Single Sign-On CAS Usage Note (1): preparations and configuration of SSL protocol for CAS-Server, cas-serverssl

Source: Internet
Author: User
Tags install openssl openssl rsa

Single Sign-On CAS Usage Note (1): preparations and configuration of SSL protocol for CAS-Server, cas-serverssl

Knowledge point:

SSO: Single Sign-on(Single Sign On) is one of the most popular solutions for enterprise business integration. SSO is defined in multiple application systems. Users only need to log on once to access all mutually trusted application systems.

CAS:The Single Sign On system developed by Yale University is called CAS (Central Authentication Server). It is an open-source, relatively easy-to-use SSO solution.

SSL (Secure Sockets Layer) and its successor Transport Layer Security (TLS) are a Security protocol that provides Security and data integrity for network communication. TLS and SSL encrypt network connections at the transport layer.

 

Background:

Currently, the company has several independent projects related to each other. Single Sign-On (spof) is required for integration to achieve one-site login and full-site access. Select the CAS open-source project.

 

Status quo:

Because I have not done it before, I can only search, learn, and do it. There are some demands that cannot be found on the network. We can only analyze the CAS source code and adopt a compromise solution. If you find an unreasonable solution, please criticize and correct it at any time.

In addition, at the time of writing this blog post, the Single Sign-On function has basically been completed. Here we review and record the learning process.

------------------------------------------ Split ----------------------------------------------

1. Prepare the development environment

Certificate generation tool: OpenSSL

Server: Ngnix + tomcat

SSO framework: CAS

 

1.1 first create a local domain name

Demo.testcas.com is used to bind CAS-Server

App1.testcas.com and app1.testcas.com are bound to two test demos to verify login-free processing.

Creation method:

Go:C: \ WINDOWS \ system32 \ drivers \ etc

Open the hosts file.

Add as follows:

127.0.0.1 demo.testcas.com
127.0.0.1 app1.testcas.com
127.0.0.1 app2.testcas.com

 

1.2 generate a security certificate

Cas server's default security authentication is based on the https protocol, which requires configuring the SSL protocol on the application and CAS Server.

Generally, certificates generated for self-use on the network that are not trusted by the browser are directly produced through the JDK built-in application keytool, but because we use Ngnix as the proxy server,

Ngnix is not compatible with the certificates generated by keytool to deploy HTTPS websites. Therefore, OpenSSL must be used to generate certificates.

 

1. Install OpenSSL

2. Go to the OpenSSL installation directory. My installation path is D: \ developesoft \ openssl.

3. Enter the bin directory in command mode

D: \ developesoft \ openssl \ bin

4. Generate the CA private key:

Input: openssl genrsa-des3-out ca. key 2048

If the red-line Warning is reported, copy ssl/openssl. cnf in the installation directory to the specified directory c:/openssl/ssl/openssl. cnf and run the command again.

 

5. ca. crt CA root certificate (Public Key ):

Openssl req-new-x509-days 7305-key ca. key-out ca. crt

 

 

6. Generate a certificate for the website and use the CA signature for authentication.

My testing website domain name is demo.testcas.com

Generate the private key of the demo.testcas.com certificate:

Openssl genrsa-des3-out demo.testcas.com. pem 1024

 

Make the decrypted demo.testcas.com certificate private key:

Openssl rsa-in demo.testcas.com. pem-outDemo.testcas.com. Key

 

Generate a signature request:

Openssl req-new-key demo.testcas.com. pem-out demo.testcas.com. csr

Common NameEnter the website domain name.

 

Use CA for signature:

Openssl ca-policy policy_anything-days 1460-cert ca. crt-keyfile ca. key-inDemo.testcas.com. Csr-outDemo.testcas.com. Crt

 

The generated certificate and private key are displayed in the bin directory of the OpenSSL installation directory.

Demo.testcas.com. crt

Demo.testcas.com. key

 

1.3 configure https for nginx

1. Download and install nginx. double-click nginx.exe and enter 127.0.0.1 in the address bar of the browser to check whether the installation is successful.

