Setting up SSL in JBoss

Set up CAS for SSO

1. Create Server Certificate for JBoss

CAS relies on a secure transport layer (SSL/TLS), so having SSL enabled on the JBoss server is critical to this application.

Firstly we will create the server certificate:

keytool -genkey -alias jboss -keyalg RSA -keystore server.keystore
or
keytool -genkey -alias devdap1 -keyalg RSA -keystore devdap1.keystore

Caution:

1: Give the keystore a password (hereinafter referred to as the keystore password). You will be prompted for another password at the end, for the key entry itself, which will be referred to as the alias password.

2: Use the full domain name of the server machine as the "first and last name" (the certificate's CN), and also as the organization unit. Don't use the IP address here, or SSL hostname verification will fail later. Also avoid "localhost", since you may need to deploy CAS on a dedicated server that applications access from a remote JVM.

3: We may have multiple machines that each need their own certificate and must be cross-certified (covered later), so a sensible way to arrange them is to name each keystore after its hostname. In the example above, for a machine whose hostname is devdap1, we name the keystore file devdap1.keystore and use devdap1 as the alias.

Next we export the server certificate for installation on the client machines. These steps can actually be skipped for a browser client, since the browser downloads the server certificate automatically.

keytool -export -file devdap1.crt -alias devdap1 -keystore devdap1.keystore

keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file devdap1.crt -alias devdap1

(On Linux: keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file devdap1.crt -alias devdap1)

2. Cross-Certification

We may have a group of servers hosting all the applications. Let's say we have a CAS server deployed on JBoss running on a box with the hostname devdap1 (full domain name devdap1.monitor110.com), and another box named "reader" hosting the reader application. When "reader" wants to access the CAS server, devdap1's certificate must be installed in the JVM that runs the reader application.

First, copy the devdap1.crt file generated in the step above to the reader machine.

Then we run the following command to install the certificate:

keytool -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file devdap1.crt -alias devdap1

(On Linux: keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file devdap1.crt -alias devdap1)

The default password of keystore cacerts is “changeit”.

You may also want to delete the alias first if an entry with that alias was installed before:

keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias devdap1

If you want to enable SSL on the "reader" machine and use proxy tickets (proxyTicket) over SSL, you also need to generate a certificate for the "reader" machine and install it on the CAS (devdap1) machine. Let's say you generate the files "reader1.keystore" and "reader1.crt" and use the alias "reader1" for this certificate when exporting, importing and installing. This way the certificates of the different machines stay clearly separated.

3. Enable SSL for JBoss

We take JBoss Application Server 4.0.3 as the example, and use $JBOSS_HOME to refer to the directory where JBoss is installed.

First, copy the server.keystore file generated in step 1 above to $JBOSS_HOME/server/default/conf.

Then modify this file: $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml. Uncomment this configuration directive:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->

      <Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false" 
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="123456" sslProtocol = "TLS" />

The keystorePass here is the keystore password from step 1 above; replace the "123456" in the snippet with your own.

Restart the JBoss server and verify the SSL installation by entering this URL in the browser: https://localhost:8443/
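The three steps above (per-host keystore, export and cross-import, and checking the 8443 connector) as non-interactive shell functions. This is an added example, not code from the original post or from JBoss/CAS. It assumes the JDK's keytool is on PATH and that openssl 1.1.0 or later is available for the final check; the host names devdap1 and reader1, the example.com domain, the password "changeit" and the per-host *.truststore files are constructed values. It goes slightly beyond the post by passing -dname and a SAN extension instead of answering keytool's prompts, and by keeping peer certificates in a dedicated truststore rather than editing the JVM's cacerts.

```sh
#!/bin/sh
# Added example, not from the original post: the keystore, export, import and
# verification steps of sections 1-3 as non-interactive shell functions.
# Assumes: JDK keytool on PATH, openssl 1.1.0+ for the final check; the host
# names (devdap1, reader1), the example.com domain, the password "changeit"
# and the per-host *.truststore files are constructed values.

# Section 1: one keystore per host, named after the host. The CN (keytool's
# "first and last name") is the full domain name, never an IP address or
# "localhost", so that hostname verification passes later; the same name goes
# into a SAN extension because modern clients check SAN before CN.
make_host_keystore() {
    host="$1"; fqdn="$2"; dir="$3"; storepass="$4"; keypass="$5"
    keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$fqdn, OU=$fqdn, O=Example, C=US" -ext "SAN=dns:$fqdn" \
        -keystore "$dir/$host.keystore" -storepass "$storepass" -keypass "$keypass"
}

# Export the host's public certificate in PEM form (-rfc) for distribution.
export_host_cert() {
    host="$1"; dir="$2"; storepass="$3"
    keytool -exportcert -alias "$host" -keystore "$dir/$host.keystore" \
        -storepass "$storepass" -rfc -file "$dir/$host.crt"
}

# Exit status 0 if the alias exists in the given keystore/truststore, 1 if not.
is_trusted() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Section 2: import a peer certificate under its own alias, deleting any
# earlier entry with that alias first (the post's "delete the alias first").
# Pass $JAVA_HOME/jre/lib/security/cacerts with "changeit" to do exactly what
# the post does; a dedicated truststore selected with
# -Djavax.net.ssl.trustStore=... leaves the JVM's bundled CA list untouched.
trust_host_cert() {
    truststore="$1"; storepass="$2"; host="$3"; certfile="$4"
    if is_trusted "$truststore" "$storepass" "$host"; then
        keytool -delete -keystore "$truststore" -storepass "$storepass" -alias "$host"
    fi
    keytool -importcert -noprompt -alias "$host" -file "$certfile" \
        -keystore "$truststore" -storepass "$storepass"
}

# Cross-certification of two hosts: each gets its own keystore and
# certificate, and each host's truststore receives the other's certificate.
cross_certify() {
    dir="$1"; storepass="$2"
    for h in devdap1 reader1; do
        make_host_keystore "$h" "$h.example.com" "$dir" "$storepass" "$storepass"
        export_host_cert "$h" "$dir" "$storepass"
    done
    trust_host_cert "$dir/devdap1.truststore" "$storepass" reader1 "$dir/reader1.crt"
    trust_host_cert "$dir/reader1.truststore" "$storepass" devdap1 "$dir/devdap1.crt"
}

# Section 3: check a live listener such as the 8443 connector. The chain must
# verify against the exported certificate and the name in the certificate must
# match the host you connected to, which is why step 1 insists on the FQDN.
verify_tls_endpoint() {
    host="$1"; port="$2"; cafile="$3"
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage:
#   cross_certify ./certs changeit
#   verify_tls_endpoint devdap1.example.com 8443 ./certs/devdap1.crt
```

Running cross_certify produces devdap1.keystore and reader1.keystore (each with its own alias, as the post recommends), the two exported certificates, and a truststore per host containing only the peer's certificate. The connector's keystoreFile then points at the host's keystore, and verify_tls_endpoint fails if the CN/SAN does not match the name you connect with, which is the error the post warns about when an IP address or "localhost" is used for the certificate name.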
