
Andy Michaelis, SUNY Oswego, andy@oswego.edu

Why use CAS?
History of how we got into CAS
Standalone CAS server and single sign on, what is needed?
CAS server (Tomcat)
SSOmanager (Oracle Fusion Middleware)
Overview of installing required components for the CAS server, BEIS and the SSOmanager

Our campus is looking to make logon to the many services offered easier for students and staff. Banner 9, slices? Oh No! And what does that mean?

Luminis? Proof of concept. ITEC hosted a Luminis 5 sandbox for SUNY Oswego. BEIS was required for this, but not ALL of the BEIS components.

Banner 9: after setup of a Banner 9 slice and reading Ellucian documentation, it seems CAS will be needed or you will have to login to each slice.

http://BEIS-srv.oswego.edu:9001/ssomanager/c/SSB

The SSOmanager on the BEIS server will have a chat with the CAS server. Hey, does this dude have a certificate?
NO: the user is presented with the CAS Login Page.
YES: the user continues on into Banner without being prompted.

User enters a URL to sign into SSB Banner. Instead of the usual link of the form twbkwbis.P_WWWLogin, this URL points to the SSO manager, an Ellucian tool for single sign on that communicates with CAS or other third party authentication servers. The SSO manager will connect with the CAS server. How does it know where? You specify the CAS server in the casconfig.properties file and rebuild the ear file. Then, when configuring the SSO manager, you also specify the link to your Self Service Banner pages. The CAS server will check if the client has a ticket; if not, it will present a logon page. The CAS server has plugins for LDAP authentication. Not only do we authenticate against LDAP, but we also retrieve specific LDAP attributes, one of which is the UDC Identifier, a unique value per spriden ID.

The SSO manager connects to your Banner database and reads the gobumap table, looking for the PIDM matching the UDC identifier. It then uses this result to connect the user into Self Service Banner as the person with the resulting PIDM.

show CAS logon example here

What is the UDC Identifier?

UDC Identifiers are unique 32 character alphanumeric strings, e.g. 36BE6D6D18560C44E0440003BA33B440

How does it get populated?

UDC identifiers are assigned using the UDCIdentifier Assigner, one of the BEIS Identity Data Export Utilities. This is yet another tool which is deployed as a war file, and run as a web based client.

What happens when new IDs are created in Banner, and how do I get new UDC Identifiers?
Manually run the BEIS utility periodically. YUCK!
The Ellucian full blown BEIS model of Oracle Streams, SPML messages, SPML consumers, another server and more. It works but is very bulky. More YUCK.

So how can we fool the SSO manager?

If your campus has another unique identifier per entity (spriden_id) you should be able to use that. For Oswego our LakerNetID or even College ID number is unique. Can we just update the gobumap table with this? YES
What happens when new IDs are created in Banner, and how do I get new UDC Identifiers?

We can create a local trigger on the gobtpac table to insert or update gobumap accordingly, or on spriden if we use the College ID number.
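One way to write that trigger, as an added example that is not from the slides or from Ellucian: it keeps gobumap in step with gobtpac so the SSO manager can resolve the network ID (used in place of the UDC identifier) to a PIDM, and it is followed by the check that matters most for an SSO lookup, that no two PIDMs share one identifier. The column names GOBTPAC_PIDM, GOBTPAC_EXTERNAL_USER, GOBUMAP_PIDM, GOBUMAP_UDC_ID and the audit columns are assumptions to verify against your own Banner schema.

```sql
-- Added example (not the slide author's or Ellucian's code). Column names are
-- assumptions; verify them against your Banner schema and add any further
-- NOT NULL columns that gobumap carries at your site.
CREATE OR REPLACE TRIGGER GOBTPAC_UDC_SYNC_TRG
  AFTER INSERT OR UPDATE OF GOBTPAC_EXTERNAL_USER ON GOBTPAC
  FOR EACH ROW
  WHEN (NEW.GOBTPAC_EXTERNAL_USER IS NOT NULL)   -- nothing to map without an ID
BEGIN
  -- One mapping row per PIDM: update it if present, create it otherwise.
  -- gobumap is a different table from gobtpac, so no mutating-table error.
  MERGE INTO GOBUMAP m
  USING (SELECT :NEW.GOBTPAC_PIDM          AS pidm,
                :NEW.GOBTPAC_EXTERNAL_USER AS udc_id
           FROM DUAL) s
     ON (m.GOBUMAP_PIDM = s.pidm)
  WHEN MATCHED THEN
    UPDATE SET m.GOBUMAP_UDC_ID        = s.udc_id,
               m.GOBUMAP_ACTIVITY_DATE = SYSDATE,
               m.GOBUMAP_USER_ID       = USER
  WHEN NOT MATCHED THEN
    INSERT (GOBUMAP_UDC_ID, GOBUMAP_PIDM, GOBUMAP_ACTIVITY_DATE, GOBUMAP_USER_ID)
    VALUES (s.udc_id, s.pidm, SYSDATE, USER);
END;
/

-- Check before relying on the trigger: the SSO manager picks the PIDM purely by
-- the identifier it gets back from CAS, so two PIDMs with the same value would
-- sign a user in as somebody else. This must return no rows; a unique index on
-- GOBUMAP_UDC_ID keeps it that way and makes the MERGE above fail loudly instead.
SELECT GOBUMAP_UDC_ID, COUNT(*) AS pidm_count
  FROM GOBUMAP
 GROUP BY GOBUMAP_UDC_ID
HAVING COUNT(*) > 1;
```

If you use the College ID number instead, the same MERGE hangs off spriden with the ID column in place of GOBTPAC_EXTERNAL_USER.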

1. Setup CAS server
2. Setup SSOmanager

I installed all on Oracle Enterprise Linux 5.6 ( 64 bit )


Java Development Kit: JDK 1.6 or higher recommended. Installed jdk 1.6.0_32
Servlet Container: Installed Tomcat 6.0.35
Maven (to build the CAS project): Installed maven 2.2.1

Download the JDK, and unbundle the bin file in your preferred JAVA_HOME directory:
mkdir -p /usr/java
cp /downloads/jdk-6u32-linux-x64.bin /usr/java/
cd /usr/java
./jdk-6u32-linux-x64.bin

This will unpack the downloaded file. Set your JAVA_HOME environment variable, and modify PATH:
export JAVA_HOME=/usr/java/jdk1.6.0_32
export PATH=$JAVA_HOME/bin:$PATH
# VALIDATE THE JAVA INSTALL...
which java
java -version

Unbundle the tar file in the preferred home directory for Tomcat:
mkdir -p /usr/tomcat
cd /usr/tomcat
tar zxvf /downloads/apache-tomcat-6.0.35.tar.gz

This will untar the downloaded file. Set your CATALINA_HOME and other required environment variables. I created a tomcat.sh file:
# SETUP THE JAVA ENVIRONMENT NEEDED FOR TOMCAT
export JAVA_HOME=/usr/java/jdk1.6.0_32
export PATH=$JAVA_HOME/bin:$PATH
# SETUP THE TOMCAT ENVIRONMENT
export CATALINA_HOME=/usr/tomcat/apache-tomcat-6.0.35
export CATALINA_BASE=/usr/tomcat/apache-tomcat-6.0.35
# ADDED LINE BELOW BASED ON ELLUCIAN RECOMMENDED VALUES
export CATALINA_OPTS="-server -Xms2048m -Xmx4g -XX:MaxPermSize=256m"

Generate a self signed certificate. Ensure that the First and Last Name = the server you are installing on.
keytool -genkey -alias tomcat -keyalg RSA -validity 730

Edit $TOMCAT_HOME/conf/server.xml and uncomment this section (remove the <!-- and --> around it) to enable SSL:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

Next stop and then restart Tomcat and visit the URL to ensure SSL is working; of course your browser will alert you about the self signed certificate. https://cas-server.oswego.edu:8443
show example here

You will need to export this new self signed certificate so that you can import it into other servers that will trust it, like the BEIS server, where the SSOmanager is running.
keytool -export -alias tomcat -file cas-server.crt

Use keytool to add the trusted certificate to the cacerts file. Issue this command on the BEIS server.
keytool -import -file cas-server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -alias tomcat

Unbundle the tar file in the preferred home directory for Maven:
mkdir -p /usr/maven
cd /usr/maven
tar zxvf /downloads/apache-maven-2.2.1-bin.tar

This will untar the downloaded file. Set your MAVEN_HOME and other required environment variables. I created a maven.sh file:
# SETUP THE MAVEN ENVIRONMENT
export PROJECT_HOME=/at/tomcat/work/cas
export MAVEN_HOME=/usr/maven/apache-maven-2.2.1
export M2_HOME=$MAVEN_HOME
export M2=$M2_HOME/bin
export MAVEN_OPTS="-Xms256m -Xmx512m"
export PATH=$M2:$PATH

Create your Project Object Model pom.xml file. Maven uses the pom.xml to build your project. Our project is a CAS server with the LDAP plugin, so CAS will look to LDAP for attributes. You enter the dependencies, build, and repository definitions.

Ensure you have sourced your maven.sh script so that all Maven environment variables are set. Change directory to the project home and build it.

cd $PROJECT_HOME
mvn clean package

When you're done you will have a cas.war file in your $PROJECT_HOME/target directory. So far all you have is what could have been downloaded from jasig.org/cas, but deploy this war file and test to ensure you now have a CAS server. This also shows that Maven is set up correctly.

Next we will utilize the Maven WAR overlay method to replace default configuration values with our preferred ones. We do this by creating a src/main directory under the project home. Maven will use these files to replace the main files when building our CAS project.
mkdir -p $PROJECT_HOME/src/main/webapp/WEB-INF/
cd $PROJECT_HOME/src/main/webapp/WEB-INF

Next we will modify two files. First we need to copy the default ones out of the $PROJECT_HOME/target/war/work sub directory. You will have to drill down a bit.
1. cas.properties (file contains values for server name etc)
2. deployerConfigContext.xml (Wow! Many changes in here. I will attach our sample file)

This config file is the guts of what will get built. In here you name things such as:
1. LDAP server and LDAP details: LDAP attribute mappings, search base, what LDAP user will be authorized to cas/services
2. Add authentication methods, comment out to remove default dummy methods.

<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="ou=People,dc=oswego,dc=edu" />
  <property name="contextSource" ref="contextSource" />
  <property name="requireAllQueryAttributes" value="true" />
  <!-- CAS username is looked up as the LDAP uid -->
  <property name="queryAttributeMapping">
    <map>
      <entry key="username" value="uid" />
    </map>
  </property>
  <!-- LDAP attribute -> name(s) released to CAS services.
       A <map> cannot hold the key "uid" twice, so the one LDAP uid is
       released under both names with a <set>; UDC_IDENTIFIER is the name
       the SSO manager looks for. -->
  <property name="resultAttributeMapping">
    <map>
      <entry key="uid">
        <set>
          <value>uid</value>
          <value>UDC_IDENTIFIER</value>
        </set>
      </entry>
      <entry key="cn" value="cn" />
      <entry key="givenname" value="Formatted Name" />
      <entry key="mail" value="EmailAddress" />
    </map>
  </property>
</bean>

OK, we have edited our config files, let's rebuild a new cas.war file with Maven. Redeploy this new cas.war to Tomcat, or push the new war and restart Tomcat. Test our CAS server. We want to test that this newly deployed CAS server is now checking credentials against our LDAP server.
https://cas-server.oswego.edu:8443/cas/login

We should get our login page; login with your LDAP credentials. You should get:

show example here

When we set up our CAS server configuration in the deployerConfigContext file, we set our CAS administrator. Login as that user now.
https://cas-server.oswego.edu:8443/cas/services

We should get our login page; login with your LDAP credentials. You should get:

Ensure you select UDC_IDENTIFIER, and other(s) needed. Click Save

show example here

Recall that we need two components for single sign on to function. We needed our CAS server authenticating against LDAP, but we still need the SSOmanager to perform the single sign on into SSB and INB Banner.

Install SSOmanager on a separate server. Install into Oracle Fusion Middleware. Create a Basic Domain.
Download patch p1-136b1ic_beis8010502. Unzip the patch. You need the sso-manager.ear file.

In the sql subdirectory, manually create the user and objects for the SSOmanager. I created ssomgr manually, login as ssomgr then run db_create.sql

Obtain the Banner Enterprise Identity Services handbook, release 8.1.5, revision 2 (Jan 2012). Follow the instructions for installation of the SSO manager in chapter 11, specifically do the manual steps in the section "Complete the installation on Oracle WebLogic Server 11g":
Create the database user and objects for the SSO manager
Define 3 WebLogic data sources, pay close attention to the JNDI names
Create a security user; this user is used to login and access the SSOmanager
Unjar the sso-manager.ear file, modify the config file, re-jar and then deploy the sso-manager.ear file

Once the ear file has been deployed, you can logon to the SSOmanager to set up some required values.
http://BEIS-server.oswego.edu:9001/ssomanager

show example here

Next enter some required web-tailor parameters

Now we are ready to test the self service single sign on. There are test links inside of the SSO manager.

You do need to modify the forms server other parameters to include iamticket=%iamticket%

The rest is fully documented, I will not reiterate. Follow the instructions in the BEIS 8.1.5 handbook on pages 11-80, but DO NOT put the modified baniam.jar file into the forms directory as the instructions tell you. Doing so will expose your SSO manager username, password and full URL to all users who can access INB Banner. You will compromise the SSO manager. I have reported this to Ellucian. The workaround is to put the file in another directory not accessible via the web, and modify accordingly. Set CLASSPATH and include this new directory:
/oracle/middleware/as_1/<newdirectory>/baniam.jar

CAS Download and general reading
http://www.jasig.org/cas

Building CAS using Maven Overlay
http://wiki.jasig.org/display/CASUM/Best+Practice++Setting+Up+CAS+Locally+using+the+Maven2+WAR+Overlay+Method

CAS and LDAP
http://wiki.jasig.org/display/CASUM/LDAP

CAS and LDAP attribute values
http://wiki.jasig.org/display/CASUM/Attributes

Ellucian Commons: stand-alone CAS configuration for LP5 and SSO Manager (samlValidate)
http://www.edu1world.org/CommonsLuminis/wiki/document/6251
