Ubuntu Server Setup for CAS Authentication

While out and about working, I get exposed to all kinds of different technologies that people are using. One such application is an authentication platform called “CAS”. This is a Java-based platform that is built around different providers. You can configure it for your needs, everything from simple user names and passwords stored within a configuration file, to LDAP user validation, certificates and SAML. As with these types of technologies, to understand how it really works you need to set up an environment to play with. I wanted to spin a server up, see if I could get this to work, and then step through what it would take to get it working as the authentication mechanism for a SharePoint solution. First, let’s build a server.

For this I spun up a new Virtual Machine in my Azure subscription, and used the “Ubuntu Server” template.

I configured the details that were needed, then made sure I had downloaded “Putty” and “WinSCP”, two tools that make life a lot easier. As part of the configuration I chose not to use a “Certificate” for authentication but supplied a password instead.

Putty – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

WinSCP – http://winscp.net/eng/download.php

Once the “Virtual Machine” is booted up, you need to connect over SSH using “Putty”. To do this, launch “Putty”.

Go into your “Azure Management” console, get the cloud service address that you assigned during creation and populate the connection details as needed. This information is found on the “Dashboard” page for the “Virtual Machine”.

With these details entered you can now connect using “Putty”, authenticate and start the configuration process.

Once logged in there are a few steps that need to be done. First, run an update of the package lists. This is done by using the following command.

sudo apt-get update

This will run and should complete successfully. Then we need to run any upgrades that need doing.

sudo apt-get upgrade

If there are items that need to be upgraded it will prompt for a “Yes” or a “No”.

Once this is done, perform a clean reboot by simply typing “sudo reboot”.

Once it is back up we can start configuring the other components we need. We need to install “Java” and then the “Tomcat” components. To install “Java” we need to run the following commands.

Once it has completed we need to check the version so we can then install “Tomcat”. “java -version” is the command and should return the version you have installed.

Now we are ready to install “Tomcat”. We need to run a “wget” command to get the latest file.

sudo wget http://apache.cs.utah.edu/tomcat/tomcat-8/v8.0.15/bin/apache-tomcat-8.0.15.tar.gz

Now we need to extract this into a new location. For my “Virtual Machine” I used the following command.

sudo tar -zxvf apache-tomcat-8.0.15.tar.gz -C /var/local

This will extract the downloaded files into the “/var/local/” folder, creating a new folder called “apache-tomcat-8.0.15”.

Next we need to navigate to the location just created using the following command.

From here we can run the following to “Start” and “Stop” the web server, first by going into the “bin” folder and then running the “startup.sh” script, or the “shutdown.sh” script to stop it.

If it starts correctly it should display the following.

So now let’s check what ports are open, both in “Windows Azure” and on the “Ubuntu Server”.

Windows Azure

The needed ports for testing are not open, so I had to create the following endpoints.

Ubuntu

The easiest way of checking this is to use “Nmap”. This may not be installed, so you will need to run “sudo apt-get install nmap” first. Then you can run the following command.

nmap -v localhost

If it is configured as expected you should see the following ports listed.

If all has gone well you should then be able to browse from your machine to “http://{azure-host-name}:8080” and it should load the “Tomcat” default page.

Next we want to make sure that we run this over “SSL”. I already have the ability to generate certificates within my “GoDaddy” account, so I decided to simply re-key an existing one for this server. For this I used the following commands.

Create a “Keystore” for the Certificate

sudo keytool -keysize 4096 -genkey -alias tomcat -keyalg RSA -keystore cat.keystore

Generate the “certificate request (CSR)”, the one you are going to use with a certificate authority

sudo keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr -keystore cat.keystore

Now we can open the “CSR” file, copy out the text, paste it into our “Certificate Authority” and wait for the signed certificate to be returned. Once it is done, launch “WinSCP” and enter the server details (it may even import them from “Putty” as part of the setup), then connect to the server. Once connected, simply find the zip file that contains your certificates, drag it over to the server and let it upload. I copy it to the “/home/{user}” folder.

Once it is copied, we then need to move the zip file to the right location and unzip it.

Move the file

sudo mv 9pkr2u3letusnwhbyiouwvbpyhlub5i6.zip /var/local/apache-tomcat-8.0.15/

Unzip the file

Navigate to the location you just copied it to: “cd /var/local/apache-tomcat-8.0.15/”

sudo unzip 9pkr2u3letusnwhbyiouwvbpyhlub5i6.zip

This should create a folder that contains the “CRT” files. Now we need to run the commands to add the certificates to the “keystore” we created earlier: the root first, then the intermediate, then the server certificate itself. The last import must use the same “tomcat” alias that the key pair was generated under, so that keytool attaches the signed certificate to the existing private key rather than storing it as a separate trusted entry.

Add Root Certificate

sudo keytool -import -alias root -keystore cat.keystore -trustcacerts -file gd_bundle-g2-g1.crt

Add Intermediate Certificate

sudo keytool -import -alias intermed -keystore cat.keystore -trustcacerts -file gdig2.crt

Add the Server Certificate

sudo keytool -import -alias tomcat -keystore cat.keystore -trustcacerts -file 27b21acc4acc38.crt

Now to make the magic happen and set the site to run over “SSL”. We need to navigate to the “conf” directory of the “tomcat” server.

cd /var/local/apache-tomcat-8.0.15/conf

We then need to edit the “server.xml” file and configure the section for port “8443”.

sudo nano server.xml

This section first needs to be uncommented then modified as below.

Of course, if your path is different then use that, and use your own password, the one you chose when the “keystore” was created. Once done we can “stop” and “start” Tomcat and then test our site using “https://{azure-host-name}:8443” instead. It should load, possibly with a certificate warning, depending on which name you assigned in the certificate. I have a DNS entry pointed to my Azure host and made sure the certificate was issued for that name, so I don’t see the SSL error.
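Since the screenshot of the edited section did not survive, here is an added example of the port 8443 connector for Tomcat 8.0.x, written for this post and not taken from it or from the Tomcat project. It is the stock commented-out HTTPS Connector from conf/server.xml with the keystore attributes added. The keystore path assumes cat.keystore was moved into the Tomcat folder, and KEYSTORE_PASSWORD is a placeholder for the password chosen when the keystore was created; both are assumptions. The sslEnabledProtocols attribute goes one step beyond the post by pinning the connector to TLS 1.2.

```xml
<!-- Added example, not from the original post: HTTPS connector for conf/server.xml
     on Tomcat 8.0.x. Uncomment the stock 8443 Connector and replace it with this. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/var/local/apache-tomcat-8.0.15/cat.keystore"
           keystorePass="KEYSTORE_PASSWORD"
           keyAlias="tomcat" />
<!-- keystoreFile: assumed location of the keystore created with keytool above.
     keystorePass: placeholder; use the password you gave keytool when generating the key.
     keyAlias: must match the alias used for -genkey and for the final -import. -->
```

Two things worth checking once this is in place: the keystore password sits in clear text in server.xml, so both server.xml and cat.keystore should be readable only by the account that runs Tomcat (for example chmod 600 on the keystore), and keyAlias must match the “tomcat” alias used in the keytool commands, otherwise Tomcat will fail to find a private key at startup.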

So we have built the server, deployed “Java” and “Tomcat” and made it work over “SSL”; now let’s get “CAS” installed.

First we are going to create a core folder to store the “CAS” component, then navigate into the folder and download the latest version into the folder.

sudo mkdir /opt/cas

cd /opt/cas

sudo wget http://downloads.jasig.org/cas/cas-server-4.0.0-release.zip

Now that we have the application file downloaded, we need to unzip it, then go into that directory and move some components around for it to work with the “tomcat” web server.

sudo unzip cas-server-4.0.0-release.zip

cd cas-server-4.0.0-release

cp modules/cas-server-webapp-4.0.0.war /var/local/apache-tomcat-8.0.15/webapps/

This command copies the “war” file, which is the package of all the components needed for the site to work. Once this has been copied we need to “stop” and “start” the web server again.

You should now be able to open the following URL over SSL successfully.

https://{azure-host-name}:8443/cas-server-webapp-4.0.0/login

If you want to test authentication against the built-in user store, you will need to modify the “deployerConfigContext.xml” file found in “/var/local/apache-tomcat-8.0.15/webapps/cas-server-webapp-4.0.0/WEB-INF/”, updating the following section and changing “casuser” and “Mellon” to something else.

You should then be able to log in and get the following response.
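The section referred to above is the in-memory user map that CAS 4.0.0 ships in WEB-INF/deployerConfigContext.xml. The block below is an added example written for this post, not copied from it or from the CAS project; the user name and password in it are constructed placeholders that stand in for the stock casuser / Mellon pair.

```xml
<!-- Added example, not from the original post: the AcceptUsersAuthenticationHandler
     bean in CAS 4.0.0's deployerConfigContext.xml. The stock entry is
     <entry key="casuser" value="Mellon"/>; replace both values with your own. -->
<bean id="primaryAuthenticationHandler"
      class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
        <map>
            <!-- constructed placeholder credentials for local testing only -->
            <entry key="testuser" value="CHANGE_ME_long_random_passphrase"/>
        </map>
    </property>
</bean>
```

This handler keeps passwords in clear text inside a file that every Tomcat restart reads, so it is only suitable for confirming the deployment works; once the login succeeds, the map should be removed and replaced with one of the real providers (LDAP, certificates, SAML) the post mentions at the start, and the WEB-INF directory should not be readable by other accounts on the box.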

In another post we will look at configuring it for user access and what it can do using the many supported providers.

NOTE: If you do not want port 8443 in the URL, you can use the following command to redirect all incoming port 443 traffic to port 8443 on the server itself.

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
