Setting Up CAS with Ofbiz 5



Similar documents
SecuritySpy Setting Up SecuritySpy Over SSL

Installing Dspace 1.8 on Ubuntu 12.04

Enterprise SSL Support

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

i2b2: Security Baseline

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

Protect your CollabNet TeamForge site

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

Oracle Mobile Security Suite Workshop. Installation

To enable https for appliance

owncloud 8 and DigitalOcean Matthew Davidson Bluegrass Linux User Group 03/09/2015

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

UNICORE GATEWAY. UNICORE Team. Document Version: Component Version: Date: 19 Apr 2011

Apache, SSL and Digital Signatures Using FreeBSD

Application Note AN1502

Creating Certificate Authorities and self-signed SSL certificates

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

To install and configure SSL support on Tomcat 6, you need to follow these simple steps. For more information, read the rest of this HOW-TO.

How to setup HTTP & HTTPS Load balancer for Mediator

Configuring Ubuntu Server as a Firewall and Reverse Proxy for OWA 2007 Configuration Guide

Best Practices in Hardening Apache Services under Linux

Running Multiple Shibboleth IdP Instances on a Single Host

UNICORE GATEWAY. UNICORE Team. Document Version: Component Version: Date:

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Technical specification

Apache Security with SSL Using Ubuntu

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

Understanding SSL/TLS

Integrating Apache Web Server with Tomcat Application Server

Administrator s Guide: perfsonar MDM 3.0

Encrypted Connections

CORISECIO. Quick Installation Guide Open XML Gateway

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Red Hat Linux Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

IUCLID 5 Guidance and Support

10gAS SSL / Certificate Based Authentication Configuration

By default, STRM provides an untrusted SSL certificate. You can replace the untrusted SSL certificate with a self-signed or trusted certificate.

e-cert (Server) User Guide For Apache Web Server

Server Certificate: Apache + mod_ssl + OpenSSL

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

User Guide Generate Certificate Signing Request (CSR) & Installation of SSL Certificate

Exchange Reporter Plus SSL Configuration Guide

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

Install guide for Websphere 7.0

Project Management (PM) Cell

esync - Receiving data over HTTPS

SSL Interception on Proxy SG

COMP 3704 Computer Security

EQUELLA. Clustering Configuration Guide. Version 6.2

CHAPTER 7 SSL CONFIGURATION AND TESTING

GlobalSign Solutions

SOLR INSTALLATION & CONFIGURATION GUIDE FOR USE IN THE NTER SYSTEM

SpagoBI Tomcat Clustering Using mod_jk and httpd on Centos - In-Memory Session Replication.

Installation & Upgrade Guide

EventTracker Windows syslog User Guide

Configuring TLS Security for Cloudera Manager

Installing Booked scheduler on CentOS 6.5

Administrator s Guide

How to: Install an SSL certificate

Single Node Hadoop Cluster Setup

Securing Your Apache Web Server With a Thawte Digital Certificate

EQUELLA. Clustering Configuration Guide. Version 6.0

Obtaining SSL Certificates for VMware View Servers

Tableau Spark SQL Setup Instructions

Implementing a Weblogic Architecture with High Availability

CA Nimsoft Unified Management Portal

Installation, Configuration and Administration Guide

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

Cassandra Installation over Ubuntu 1. Installing VMware player:

C-Series How to configure SSL

Installation of the Shibboleth-Apache Authorisation Module. 2. Obtain and compile the Apache server software

Cloud Homework instructions for AWS default instance (Red Hat based)

Administering mod_jk. To Enable mod_jk

Installation Guide for WebSphere Application Server (WAS) and its Fix Packs on AIX V5.3L

Technical Report. Implementation and Performance Testing of Business Rules Evaluation Systems in a Computing Grid. Brian Fletcher x

Enabling SSL and Client Certificates on the SAP J2EE Engine

Setup a Virtual Host/Website

VMware Identity Manager Connector Installation and Configuration

Implementing HTTPS in CONTENTdm 6 September 5, 2012

Spectrum Spatial Analyst Version 4.0. Installation Guide for Linux. Contents:

PowerChute TM Network Shutdown Security Features & Deployment

Configuring BEA WebLogic Server for Web Authentication with SAS 9.2 Web Applications

Administrator s Guide June 2008

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Crypto Lab Public-Key Cryptography and PKI

