Installing CAS for MIV

To switch MIV to CAS authentication, do the following on the system:

1. Install the Apache module mod_auth_cas
2. Configure Apache to load mod_auth_cas
3. Configure the module
4. Apply the CAS filter to our protected location(s)
5. Configure tomcat to keep its hands off user authentication
6. Create the directory for the CAS tickets (CAS "Cookies")
7. Update/Import root certificates if required

1) Install mod_auth_cas

  • mod_auth_cas.so is in the project's trunk/config/system directory.
  • Copy mod_auth_cas.so into /etc/httpd/modules and give it the same ownership and mode as the other modules there
    (root-owned, 0755), so that only root can replace code that Apache loads. The binary must have been built against
    the same Apache version (and matching libraries) as the target host, otherwise LoadModule fails at startup.

2) Configure Apache

  • Edit /etc/httpd/conf/httpd.conf
  • Load the module after the last existing "mod_auth*" line:
    /etc/httpd/conf/httpd.conf

    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule auth_cas_module modules/mod_auth_cas.so
    LoadModule include_module modules/mod_include.so

3) Configure the CAS module in Apache

  • Add the following block immediately after the "ServerSignature" line
    (line 524 on tygra, line 536 on production)
    /etc/httpd/conf/httpd.conf

    ### CAS Configuration
        <IfModule mod_auth_cas.c>
        CASLoginUrl https://cas.ucdavis.edu/cas/login
        CASValidateURL https://cas.ucdavis.edu/cas/serviceValidate
        CASValidateServer On
        CASCertificatePath /etc/pki/tls/cert.pem
        CASCookiePath /var/tmp/cas/
    
        #CASTicketRedirect On
        # Time out after a whole work day, including lunch. 34,000 seconds is about 9 hours and 26 minutes.
        CASTimeout 34000
        # We want the CAS idle timeout to be just a little longer than our session timeout
        # so the timeout notification can still get resources from CAS protected areas.
        # 14,400 seconds is 4 hours exactly; 15,000 is about 4 hours and 10 minutes.
        CASIdleTimeout 15000
        # Change to "CASDebug On" for extra logging to debug problems.
        CASDebug Off
        </IfModule>
    ### CAS Configuration
    

  • Note that the trailing slash ('/') on CASCookiePath is required.
  • Also change "ServerSignature On" to "ServerSignature Off", a commonly recommended security precaution: it stops
    Apache from appending its version string to server-generated error pages. "ServerTokens Prod" trims the Server
    response header in the same way and is worth setting alongside it.

4) Apply the CAS filter to the / path

  • Edit /etc/httpd/conf.d/ssl.conf
  • Insert the CAS configuration block between these sections:
    /etc/httpd/conf.d/ssl.conf

    <Directory "/usr/local/tomcat/webapps/miv">
    [...]
    </Directory>
    (insert here)
    # Deny direct access to WEB-INF and META-INF
    <Location "/miv/WEB-INF/*">
    [...]
    </Location>

  • The block should now read:
    /etc/httpd/conf.d/ssl.conf

    <Directory "/usr/local/tomcat/webapps/miv">
    [...]
    </Directory>

    ### CAS Configuration
        <Location "/">
            Options Indexes
            Order allow,deny
            Allow from all
            <IfModule mod_auth_cas.c>
                AuthType CAS
                AuthName "UC Davis CAS"
                Require valid-user
                CASScope /
            </IfModule>
        </Location>
    ### CAS Configuration
    

    # Deny direct access to WEB-INF and META-INF
    <Location "/miv/WEB-INF/*">
    [...]
    </Location>

  • The <IfModule mod_auth_cas.c> wrapper makes the site fail open: if the module is not loaded (typo in the
    LoadModule line, module missing after an upgrade), the AuthType/Require directives simply vanish and "/" is
    served with no login at all. After every change, confirm the module is really loaded ("httpd -M | grep cas"
    or "apachectl -M") before trusting the protection.
  • "Options Indexes" is not needed for CAS; it enables directory listings wherever no index file exists, so drop
    it unless listings are actually wanted.
  • "Order allow,deny" / "Allow from all" is Apache 2.2 access-control syntax (on 2.4 it needs mod_access_compat).
    Do not simply replace it with "Require all granted" next to "Require valid-user": multiple Require lines in one
    section are OR'ed by default, and that combination lets everyone through.

5) Configure tomcat

  • Edit ${TOMCAT_HOME}/conf/server.xml
  • Add the attribute tomcatAuthentication="false" to the <Connector port="8009" ... > tag
  • Original from production:
    <Connector port="8009"
      maxThreads="300" minSpareThreads="25" maxSpareThreads="75"
      emptySessionPath="true"
      enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    
    After modification:
    <Connector port="8009" redirectPort="8443" protocol="AJP/1.3"
      maxThreads="300" minSpareThreads="25" maxSpareThreads="75"
      emptySessionPath="true"
      enableLookups="false"
      tomcatAuthentication="false"
    />

  • tomcatAuthentication="false" tells Tomcat to trust whatever REMOTE_USER Apache hands it over AJP, so the AJP
    port must be reachable only from Apache: bind it to the loopback interface (address="127.0.0.1" on the
    Connector) and/or firewall port 8009. Anyone who can open a connection to the AJP port can otherwise assert
    any username.
    

6) Create the CAS tickets directory

  • This is the location specified in step 3 as "CASCookiePath /var/tmp/cas/".
    *** Note! This directory should NOT be in /tmp for production since it must
    persist over nightly cleanups, system restarts, etc. Check that whatever cleans temporary files on the host
    (tmpwatch, systemd-tmpfiles) is not also sweeping the directory you pick under /var/tmp; otherwise users are
    logged out whenever their ticket files disappear.
  • Appropriate directories may be "/var/lib/cas/tickets/" or "/var/tmp/cas/" depending on your *nix flavor and site preferences.
  • Make sure the directory is owned by and writable by the apache / httpd user, and readable by nobody else
    (e.g. mode 0700): each file in it corresponds to a live session cookie, so a world-readable directory lets any
    local user hijack logged-in sessions.
    Warning: make sure the configured directory exists and is writable, or the system can become unresponsive due to constant logging of errors.

7) Make sure CASValidateServer is set to "On" as shown in the "CAS Configuration" block in step 3.
(This is the default, but we want to be explicit in this case.) With it off, mod_auth_cas would accept a serviceValidate
response without checking the CAS server's certificate, so anyone able to spoof cas.ucdavis.edu could vouch for any user.
If GeoTrust is not a trusted provider with a root certificate on your machine you will need to import the GeoTrust root certificate, or, more simply and as
the CAS FAQ suggests, download the cas.pem file and point CASCertificatePath at the downloaded cas.pem file instead of cert.pem.

The cas.pem file is available for download from either the mod_auth_cas page or the CAS FAQ page. Fetch it over HTTPS and check that it
matches the chain the CAS server actually presents ("openssl s_client -connect cas.ucdavis.edu:443 -showcerts") before trusting it.
Note that a cas.pem holding a single certificate rather than the system bundle has to be replaced whenever that certificate changes.
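As an added example (not code from the MIV project or from the mod_auth_cas authors), the following POSIX shell functions check the httpd.conf edits from steps 2 and 3 and create the ticket directory from step 6. They assume only what the steps above state (the LoadModule line, the CAS directives, ServerSignature Off, a trailing slash on CASCookiePath); the httpd user is passed in as a parameter, and the "apache" owner in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not MIV project code): pre-flight checks for the mod_auth_cas
# setup described above. Both functions take paths/users as parameters so they
# can be run against a copy of httpd.conf before anything under /etc is touched.

# cas_check_conf CONF_FILE
# Prints one line per problem found; returns 0 only if every check passes.
cas_check_conf() {
    conf="$1"
    rc=0
    # Blank out comment lines first so a commented-out directive
    # ("#CASValidateServer On") is not mistaken for a live one.
    live=$(sed -e 's/^[[:space:]]*#.*$//' "$conf")

    # 1. The module must actually be loaded. Inside <IfModule mod_auth_cas.c> the
    #    "Require valid-user" silently disappears when it is not, leaving "/" open.
    printf '%s\n' "$live" | grep -q '^[[:space:]]*LoadModule[[:space:]]\{1,\}auth_cas_module[[:space:]]' \
        || { echo "missing: LoadModule auth_cas_module"; rc=1; }

    # 2. Server certificate validation must stay on, or a spoofed CAS server could
    #    answer serviceValidate for any user.
    printf '%s\n' "$live" | grep -qi '^[[:space:]]*CASValidateServer[[:space:]]\{1,\}On[[:space:]]*$' \
        || { echo "CASValidateServer is not On"; rc=1; }

    # 3. CASCookiePath needs its trailing slash (the ticket file name is appended to it).
    path=$(printf '%s\n' "$live" \
        | sed -n -e '/^[[:space:]]*CASCookiePath[[:space:]]/!d' \
                 -e 's/^[[:space:]]*CASCookiePath[[:space:]]\{1,\}//' \
                 -e 's/[[:space:]]*$//p' | head -n 1)
    case "$path" in
        "")  echo "CASCookiePath is not set"; rc=1 ;;
        */)  ;;
        *)   echo "CASCookiePath '$path' lacks the trailing slash"; rc=1 ;;
    esac

    # 4. ServerSignature must be Off, as step 3 asks.
    printf '%s\n' "$live" | grep -qi '^[[:space:]]*ServerSignature[[:space:]]\{1,\}On[[:space:]]*$' \
        && { echo "ServerSignature is On"; rc=1; }

    return $rc
}

# cas_make_ticket_dir DIR OWNER
# Creates the CASCookiePath directory for the httpd user with no access for anyone
# else: every file in it corresponds to a live session cookie, so it must not be
# world-readable. chown needs root; otherwise the caller is told to do it by hand.
cas_make_ticket_dir() {
    dir="$1"
    owner="$2"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dir" || return 1
    else
        echo "not root: run 'chown $owner $dir' by hand" >&2
    fi
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Typical use on the box (paths as in the steps above; the "apache" owner is an assumption):
#   cas_check_conf /etc/httpd/conf/httpd.conf && cas_make_ticket_dir /var/tmp/cas/ apache
```

Run the checker against the edited httpd.conf (and again after any later change) before restarting Apache; a silent pass is the only output on success, and the directory function refuses to report success unless the directory ends up writable.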