Wednesday, September 9, 2015

Jasig CAS with LDAP

In this tutorial, we used Linux CentOS 6 as our operating system. Below are the items required:
  • CAS server (you can download it from here - https://www.apereo.org/projects/cas/download-cas). In this tutorial, we're using CAS server version 3.5.2
  • Maven (to build the CAS Server)
  • Tomcat (we used apache-tomcat-7.0.42)
* In this tutorial, we assume that LDAP has already been installed on your server. We are not going to cover anything about LDAP here.
* One more thing: please make sure Maven has been set up on your local machine. This will be used to build the CAS Server (see here for a tutorial: http://thisismynota.blogspot.com/2014/02/install-maven-on-centos-65.html)

Steps:

  1. Download the CAS Server and extract it.
  2. Go to the extracted folder on the command line (console) and edit the file pom.xml
    cd cas-server-3.5.2/cas-server-webapp
    vi pom.xml


  3. Now add the following lines before the </dependencies> tag (the tag names are case sensitive: Maven expects groupId and artifactId)
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-support-ldap</artifactId>
      <version>3.5.2</version>
    </dependency>


  4. Next, build the CAS Server
    cd cas-server-3.5.2/cas-server-webapp
    mvn install package

    * wait until you see BUILD SUCCESSFUL


  5. Next, copy the cas.war file from the cas-server-3.5.2/cas-server-webapp/target folder into the Tomcat webapps folder and start the Tomcat server
    cp cas-server-3.5.2/cas-server-webapp/target/cas.war /apache-tomcat-7.0.42/webapps
    ./apache-tomcat-7.0.42/bin/startup.sh
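Steps 2 to 5 are easy to get wrong by hand (lower-case Maven tags, or the dependency pasted twice on a second attempt). The script below is an added example, not code from the original post or from the CAS project: it inserts the cas-server-support-ldap dependency before the first </dependencies> tag, does nothing if the artifact is already declared, and runs itself against a small constructed pom.xml so it can be tried offline. The sample pom is not the real cas-server-webapp pom; the version and artifact names are the ones given in step 3.

```shell
#!/bin/sh
# Added example, not code from the original post or from the CAS project.
# Inserts the cas-server-support-ldap dependency into a pom.xml (step 3)
# without duplicating it on a second run, then checks the result.
set -eu

# Insert the Maven dependency before the first </dependencies> tag.
# Note the camelCase tags: Maven rejects <groupid>/<artifactid>.
add_ldap_dependency() {   # usage: add_ldap_dependency POM VERSION
    pom="$1"
    version="$2"
    if grep -q '<artifactId>cas-server-support-ldap</artifactId>' "$pom"; then
        return 0   # already declared: nothing to do
    fi
    awk -v ver="$version" '
        !inserted && /<\/dependencies>/ {
            print "    <dependency>"
            print "      <groupId>org.jasig.cas</groupId>"
            print "      <artifactId>cas-server-support-ldap</artifactId>"
            print "      <version>" ver "</version>"
            print "    </dependency>"
            inserted = 1
        }
        { print }
    ' "$pom" > "$pom.tmp" && mv "$pom.tmp" "$pom"
}

# Number of times the LDAP artifact is declared (0 when absent).
ldap_dependency_count() {   # usage: ldap_dependency_count POM
    grep -c '<artifactId>cas-server-support-ldap</artifactId>' "$1" || true
}

# Write a minimal constructed pom.xml (not the real cas-server-webapp pom) for a dry run.
write_sample_pom() {   # usage: write_sample_pom FILE
    cat > "$1" <<'EOF'
<project>
  <artifactId>cas-server-webapp</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.jasig.cas</groupId>
      <artifactId>cas-server-core</artifactId>
      <version>3.5.2</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# Dry run on the constructed pom: the first call inserts, the second is a no-op.
demo_dir=$(mktemp -d)
write_sample_pom "$demo_dir/pom.xml"
add_ldap_dependency "$demo_dir/pom.xml" 3.5.2
add_ldap_dependency "$demo_dir/pom.xml" 3.5.2
echo "ldap dependency declared $(ldap_dependency_count "$demo_dir/pom.xml") time(s)"
rm -rf "$demo_dir"
```

To use it on the real checkout, call `add_ldap_dependency cas-server-3.5.2/cas-server-webapp/pom.xml 3.5.2` and then run the `mvn install package` command from step 4 as before.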


  6. After startup completes, shut down Tomcat. We need to edit the deployerConfigContext.xml file
    ./apache-tomcat-7.0.42/bin/shutdown.sh
    vi /apache-tomcat-7.0.42/webapps/cas/WEB-INF/deployerConfigContext.xml


  7. Find the line <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> and comment it out. Add the BindLdapAuthenticationHandler bean under the commented line. You'll have something like below:
    <!--bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /-->
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" p:filter="cn=%u" p:searchBase="ou=user,dc=example,dc=com,dc=my" p:contextSource-ref="contextSource" />

    * Note that in this example CAS authenticates using cn (common name). If you would like to authenticate with another attribute, e.g. mail, change the p:filter and p:searchBase values as per your environment configuration.


  8. In the same file (deployerConfigContext.xml), put the following lines before the </beans> tag. (Again, please change the placeholder values, i.e. the LDAP URL, the manager DN and the manager password, as per your environment configuration):
    <bean id="contextSource"
    class="org.springframework.ldap.core.support.LdapContextSource">
      <!-- DO NOT enable JNDI pooling for context sources that perform LDAP bind operations. -->
      <property name="pooled" value="false"/>
      <!-- Although multiple URLs may be defined, it's strongly recommended to avoid this configuration since the implementation attempts hosts in sequence and requires a connection timeout prior to attempting the next host, which incurs unacceptable latency on node failure. A proper HA setup for LDAP directories should use a single virtual host that maps to
      multiple real hosts using a hardware load balancer. -->
      <property name="url" value="ldap://your_ldap_server_address:389" />

      <!-- Manager credentials are only required if your directory does not support anonymous searches. Never provide these credentials for FastBindLdapAuthenticationHandler since the user's credentials are used for the bind operation. -->
      <property name="userDn" value="cn=Manager,dc=example,dc=com,dc=my"/>
      <property name="password" value="your_ldap_manager_password"/>

      <!-- Place JNDI environment properties here. -->
      <property name="baseEnvironmentProperties">
        <map>
          <!-- Three seconds is an eternity to users. -->
          <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
          <entry key="com.sun.jndi.ldap.read.timeout" value="3000" />
          <!-- Explained at http://download.oracle.com/javase/1.3/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION -->
          <entry key="java.naming.security.authentication" value="simple" />
        </map>
      </property>
    </bean>


  9. In order to make CAS work properly, we must enable SSL on Tomcat. In this example we used a self-signed certificate to run the CAS Server over SSL. Generate the self-signed certificate:
    keytool -genkey -alias sso -keyalg RSA -keysize 2048 -keystore sso.jks

    Enable SSL on Tomcat:
    vi /apache-tomcat-7.0.42/conf/server.xml

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="1000"
    minSpareThreads="25" protocol="HTTP/1.1" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/sso.jks"
    keystorePass="changeit" />
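Before starting Tomcat again (step 10) it is worth checking the two files edited in steps 6 to 9 for the mistakes that matter most: the test handler left active, the handler not wired to the contextSource bean, the manager password placeholder left in, a simple bind over plain ldap://, and the keystore still on the keytool default password changeit. The script below is an added example, not code from the original post or from the CAS or Tomcat projects: a grep-based audit that prints one line per finding. The two sample files it writes are constructed for the dry run (the "as posted" one mirrors the values shown in steps 7 to 9; the "hardened" one uses an assumed ldaps:// URL and non-placeholder passwords).

```shell
#!/bin/sh
# Added example, not code from the original post or the CAS/Tomcat projects: a
# grep-based pre-start audit of the two files edited in steps 6 to 9. Each finding
# is printed as one line; no output means the checks passed. The sample files
# below are constructed for the dry run, not copies of a real deployment.
set -eu

# Audit deployerConfigContext.xml (steps 7 and 8).
audit_deployer_config() {   # usage: audit_deployer_config FILE
    f="$1"
    # The test handler accepts any user whose password equals the username, so it
    # must not stay active. Only single-line "<!--" comments are recognised here.
    if grep -v '^[[:space:]]*<!--' "$f" | grep -q 'SimpleTestUsernamePasswordAuthenticationHandler'; then
        echo "FINDING: SimpleTestUsernamePasswordAuthenticationHandler is still active"
    fi
    grep -q 'BindLdapAuthenticationHandler' "$f" || echo "FINDING: BindLdapAuthenticationHandler not configured"
    grep -q 'p:contextSource-ref="contextSource"' "$f" || echo "FINDING: handler does not reference the contextSource bean"
    # A simple bind over plain ldap:// puts the user's password on the wire in clear text.
    if grep -q 'value="ldap://' "$f" && grep -q 'security.authentication" value="simple"' "$f"; then
        echo "FINDING: simple bind over unencrypted ldap:// (use ldaps:// or StartTLS)"
    fi
    grep -q 'name="pooled" value="false"' "$f" || echo "FINDING: JNDI pooling not disabled for the bind context source"
    grep -q 'your_ldap_manager_password' "$f" && echo "FINDING: placeholder manager password left in place"
    return 0
}

# Audit the Tomcat HTTPS connector in server.xml (step 9).
audit_tls_connector() {   # usage: audit_tls_connector FILE
    f="$1"
    if ! grep -q 'SSLEnabled="true"' "$f"; then
        echo "FINDING: no connector with SSLEnabled=\"true\""
        return 0
    fi
    grep -q 'secure="true"' "$f" || echo "FINDING: HTTPS connector is missing secure=\"true\""
    grep -q 'scheme="https"' "$f" || echo "FINDING: HTTPS connector is missing scheme=\"https\""
    # "changeit" is the JDK keystore default and the value shown in the example above.
    grep -q 'keystorePass="changeit"' "$f" && echo "FINDING: keystore still uses the default password changeit"
    return 0
}

# Number of findings for a file (0 means the checks passed).
finding_count() {   # usage: finding_count deployer|connector FILE
    case "$1" in
        deployer)  audit_deployer_config "$2" | wc -l | tr -d ' ' ;;
        connector) audit_tls_connector "$2" | wc -l | tr -d ' ' ;;
    esac
}

# Constructed deployerConfigContext.xml fragment shaped like steps 7 and 8.
write_sample_deployer_config() {   # usage: write_sample_deployer_config FILE LDAP_URL MANAGER_PASSWORD
    cat > "$1" <<EOF
<beans>
  <!--bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /-->
  <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" p:filter="cn=%u" p:searchBase="ou=user,dc=example,dc=com,dc=my" p:contextSource-ref="contextSource" />
  <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="false"/>
    <property name="url" value="$2" />
    <property name="userDn" value="cn=Manager,dc=example,dc=com,dc=my"/>
    <property name="password" value="$3"/>
    <property name="baseEnvironmentProperties">
      <map>
        <entry key="java.naming.security.authentication" value="simple" />
      </map>
    </property>
  </bean>
</beans>
EOF
}

# Constructed server.xml fragment shaped like the connector in step 9.
write_sample_connector() {   # usage: write_sample_connector FILE KEYSTORE_PASSWORD
    cat > "$1" <<EOF
<Server><Service>
  <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true" SSLEnabled="true"
             clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/sso.jks" keystorePass="$2" />
</Service></Server>
EOF
}

# Dry run: the values as posted produce findings, the hardened variant produces none.
demo=$(mktemp -d)
write_sample_deployer_config "$demo/as-posted.xml" "ldap://your_ldap_server_address:389" "your_ldap_manager_password"
write_sample_deployer_config "$demo/hardened.xml" "ldaps://ldap.example.com:636" "example-only-value"
write_sample_connector "$demo/server.xml" "changeit"
echo "as posted:"
audit_deployer_config "$demo/as-posted.xml"
audit_tls_connector "$demo/server.xml"
echo "hardened findings: $(finding_count deployer "$demo/hardened.xml")"
rm -rf "$demo"
```

On a real deployment run `audit_deployer_config /apache-tomcat-7.0.42/webapps/cas/WEB-INF/deployerConfigContext.xml` and `audit_tls_connector /apache-tomcat-7.0.42/conf/server.xml`. The ldap:// finding is deliberate: with java.naming.security.authentication set to simple, every login sends the user's directory password to the LDAP server unencrypted, so a production contextSource should point at ldaps:// (or use StartTLS) even though the tutorial's example uses port 389.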
  10. Start Tomcat and access your CAS Server at https://localhost:8443

Monday, September 7, 2015

How to - Secure Socket Layer (SSL) Certificate for Apache Tomcat

  1. Create Certificate Signing Request (CSR)

    a) Create a keystore file :
    keytool -genkey -alias the_alias_name -keyalg RSA -keysize 2048 -keystore keystore_filename.jks

    b) Create the CSR file (this file will be sent to a Certification Authority (CA) company, e.g. DigiCert, Entrust, etc.) :
    keytool -certreq -alias the_alias_name -keystore keystore_filename.jks -file csr_file_name.csr

    * In this example, we used Entrust as the CA company. You'll get 3 files from the CA (download them from the CA website). Those files are: root, chain and server certificate. Now proceed to the steps below.

  2. Import the generated certificate into the keystore file

    a) Import root certificate :
    keytool -importcert -trustcacerts -file L1Croot.txt -keystore keystore_filename.jks -alias root

    b) Import chain certificate :
    keytool -importcert -trustcacerts -file L1Cchain.txt -keystore keystore_filename.jks -alias intermediateCA

    c) Import server certificate:
    keytool -importcert -trustcacerts -file entrustcert.crt -keystore keystore_filename.jks -alias the_alias_name
* Note: Please replace the placeholder values (the_alias_name, keystore_filename.jks, csr_file_name.csr and the certificate file names) with your own.
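The import order above matters: the CA certificates go in first as trusted entries, and the server certificate is imported last under the same alias as the private key, so keytool installs it as the certificate reply for that key rather than adding yet another trusted entry. The script below is an added example, not code from the original post, that drives steps 1 and 2 with keytool and then verifies what ended up in the keystore. It needs a JDK keytool on PATH. For the offline dry run only, a throwaway self-signed "CA" in a second keystore signs the CSR in place of Entrust; the hostname in -dname, the file names and the passwords are all assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: drives the CSR and import steps
# above with keytool and then verifies what ended up in the keystore. It needs a
# JDK keytool on PATH. Only for the offline dry run, a throwaway self-signed "CA"
# in a second keystore stands in for Entrust; in real use root, chain and server
# certificate come from your CA as described above.
set -eu

# Step 1: key pair and CSR. -dname replaces the interactive prompts; a real CSR
# would carry your server's hostname as CN and be sent to the CA.
create_csr() {   # usage: create_csr KEYSTORE ALIAS STOREPASS CSRFILE
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -keystore "$1" \
        -storepass "$3" -keypass "$3" -dname "CN=sso.example.com, O=Example" \
        -validity 365 >/dev/null 2>&1
    keytool -certreq -alias "$2" -keystore "$1" -storepass "$3" -file "$4" >/dev/null 2>&1
}

# Step 2: CA certificates go in first as trusted entries; the server certificate
# is imported last under the SAME alias as the private key, so keytool installs it
# as the reply for that key instead of adding one more trusted entry.
import_chain() {   # usage: import_chain KEYSTORE ALIAS STOREPASS SERVERCERT ROOTCERT [INTERMEDIATECERT]
    ks="$1"; key_alias="$2"; pw="$3"; server="$4"; root="$5"; inter="${6:-}"
    keytool -importcert -trustcacerts -noprompt -file "$root" -keystore "$ks" \
        -storepass "$pw" -alias root >/dev/null 2>&1
    if [ -n "$inter" ]; then
        keytool -importcert -trustcacerts -noprompt -file "$inter" -keystore "$ks" \
            -storepass "$pw" -alias intermediateCA >/dev/null 2>&1
    fi
    keytool -importcert -trustcacerts -noprompt -file "$server" -keystore "$ks" \
        -storepass "$pw" -alias "$key_alias" >/dev/null 2>&1
}

# Verification: the key alias must be a PrivateKeyEntry whose chain is longer
# than 1 (1 means the self-signed placeholder is still there and the reply was
# never installed, a common cause of browser trust errors).
entry_type() {   # usage: entry_type KEYSTORE ALIAS STOREPASS
    out=$(keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null || true)
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}
chain_length() {   # usage: chain_length KEYSTORE ALIAS STOREPASS
    keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# Dry-run helpers: a throwaway CA keystore that signs the CSR (constructed, not a real CA).
make_test_ca() {   # usage: make_test_ca CA_KEYSTORE STOREPASS ROOTCERT_OUT
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -keystore "$1" \
        -storepass "$2" -keypass "$2" -dname "CN=Throwaway Test CA, O=Example" \
        -ext bc:c -validity 365 >/dev/null 2>&1
    keytool -exportcert -alias ca -keystore "$1" -storepass "$2" -rfc -file "$3" >/dev/null 2>&1
}
sign_csr() {   # usage: sign_csr CA_KEYSTORE STOREPASS CSRFILE CERT_OUT
    keytool -gencert -alias ca -keystore "$1" -storepass "$2" -infile "$3" \
        -outfile "$4" -rfc -validity 365 >/dev/null 2>&1
}

# End-to-end dry run, skipped when keytool is not installed.
if command -v keytool >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_test_ca "$d/ca.jks" capass1 "$d/root.cer"
    create_csr "$d/keystore.jks" sso storepass1 "$d/req.csr"
    sign_csr "$d/ca.jks" capass1 "$d/req.csr" "$d/server.cer"
    import_chain "$d/keystore.jks" sso storepass1 "$d/server.cer" "$d/root.cer"
    echo "sso: $(entry_type "$d/keystore.jks" sso storepass1), chain length $(chain_length "$d/keystore.jks" sso storepass1)"
    rm -rf "$d"
fi
```

With the real Entrust files the call is `import_chain keystore_filename.jks the_alias_name STOREPASS entrustcert.crt L1Croot.txt L1Cchain.txt`, and `chain_length` should then report 3 for the_alias_name (server, intermediate, root). If it still reports 1 after the import, the server certificate went in under a different alias than the key and Tomcat will keep serving the self-signed certificate.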

Bypass prompting username/password for OBIEE weblogic 11g

When starting/stopping the Managed Server or Admin Server (WebLogic), the user is prompted to enter username and password.


Both of these commands will prompt for the username and password.
./startManagedWebLogic.sh bi_server1 http://hostname:7001
./startWebLogic.sh


Instead, you can enable auto login using a boot identity file. A boot identity file contains user credentials for starting and stopping an instance of WebLogic  Server. An Administration Server can refer to this file for user credentials instead of prompting you to provide them. Because the credentials are encrypted, using a boot identity file is more secure than storing unencrypted credentials in a startup or shutdown script. If there is no boot identity file when
you start a server, the server instance prompts you to enter a username and password. The boot identity file can be different for each server instance in the domain.

To configure the boot.properties file for the Managed Server, perform the following steps: