CAS 5.X 安装

官方文档： https://apereo.github.io/cas/5.1.x/index.html

几个基本概念

CAS Server： SSO服务器端
CAS Client : SSO客户端，内置于各个子应用
ST: Service Ticket 用于登录验证
TGC：Ticket Granted Cookie 用于验证是否已经登录，保存在客户端Cookie
TGT：Ticket Granting Ticket 跟TGC对应，保存于服务器

server端： 建议用overlay模式安装，源码在：https://github.com/apereo/cas-overlay-template，下载好之后用执行 build package生成war包，放到tomcat的webapp下

client端：可以参考：https://github.com/akononowicz/cas-sample-java-webapp

---

 关于服务注册

service的注册可以使用json方式，方法如下：

在/etc/cas/config/cas.properties如下配置：

cas.serviceRegistry.config.location: classpath:/services
cas.serviceRegistry.watcherEnabled=true
cas.serviceRegistry.repeatInterval=10000
cas.serviceRegistry.startDelay=5000
cas.serviceRegistry.initFromJson=true

然后在classpath下的service目录下添加自己service的配置，当然，文件名需要遵循 [name] + "-" + [id] + ".json"的方式

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://172.17.20.20:8443/client2",
  "name" : "client2",
  "theme" : "apereo",
  "id" : 2000,
  "description" : "Cient2 sample service",
  "evaluationOrder" : 1,
    "logoutType" : "BACK_CHANNEL",
  "logoutUrl" : "https://172.17.20.20/client2/logout.jsp",
}

---

 关于SSL证书

比较麻烦的是ssl证书的生成

1. Tomcat 证书导入

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/apache-tomcat-8.5.9/conf/.keystore

然后修改tomcat的server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" keystoreFile="/opt/apache-tomcat-8.5.9/conf/.keystore" keystorePass="liuwei" sslProtocol="TLS" />

2. JDK证书导入

p12生成
keytool -importkeystore -srckeystore /opt/apache-tomcat-8.5.9/conf/.keystore \
-destkeystore tomcat.p12 \
-srcstoretype jks \
-deststoretype pkcs12

pem生成
openssl pkcs12 -in tomcat.p12 -out tomcat.pem

der生成
openssl x509 -in tomcat.pem -out tomcat.der -outform DER

导入JDK
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file tomcat.der -alias tomcat

我遇到的错误如下：

1. cas-client端，需要指向server时，linux自己配置的ssl设置firstname和lastname时需要指定域名而不是IP，当然host文件(/etc/hosts)也需要改，否则会出现如下错误

2. 另外，JDK的ssl也需要配置（默认密码changeit），否则会出现如下错误

具体可参考：https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide#SSLTroubleshootingandReferenceGuide-ImportTrustedCertificate

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)