connection, a self-signed certificate can be used instead; this saves the time and cost of obtaining a CA-issued certificate. The self-signed certificate then serves as the credential for secure communication between the client and the server. Note that a self-signed certificate only prevents eavesdropping when every client explicitly trusts that exact certificate (the later steps add it to the JVM trust store for this reason); a client configured to accept any certificate is open to an active man-in-the-middle attacker.

This section describes how to create a server keystore named server.keystore and a client keystore named client.keystore. Each keystore holds its own key pair (a private key and its self-signed certificate); they are not two halves of one pair. These files are usually created in the <tomcat_home> directory or in the application directory.

We use keytool to create the keystore files. keytool is found in the <java_home>/bin directory.

1. Generate the server key pair

keytool -genkey -alias tomcat-server -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

keytool prompts for the distinguished name of the certificate. The answer to the first question ("What is your first and last name?") becomes the CN, and it must be the host name the clients will use in the CAS URLs (localhost in this article), otherwise the client's host name check rejects the certificate. The default validity is 90 days; add -validity <days> if you need longer. "changeit" is the well-known default password of the Java trust store; use a different one outside a test setup.

2. Export the server certificate to a certificate file:

keytool -export -alias tomcat-server -storepass changeit -file server.cer -keystore server.keystore

Because -storepass is given on the command line, keytool does not prompt for the password (changeit). It returns the following message:

Certificate stored in file <server.cer>

 

3. Use keytool to create the client key pair in a separate keystore:

keytool -genkey -alias tomcat-client -keyalg RSA -keypass changeit -storepass changeit -keystore client.keystore

4. Export the new client certificate from that keystore to a certificate file:

keytool -export -alias tomcat-client -storepass changeit -file client.cer -keystore client.keystore

As before, keytool does not prompt for the keystore password (changeit) because it is on the command line; it returns the message:

Certificate stored in file <client.cer>

5. Import the server.cer and client.cer files produced above into a trust store named cacerts. keytool creates this file in the current directory (the Tomcat root directory here) if it does not already exist. -trustcacerts tells keytool to also consult the JRE's own cacerts when building the certificate chain; since these certificates are self-signed, keytool will ask you to confirm that you trust each one:

keytool -import -trustcacerts -alias server -file server.cer -keystore cacerts -storepass changeit

keytool -import -trustcacerts -alias client -file client.cer -keystore cacerts -storepass changeit

6. Copy the cacerts file from the Tomcat root directory to <java_home>/jre/lib/security/. Be aware that this replaces the JRE's default trust store (which ships with the public CA certificates and the password changeit) with one containing only your two certificates, so any other HTTPS connection made by that JVM will afterwards fail verification. If the CAS server or client shares the JVM with other applications, import server.cer and client.cer into the existing <java_home>/jre/lib/security/cacerts instead, or point the client JVM at a separate trust store with -Djavax.net.ssl.trustStore.

Find cas.war under the target directory of the latest cas-server 3 distribution you downloaded and copy it to <tomcat_home>/webapps.
Edit server.xml under <tomcat_home>/conf and add the following connector:

<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="<tomcat_home>/server.keystore" keystorePass="changeit"/>

keystoreFile must point at the server.keystore created in step 1 (placed in the Tomcat root directory above). clientAuth="false" means Tomcat does not ask browsers for a client certificate, so client.keystore is not involved in ordinary browser logins. Since server.xml now contains the keystore password in clear text, restrict the file's permissions to the account Tomcat runs as.


7. By default CAS uses SimpleTestUsernamePasswordAuthenticationHandler, which accepts any login whose username and password are identical; that is unusable in practice. We change it to use the app_user table in MySQL's test database as the user store. First create the table in the test database:

CREATE TABLE `app_user` (
  `username` varchar(30) NOT NULL DEFAULT '',
  `password` varchar(45) NOT NULL DEFAULT '',
  PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Then add the following users:

INSERT INTO `app_user` (`username`, `password`) VALUES
  ('dianne', 'emu'),
  ('marissa', 'koala'),
  ('peter', 'opal'),
  ('scott', 'wombat');

With the handler configured below, the password column is compared verbatim with what the user typed, so this table stores passwords in clear text. For anything beyond a test setup, store a salted hash and make the handler compare hashes; the column then needs to be wider than 45 characters.
Open %catalina_home%/webapps/cas/WEB-INF/deployerConfigContext.xml in an editor and find

<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/>

Comment that line out and put the following in its place:

<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
  <property name="sql" value="select password from app_user where username = ?"/>
  <property name="dataSource" ref="dataSource"/>
</bean>

The ? is a JDBC bind parameter, so the submitted username is passed to MySQL as data and cannot alter the query. Then add a data source bean:

<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" destroy-method="close">
  <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
  <property name="url"><value>jdbc:mysql://localhost:3306/test</value></property>
  <property name="username"><value>test</value></property>
  <property name="password"><value>test</value></property>
</bean>

The MySQL account used here only needs SELECT on test.app_user; do not give CAS the database root account. Finally copy cas-server-jdbc-3.0.5-rc2.jar and mysql-connector-java-3.1.12-bin.jar to %catalina_home%/webapps/cas/WEB-INF/lib.
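What the handler configured in step 7 actually does, as an added example in Python (not code from this article or from CAS): the four users above are loaded into an in-memory SQLite table standing in for MySQL's test.app_user, the handler's query is run with the username bound as a parameter, and the clear-text comparison is shown beside a salted PBKDF2 variant that the 45-character column cannot hold. The function names and the hash storage format are assumptions made for the example; the sample users are the article's.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: the four users and clear-text passwords the article inserts into app_user.
SAMPLE_USERS = [("dianne", "emu"), ("marissa", "koala"), ("peter", "opal"), ("scott", "wombat")]

# The statement the article gives QueryDatabaseAuthenticationHandler; '?' is a bind parameter.
QUERY = "SELECT password FROM app_user WHERE username = ?"

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256, stored as scheme$iterations$salt$digest so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Constant-time check of a submitted password against a stored hash string."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(hashed=False):
    """In-memory SQLite stand-in for MySQL's test.app_user. hashed=False mirrors the article
    (clear-text column, 45 chars); hashed=True widens the column and stores salted PBKDF2 hashes."""
    db = sqlite3.connect(":memory:")
    width = 128 if hashed else 45
    db.execute("CREATE TABLE app_user (username VARCHAR(30) PRIMARY KEY, "
               "password VARCHAR(%d) NOT NULL DEFAULT '')" % width)
    rows = [(u, hash_password(p) if hashed else p) for u, p in SAMPLE_USERS]
    db.executemany("INSERT INTO app_user (username, password) VALUES (?, ?)", rows)
    return db


def authenticate_plain(db, username, password):
    """What the article's configuration effectively does: fetch the stored column for the user
    and compare it verbatim with the submitted password."""
    row = db.execute(QUERY, (username,)).fetchone()
    return row is not None and row[0] == password


def authenticate_hashed(db, username, password):
    """Same query, but the column holds a salted hash, so a dump of the table reveals no passwords."""
    row = db.execute(QUERY, (username,)).fetchone()
    if row is None:
        # Burn a hash anyway so unknown users take as long as wrong passwords (no username oracle).
        verify_password(hash_password("", b"\x00" * 16), password)
        return False
    return verify_password(row[0], password)


def sql_injection_demo(db, username="dianne' OR '1'='1"):
    """Why the '?' matters: the bound query treats the whole string as one username and finds nothing,
    while the same string pasted into the SQL text turns the WHERE clause into a tautology."""
    bound = db.execute(QUERY, (username,)).fetchone()
    concatenated = db.execute(
        "SELECT password FROM app_user WHERE username = '" + username + "'").fetchone()
    return bound, concatenated
```

Run authenticate_plain against build_db() to see the article's behaviour, and authenticate_hashed against build_db(hashed=True) for the hardened table; sql_injection_demo returns (None, a row), which is the difference between the bound parameter CAS uses and string concatenation.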

8. Run startup.bat. Once Tomcat is up, open https://localhost:8443 in a new browser window. The browser shows a security warning because the certificate is self-signed rather than issued by a CA it trusts; accept it and you should see the Tomcat welcome page, which confirms the SSL connector works. The CAS login page is then at https://localhost:8443/cas/login.

--- The configuration of the CAS server is now complete. Once the client is configured, the CAS authentication server provides single sign-on across the subsystems!

 

The client configuration is as follows:

1. Open the client application's web.xml and add the following:

<!-- CAS filter -->
<filter>
  <filter-name>CASFilter</filter-name>
  <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
    <param-value>https://localhost:8443/cas/login</param-value>
    <!-- the host here is the address of the CAS server -->
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
    <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    <!-- also on the CAS server; the filter calls it over HTTPS to check each ticket, which is why
         the server certificate must be in the client JVM's trust store -->
  </init-param>
  <init-param>
    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
    <param-value>localhost:8443</param-value>
    <!-- host:port of this client application, i.e. the address and port its Tomcat listens on;
         the filter uses it to build the service URL that CAS redirects back to -->
  </init-param>
</filter>

<filter-mapping>
  <filter-name>CASFilter</filter-name>
  <url-pattern>/secure/*</url-pattern>
  <!-- this pattern suits servlets-examples; for jsp-examples use /* -->
</filter-mapping>
 
 
2. Copy the casclient.jar downloaded from the CAS server website into the client application's WEB-INF/lib directory.
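The filter configured above performs the CAS 2.0 ticket exchange: redirect the browser to loginUrl with a service parameter, then validate the ticket CAS sends back by calling validateUrl over HTTPS and parsing the XML reply. The following Python is an added example, not code from this article or from casclient.jar, walking through that exchange with the same three parameters. The sample replies are constructed in the CAS 2.0 response format, the request paths and the certificate file name passed to https_fetcher are assumptions, and the HTTPS fetch is injected so the logic runs offline.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed replies in the CAS 2.0 response format returned by /serviceValidate and /proxyValidate.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>dianne</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


class CasConfig:
    """The three init-params of the filter: loginUrl and validateUrl (both on the CAS server)
    and serverName (host:port of this application)."""
    def __init__(self, login_url, validate_url, server_name):
        for url in (login_url, validate_url):
            if urlsplit(url).scheme != "https":          # CAS requires HTTPS; refuse anything else
                raise ValueError("CAS endpoint must use https: " + url)
        self.login_url, self.validate_url, self.server_name = login_url, validate_url, server_name


def service_url(cfg, request_path):
    """Service URL for the intercepted request: serverName + path + query, minus any ticket parameter.
    The same value must be sent at login and at validation, or CAS rejects the ticket."""
    parts = urlsplit(request_path)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.pop("ticket", None)
    return urlunsplit(("https", cfg.server_name, parts.path, urlencode(query, doseq=True), ""))


def login_redirect(cfg, request_path):
    return cfg.login_url + "?" + urlencode({"service": service_url(cfg, request_path)})


def validation_request(cfg, request_path, ticket):
    return cfg.validate_url + "?" + urlencode({"service": service_url(cfg, request_path), "ticket": ticket})


def is_service_ticket(ticket):
    # Service tickets begin with "ST-"; anything else is not something this filter should validate.
    return isinstance(ticket, str) and ticket.startswith("ST-")


def parse_validation_response(body):
    """Return the authenticated username from a CAS 2.0 validation reply, or None on failure or junk."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        return None
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        return None
    return user.text.strip()


def handle_request(cfg, request_path, ticket, fetch):
    """One pass through the filter: no (valid-looking) ticket -> redirect to login; otherwise validate
    it over HTTPS (fetch(url) returns the reply body and is injected so this runs offline) and either
    admit the user or send them back to login."""
    if not is_service_ticket(ticket):
        return ("redirect", login_redirect(cfg, request_path))
    user = parse_validation_response(fetch(validation_request(cfg, request_path, ticket)))
    if user is None:
        return ("redirect", login_redirect(cfg, request_path))
    return ("user", user)


def https_fetcher(cafile):
    """Real fetch for deployment: trust only the CAS server certificate in `cafile` (an assumed path to
    server.cer re-exported in PEM form with keytool -export -rfc), the analogue of adding it to cacerts.
    Host name checking stays on, so the certificate CN must match the host in validateUrl."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    def fetch(url):
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.read().decode("utf-8")
    return fetch
```

Pass a lambda returning SAMPLE_SUCCESS or SAMPLE_FAILURE as fetch to exercise the exchange offline; in a real deployment pass https_fetcher("server.pem") so that ticket validation fails closed when the server presents a certificate other than the one exported in step 2.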
 
 
After the CAS server and the client are both deployed, the CAS unified authentication server provides single sign-on for the application systems: the login authentication logic is stripped out of each subsystem and handed over to the CAS authentication server!

 