Using Client Side SSL Certificate Authentication on the WebMux

Use Enterprise SSO as the Credential Server for Protected Sites

SSL Considerations for CAS: Planning, Management, and Troubleshooting. Marvin Addison Middleware Services Virginia Tech October 13, 2010

Installation Guide for contineo

LoadMaster SSL Certificate Quickstart Guide

Securing the OpenAdmin Tool for Informix web server with HTTPS

AN054 SERIAL TO WI-FI (S2W) HTTPS (SSL) AND EAP SECURITY

Linux Deployment Guide. How to deploy Network Shutdown Module for Linux

Transcription:

1 of 11 20/01/2009 9:56 AM Setting Up CAS with Ofbiz 5 This wiki explains how to setup and test CAS-Ofbiz5 integration and testing on a Centos 5.2 box called "elachi". In this configuration Ofbiz and the CAS server are both running on the same box. Supporting Applications Install some supporting applications if you don't have them already. Java 1.6 "Clean" way of installing Java: http://trac.arlnet.com/wiki/arlbasilsetup- Java#Java1.6.6install OR a quick-and-dirty way Download latest Java JDK RPM from http://java.sun.com for your CPU (32bit or 64bit). Then run the downloaded file. This will unzip and then try and rpm install so you will need root privileges. Setting Up CAS with Ofbiz 5 Supporting Applications Java 1.6 Apache Ant Maven (to build CAS Client and Server) Setting up Ofbiz 5 Check Out, Patch and Update Ofbiz Code Turn on Remote User Login in Ofbiz Setup Ofbiz Applications to Use CAS Client (Filter) Build and Integrate CAS Client into Ofbiz Configuring Ofbiz Application's web.xml Configure Ofbiz logout URL CAS Server Install Tomcat Building the CAS Server Configure Apache Setting up SSL Certificate Creating the Certificates Set up SSL on Apache Tell Java to Trust Our CA sudo sh jdk-6u11-linux-x64-rpm.bin (it will unpack and rpm install for you) We then need to tell the system to use Java 1.6 (latest) for running Java programs: alternatives --install /usr/bin/java java /usr/java/latest/bin/java 2 alternatives --config java And compiling Java programs: alternatives --install /usr/bin/javac javac /usr/java/latest/bin/javac 2 alternatives --config javac Next we need to set JAVA_HOME so Ant, Tomcat and Ofbiz know where to find Java: In ~/.bash_profile add: JAVA_HOME=<directory Java lives> export JAVA_HOME

2 of 11 20/01/2009 9:56 AM Apache Ant You will need this to build Ofbiz. Should be able to install it via yum. In ~/.bash_profile add: ANT_HOME=<directory Ant lives> export ANT_HOME Maven (to build CAS Client and Server) Should be able to install Maven via yum but if you can't it can be manually install by downloading the latest stable release from http://maven.apache.org/download.html. Then unpack it and place it somewhere sensible (I like /opt): sudo tar -zxvf apache-maven-2.0.9-bin.tar.gz -C /opt/ In ~/.bash_profile add: PATH=$PATH:/opt/apache-maven-2.0.9/bin export PATH Setting up Ofbiz 5 Check Out, Patch and Update Ofbiz Code In your home directory create a directory to put the Ofbiz code in and pull down revision 682577. (Why this revision? Because that's the version we had when we created the patch.) mkdir -p ~/projects/arl cd mkdir -p projects/arl svn co -r 682577 http://svn.apache.org/repos/asf/ofbiz/trunk ofbiz If our patch (https://issues.apache.org/jira/browse/ofbiz-1906) has been applied then just run: svn co http://svn.apache.org/repos/asf/ofbiz/trunk ofbiz

