Liferay、Zimbra和Processmaker与CAS的单点登陆集成

一.搭建CAS服务器

1.1 CAS下载 http://downloads.jasig.org/

推荐搭建在独立的服务器上

启用Tomcat SSL

编辑 $LIFERAY_HOME/conf/server.xml,反注释SSL配置段,如下:

1.2 使用JDK工具keytool生成SSL证书

在任何目录(我在HOME)下使用命令:

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

将生成.keystore在$HOME下。
注意:在输入What is your first and last name? 时请使用你的hostname(参考/etc/hosts文件),不要用IP。或者使用hostname命令查看
整个过程如下:

daniel@daniel-desktop:~$ keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: daniel-desktop
What is the name of your organizational unit?
[Unknown]: SEE
What is the name of your organization?
[Unknown]: Jinfonet
What is the name of your City or Locality?
[Unknown]: Kunming
What is the name of your State or Province?
[Unknown]: Yunnan
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=daniel-desktop, OU=SEE, O=Jinfonet, L=Kunming, ST=Yunnan, C=CN correct?
[no]: yes

从keystore中导出证书并将此证书导入到JRE中:

daniel@daniel-desktop:~$ keytool -export -alias tomcat -keypass changeit -file server.cert

这个server.cert以后还会用到,下面的这个导入方法适用于使用的是系统的jre的情况下,下面会介绍其他的情况
daniel@daniel-desktop:~$ keytool -import -alias tomcat -file server.cert -keypass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

测试SSL连接

访问https://daniel-desktop:8443/cas 成功

1.3 CAS登录验证

在CAS的验证页面,使用test作为帐号,test作为密码(只要帐号==密码就可以了),测试一下能不能通过CAS的验证。结果应该是可以通过,但是跳转也没无任何显示。因为我们并没有真正通过我们的帐号验证。其实CAS也是可以和ldap或者mysql集成的,请参考其他资料 =)

二. Liferay与CAS的单点登陆集成

Liferay的设置相对比较简单,只需要使用之前的server.cert,并导入到自己的jre中的cacerts文件即可,注意网上下载的liferay都是自带jre的。

之后需要往lib中加入cas-client-3.2.0-release包。

然后打开web页面,已管理员账户登陆liferay,选择顶部:管理-控制面板-门户-设置-认证-开启CAS,填写相关的CAS服务器地址,注意不能使用localhost或ip,必须要主机名或者域名

之后可以测试点击主页面的登陆和登出,都会跳转到CAS的认证页面。

三. Zimbra与CAS的单点登陆集成

CAS( Central Authentication Service)是由JA-SIG开发的一套开源的单点登录系统,在教育行业有着非常广泛的应用,有不少企业也在使用它。CAS的特点是安全性非常高,可维护性高。下面详细描述一下如何实现ZCS与CAS的集成。

1.配置ZCS的CACert keystore

在zimbra用户下执行以下脚本,将CAS的服务器证书(证书或证书链)导入到ZCS的CACert keystore中:

/opt/zimbra/java/bin/keytool -import -file casserver.cert -alias cascert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -import -file casserver.chain -alias caschain -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

复制代码

2.部署CAS客户端

[li]从http://www.ja-sig.org/downloads/cas-clients/下载客户端软件包。3.1.x版本的客户端可以与ZCS 6.0.x、CAS服务器. 3.3.x一起工作。[/li][li]复制cas-client-core-3.1.x.jar文件到/opt/zimbra/jetty/common/lib目录。
[/li]

3.修改ZCS的配置文件

3.1 zimbra应用

将下列代码加入到/opt/zimbra/jetty/etc/zimbra.web.xml文件中,插入位置应在前(约230行),然后替换cas.url.com:port和 zimbra.url.com:port。
默认的端口:CAS为8443,ZCS为443或80。


CasSingleSignOutFilter
org.jasig.cas.client.session.SingleSignOutFilter


CasSingleSignOutFilter
/*

org.jasig.cas.client.session.SingleSignOutHttpSessionListener


CasAuthenticationFilter
org.jasig.cas.client.authentication.AuthenticationFilter
casServerLoginUrl https://cas.url.com:port/cas/login
serverName https://zimbra.url.com:port


CasAuthenticationFilter
/public/preauth.jsp


CasValidationFilter
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
casServerUrlPrefix https://cas.url.com:port/cas
serverName https://zimbra.url.com:port
redirectAfterValidation true


CasValidationFilter
/*


CasHttpServletRequestWrapperFilter
org.jasig.cas.client.util.HttpServletRequestWrapperFilter


CasHttpServletRequestWrapperFilter
/*

复制代码

3.2 zimbraAdmin应用

针对/opt/zimbra/jetty/etc/zimbraAdmin.web.xml文件进行同上一步的操作(插入内容、替换关键字)。
ZCS管理控制台的默认端口是7071。

4.建立PreAuth键

在zimbra用户身份下执行以下脚本:
[pre]

zmprov gdpak yourdomain.com

复制代码

[/pre]将会得到这样的PreAuth键值: “359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9″。

5.建立preauth.jsp文件

5.1 zimbra应用

[li]将附件(附件为ZIP压缩文件,请将扩展名由GIF改为ZIP后打开)中的preauth.jsp-zimbra复制为: /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp[/li][li]用上一步提到的PreAuth键值替换其中的DOMAIN_KEY[/li][li]替换第90处的domainname.com[/li]

