Single Sign-On CAS Usage Note (1): preparations and configuration of SSL protocol for CAS-Server, cas-serverssl
Knowledge point:
SSO: Single Sign-on(Single Sign On) is one of the most popular solutions for enterprise business integration. SSO is defined in multiple application systems. Users only need to log on once to access all mutually trusted application systems.
CAS:The Single Sign On system developed by Yale University is called CAS (Central Authentication Server). It is an open-source, relatively easy-to-use SSO solution.
SSL (Secure Sockets Layer) and its successor Transport Layer Security (TLS) are a Security protocol that provides Security and data integrity for network communication. TLS and SSL encrypt network connections at the transport layer.
Background:
Currently, the company has several independent projects related to each other. Single Sign-On (spof) is required for integration to achieve one-site login and full-site access. Select the CAS open-source project.
Status quo:
Because I have not done it before, I can only search, learn, and do it. There are some demands that cannot be found on the network. We can only analyze the CAS source code and adopt a compromise solution. If you find an unreasonable solution, please criticize and correct it at any time.
In addition, at the time of writing this blog post, the Single Sign-On function has basically been completed. Here we review and record the learning process.
------------------------------------------ Split ----------------------------------------------
1. Prepare the development environment
Certificate generation tool: OpenSSL
Server: Ngnix + tomcat
SSO framework: CAS
1.1 first create a local domain name
Demo.testcas.com is used to bind CAS-Server
App1.testcas.com and app1.testcas.com are bound to two test demos to verify login-free processing.
Creation method:
Go:C: \ WINDOWS \ system32 \ drivers \ etc
Open the hosts file.
Add as follows:
127.0.0.1 demo.testcas.com
127.0.0.1 app1.testcas.com
127.0.0.1 app2.testcas.com
1.2 generate a security certificate
Cas server's default security authentication is based on the https protocol, which requires configuring the SSL protocol on the application and CAS Server.
Generally, certificates generated for self-use on the network that are not trusted by the browser are directly produced through the JDK built-in application keytool, but because we use Ngnix as the proxy server,
Ngnix is not compatible with the certificates generated by keytool to deploy HTTPS websites. Therefore, OpenSSL must be used to generate certificates.
1. Install OpenSSL
2. Go to the OpenSSL installation directory. My installation path is D: \ developesoft \ openssl.
3. Enter the bin directory in command mode
D: \ developesoft \ openssl \ bin
4. Generate the CA private key:
Input: openssl genrsa-des3-out ca. key 2048
If the red-line Warning is reported, copy ssl/openssl. cnf in the installation directory to the specified directory c:/openssl/ssl/openssl. cnf and run the command again.
5. ca. crt CA root certificate (Public Key ):
Openssl req-new-x509-days 7305-key ca. key-out ca. crt
6. Generate a certificate for the website and use the CA signature for authentication.
My testing website domain name is demo.testcas.com
Generate the private key of the demo.testcas.com certificate:
Openssl genrsa-des3-out demo.testcas.com. pem 1024
Make the decrypted demo.testcas.com certificate private key:
Openssl rsa-in demo.testcas.com. pem-outDemo.testcas.com. Key
Generate a signature request:
Openssl req-new-key demo.testcas.com. pem-out demo.testcas.com. csr
Common NameEnter the website domain name.
Use CA for signature:
Openssl ca-policy policy_anything-days 1460-cert ca. crt-keyfile ca. key-inDemo.testcas.com. Csr-outDemo.testcas.com. Crt
The generated certificate and private key are displayed in the bin directory of the OpenSSL installation directory.
Demo.testcas.com. crt
Demo.testcas.com. key
1.3 configure https for nginx
1. Download and install nginx. double-click nginx.exe and enter 127.0.0.1 in the address bar of the browser to check whether the installation is successful.
2. Open conf/nginx. conf
Find the # HTTPS server and configure it as follows:
# HTTPS server # server { listen 443 ssl; server_name demo.testcas.com; ssl_certificate demo.testcas.com.crt; ssl_certificate_key demo.test.cas.com.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { #root html; #index index.html index.htm;proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_pass http://demo; } }
The red text is the path of the certificate generated just now. You can copy the certificate directly to the nginx installation directory.
In addition, when a user inputs an http request, the request is directly redirected to an https request.
server { listen 80; server_name demo.testcas.com;rewrite ^(.*)$ https://$host$1 permanent; #charset koi8-r; #access_log logs/host.access.log main; location / { #root html; #index index.html index.htm;proxy_pass http://demo; } }
The full configuration text is as follows:
# User nobody; worker_processes 1; # error_log logs/error. log; # error_log logs/error. log notice; # error_log logs/error. log info; # pid logs/nginx. pid; events {worker_connections 1024;} http {include mime. types; default_type application/octet-stream; # log_format main '$ remote_addr-$ remote_user [$ time_local] "$ request"' # '$ status $ body_bytes_sent "$ http_referer"' # '"$ http_user_agent" "$ http_x_forwarded _ For "'; # access_log logs/access. log main; sendfile on; # tcp_nopush on; # keepalive_timeout 0; keepalive_timeout 65; # gzip on; upstream demo {server 127.0.0.1: 8781;} upstream app1 {server 127.0.0.1: 8380 ;} upstream app2 {server 127.0.0.1: 8680;} upstream myapp {server 127.0.0.1: 8084;} server {listen 80; server_name demo.testcas.com; rewrite ^ (. *) $ https: // $ host $1 permanent; # charset koi8-r; # acces S_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // demo ;}} server {listen 80; server_name app1.testcas.com; # charset koi8-r; # access_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // app1 ;}} server {listen 80; server_name app2.testcas.com; # charset koi8-r; # access_log logs/host. access. log Main; location/{# root html; # index index.html index.htm; proxy_pass http: // app2 ;}} server {listen 80; server_name myapp.testcas.com; # charset koi8-r; # access_log logs/host. access. log main; location/{# root html; # index index.html index.htm; proxy_pass http: // myapp ;}# another virtual host using mix of IP-, name -, and port-based configuration # server {# listen 8000; # listen somename: 80 80; # server_name somename alias another. alias; # location/{# root html; # index index.html index.htm; #}#}# HTTPS server # server {listen 443 ssl; server_name demo.testcas.com; ssl_certificate mycas. crt; ssl_certificate_key mycas. key; ssl_session_cache shared: SSL: 1 m; ssl_session_timeout 5 m; ssl_ciphers HIGH :! ANULL :! MD5; login on; location/{# root html; # index index.html index.htm; proxy_set_header Host $ host; proxy_set_header X-Real-IP $ remote_addr; proxy_set_header X-Forwarded-For $ login; proxy_pass http: // demo ;}}}View Code
3. Restart nginx and enter demo.testcas.com in the browser.
Indicates that the certificate is successfully installed.
Single Sign-On CAS series:
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