3 of 11 20/01/2009 9:56 AM and skip to the next section :-) If our patch has not been applied to the trunk download patch from https://issues.apache.org/jira/browse/ofbiz-1906: wget https://issues.apache.org/jira/secure/attachment/12387539/security-remoteuser_login.diff -O ~/security-remoteuser Then lets apply the patch (which is in our home dir) patch -b -p0 -i ~/security-remoteuser_login.diff -d ~/projects/arl/ofbiz/ patching file framework/common/webcommon/web-inf/common-controller.xml patching file framework/webapp/src/org/ofbiz/webapp/control/loginworker.java patching file framework/security/config/security.properties Ok now that we have applied the patch we can update Ofbiz to the latest reversion. cd ~/projects/arl/ofbiz/ svn update Turn on Remote User Login in Ofbiz CAS overloads the Session.getRemoteUser() method to return a remote user if CAS login was successful. We need to tell Ofbiz to look for users using the getremoteuser() method (this is basically our patch). Edit framework/security/config/security.properties and uncomment security.login.http.servlet.remoteuserlogin.allow=true: # -- HttpServletRequest getremoteuser() based ID (for integrations; uncomment to enable) security.login.http.servlet.remoteuserlogin.allow=true Setup Ofbiz Applications to Use CAS Client (Filter) We want Ofbiz web applications (accounting, e-commerce etc) to first talk to the CAS server before the goto the Ofbiz code. Once we are talking to Ofbiz the getremoteuser() method should have a username. To do this we need to install the latest CAS client jars and configure each applications web.xml file. Build and Integrate CAS Client into Ofbiz Download the latest client from: http://www.ja-sig.org/products/cas/downloads/index.html (you want the "JA-SIG CAS Java Client"). This will give you no documentation or jar files you need to build it :-)

4 of 11 20/01/2009 9:56 AM Untar the package and then goto the cas-client-core directory: cd cas-client-3.1.3/cas-client-core Inside the cas-client-core directory we will build the CAS client jar using Maven: mvn clean package This will create a target directory which contains the CAS client jar which we need to copy into Ofbiz so we can reference CAS classes in each application's web.xml: cp target/cas-client-core-3.1.3.jar <ofbiz home>/framework/base/lib/ We place the jar in <ofbiz home>/framework/base/lib/ directory because this is viewable by all applications. If you want to see the Java documentation for the CAS client run the following in cas-client-core: mvn javadoc:javadoc You can then point your browser at the file cas-client-core/target/site/apidocs/index.html to read the Javadoc. Configuring Ofbiz Application's web.xml For every application you want to have CAS protect you need to add the following to the application's WEB-INF/web.xml (changing host to what is appropriate for you setup Please note we will be setting up traffic to go through Apache so standard ports (80 and 443) are used). Make sure that for each section (<filter>, <filter-mapping>, <listener>) the CAS stuff stuff comes before the Ofbiz stuff. Filters:

5 of 11 20/01/2009 9:56 AM <!-- CAS Filter Stuff --> <filter> <filter-name>cas Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.singlesignoutfilter</filter-class> </filter> <filter> <filter-name>cas Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.authenticationfilter</filter-class> <init-param> <param-name>casserverloginurl</param-name> <param-value>https://elachi/authenticate_au/login</param-value> </init-param> <init-param> <param-name>servername</param-name> <param-value>elachi</param-value> </init-param> </filter> <filter> <filter-name>cas Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.cas10ticketvalidationfilter</filter-class> <init-param> <param-name>casserverurlprefix</param-name> <param-value>https://elachi/authenticate_au</param-value> </init-param> <init-param> <param-name>servername</param-name> <param-value>elachi</param-value> </init-param> </filter> <filter> <filter-name>cas HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.httpservletrequestwrapperfilter</filter-class> </filter> <!-- END: CAS Filter stuff --> Other filter tags Filter-Mappings:

6 of 11 20/01/2009 9:56 AM <!-- CAS Filter Mapping stuff --> <filter-mapping> <filter-name>cas Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>cas Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>cas Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>cas HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- END: CAS Filter Mapping stuff --> Other filter-mapping tags Listeners: <!-- CAS Listener stuff --> <listener> <listener-class>org.jasig.cas.client.session.singlesignouthttpsessionlistener</listener-class> </listener> <!-- END: CAS Listener stuff --> Other listener tags Repeat for each Ofbiz web application you want protected Configure Ofbiz logout URL In framework/common/webcommon/web-inf/common-controller.xml, change to:

