inab / rd-connect-cas-overlay

RD-Connect CAS overlay
Apache License 2.0

Install cas as Administrator #5

Closed dpiscia closed 9 years ago

dpiscia commented 9 years ago

CAS server should be deployed in a Tomcat managed by the CNAG administrator.

miguelbernadi commented 9 years ago

Installed and setup as service with automatic start on boot. The public interface no longer has CAS ports enabled, so all communications need to be done through the internal interface: 10.10.0.53

jmfernandez commented 9 years ago

Now no port (but the SSH one) can be reached through a VPN connection. I understand your approach due to security reasons. But as we are still developing and testing the whole CAS environment, this security measure forces us to use remote Firefox instances through SSH tunnelling, which are between fairly slow (in the best cases) and very slow when we are testing.

In any case, the system's Tomcat instance is not properly set up, as it is not using the proper SSL ports. Also, it is not using the proper Java keystore, we need a user and a password to deploy Tomcat applications using the Tomcat internal protocol, etc...

Meanwhile, we are keeping our user instance running, so the CAS service is kept working.

miguelbernadi commented 9 years ago

Ok. Sorry, I have just reopened the 9443 port to the public interface.

In order to fix the issues you are pointing out, I need the local user's instance to be stopped so the tests I'm doing are meaningful. Also, I need explanations about the following:

I just daemonized and set up a parallel installation of the settings in the already working version, which is what I was asked for.

acanada commented 9 years ago

Thank you!

I have stopped the user's instance. Answering your questions, we just need port 9443, and we are planning to deploy the CAS management interface as well as another app to manage users (we haven't decided between candidates). With Java keystore we mean that credentials have to be available to the Tomcat in order to complete the chain of trust. In our user version we have this "tomcat-server.jks" at "/home/acanada/etc/ssl/rdconnect_demo_CA/tomcat-server.jks", then the configuration of the connector is, in our case:

<Connector port="9443" protocol="HTTP/1.1" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="/home/acanada/etc/ssl/rdconnect_demo_CA/tomcat-server.jks" truststoreFile="/home/acanada/etc/ssl/rdconnect_demo_CA/tomcat-server.jks" />


miguelbernadi commented 9 years ago

@acanada Now the CAS server can be started correctly, but an error message stating the application is unauthorized to use the CAS appears. Do you know which could be the cause?

I also tried to deploy the cas-manager app and it's failing with an exception at the beginning of the constructor for messageInterpolator. Do you know what it could be about?

I will disconnect the server now and restore your home's server so tomorrow we can devote more time to fix it properly.

acanada commented 9 years ago

It looks like the server cannot read the tomcat-server.jks properly. Probably because you need to add a keystorePass to the configuration(?). I have the same messageInterpolator error for the cas-manager. I will tell you the solution when I get to it.

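The connector posted earlier in this thread and the later suspicion that a keystorePass is missing both come down to how Tomcat fills in the attributes an SSL connector omits. The following audit script is an added example written for this page, not code from the RD-Connect project: it parses a constructed server.xml fragment (the first connector reproduces the one posted above, the second is an assumed corrected form using a system path and a placeholder password) and reports the defaults Tomcat would silently apply. The system path /etc/tomcat/ssl and the value REPLACE_ME are assumptions, not taken from the thread.

```python
"""Audit Tomcat server.xml <Connector> elements for the TLS set-up mistakes discussed here."""
import xml.etree.ElementTree as ET

# Tomcat's documented fallbacks when the attributes are absent:
#   keystorePass   -> "changeit"
#   keystoreFile   -> ~/.keystore of the user running Tomcat
#   truststorePass -> the value of keystorePass
TOMCAT_DEFAULT_KEYSTORE_PASS = "changeit"

# Constructed sample. Connector 1 is the one posted in the issue (no keystorePass, keystore in a
# user home). Connector 2 is an assumed corrected form; the password value is a placeholder.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" connectionTimeout="20000"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/home/acanada/etc/ssl/rdconnect_demo_CA/tomcat-server.jks"
               truststoreFile="/home/acanada/etc/ssl/rdconnect_demo_CA/tomcat-server.jks" />
    <Connector port="9443" protocol="HTTP/1.1" connectionTimeout="20000"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/etc/tomcat/ssl/tomcat-server.jks"
               keystorePass="REPLACE_ME"
               truststoreFile="/etc/tomcat/ssl/tomcat-server.jks"
               truststorePass="REPLACE_ME" />
  </Service>
</Server>
"""


def audit_connector(conn):
    """Return a list of human-readable findings for one <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append(f"port {port}: SSLEnabled is not true, this is a plaintext connector")
        return findings
    if conn.get("scheme") != "https" or conn.get("secure", "false").lower() != "true":
        findings.append(f'port {port}: SSL connector should set scheme="https" secure="true"')

    keystore = conn.get("keystoreFile")
    if keystore is None:
        findings.append(f"port {port}: no keystoreFile, Tomcat will look for ~/.keystore "
                        "of the service user")
    elif keystore.startswith("/home/"):
        findings.append(f"port {port}: keystoreFile {keystore} lives in a user home; "
                        "a system service should not depend on a user's files")

    if "keystorePass" not in conn.attrib:
        findings.append(f"port {port}: no keystorePass, Tomcat will try the default "
                        f"'{TOMCAT_DEFAULT_KEYSTORE_PASS}' and fail to open the keystore "
                        "if the real password differs")

    truststore = conn.get("truststoreFile")
    if truststore and "truststorePass" not in conn.attrib:
        findings.append(f"port {port}: no truststorePass, Tomcat falls back to keystorePass")
    if truststore and truststore == keystore:
        # Not a fault by itself: the connector truststore only governs client-certificate
        # authentication; CAS's own outbound TLS validation uses the JVM truststore.
        findings.append(f"port {port}: truststoreFile is the same file as keystoreFile "
                        "(only relevant if client-certificate auth is enabled)")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in document order; returns one findings list per connector."""
    root = ET.fromstring(xml_text)
    return [audit_connector(conn) for conn in root.iter("Connector")]


if __name__ == "__main__":
    for index, findings in enumerate(audit_server_xml(SERVER_XML), start=1):
        print(f"Connector {index}:")
        for line in findings or ["no findings"]:
            print("  -", line)
```

Run against the sample, the first connector reports the missing keystorePass (the "cannot read the tomcat-server.jks" symptom), the user-home keystore path, and the truststore defaults; the second reports only the informational note about reusing the keystore as the truststore.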