5.2 zimbraAdmin应用

[li]将 preauth.jsp-zimbraadmin复制为: /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp[/li][li]用上一步提到的PreAuth键值替换其中的DOMAIN_KEY[/li][li]替换第92处的domainname.com[/li]

6.替换登录和注销URL

以zimbra用户身份执行以下脚本,替换ZCS默认的登录和注销URL:
[pre]

zmprov md yourdomain.com zimbraWebClientLoginURL https://zimbra.url.com:port/zimbra/public/preauth.jsp
zmprov md yourdomain.com zimbraWebClientLogoutURL https://cas.url.com:port/cas/logout
zmprov md yourdomain.com zimbraAdminConsoleLoginURL https://zimbra.url.com:port/zimbraAdmin/public/preauth.jsp
zmprov md yourdomain.com zimbraAdminConsoleLogoutURL https://cas.url.com:port/cas/logout

复制代码

实践证明,使用zmprov mcf zimbraWebClientLogoutURL http://www.monSiteAuth.com 更好

默认端口同前。
7.重启ZCS

以zimbra身份运行zmcontrol restart命令重启ZCS服务。

四. Processmaker与CAS的单点登陆集成

1. upload the CAS Client library to the /opt/processmaker/gulliver/thirdparty

2. modify /opt/processmaker/workflow/engine/methods/login/authentication.php code as below

add CAS method

At #26 to #40.

Code: Select all
require_once ‘CAS-1.0.1/CAS.php’; //这里要写自己的版本号
// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0,’oa.cybercloud.com’,8443,); //这里要写自己的CAS服务器地址和端口

// no SSL validation for the CAS server
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

if( phpCAS::isAuthenticated() == true )$casAuth = CASAuthIsTrue;

$_POST[‘form’][‘USR_USERNAME’] = phpCAS::getUser();
$_POST[‘form’][‘USR_PASSWORD’] = $casAuth;

3. modify /opt/processmaker/rbac/engine/classes/model/RbacUsers.php

change password check to CAS auth check. This is a tricky method. I use “password” as check CAS Authenticated or not. But I think this is not a good way. 😛

At line #71 & #72.
// if ( $aFields[‘USR_PASSWORD’] == md5 ($sPassword ) || ‘md5:’.$aFields[‘USR_PASSWORD’] === $sPassword) {
if ( $sPassword == CASAuthIsTrue) {

4. add javascript to submit form

/opt/processmaker/workflow/engine/xmlform/login/login.xml

在最后几行加入
document.login.submit();

五.Q&A

基本完成了CAS的单点集成登陆。

其他的一些问题:

1.出现如下异常:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

这是缺少安全证书时出现的异常,解决方案就是将你要访问的webservice的安全认证证书导入到客户端即可。以下是获取安全证书的一种方法

1,写一个程序专门获取安全证书,参考InstallCert.java

2.执行 java InstallCert hostname 比如

java InstallCert 192.168.1.137:8443

会看到如下信息:

java InstallCert ecc.fedora.redhat.com Loading KeyStore /usr/jdk/instances/jdk1.5.0/jre/lib/security/cacerts… Opening connection to ecc.fedora.redhat.com:443… Starting SSL handshake…

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038) at InstallCert.main(InstallCert.java:63) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145) at sun.security.validator.Validator.validate(Validator.java:203) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172) at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:158) at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:839) … 7 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216) … 13 more

Server sent 2 certificate(s):

1 Subject CN=ecc.fedora.redhat.com, O=example.com, C=US

Issuer CN=Certificate Shack, O=example.com, C=US
sha1 2e 7f 76 9b 52 91 09 2e 5d 8f 6b 61 39 2d 5e 06 e4 d8 e9 c7
md5 dd d1 a8 03 d7 6c 4b 11 a7 3d 74 28 89 d0 67 54

2 Subject CN=Certificate Shack, O=example.com, C=US

Issuer CN=Certificate Shack, O=example.com, C=US
sha1 fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
md5 72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or ‘q’ to quit: [1] 3.输入1,然后直接回车,会在相应的目录下产生一个名为‘jssecacerts’的证书。将证书copy到$JAVA_HOME/jre/lib/security目录下,或者通过以下方式

System.setProperty(“javax.net.ssl.trustStore”, “D:\UTA\DOC_E_Health_XML\Keystore\jssecacerts

Zimbra cacerts证书坏了之后,可以暂停了服务之后重新签发证书

用root执行

/opt/zimbra/bin/zmcertmgr createca -new

/opt/zimbra/bin/zmcertmgr deployca

/opt/zimbra/bin/zmcertmgr createcrt -new -days 7300

/opt/zimbra/bin/zmcertmgr deploycrt self

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

六. 参考资料

InstallCert.java

Preauth.jsp-zimbra

Preauth.jsp-zimbraAdmin

Liferay 5.1.1 安装与整合CAS
http://blog.csdn.net/DL88250/archive/2008/08/20/2802525.aspx

ZCS与CAS(Central Authentication Service)单点登录系统的集成
http://opengeek.cn/thread-151-1-1.html

ProcessMaker与CAS集成 http://forum.processmaker.com/viewtopic.php?f=9&t=930

使用 CAS 在 Tomcat 中实现单点登录 http://www.ibm.com/developerworks/cn/opensource/os-cn-cas/
【原创】CAS调研总结 http://www.iteye.com/topic/544899

ZCS证书的重新签发 http://opengeek.cn/thread-492-1-1.html