2. Open conf/nginx. conf

Find the # HTTPS server and configure it as follows:

  # HTTPS server    #    server {        listen       443 ssl;        server_name  demo.testcas.com;        ssl_certificate      demo.testcas.com.crt;        ssl_certificate_key  demo.test.cas.com.key;        ssl_session_cache    shared:SSL:1m;        ssl_session_timeout  5m;        ssl_ciphers  HIGH:!aNULL:!MD5;        ssl_prefer_server_ciphers  on;        location / {            #root   html;            #index  index.html index.htm;proxy_set_header        Host $host;            proxy_set_header        X-Real-IP $remote_addr;proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;proxy_pass http://demo;        }    }

 

The red text is the path of the certificate generated just now. You can copy the certificate directly to the nginx installation directory.

In addition, when a user inputs an http request, the request is directly redirected to an https request.

server {        listen       80;        server_name  demo.testcas.com;rewrite ^(.*)$  https://$host$1 permanent;        #charset koi8-r;        #access_log  logs/host.access.log  main;        location / {            #root   html;            #index  index.html index.htm;proxy_pass http://demo;        }    }

 

The full configuration text is as follows:

# User nobody; worker_processes 1; # error_log logs/error. log; # error_log logs/error. log notice; # error_log logs/error. log info; # pid logs/nginx. pid; events {worker_connections 1024;} http {include mime. types; default_type application/octet-stream; # log_format main '$ remote_addr-$ remote_user [$ time_local] "$ request"' # '$ status $ body_bytes_sent "$ http_referer"' # '"$ http_user_agent" "$ http_x_forwarded _ For "'; # access_log logs/access. log main; sendfile on; # tcp_nopush on; # keepalive_timeout 0; keepalive_timeout 65; # gzip on; upstream demo {server 127.0.0.1: 8781;} upstream app1 {server 127.0.0.1: 8380 ;} upstream app2 {server 127.0.0.1: 8680;} upstream myapp {server 127.0.0.1: 8084;} server {listen 80; server_name demo.testcas.com; rewrite ^ (. *) $ https: // $ host $1 permanent; # charset koi8-r; # acces S_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // demo ;}} server {listen 80; server_name app1.testcas.com; # charset koi8-r; # access_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // app1 ;}} server {listen 80; server_name app2.testcas.com; # charset koi8-r; # access_log logs/host. access. log Main; location/{# root html; # index index.html index.htm; proxy_pass http: // app2 ;}} server {listen 80; server_name myapp.testcas.com; # charset koi8-r; # access_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // myapp ;}# another virtual host using mix of IP-, name -, and port-based configuration # server {# listen 8000; # listen somename: 80 80; # server_name somename alias another. alias; # location/{# root html; # index index.html index.htm; #}#}# HTTPS server # server {listen 443 ssl; server_name demo.testcas.com; ssl_certificate mycas. crt; ssl_certificate_key mycas. key; ssl_session_cache shared: SSL: 1 m; ssl_session_timeout 5 m; ssl_ciphers HIGH :! ANULL :! MD5; login on; location/{# root html; # index index.html index.htm; proxy_set_header Host $ host; proxy_set_header X-Real-IP $ remote_addr; proxy_set_header X-Forwarded-For $ login; proxy_pass http: // demo ;}}}View Code

 

 

3. Restart nginx and enter demo.testcas.com in the browser.

 

Indicates that the certificate is successfully installed.

 

Single Sign-On CAS series:

  • Single Sign-On CAS Usage Note (1): preparations and configuration of SSL protocol for CAS-Server
  • Single Sign-On CAS Usage Note (2): deploy CAS servers and clients
  • Single Sign-On CAS Usage Note (3): Implement custom authentication for User Login
  • Single Sign-On CAS Usage Note (4): Add a verification code to the logon page
  • Single Sign-On CAS Usage Note (5): cas-client does not intercept static resources and does not require logon requests.
  • CAS usage notes for Single Sign-On (6): single sign-off and single sign-off
  • CAS usage for Single Sign-On (7): Analysis on server timeout and client timeout
  • Single Sign-On CAS Usage Note (8): Using maven overlay to implement non-intrusive CAS Transformation

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.