Official documentation: https://apereo.github.io/cas/5.1.x/index.html
A few basic concepts
CAS Server: the SSO server side
CAS Client: the SSO client side, embedded in each sub-application
ST: Service Ticket, used for login validation
TGC: Ticket Granting Cookie, used to check whether the user is already logged in; stored in a cookie on the client side
TGT: Ticket Granting Ticket, the server-side counterpart of the TGC
Server side: installing via the overlay is recommended; the source is at https://github.com/apereo/cas-overlay-template. After downloading it, run the build script with the package target (build package) to produce the war file, then drop it into Tomcat's webapps directory.
Client side: see https://github.com/akononowicz/cas-sample-java-webapp for reference.
Service registration
Services can be registered as JSON files, as follows:
Add the following to /etc/cas/config/cas.properties:
cas.serviceRegistry.config.location=classpath:/services
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.repeatInterval=10000
cas.serviceRegistry.startDelay=5000
cas.serviceRegistry.initFromJson=true
Then add your own service definitions to the services directory on the classpath. The file name must follow the pattern [name] + "-" + [id] + ".json" (client2-2000.json for the definition below):
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "theme" : "apereo",
  "id" : 2000,
  "description" : "Client2 sample service",
  "evaluationOrder" : 1,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp"
}
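A small checker for service definitions like the one above, added here as an example (it is not code from CAS or from the original notes): it verifies the [name]-[id].json naming, that the file is strict JSON, that a BACK_CHANNEL logout has a logoutUrl, and that the serviceId regex is anchored and escapes literal dots, since an unanchored pattern or an unescaped dot admits more URLs than the author intended. It assumes CAS evaluates serviceId as a regular-expression search; the embedded client2 definition is the page's own with its trailing comma removed.

```python
# Linter for CAS JSON service-registry files (added example; not code from CAS
# or from the original notes). Assumes the <name>-<id>.json naming convention
# from the notes and that CAS evaluates serviceId as a regular-expression search.
import json
import re

REQUIRED_FIELDS = ("@class", "serviceId", "name", "id")

def lint_service(filename, text):
    """Return a list of problems for one service definition; [] means clean."""
    try:
        svc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma after the last field ends up here.
        return [f"{filename}: not valid JSON ({exc.msg}, line {exc.lineno})"]
    missing = [k for k in REQUIRED_FIELDS if k not in svc]
    if missing:
        return [f"{filename}: missing field(s) {', '.join(missing)}"]
    problems = []
    expected = f"{svc['name']}-{svc['id']}.json"
    if filename != expected:
        problems.append(f"{filename}: expected file name {expected}")
    pattern = svc["serviceId"]
    try:
        re.compile(pattern)
    except re.error as exc:
        return problems + [f"{filename}: serviceId is not a valid regex ({exc})"]
    if not pattern.startswith("^"):
        problems.append(f"{filename}: serviceId is not anchored at the start")
    # An unescaped '.' matches any character, so 172.17.20.20 in the pattern
    # also accepts look-alike hosts such as 172x17x20x20.
    if re.search(r"(?<!\\)\.(?!\*)", pattern):
        problems.append(f"{filename}: serviceId contains an unescaped '.'")
    if svc.get("logoutType") == "BACK_CHANNEL" and "logoutUrl" not in svc:
        problems.append(f"{filename}: BACK_CHANNEL logout needs a logoutUrl")
    return problems

# Constructed sample: the notes' client2 definition without its trailing comma.
CLIENT2_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "id" : 2000,
  "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp"
}"""

for problem in lint_service("client2-2000.json", CLIENT2_JSON):
    print(problem)
```

Run against the page's definition it reports only the unescaped dots; a pattern such as ^https://172\.17\.20\.20:8443/client2(/.*)?$ passes clean.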
SSL certificates
The most troublesome part is generating the SSL certificate.
1. Importing the certificate into Tomcat
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/apache-tomcat-8.5.9/conf/.keystore
Then edit Tomcat's server.xml:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="/opt/apache-tomcat-8.5.9/conf/.keystore" keystorePass="liuwei"
           sslProtocol="TLS" />
2. Importing the certificate into the JDK
Generate a PKCS#12 file:
keytool -importkeystore -srckeystore /opt/apache-tomcat-8.5.9/conf/.keystore \
    -destkeystore tomcat.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12
Generate a PEM file (note that without -nokeys this PEM also contains the private key; only the certificate is needed for the truststore, and the next step extracts just that):
openssl pkcs12 -in tomcat.p12 -out tomcat.pem
Generate a DER file:
openssl x509 -in tomcat.pem -out tomcat.der -outform DER
Import it into the JDK truststore:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file tomcat.der -alias tomcat
The errors I ran into were as follows:
1. On the cas-client side, when it needs to point at the server, the SSL certificate you generate yourself on Linux must have a domain name rather than an IP address as its first name and last name; of course the hosts file (/etc/hosts) must be changed accordingly too, otherwise the following error occurs.
2. In addition, the JDK's SSL settings must also be configured (default password changeit), otherwise the following error occurs:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)