7 of 11 20/01/2009 9:56 AM <request-map uri="logout"> <security https="true" auth="true"/> <event type="java" path="org.ofbiz.webapp.control.loginworker" invoke="logout"/> <response name="success" type="url" value="https://elachi/authenticate_au/logout"/> <response name="error" type="url" value="https://elachi/authenticate_au/logout"/> </request-map> Note: https://elachi/authenticate_au/logout is specific for the CAS server. CAS Server Install Tomcat "Clean" way of installing Tomcat: http://trac.arlnet.com/wiki/arlbasilsetup-java#tomcat5install OR a quick-and-dirty way Download latest stable release from http://tomcat.apache.org/download-60.cgi (download Core tar.gz) sudo tar -zxvf apache-tomcat-6.0.18.tar.gz -C /opt/ We are not going to talk to Tomcat server directly. Instead we will have Apache talk to Tomcat via AJP. So in <tomcat home>/conf/server.xml we can comment out all the other ports (8080 and 8443). We don't want Ofbiz's embedded Tomcat's AJP (running on 8009) to clash with CAS server's Tomcat so change AJP port to 9009: sudo vim /opt/apache-tomcat-6.0.18/conf/server.xml Start up the server: sudo sh /opt/apache-tomcat-6.0.18/bin/startup.sh Building the CAS Server The CAS server we are using is customised for ARLnet so you need to check it out of CVS (Maven will pull all the standard CAS libraries from the Internet). First we need to tell our box how to talk to the CVS server and were the CVS root directory is: export CVS_RSH="ssh" export CVSROOT=:ext:guy@turmeric:/var/lib/cvs Goto a temporary directory and checkout the Arlnet CAS server code:

8 of 11 20/01/2009 9:56 AM cvs checkout ArlnetCasServer Edit cas.properties to point to the right hosts and ports: sudo vim ArlnetCasServer/src/main/webapp/WEB-INF/cas.properties Edit deployerconfigcontext.xml to point to the right database with valid username and password: sudo vim ArlnetCasServer/src/main/webapp/WEB-INF/deployerConfigContext.xml Then we need to build the server with Maven (make sure your JAVA_HOME is defined): cd ArlnetCasServer mvn clean package Maven will download all stuff it needs, compile the code and then, in the target directory, package it all into a WAR file which we can deploy to our Tomcat server: sudo cp target/authenticate_au.war /opt/apache-tomcat-6.0.18/webapps/ Tomcat should pick up the application without a restart. Check the log /opt/apache-tomcat-6.0.18/catalina.out to make sure everything went OK. Configure Apache Have a look at http://sivel.net/2007/05/apache-tomcat-centos4/ for connecting Tomcat (embedded in Ofbiz) and Apache on Centos 4 (which does not have mod_proxy_ajp). If one is using Centos 5, which is what we are using in production, you might prefer to use mod_proxy and mod_proxy_ajp. In Centos 5 when you install apache it also installs mod_proxy and mod_proxy_ajp so all you need to do is: sudo yum install httpd-2.2.8-1 Then start the server: sudo /sbin/service httpd start Make sure when the machine is restarted Apache automatically comes up: sudo /sbin/chkconfig httpd on We then create a configuration file that knows how to redirect traffic to Ofbiz and CAS when a user hits our server with the name (elachi). We

9 of 11 20/01/2009 9:56 AM also tell Apache which SSL certificates we want to use for this domain. We create the file in /etc/httpd/conf.d where apache will pick the configuration automatically (don't need to edit http.conf). Because the configurations are loaded in alphabetical order and we want the Proxy and SSL files read first we prefix the file with zzz so it will be read last: sudo vim /etc/httpd/conf.d/elachi.conf Should look something like: <VirtualHost *> ServerName elachi ProxyTimeout 300 ProxyStatus On ProxyPass /accounting/ ajp://localhost:8009/accounting/ keepalive=on ProxyPass /admin/ ajp://localhost:8009/admin/ keepalive=on ProxyPass /arlnet_images/ ajp://localhost:8009/arlnet_images/ keepalive=on ProxyPass /catalog/ ajp://localhost:8009/catalog/ keepalive=on ProxyPass /content/ ajp://localhost:8009/content/ keepalive=on ProxyPass /doc/ ajp://localhost:8009/doc/ keepalive=on ProxyPass /images/ ajp://localhost:8009/images/ keepalive=on ProxyPass /interface/ ajp://localhost:8009/interface/ keepalive=on ProxyPass /ordermgr/ ajp://localhost:8009/ordermgr/ keepalive=on ProxyPass /partymgr/ ajp://localhost:8009/partymgr/ keepalive=on ProxyPass /shop/ ajp://localhost:8009/shop/ keepalive=on ProxyPass /user/ ajp://localhost:8009/user/ keepalive=on ProxyPass /webtools/ ajp://localhost:8009/webtools/ keepalive=on ProxyPass /authenticate_au/ ajp://localhost:9009/authenticate_au/ keepalive=on SSLEngine on SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLCACertificateFile /etc/httpd/ssl/ca.crt SSLCertificateFile /etc/httpd/ssl/server.crt SSLCertificateKeyFile /etc/httpd/ssl/server.key.nopass </VirtualHost> DON'T PANIC at this point the server won't restart because we haven't set up the SSL certificates. Read on. Setting up SSL Certificate We must setup some certificate things in order to get Ofbiz's Java to trust CAS's Java and vice versa. First we want to set up a self signed certificate ie:

