Installing CAS for MIV
To switch to CAS we need to do the following things on the system:
1. Install the Apache module mod_auth_cas
2. Configure Apache to load mod_auth_cas
3. Configure the module
4. Apply the CAS filter to our protected location(s)
5. Configure tomcat to keep its hands off user authentication
6. Create the directory for the CAS tickets (CAS "Cookies")
7. Update/import root certificates if required
1) Install mod_auth_cas
- mod_auth_cas.so is in the project's trunk/config/system directory.
- Copy mod_auth_cas.so into /etc/httpd/modules
2) Configure Apache
- Edit /etc/httpd/conf/httpd.conf
- Load the module after the last existing "mod_auth*" line:
/etc/httpd/conf/httpd.conf
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule auth_cas_module modules/mod_auth_cas.so
LoadModule include_module modules/mod_include.so
3) Configure the CAS module in Apache
- Add the following block immediately after the "ServerSignature" line
(line 524 on tygra, line 536 on production):
/etc/httpd/conf/httpd.conf
### CAS Configuration
<IfModule mod_auth_cas.c>
    CASLoginUrl https://cas.ucdavis.edu/cas/login
    CASValidateURL https://cas.ucdavis.edu/cas/serviceValidate
    CASValidateServer On
    CASCertificatePath /etc/pki/tls/cert.pem
    CASCookiePath /var/tmp/cas/
    #CASTicketRedirect On
    # Time out after a whole work day, including lunch. 34,000 is about 9 hours and 26 minutes
    CASTimeout 34000
    # We want the CAS idle timeout to be just a little longer than our session timeout
    # so the timeout notification can still get resources from CAS protected areas.
    # 14,400 is 4 hours exactly; 15,000 is about 4 hours and 10 minutes
    CASIdleTimeout 15000
    # Change to "CASDebug On" for extra logging to debug problems.
    CASDebug Off
</IfModule>
### CAS Configuration
- Note the trailing slash ('/') on the CASCookiePath is required.
- Also change "ServerSignature On" to "ServerSignature Off", a commonly recommended security precaution.
4) Apply the CAS filter to the / path
- Edit /etc/httpd/conf.d/ssl.conf
- Insert the CAS configuration block between these sections:
/etc/httpd/conf.d/ssl.conf
<Directory "/usr/local/tomcat/webapps/miv">
[...]
</Directory>
(insert here)
# Deny direct access to WEB-INF and META-INF
<Location "/miv/WEB-INF/*">
[...]
</Location>
- The block should now read:
/etc/httpd/conf.d/ssl.conf
<Directory "/usr/local/tomcat/webapps/miv">
[...]
</Directory>
### CAS Configuration
<Location "/">
    Options Indexes
    Order allow,deny
    Allow from all
    <IfModule mod_auth_cas.c>
        AuthType CAS
        AuthName "UC Davis CAS"
        Require valid-user
        CASScope /
    </IfModule>
</Location>
### CAS Configuration
# Deny direct access to WEB-INF and META-INF
<Location "/miv/WEB-INF/*">
[...]
</Location>
5) Configure tomcat
- Edit ${TOMCAT_HOME}/conf/server.xml
- Add the attribute tomcatAuthentication="false" to the <Connector port="8009" ... > tag
- Original from production:
<Connector port="8009" maxThreads="300" minSpareThreads="25" maxSpareThreads="75" emptySessionPath="true" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
- After modification:
<Connector port="8009" redirectPort="8443" protocol="AJP/1.3" maxThreads="300" minSpareThreads="25" maxSpareThreads="75" emptySessionPath="true" enableLookups="false" tomcatAuthentication="false" />
6) Create the CAS tickets directory
- This is the location specified in step 3 as "CASCookiePath /var/tmp/cas/"
*** Note! This directory should NOT be in /tmp for production since it must persist over nightly cleanups, system restarts, etc.
- Appropriate directories may be "/var/lib/cas/tickets/" or "/var/tmp/cas/" depending on your *nix flavor and site preferences.
- Make sure the directory is writable by the apache / httpd user. The "apache" user may be the appropriate owner.
- Make sure the configured directory exists and is writable, or the system can become unresponsive due to constant logging of errors.
7) Make sure CASValidateServer is set to "On" as shown above in the "CAS Configuration" block in step 3.
(This is the default, but we want to be explicit in this case.)
If GeoTrust is not a trusted provider with a root certificate on your machine, you will need to import the GeoTrust root certificate or, more simply and as the CAS FAQ suggests, download the cas.pem file and point CASCertificatePath to the downloaded cas.pem file instead of cert.pem.
The cas.pem file is available for download from either the mod_auth_cas page or the CAS FAQ page.
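A post-install sanity check for steps 2 through 7, added here as an example and not part of the MIV project or of mod_auth_cas: it confirms the module is loaded, CASValidateServer is On, ServerSignature is Off, CASCookiePath keeps its trailing slash and is a directory writable by the httpd user, and the AJP connector carries tomcatAuthentication="false". The function names, FAIL messages and sample files are constructed for this example.

```shell
#!/bin/sh
# Hypothetical post-install check for the mod_auth_cas setup above (not MIV
# project code); the sample files at the end are constructed so it runs offline.

# Steps 2, 3 and 7: module loaded, CAS server cert validated, signature off.
check_httpd_conf() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+auth_cas_module[[:space:]]' "$1" ||
        { echo "FAIL: mod_auth_cas is not loaded"; return 1; }
    grep -Eq '^[[:space:]]*CASValidateServer[[:space:]]+On' "$1" ||
        { echo "FAIL: CASValidateServer must be On"; return 1; }
    grep -Eq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$1" ||
        { echo "FAIL: ServerSignature should be Off"; return 1; }
}

# Step 3 note and step 6: CASCookiePath ends in '/', exists, and is a directory
# writable by the httpd user ($2); otherwise every request logs a ticket error.
check_cookie_path() {
    path=$(sed -n 's/^[[:space:]]*CASCookiePath[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$path" ] || { echo "FAIL: CASCookiePath is not set"; return 1; }
    case "$path" in */) ;; *) echo "FAIL: CASCookiePath needs a trailing slash: $path"; return 1 ;; esac
    find "$path" -prune -type d -user "$2" -perm -200 2>/dev/null | grep -q . ||
        { echo "FAIL: $path must exist and be writable by $2"; return 1; }
}

# Step 5: the AJP connector on 8009 must carry tomcatAuthentication="false", so
# Tomcat accepts the user Apache/CAS forwards instead of running its own login.
check_ajp_connector() {
    tr '\n' ' ' < "$1" | grep -Eo '<Connector[^>]*>' | grep 'port="8009"' |
        grep -q 'tomcatAuthentication="false"' ||
        { echo "FAIL: AJP connector lacks tomcatAuthentication=\"false\""; return 1; }
}
# usage: check_all httpd.conf server.xml httpd_user_or_uid
check_all() {
    check_httpd_conf "$1" && check_cookie_path "$1" "$3" && check_ajp_connector "$2"
}

# Constructed stand-ins for httpd.conf, server.xml and the CASCookiePath
# directory; the current uid stands in for the "apache" user.
demo=$(mktemp -d) && mkdir "$demo/cas"
cat > "$demo/httpd.conf" <<EOF
LoadModule auth_cas_module modules/mod_auth_cas.so
ServerSignature Off
<IfModule mod_auth_cas.c>
  CASValidateServer On
  CASCookiePath $demo/cas/
</IfModule>
EOF
printf '<Connector port="8009" protocol="AJP/1.3"\n  tomcatAuthentication="false" />\n' > "$demo/server.xml"
check_all "$demo/httpd.conf" "$demo/server.xml" "$(id -u)" && echo "OK: CAS setup checks passed"
```

Run it against the real files as the root or apache user, passing "apache" (or whatever user httpd runs as) as the third argument.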