
Monday, December 16, 2013

Liferay CAS Integration Part-1


CAS Introduction:

CAS is a service that provides central authentication. Users who belong to many different applications can be authenticated by CAS. We deploy CAS in an application server and then use that CAS server to perform authentication for all our applications. CAS is the best solution for Single Sign On and Single Sign Out.

If we have multiple web applications, we need not implement authentication in each application; instead we use CAS to authenticate users, and a user may belong to any application.

To do so we need to create multiple data sources for CAS so that CAS can authenticate against the configured data sources.

We can configure different kinds of data sources for CAS, such as a JDBC data source that connects to relational databases and an LDAP data source that connects to LDAP servers. Apart from LDAP and JDBC, CAS supports many others.

We already know CAS is a service, and we need a client to consume that service. CAS therefore provides different types of clients to support cross-platform applications; there are CAS clients for many application platforms.

How CAS is working?

CAS is a ticket-based service: it works on the basis of tickets and their validation.
Initially, when a user sends his/her credentials to CAS for authentication, CAS issues a TGT (Ticket Granting Ticket) once the user is found in the data source, i.e. after successful authentication by CAS.

Once we have the TGT, we pass the TGT and the service URL to CAS; CAS then issues a Service Ticket and redirects to the URL we provided as the service URL, and the service ticket is stored in cookies.

When we are redirected to the service URL (the client application), the client obtains the service ticket and sends the service ticket together with the client application URL to CAS, which validates the ticket on behalf of that application URL.

If the validation succeeds, CAS returns the user principal (username/password) and the client application creates a session for the user in the application.

In the application we use the CAS client library to obtain service tickets and to validate them on behalf of the client application URL / service URL.

Note:

The service URL is nothing but the current client application URL for which we are using the CAS service.
Generally we call the CAS login URL with the username, password and service URL to get a service ticket.
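The ticket exchange described above (credentials yield a TGT, the TGT plus a service URL yields a Service Ticket, the application validates the ST on behalf of its own URL) can be modelled in a few lines. The following is an added example written for this page; it is not code from the CAS project or from Liferay, and the user table, ticket lifetime and service URLs are constructed for the demonstration. It goes slightly beyond the text by also showing the two properties a CAS client relies on: a service ticket is bound to the exact service URL it was issued for, and it can be validated only once.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential store standing in for the JDBC data source that CAS
# authenticates against (hypothetical users, not from the original post).
USERS = {"meera": "s3cret", "alice": "wonderland"}

TICKET_LIFETIME_SECONDS = 300


@dataclass
class Ticket:
    principal: str
    service: Optional[str]   # None for a TGT, the service URL for an ST
    issued_at: float
    used: bool = False


class CasServer:
    """Minimal in-memory model of the CAS login / serviceValidate exchange."""

    def __init__(self, users: Dict[str, str]):
        self.users = users
        self.tgts: Dict[str, Ticket] = {}
        self.sts: Dict[str, Ticket] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        # Credentials are checked against the data source; success yields a TGT.
        if self.users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = Ticket(username, None, time.time())
        return tgt

    def grant_service_ticket(self, tgt: str, service: str) -> Optional[str]:
        # The TGT (normally presented as a cookie) plus the service URL yields
        # an ST that is bound to exactly that service URL.
        holder = self.tgts.get(tgt)
        if holder is None or time.time() - holder.issued_at > TICKET_LIFETIME_SECONDS:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = Ticket(holder.principal, service, time.time())
        return st

    def service_validate(self, st: str, service: str) -> Optional[str]:
        # The client application validates the ST on behalf of its own URL.
        # Validation fails if the ST is unknown, already consumed, expired,
        # or was issued for a different service URL.
        ticket = self.sts.get(st)
        if ticket is None or ticket.used or ticket.service != service:
            return None
        if time.time() - ticket.issued_at > TICKET_LIFETIME_SECONDS:
            return None
        ticket.used = True
        return ticket.principal


def sso_demo() -> dict:
    """Walk two applications through one CAS login and return what each saw."""
    cas = CasServer(USERS)
    portal = "https://localhost:8443/c/portal/login"      # constructed service URLs
    other_app = "https://localhost:8443/other/login"

    tgt = cas.login("meera", "s3cret")
    st_portal = cas.grant_service_ticket(tgt, portal)
    st_other = cas.grant_service_ticket(tgt, other_app)   # SSO: no second login

    return {
        "wrong_password": cas.login("meera", "nope"),
        "portal_user": cas.service_validate(st_portal, portal),
        "portal_replay": cas.service_validate(st_portal, portal),
        "other_user": cas.service_validate(st_other, other_app),
        "st_for_wrong_service": cas.service_validate(
            cas.grant_service_ticket(tgt, portal), other_app),
    }


if __name__ == "__main__":
    for step, result in sso_demo().items():
        print(f"{step}: {result}")
```

Running the demo shows one login serving two applications, while a replayed ticket and a ticket presented by the wrong service URL both validate to nothing.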

How does liferay support CAS?

Liferay already has a CAS client built in, so we only need to supply the CAS service information to enable CAS in Liferay. These are just administration settings in Liferay once the CAS server is ready.

What is SSO?

SSO stands for Single Sign On: if we have multiple applications, we need not ask for user credentials in each application; instead we authenticate the user with CAS and use the CAS tickets to log in to the other applications, so the user does not need to enter credentials for each application login.

Note:

To implement CAS SSO we need to use the HTTPS protocol; SSO needs a secure protocol. HTTPS uses the Secure Socket Layer mechanism to send data between server and client.

How SSL is working?

To enable SSL on a server we need to create SSL certificates and add those certificates to the server's JRE environment. Generally all certificates are kept in the jre\lib\security directory. An SSL certificate has public and private keys along with an encryption algorithm such as RSA or SHA.
In a real environment we purchase these SSL certificates from vendors, who issue them to us.

For our development environment we create self-signed SSL certificates using the Java keytool or other tools such as OpenSSL.

How does https work?

When we use the HTTPS protocol, data transferred between server and client is encrypted using the SSL certificate, with the help of the public key, private key and encryption algorithm.

When the CAS server and the client application reside on two different machines or two different servers that use different JREs, we need to share the same certificate with both servers' JREs. Otherwise we get encryption/decryption problems, i.e. an SSL handshake problem (PKIX exception).

When data travels from one server to the other, the same public key, private key and algorithm are required to encrypt or decrypt it; that is why the same SSL certificate must be shared with both server environments.

Now we have enough information about CAS. Next we use it in Liferay. We already know CAS is the service and Liferay is the client that uses the CAS service; Liferay already has CAS client support.

The following are the required steps to integrate CAS in Liferay.


  1. Create CAS server with JDBC support
  2. Create SSL certificate using java key tool
  3. Add SSL certificate to Server JRE
  4. Configure CAS server information In Liferay



Author
Meera Prince

Wednesday, September 26, 2012

Liferay CAS Issues and Solutions


1)      PKIX problem
2)      SSL handshaking problem
3)      No name matching your domain (www.localhost.com) found


Click following link you can get cas-web and its related files
Download


Steps to configure CAS in Liferay 6.0.6
1)      Build the cas-web WAR file from the CAS server source code with your database credentials and your Liferay password algorithm (QueryDatabaseAuthenticationSHA1Base64.java).

2)      Copy the cas-web.war or the cas-web web application to the Tomcat webapps directory.


3)      Create an SSL certificate using keytool.

4)      Change the Tomcat server.xml file to enable the SSL port, i.e. the HTTPS protocol.


5)      Make sure the keystore file (Ex: localhost.keystore) is available in your Java bin folder.

6)      Modify the CASFilter.java and CASAutologinFilter.java files according to your requirements.


7)      Deploy the portal.

8)      Run the Tomcat server and test.
Problems and Solutions:
1)      PKIX problem

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


1)      This problem occurs because the trusted certificate is not available in the JRE, i.e. the SSL certificate we created is not present in the jre/lib/security folder.

2)      Generally, after we create the SSL certificate with keytool we export it and import it into the JRE, i.e. into the cacerts file (the default file for importing SSL certificates into the JRE), which is in the jre/lib/security folder.


Solution:

1)      Make sure whether the created SSL certificate has been imported into the cacerts file or not.

Procedure to check this:

Step: 1

Go to jre/lib/security

Compile InstallCert.java using the following command.

javac InstallCert.java

After it compiles successfully, run the class with the following command.

java InstallCert localhost:8443

We need to pass the domain name and the secure port number, i.e. your HTTPS port.
If you get the following output then the SSL handshake has failed, i.e. your certificate is not imported properly into the cacerts file and is not a trusted certificate.

Loading KeyStore \jre6\lib\security\cacerts...
Opening connection to localhost:8443...
Starting SSL handshake...

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.
provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Step: 2

Getting the PKIX problem means the SSL handshake failed for your certificate. In that case do the following.

At the prompt shown in the step above, enter 1 and press Enter. You will get the following output.



Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

  Version: V3
  Subject: CN=localhost, OU=vidyayug, O=vyug, L= hyd, ST=ap, C=In
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 1129473579651954554552730664834664064459539051598864058082387115962631728819634110255367718769683451438528187
923246533854744470790959477657386037636238098777089479256059697784394926741427654735994678054030193662669088404706890444
59364523220747231216704221781747262219695262340353839314222273672957748320603247
  public exponent: 65537
  Validity: [From: Tue Dec 14 15:13:51 SGT 2010,
               To: Mon Mar 14 15:13:51 SGT 2011]
  Issuer: CN=yong mook kim, OU=mkyong, O=mkyong, L=puchong, ST=PJ, C=my
  SerialNumber: [    4d07192f]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 38 E4 F4 D9 51 B1 5F C1   01 13 32 79 DE 97 26 58  8...Q._...2y..&X
0010: 13 08 F1 A0 33 DB B9 90   AF EE 9E AE B9 9B 68 7D  ....3.........h.
0020: DF E8 7D 79 9D 92 24 4A   76 C9 4C 28 DA 68 B0 62  ...y..$Jv.L(.h.b
0030: FF AB 27 03 5C DD 1F C8   77 A2 25 18 DF 0C DC FD  ..'.\...w.%.....
0040: D3 39 5D 18 B4 BA 4B 36   8C FD C5 80 FF F2 E3 4D  .9]...K6.......M
0050: 0A 28 57 B9 04 D8 25 F6   FB CA DA 13 0C 36 FB 02  .(W...%......6..
0060: 9A B3 B1 28 46 D1 8E C7   D9 1A 5B CE BB A6 6F FD  ...(F.....[...o.
0070: 6D F2 35 D9 95 43 6E 38   2A 56 E7 31 21 D9 F0 90  m.5..Cn8*V.1!...

]

Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

If you get the above output then your certificate is trusted. Here we need to note one thing. Generally, when we import the SSL certificate using keytool, by default it goes into the cacerts file. But if you look at the above screen you can see a jssecacerts file; it is created automatically when we run the above program.
Enter q to quit this process.
Step: 3
Run the InstallCert program again, passing the domain and SSL port as input:
java InstallCert localhost:8443
If you get the following output then the SSL handshake is successful, your certificate has been added to the jssecacerts file and it is a trusted certificate. Here you will get the message that the certificate is already trusted.
Here we need to note the CN=localhost; this is very important. Whatever the CN name is, you must use it in the CAS settings. Otherwise you will get "No name matching" for the URL.

20:42:38,109 ERROR [CommonUtils:294] java.security.cert.CertificateException: No name matching www.localhost.com found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching www.localhost.com found


Note: So whatever the CN name is, only that goes in your CAS settings.

Assuming your CN name is localhost, the following are your CAS settings:


So we have the solutions for
1)      PKIX
2)      No name matching your domain name
Still getting the PKIX problem?
Make sure which JRE your application server is using, i.e. the JVM used by your server; here we need to consider both the location and the version of the JRE.
Whatever JRE your server is using, make sure the trusted certificate is available in it, i.e. run the whole process above from that JRE location (jre/lib/security).
How to know which JRE our server is using?
From Eclipse (Windows environment):
Generally Eclipse creates the JRE in the following location:
C:/Program Files/Java
If you create the server from Eclipse, it uses the Eclipse default JRE until you specify a new one, i.e.
C:/Program Files/Java/jre
So you need to import the SSL certificate into this JRE using keytool, or run the whole process above from this location.
In Eclipse you can find which JRE your server is using:
Go to Window >> Preferences >> Java >> Installed JREs
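The "No name matching www.localhost.com found" error is hostname verification: the client compares the host in the CAS URL against the names the certificate carries, and CN=localhost simply does not name www.localhost.com. The following added example (written for this page, not code from Java, CAS or Liferay) reimplements that check in Python over certificate dictionaries in the shape returned by Python's ssl.getpeercert(); the two certificates are constructed, the first mirroring the post's CN=localhost certificate with no subjectAltName. It goes beyond the post in one respect: like Java's own checker, it prefers dNSName entries from the subjectAltName extension and only falls back to the CN when the certificate has none, and it accepts a wildcard only as the whole left-most label.

```python
from typing import Sequence, Tuple

# Constructed ssl.getpeercert()-style dictionaries for the demonstration.
# The first mirrors the post's certificate: CN=localhost, no SAN extension.
CERT_CN_LOCALHOST = {
    "subject": ((("commonName", "localhost"),),),
}
# The second is what a certificate issued for www.localhost.com would carry.
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.localhost.com"),),),
    "subjectAltName": (("DNS", "www.localhost.com"), ("DNS", "*.example.test")),
}


def _dns_names(cert: dict) -> Tuple[Sequence[str], bool]:
    """Return (names to match against, True if they came from the SAN).

    dNSName SAN entries take precedence; the subject CN is consulted only
    when the certificate has no DNS entry in its subjectAltName at all.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, True
    cns = [value for rdn in cert.get("subject", ())
           for (key, value) in rdn if key == "commonName"]
    return cns, False


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' is allowed only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*" anywhere but the first label, bare "*.tld", and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, hostname: str) -> None:
    """Raise with the same wording Java reports when nothing in the cert names the host."""
    names, _from_san = _dns_names(cert)
    if not any(_name_matches(name, hostname) for name in names):
        raise ValueError(f"No name matching {hostname} found (certificate names: {names})")


def matches(cert: dict, hostname: str) -> bool:
    try:
        check_hostname(cert, hostname)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cert, host in ((CERT_CN_LOCALHOST, "localhost"),
                       (CERT_CN_LOCALHOST, "www.localhost.com"),
                       (CERT_WITH_SAN, "www.localhost.com"),
                       (CERT_WITH_SAN, "foo.example.test")):
        print(host, "->", "ok" if matches(cert, host) else "no name matching")
```

The practical rule is the one the post gives: the host you put in the Liferay CAS settings (login URL, server URL) must be a name the certificate actually carries, which for the self-signed keytool certificate above means the CN you typed when creating it.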

Using Cygwin:
If you run the portal without Eclipse, you can find the JRE used by your server (Tomcat) as follows.
Run the which java command at the Cygwin prompt.
The resulting screen shows the location of java.
Go to that location and make sure the SSL handshake is successful for your domain.


If you start the server from the Cygwin prompt you can also see which JRE your server (Tomcat) is using.
Run the following command from your server's bin directory:
./startup.sh
The resulting screen tells you which JRE is in use. In that location you need to have the trusted certificates.
Pure Windows environment:
In a Windows environment the server generally uses the JRE named in the JAVA_HOME environment variable.
That is the JRE the server is using, and it is in this JRE that we need the trusted certificates.

Note:
1)      Identify the JRE and make sure the SSL handshake is successful in that location for your domain: from the jre/lib/security folder run the InstallCert.java program and give it the appropriate domain name and SSL port number.

2)      Make sure that whatever the CN name is, that is what you use in your CAS settings.

Ex:  CN=localhost
Your CAS settings should use localhost only.
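The "still getting PKIX?" section comes down to one question: which trust store does the JVM running Tomcat actually open? Two details from the post matter: a JDK installation keeps its runtime (and lib/security) under a jre subdirectory, which is not the same place as the public JRE Eclipse or JAVA_HOME may point at, and InstallCert writes a jssecacerts file that JSSE consults in preference to cacerts, so a certificate imported with keytool into cacerts is shadowed once jssecacerts exists. The following added example (written for this page, not code from Java, CAS or Liferay) resolves the effective trust store for a given installation using the standard JSSE lookup order; the two Java directory layouts it builds in a temporary directory are constructed, and the jre-subdirectory rule is stated for JDK 8 and earlier (Java 9+ has no jre directory, so the install directory is returned unchanged).

```python
import tempfile
from pathlib import Path
from typing import Mapping, Optional


def java_home_for(install_dir: Path) -> Path:
    """Map an installation directory to the JVM's java.home.

    On a JDK up to Java 8 the runtime lives in <install>/jre, so java.home
    (and therefore lib/security) is one level below the JDK root; a plain
    public JRE is its own java.home. Java 9+ installations have no jre/
    subdirectory and are returned unchanged (assumption, see lead-in).
    """
    jre = install_dir / "jre"
    return jre if jre.is_dir() else install_dir


def effective_truststore(java_home: Path,
                         system_props: Optional[Mapping[str, str]] = None) -> Optional[Path]:
    """Return the trust store JSSE will actually open for this runtime.

    Standard JSSE lookup order:
      1. -Djavax.net.ssl.trustStore=<path>, if the server was started with it
      2. <java.home>/lib/security/jssecacerts  (the file InstallCert writes)
      3. <java.home>/lib/security/cacerts      (keytool's usual import target)
    """
    props = system_props or {}
    if props.get("javax.net.ssl.trustStore"):
        return Path(props["javax.net.ssl.trustStore"])
    security = java_home / "lib" / "security"
    for name in ("jssecacerts", "cacerts"):
        candidate = security / name
        if candidate.is_file():
            return candidate
    return None


def demo() -> dict:
    """Build two constructed Java layouts in a temp dir and report which store each consults."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # JDK layout: the certificate was imported with keytool into the JDK's cacerts.
        jdk = root / "jdk1.6.0"
        (jdk / "jre" / "lib" / "security").mkdir(parents=True)
        (jdk / "jre" / "lib" / "security" / "cacerts").write_bytes(b"")
        # Public JRE layout after InstallCert has been run: jssecacerts now sits
        # beside cacerts and shadows it.
        public_jre = root / "jre6"
        (public_jre / "lib" / "security").mkdir(parents=True)
        (public_jre / "lib" / "security" / "cacerts").write_bytes(b"")
        (public_jre / "lib" / "security" / "jssecacerts").write_bytes(b"")

        def rel(path: Optional[Path]) -> Optional[str]:
            return None if path is None else path.relative_to(root).as_posix()

        return {
            "jdk": rel(effective_truststore(java_home_for(jdk))),
            "public_jre": rel(effective_truststore(java_home_for(public_jre))),
            "override": str(effective_truststore(
                java_home_for(jdk),
                {"javax.net.ssl.trustStore": "/opt/tomcat/conf/truststore.jks"})),
            "empty": rel(effective_truststore(root / "missing")),
        }


if __name__ == "__main__":
    for scenario, store in demo().items():
        print(f"{scenario}: {store}")
```

Point java_home_for at the directory your server really starts from (the Eclipse JRE, JAVA_HOME, or the output of which java) and the returned path is the file your imported certificate must be in; if it is jssecacerts, an import into cacerts alone will keep producing the PKIX error.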




