This document describes how to set up a layered authentication system: the browser must present an SSL client certificate to the CAS server before it sees the login form, and CAS then validates the username and password by binding to OpenLDAP over LDAPS.
Environment
Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + OpenSSL 0.9.8b
Client: Fedora Core 6 + Firefox 2, or Windows XP + IE6 SP2
CAS Login Procedure
Config DNS
To make SSL work properly the server needs a stable host name that the clients can resolve and that matches the CN of the server certificates created below; here I use auth.langhua.
Create SSL Certificates
1. Make sure OpenSSL is installed on the server.
2. Create demoCA:
2.1 Edit /etc/pki/tls/openssl.cnf
dir = /etc/pki/demoCA
basicConstraints=CA:FALSE -> basicConstraints=CA:TRUE
2.2 Edit /etc/pki/tls/misc/CA
CATOP=/etc/pki/demoCA
2.3 /etc/pki/tls/misc/CA -newca
2.4 Edit /etc/pki/tls/openssl.cnf and revert the change from 2.1, so that certificates signed later with "openssl ca" are not issued as CA certificates:
basicConstraints=CA:TRUE -> basicConstraints=CA:FALSE
2.5 Export the root certificate in DER form (this is the file the browsers and keytool will import):
openssl x509 -in /etc/pki/demoCA/cacert.pem -inform PEM -out /etc/pki/demoCA/cacert.der -outform DER
3. Create Tomcat Server Certificate
3.1 keytool -genkey -alias tomcat-server -keyalg RSA -keystore tomcat-server.jks -storepass changeit -keypass changeit -dname "CN=auth.langhua, OU=Research Department, O=Beijing Langhua Ltd., L=Haidian, S=Beijing, C=CN"
3.2 keytool -certreq -keyalg RSA -alias tomcat-server -file tomcat-server.csr -keystore tomcat-server.jks -storepass changeit
3.3 Sign the request with the demoCA key. The serial file created by CA -newca is reused so that serial numbers stay unique across every certificate this CA issues, whether with openssl x509 or with openssl ca:
openssl x509 -req -in tomcat-server.csr -out tomcat-server.pem \
 -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
 -CAserial /etc/pki/demoCA/serial -days 365 -sha1 -trustout
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslserver tomcat-server.pem
3.4 openssl x509 -in tomcat-server.pem -inform PEM -out tomcat-server.der -outform DER
3.5 Import root certificate:
keytool -import -alias langhua-root -file /etc/pki/demoCA/cacert.der -keystore tomcat-server.jks -storepass changeit
3.6 Import tomcat-server certificate:
keytool -printcert -file tomcat-server.der
keytool -import -trustcacerts -alias tomcat-server -file tomcat-server.der -keystore tomcat-server.jks -storepass changeit
keytool -list -v -keystore tomcat-server.jks -storepass changeit
4. Create OpenLDAP Server Certificate:
4.1 openssl genrsa -out ldap-key.pem 1024
4.2 openssl req -new -out ldap-req.csr -key ldap-key.pem
4.3 Sign the request
openssl ca -policy policy_anything -out ldap-cert.pem -infiles ldap-req.csr
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslserver ldap-cert.pem
4.4 Move both files to /etc/pki/demoCA/certs/ (the path slapd.conf will point at) and give them to the ldap group; the private key must stay unreadable for other users:
chown root:ldap ldap-*.pem
5. Create Browser client certificate
5.1 openssl genrsa -out shijh-key.pem 1024
5.2 openssl req -new -out shijh-req.csr -key shijh-key.pem
5.3 Sign the client request with the demoCA key. Do not pass -signkey here: -signkey requests a self-signed certificate, and the request must instead be signed with the CA key through -CA/-CAkey exactly as in step 3.3, otherwise the verify step below fails:
openssl x509 -req -in shijh-req.csr -out shijh-cert.pem \
 -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
 -CAserial /etc/pki/demoCA/serial -days 365 -sha1 -trustout
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslclient shijh-cert.pem
5.4 openssl pkcs12 -export -clcerts -in shijh-cert.pem -inkey shijh-key.pem -out shijh-cert.pfx -name "DemoCA Certificate to Shi Jinghai"
6. Create CAS SSL client certificate
Note: cacerts is the JVM's default trust store (default password changeit). Importing the demoCA root into it in step 6.5 is what lets the CAS LDAP client trust the ldaps:// server certificate. The key pair generated in 6.1 is only presented to slapd if the JVM is also told to use this file as its key store (javax.net.ssl.keyStore), and the slapd.conf below does not set TLSVerifyClient, so slapd never asks for a client certificate. Keeping a private key in the shared cacerts file under the default password is acceptable for this demo only.
6.1 Create a key pair in $JRE_HOME/lib/security/cacerts:
cd $JRE_HOME/lib/security/
keytool -genkey -alias cas-ldap-client -keyalg RSA -keystore cacerts -storepass changeit -keypass changeit -dname "CN=auth.langhua, OU=Research Department, O=Beijing Langhua Ltd., L=Haidian, S=Beijing, C=CN"
6.2 keytool -certreq -keyalg RSA -alias cas-ldap-client -file cas-ldap-client.csr -keystore cacerts -storepass changeit
6.3 Sign the request with the demoCA key:
openssl x509 -req -in cas-ldap-client.csr -out cas-ldap-client.pem \
 -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
 -CAserial /etc/pki/demoCA/serial -days 365 -sha1 -trustout
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslclient cas-ldap-client.pem
6.4 openssl x509 -in cas-ldap-client.pem -inform PEM -out cas-ldap-client.der -outform DER
6.5 keytool -import -alias langhua-root -file /etc/pki/demoCA/cacert.der -keystore cacerts -storepass changeit
6.6 Import the signed certificate:
keytool -printcert -file cas-ldap-client.der
keytool -import -trustcacerts -alias cas-ldap-client -file cas-ldap-client.der -keystore cacerts -storepass changeit
keytool -list -v -keystore cacerts -storepass changeit
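The whole certificate-generation procedure of steps 2 to 6 as one script, added here as an example; it is not code from the original page or from the CAS project. It writes into a scratch directory instead of /etc/pki/demoCA and carries a minimal OpenSSL config of its own instead of the CA -newca script and the openssl.cnf edits. The host name, the certificate owner and the changeit password are the page's; the 2048-bit keys, SHA-256, the shortened DNs and the per-role extension profiles (serverAuth plus a subjectAltName for the two server certificates, clientAuth for the browser and CAS client certificates) are my additions, and they are what lets "openssl verify" refuse a client certificate offered as a server certificate, which the page's extension-less certificates would not catch. The keytool imports of steps 3.5, 3.6, 6.5 and 6.6 are unchanged and not repeated here. On OpenSSL 3 the .pfx is written with modern algorithms; add -legacy to the pkcs12 command if the file must be opened by clients as old as IE6 or Firefox 2.

```shell
#!/bin/sh
# Added example: rebuilds the page's demoCA plus its four leaf certificates in a
# scratch directory.  Assumed names (taken from the page): auth.langhua,
# "Shi Jinghai", password "changeit".  Usage: sh make-demo-pki.sh /some/dir
set -e

HOST="${HOST:-auth.langhua}"         # server name from the "Config DNS" step
USER_CN="${USER_CN:-Shi Jinghai}"    # owner of the browser certificate
PASS="${PASS:-changeit}"             # demo-only password, as on the page
ORG="/C=CN/O=Beijing Langhua Ltd."   # DN prefix shared by every certificate

# Minimal OpenSSL config with one extension profile per certificate role, so a
# certificate only verifies for the purpose it was issued for.
write_pki_config() {
  cat > "$1/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue DIR NAME PROFILE SUBJECT: key, CSR and demoCA-signed certificate for one role
issue() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null || return 1
  openssl req -new -key "$1/$2-key.pem" -out "$1/$2.csr" \
      -config "$1/pki.cnf" -subj "$4" || return 1
  openssl x509 -req -in "$1/$2.csr" -out "$1/$2.pem" -days 365 -sha256 \
      -CA "$1/cacert.pem" -CAkey "$1/private/cakey.pem" -CAcreateserial \
      -extfile "$1/pki.cnf" -extensions "$3" || return 1
}

# make_demo_pki DIR: steps 2 to 6 of the page, minus the keytool imports
make_demo_pki() {
  mkdir -p "$1/private" && write_pki_config "$1" || return 1
  # 2. the demoCA root (replaces CA -newca and the CA:FALSE/CA:TRUE toggling)
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null || return 1
  openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
      -days 1825 -sha256 -config "$1/pki.cnf" -extensions v3_ca \
      -subj "$ORG/CN=demoCA" || return 1
  openssl x509 -in "$1/cacert.pem" -outform DER -out "$1/cacert.der" || return 1
  # 3./4. server certificates, 5./6. client certificates
  issue "$1" tomcat-server   v3_server "$ORG/CN=$HOST"    || return 1
  issue "$1" ldap            v3_server "$ORG/CN=$HOST"    || return 1
  issue "$1" shijh           v3_client "$ORG/CN=$USER_CN" || return 1
  issue "$1" cas-ldap-client v3_client "$ORG/CN=$HOST"    || return 1
  # 5.4 browser bundle: certificate, private key and the issuing CA
  openssl pkcs12 -export -in "$1/shijh.pem" -inkey "$1/shijh-key.pem" \
      -certfile "$1/cacert.pem" -name "DemoCA Certificate to $USER_CN" \
      -out "$1/shijh-cert.pfx" -passout "pass:$PASS" || return 1
}

# verify_demo_pki DIR: every certificate must chain to cacert.pem and carry the
# EKU its role needs, and a client certificate must be refused as a server one.
verify_demo_pki() {
  for n in tomcat-server ldap; do
    openssl verify -CAfile "$1/cacert.pem" -purpose sslserver "$1/$n.pem" >/dev/null || return 1
  done
  for n in shijh cas-ldap-client; do
    openssl verify -CAfile "$1/cacert.pem" -purpose sslclient "$1/$n.pem" >/dev/null || return 1
  done
  if openssl verify -CAfile "$1/cacert.pem" -purpose sslserver "$1/shijh.pem" >/dev/null 2>&1; then
    echo "client certificate accepted as server certificate" >&2
    return 1
  fi
  # the .pfx must open with the password and contain the client certificate
  openssl pkcs12 -in "$1/shijh-cert.pfx" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "$USER_CN" || return 1
}

if [ $# -gt 0 ]; then
  make_demo_pki "$1" && verify_demo_pki "$1" && echo "demo PKI written to $1"
fi
```

The negative check in verify_demo_pki is the point of the extension profiles: with extendedKeyUsage set, a certificate cut for a browser user cannot later be dropped into the Tomcat or slapd key store by mistake, and the same "openssl verify -purpose" call the page already uses reports it.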
Config Tomcat 5.5.20
Copy tomcat-server.jks from step 3 to /etc/pki/demoCA/certs/ and edit $tomcat_home/conf/server.xml. The same JKS file serves as key store (the server key under alias tomcat-server) and as trust store (the demoCA root under alias langhua-root); clientAuth="true" makes Tomcat require a certificate issued by that CA from every browser before any CAS page is served:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" URIEncoding="UTF-8"
clientAuth="true" sslProtocol="TLS" keyAlias="tomcat-server"
keystorePass="changeit" truststorePass="changeit"
keystoreType="JKS" truststoreType="JKS"
keystoreFile="/etc/pki/demoCA/certs/tomcat-server.jks"
truststoreFile="/etc/pki/demoCA/certs/tomcat-server.jks"/>
Deploy CAS 3.1 under $tomcat_home/webapps/cas/ and change its configuration.
Edit $tomcat_home/webapps/cas/WEB-INF/deployerConfigContext.xml. In the authenticationHandlers list of the authenticationManager bean, replace the default SimpleTestUsernamePasswordAuthenticationHandler (which accepts any user whose password equals the username) with the LDAP bind handler, and add the contextSource bean it refers to:
<bean
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="uid=%u" />
<property name="searchBase" value="o=langhua,c=cn" />
<property
name="contextSource"
ref="contextSource" />
</bean>
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
<property name="anonymousReadOnly" value="false" />
<property name="pooled" value="true" />
<property name="urls">
<list>
<value>ldaps://auth.langhua/</value>
</list>
</property>
<property name="baseEnvironmentProperties">
<map>
<entry>
<key><value>java.naming.security.protocol</value></key>
<value>ssl</value>
</entry>
<entry>
<key><value>java.naming.security.authentication</value></key>
<value>simple</value>
</entry>
</map>
</property>
</bean>
Restart Tomcat
/etc/init.d/tomcat5 restart
Change OpenLDAP configuration and Restart OpenLDAP
Edit /etc/openldap/slapd.conf:
TLSCACertificateFile /etc/pki/demoCA/cacert.pem
TLSCertificateFile /etc/pki/demoCA/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/pki/demoCA/certs/ldap-key.pem
/etc/init.d/ldap restart
Import the demoCA root certificate and the PKCS#12 client certificate into Firefox 2 and IE 6
Import /etc/pki/demoCA/cacert.der into Firefox 2 and IE 6 as a trusted certificate authority.
Import shijh-cert.pfx (the client certificate together with its private key) into Firefox 2 and IE 6.
Visit https://auth.langhua:8443/cas/
Because the connector has clientAuth="true", the browser first asks which client certificate to present; choose the imported shijh certificate. Then type a username and password that can bind to OpenLDAP into the CAS login form. You should be logged in to CAS successfully. A browser without a certificate issued by demoCA never reaches the login form, since the TLS handshake fails first.
Good Luck!
Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/