10 of 11 20/01/2009 9:56 AM Create a key (CAK) and certificate (CAC) for fake Certificate Authority (CA) Create a key (SK) and Certificate Signing Request (SCSR) for our server Have our fake CA sign the CSR with their key and then produce a certificate (SC) for our server. and then we tell Apache and Java (which is running CAS and Ofbiz) to trust us. Creating the Certificates The process described here is from http://www.perturb.org/display/entry/754/. Goto a directory where you can play (I am using ~/tmp) 1. CAK - First lets create the Certificate Authority private key (using openssl): openssl genrsa -des3 -out ca.key 4096 2. CAC - We then create a certificate that is sign with our own key: openssl req -new -x509 -days 3650 -key ca.key -out ca.crt 3. SK - Now lets generate the private key for your server 4. openssl genrsa -des3 -out server.key 4096 SCSR - Create a CSR (certificate signing request) which we will later sign with our CA key. Please note that your answers to the questions are not very import except Common Name this should be exactly match the name of the server you want to use (in my case "elachi" note not www.elachi or elachi.arlnet.com doesn't matter as long as consistent): openssl req -new -key server.key -out server.csr 5. SC - Sign the CSR with the CA key we made earlier: 6. openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt Optionally remove the password from your key (if you do this protect your key!!!). We want to do this otherwise every time Apache is started the password needs to be entered.. not useful on development machine. Set up SSL on Apache openssl rsa -in server.key -out server.key.nopass Now we have the CA certificate (which we want Apache to trust), the server's private key (which we use to encrypt SSL traffic) and the server's certificate (which clients can use) we want to put them somewhere Apache can use them so:

11 of 11 20/01/2009 9:56 AM sudo mkdir /etc/httpd/ssl sudo cp ca.crt /etc/httpd/ssl/ sudo cp server.crt /etc/httpd/ssl/ sudo cp server.key.nopass /etc/httpd/ssl/ Note that in zzz_elachi.conf we have told Apache where to find these files: SSLEngine on SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire SSLCACertificateFile /etc/httpd/ssl/ca.crt SSLCertificateFile /etc/httpd/ssl/server.crt SSLCertificateKeyFile /etc/httpd/ssl/server.key.nopass IMPORTANT The file /etc/httpd/conf.d/ssl.conf has a virtual domain defined that overlapes our and has another SSL certificate defined this causes greif to some newer browsers to open the ssl.conf file and comment out all the lines starting from <VirtualHost _default_:443> till (and including) </VirtualHost>. At this point you should be able to start the httpd server: sudo /sbin/service httpd restart Then point your browser at your server i.e. https://elachi/ and tell it to trust the certificate. Tell Java to Trust Our CA For Ofbiz and CAS (running in Tomcat), which are both running in Java VMs, to trust us we need to tell Java to trust our fake certificate authority. To do this we add our certificate authority's certificate to Java's trusted CA keystore. Make sure you do this for all the versions of Java you are using i.e. if you are using Java 1.5 for Ofbiz and 1.6 for CAS both versions need to trust our CA: Import our CA cert (password for keystore is "changeit") into "latest" Java version's CA certificate keystore: sudo /usr/java/latest/bin/keytool -import -trustcacerts -file ~/tmp/ca.crt -alias elachica -keystore /usr/java/latest/ It is a good idea to restart CAS (Tomcat) and Ofbiz so they load the new keystore entry. Now it should all work. Point your browser at something like https://elachi/accouting/ and you should be grilled by CAS and then forwarded to Ofbiz.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information