Wednesday, June 20, 2012

CAS - Install & Configure CAS Server on Ubuntu

Reference site: https://help.ubuntu.com/community/CentralAuthenticationService


1) Install Tomcat and Java on Ubuntu

   # sudo apt-get update
   # sudo apt-get install tomcat6
   OR
   # sudo aptitude install tomcat6
   # sudo apt-get install openjdk-6-jdk

   Verify the Java installation:
   # java -version

   Check that the package is installed:
   # dpkg --get-selections | grep jdk

2) Install Maven
   # sudo apt-get install maven2

3) Optionally you can install maven-ant-helper in case you decide to use Ant to create deployment tasks:

   # sudo apt-get install ant
   # sudo apt-get install maven-ant-helper

  
4) Configure the CAS Server build for Maven.
   Get the latest CAS server archive from JASig: http://www.ja-sig.org/downloads/cas
   (the commands below use 3.5.0-RC1; whatever version you download, use the same version string in every path that follows)
   # wget http://www.ja-sig.org/downloads/cas/cas-server-3.5.0-RC1-release.tar.gz
   # tar -xvzf cas-server-3.5.0-RC1-release.tar.gz
   # cd cas-server-3.5.0-RC1

5) Edit pom.xml
   # cd cas-server-webapp/
   # nano pom.xml

   and add the LDAP support module to the <dependencies> section:

<dependency>
    <groupId>${project.groupId}</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${project.version}</version>
</dependency>
   Save the file.

6) Edit server.xml
   # nano /var/lib/tomcat6/conf/server.xml   (on Ubuntu this directory is a symlink to /etc/tomcat6)

   Make sure these two connectors are present and not commented out:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

   Save the file. The 8443 connector needs the keystore added in step 11 before HTTPS will work.


7) Build the webapp in the cas-server-3.5.0-RC1/cas-server-webapp directory
  # cd cas-server-3.5.0-RC1/cas-server-webapp
  # mvn clean package

8) Replace the contents of Tomcat's ROOT webapp with the exploded WAR that Maven left under target/ (check the exact directory name after the build; it is cas-server-webapp-3.5.0-RC1 with Maven's default naming). Stop Tomcat and clear the default ROOT webapp first, so no stale files from the stock welcome page remain:
  # service tomcat6 stop
  # rm -rf /var/lib/tomcat6/webapps/ROOT/*
  # cd cas-server-3.5.0-RC1/cas-server-webapp/target/cas-server-webapp-3.5.0-RC1/
  # cp -Rp * /var/lib/tomcat6/webapps/ROOT/

9) Restart tomcat service
  # service tomcat6 restart
  OR
  # /etc/init.d/tomcat6 restart

10) Set up SSL (self-signed certificate) for Tomcat
  # keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore /etc/tomcat6/keystore
  # chown root:tomcat6 /etc/tomcat6/keystore && chmod 640 /etc/tomcat6/keystore

* You will be asked for the values that appear in the certificate your users see in the browser. Answer "first and last name" with the server's DNS name: it becomes the certificate CN, which the browser compares with the hostname in the URL, so a person's name there guarantees a warning. abc123 is only the example value used in this post; the keystore password is written in clear text into server.xml in step 11, so choose a real one and keep both files unreadable to other users (hence the chown/chmod above):
  Enter keystore password: abc123
  Re-enter new password: abc123
  What is your first and last name: sso.example.edu   (the CAS server's hostname, not a person)
  What is your organizational unit: OU
  What is the name of your organization: NOYO
  What is the name of your city or your locality: MyCity
  What is the name of your state or province: Saudi Arabia
  What is the two-letter country code for this unit:  uk
  Is the entered data correct: yes


11) Edit server.xml again and point the 8443 connector at the keystore
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/tomcat6/keystore"
           keystorePass="abc123" />
Save the file. keystorePass is stored in clear text, so server.xml must not be world-readable (the Ubuntu package already restricts /etc/tomcat6/server.xml to root and the tomcat6 group; keep it that way).

12) Restart tomcat service
  # service tomcat6 restart
  OR
  # /etc/init.d/tomcat6 restart


13) Make sure the firewall allows the ports actually in use: 8080 and 8443 on the CAS server (plus 443 once step 17 redirects it), and 389 from the CAS server to the LDAP server. 8009 is Tomcat's AJP port; it is only needed when an Apache front end with mod_jk talks to Tomcat, and then only from that host, so do not open it to the Internet. Note that 389 carries the LDAP simple bind, i.e. every user's password, in clear text; if the directory offers LDAPS use 636 instead.
    Test each port with telnet from the SSO server (and from the SSO server towards the LDAP server):
  # telnet  serverip 8443
  # telnet  serverip 8080
  # telnet  serverip 8009
  # telnet  serverldap_ip 389

14) Test the site in a browser >> http://serveraddress:8080

15) Configure deployerConfigContext.xml
# nano /var/lib/tomcat6/webapps/ROOT/WEB-INF/deployerConfigContext.xml

Inside the authenticationManager bean, in the <list> under <property name="authenticationHandlers">, add the LDAP handler below and remove the SimpleTestUsernamePasswordAuthenticationHandler that the default file ships with: it accepts any username whose password equals the username, so leaving it in the list keeps a login bypass next to your LDAP check. %u is replaced by the username the user typed and the resulting DN is used to bind:
----------------------------------------------------------------------------
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="cn=%u,ou=people,dc=student,dc=contoso,dc=edu,dc=sa" />
    <property name="contextSource" ref="contextSource" />
</bean>
----------------------------------------------------------------------------

And add this bean at top level, after the authenticationManager bean:
------------------------------------------------------------
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://serverldap_ip/</value>
        </list>
    </property>
    <property name="userDn" value="cn=admin,dc=it,dc=mycompany,dc=com"/>
    <property name="password" value="asdfgh"/>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key>
                    <value>java.naming.security.authentication</value>
                </key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
-----------------------------------------------------------
Save the file. Two caveats: ldap:// on port 389 sends each user's password to the directory in clear text, so use ldaps://serverldap_ip/ (port 636) wherever the directory supports it; and the manager credentials in userDn/password sit in clear text in this file, so restrict its permissions to root and the tomcat6 user. The fast-bind handler itself binds with the user's own DN and password; the manager account is only used by beans that do lookups through this contextSource (attribute resolution, for example).

16) Restart tomcat service
  # service tomcat6 restart

17) Redirect port 443 to 8443 so users reach CAS without typing a port (Tomcat stays unprivileged and keeps listening on 8443)
    The packets are addressed to this machine, so IP forwarding does not need to be enabled; a REDIRECT rule in the nat table is enough:
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

    The DNAT form works as well, with the server's own address as the target:
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination serverapps_ip:8443

    PREROUTING only sees traffic arriving from other hosts; to test from the server itself add the same rule to the OUTPUT chain (iptables -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8443). iptables rules are lost at reboot unless saved and restored at boot (iptables-save > /etc/iptables.rules plus a restore hook; see the reference links at the end of this post).

18) Test the site >> https://serveraddress/login (a certificate warning is expected with the self-signed certificate from step 10)

19) Test Login
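A check worth running after steps 15 and 16, and equally after step 8 of the FreeBSD post below, which edits the same deployerConfigContext.xml: the script that follows is an added example written for this page, not part of the original post or of the CAS project. It audits a deployerConfigContext.xml for the three things this procedure can leave behind: the default SimpleTestUsernamePasswordAuthenticationHandler still in the handler list, a plain ldap:// URL, and an LDAP manager password in a world-readable file. The XML it writes is constructed sample data; the dc=example,dc=edu DNs, the 192.0.2.10 address and the temp-file paths are placeholders, and on a real server you pass the deployed file (for example /var/lib/tomcat6/webapps/ROOT/WEB-INF/deployerConfigContext.xml) as the argument.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a deployed CAS 3.x
# deployerConfigContext.xml for the misconfigurations the procedure above
# can leave behind. Sample inputs are constructed below; on a real server
# pass the deployed file as the argument to audit_cas_context.

# Octal mode of a file: GNU stat on Linux first, BSD stat (FreeBSD) as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per finding; return 0 only when there is nothing to fix.
audit_cas_context() {
    file="$1"
    rc=0
    # Stock handler that accepts any user whose password equals the username.
    # It must be removed when the LDAP handler is added, or it remains a bypass.
    if grep -q 'SimpleTestUsernamePasswordAuthenticationHandler' "$file"; then
        echo "FAIL: $file still lists SimpleTestUsernamePasswordAuthenticationHandler"
        rc=1
    fi
    # The fast-bind handler sends every user's password in a simple bind;
    # over ldap:// (port 389) that password crosses the network in clear text.
    if grep -q 'ldap://' "$file"; then
        echo "WARN: $file binds over plain ldap://, use ldaps:// or StartTLS"
        rc=1
    fi
    # A manager password in the file means 'other' must have no access
    # (the tomcat user or group still needs to read it, so x40 or x00 is fine).
    if grep -q 'name="password"' "$file"; then
        case "$(file_mode "$file")" in
            *0) ;;
            *) echo "FAIL: $file holds an LDAP password but is world-readable"
               rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: the post's config if the test handler is left in,
# ldap:// is used and the file keeps the default 644 mode.
make_sample_bad() {
    f=$(mktemp "${TMPDIR:-/tmp}/cas-audit.XXXXXX")
    cat > "$f" <<'EOF'
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
      <property name="filter" value="uid=%u,ou=people,dc=example,dc=edu" />
      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="urls"><list><value>ldap://192.0.2.10/</value></list></property>
  <property name="userDn" value="cn=admin,dc=example,dc=edu"/>
  <property name="password" value="asdfgh"/>
</bean>
EOF
    chmod 644 "$f"
    echo "$f"
}

# Constructed sample: the same deployment after the fixes.
make_sample_good() {
    f=$(mktemp "${TMPDIR:-/tmp}/cas-audit.XXXXXX")
    cat > "$f" <<'EOF'
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
      <property name="filter" value="uid=%u,ou=people,dc=example,dc=edu" />
      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="urls"><list><value>ldaps://ldap.example.edu/</value></list></property>
  <property name="userDn" value="cn=admin,dc=example,dc=edu"/>
  <property name="password" value="asdfgh"/>
</bean>
EOF
    chmod 600 "$f"
    echo "$f"
}

# Demo run over both constructed files.
for sample in "$(make_sample_bad)" "$(make_sample_good)"; do
    if audit_cas_context "$sample"; then
        echo "OK: $sample"
    fi
    rm -f "$sample"
done
```

The mode test only looks at the "other" digit on purpose: Tomcat runs as its own user, so the file has to stay readable by that user or group (640 owned by root:tomcat6 on Ubuntu), and insisting on 600 would break a working deployment.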


----------------------------------------------------------------------------------- 
Reference site:

http://rackerhacker.com/2009/11/16/automatically-loading-iptables-on-debianubuntu/
http://stackoverflow.com/questions/2619798/setup-ssl-self-signed-cert-with-tomcat
https://help.ubuntu.com/community/IptablesHowTo

Wednesday, June 13, 2012

Howto - FreeBSD 9 CAS Server

After the new server is created and its IP and hostname are configured:

1. Download the latest diablo-jdk-freebsd and copy it to /usr/ports/distfiles
2. Download the latest tzupdater and copy it to /usr/ports/distfiles
3. cd /usr/ports/java/diablo-jdk16/ && make install clean
4. cd /usr/ports/www/tomcat6/ && make install clean
5. Install apache22 and enable both services in /etc/rc.conf:
apache22_enable="YES"
tomcat60_enable="YES"


6. Install mod_jk (the AJP connector Apache uses to talk to the servlet container): cd /usr/ports/www/mod_jk && make install clean
7. Configure Apache SSL (HTTPS) - refer to the Apache documentation

8. Edit /usr/local/etc/apache22/httpd.conf
Change this directive:
Listen 80 to Listen 443
(Apache then listens only on 443; the SSL virtual host in httpd-ssl.conf uses this socket, and step 13 removes the duplicate Listen there)

9. Make sure the mod_jk module is loaded at Apache start

Enable this in httpd.conf -> LoadModule jk_module libexec/apache22/mod_jk.so

10. Add this to httpd.conf -> Include etc/apache22/mod_jk.conf

11. Create a new file
# ee /usr/local/etc/apache22/mod_jk.conf

   And add this
  
        JkWorkersFile /usr/local/etc/apache22/workers.properties

        JkLogFile /var/log/jk.log
        JkShmFile /var/log/jk-runtime-status
        JkLogLevel error 


   Save mod_jk.conf

12. Create a new file
# ee /usr/local/etc/apache22/workers.properties
   and add this

worker.list=host-name-newsso01

worker.host-name-newsso01.port=8009
worker.host-name-newsso01.host=host-name-newsso01
worker.host-name-newsso01.type=ajp13
worker.host-name-newsso01.lbfactor=1

Save workers.properties

Note: replace every "host-name-newsso01" with your own server name. The .host value is the name or address Apache uses to reach Tomcat's AJP port (localhost when both run on the same box); AJP is unauthenticated, so 8009 should only be reachable from that Apache host.

13. Edit /usr/local/etc/apache22/extra/httpd-ssl.conf

Disable (comment out) Listen 443, which now lives in httpd.conf

Add this at the bottom of the file, inside the SSL virtual host, just before its closing </VirtualHost>:

JkMount /* host-name-newsso01
JkMount /*.jsp host-name-newsso01

Note: replace "host-name-newsso01" with your own server name. Every request on the HTTPS virtual host is now handed to Tomcat over AJP.

14. cd /usr/local/apache-tomcat-6.0/conf

15. ee server.xml

Make sure these connectors are present and not commented out. mod_jk connects to the AJP connector on 8009, the port workers.properties points at:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

In this setup Apache terminates TLS on 443, so the 8443 connector is optional; if you keep it, give it a keystore as in the Ubuntu post above, otherwise Tomcat logs an error for it at startup.

Save server.xml

16. Edit /etc/rc.conf and add these lines if not done yet (step 5)

apache22_enable="YES"
tomcat60_enable="YES"

Save rc.conf

17. Start Apache and Tomcat
# /usr/local/etc/rc.d/apache22 start
# /usr/local/etc/rc.d/tomcat6 start

18. Test access to Tomcat (non-secure) at http://servername:8080
Trying https://servername:8080 fails with "Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have". That is expected: the 8080 connector speaks plain HTTP only. HTTPS is provided by Apache on 443 once the certificate is installed below.

CONFIGURE CAS SERVER

1. Install Apache Maven

 # cd /usr/ports/devel/maven2 && make install clean ; rehash

2. Download the latest JASIG CAS Server from http://downloads.jasig.org/cas/ and save it in your home directory

3. Extract the downloaded CAS Server

For example, if the latest version is cas-server-3.4.11-release.tar.gz:

# tar -xzf cas-server-3.4.11-release.tar.gz

# cd cas-server-3.4.11/cas-server-webapp

# ee pom.xml and add the LDAP support module to the <dependencies> section:

<dependency>
    <groupId>${project.groupId}</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${project.version}</version>
</dependency>

save file

4. Run this command in the cas-server-3.4.11/cas-server-webapp directory

# mvn clean package

5. Stop Apache Tomcat

# /usr/local/etc/rc.d/tomcat6 stop

6. Replace all content in /usr/local/apache-tomcat-6.0/webapps/ROOT/ with the content of cas-server-3.4.11/cas-server-webapp/target/cas-server-webapp-3.4.11/

# rm -rf /usr/local/apache-tomcat-6.0/webapps/ROOT/*
# cd cas-server-3.4.11/cas-server-webapp/target/cas-server-webapp-3.4.11/
# cp -Rp * /usr/local/apache-tomcat-6.0/webapps/ROOT/

(On Ubuntu the webapp root is /var/lib/tomcat6/webapps/ROOT instead.)

7. Edit deployerConfigContext.xml

# ee /usr/local/apache-tomcat-6.0/webapps/ROOT/WEB-INF/deployerConfigContext.xml

8. In the <list> under <property name="authenticationHandlers"> of the authenticationManager bean, add the LDAP fast-bind handler and remove the default SimpleTestUsernamePasswordAuthenticationHandler (it accepts any username whose password equals the username, so leaving it in bypasses LDAP):
--------------------------------------------------------------------------------
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u,ou=people,dc=lms,dc=contoso,dc=edu,dc=my" />
    <property name="contextSource" ref="contextSource" />
</bean>
-------------------------------------------------------------------------------

and set the LDAP server address in the urls list of the contextSource bean (for the lms LDAP):

<value>ldap://xxx.xxx.xxx.xx/</value>

OR, if there is no contextSource bean yet, add one at top level (for LDAP):
------------------------------------------------------------
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="pooled" value="true"/>
    <property name="urls">
        <list>
            <value>ldap://xxx.xxx.xx.xx/</value>
        </list>
    </property>
    <property name="userDn" value="cn=admin,dc=it,dc=mycompany,dc=com"/>
</bean>
----------------------------------------------------------------
The fast-bind handler binds with the user's own DN and password, so userDn (together with a matching password property, not shown here) is only needed when other beans do lookups through this contextSource. As in the Ubuntu post, ldap:// carries every bind in clear text; use ldaps:// where the directory supports it.

9. Start apache tomcat

# /usr/local/etc/rc.d/tomcat6 start

10. Create the server key and CSR (reference: http://www.digicert.com/csr-creation-apache.htm)

11. Run this command in your home directory
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

-nodes writes server.key unencrypted, so the file must be readable by root only (chmod 400 server.key) and must never leave the server; only the CSR is sent to the CA.

** Check the subject details of the current HTTPS site, https://sso.contoso.edu.my: click the lock icon, view certificate details > Subject, and enter the same values when openssl prompts for them.

12. Get the CSR text from server.csr
- Open server.csr
- Copy the block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into Notepad (only the CSR; the private key in server.key is never pasted anywhere)
________________________________________________________________

(Common Name)CN :*.contoso.sdn.bhd
(Organization)O :Contoso Sdn Bhd (CONTOS)
(Locality) L :Shah Alam
(State) S :Selangor
(Country) C :MY
________________________________________________________________
The CN (or a wildcard covering it) has to match the hostname users type, e.g. sso.contoso.edu.my; otherwise browsers reject the certificate.

13. Register/create the new SSL certificate at DigiCert

- Log in to DigiCert
- Reissue action
- Get duplicate (to get a duplicate certificate)
- Paste the CSR from Notepad
- Server software: Apache
- Note: New SSO Staff
- Leave the other fields at their defaults
- Process


** Wait until you get the mail with the new certificate (cert.zip)

14. Download the cert > unzip it > copy the files to the SSO server (your home directory)

15. Create a cert folder under apache22

# cd /usr/local/etc/apache22/
# mkdir cert

17. Move the key and certificate files to this directory

# cd /home/you/
# mv server.key /usr/local/etc/apache22/cert
# mv DigiCertCA.crt /usr/local/etc/apache22/cert
# mv star_contoso_edu_my.crt /usr/local/etc/apache22/cert


** Make sure all three files are inside the cert folder

-rw-r--r-- 1 root wheel 3858 May 4 02:38 DigiCertCA.crt
-rw-r--r-- 1 root wheel 1679 May 4 02:37 server.key
-rw-r--r-- 1 root wheel 2450 May 4 02:38 star_contoso_edu_my.crt


** Once everything works, lock the permissions down. The certificates are public and may stay world-readable (chmod 444 *.crt), but the private key must not be: chmod 400 server.key (Apache reads it as root at startup, so nothing else needs access). In the listing above server.key is still 644, which is too open.

18.Configure SSL cert in your server.Edit httpd-ssl.conf

#ee /usr/local/etc/apache22/extra/httpd-ssl.conf

Enable these directives and point them at the right files:
____________________________________________________________________________

SSLCertificateFile "/usr/local/etc/apache22/cert/star_contoso_edu_my.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/cert/server.key"
SSLCertificateChainFile "/usr/local/etc/apache22/cert/DigiCertCA.crt"

____________________________________________________________________________

19.Test Config Apache
#apachectl configtest

20. Enable httpd-ssl.conf from the main Apache configuration, httpd.conf
# ee /usr/local/etc/apache22/httpd.conf

Uncomment this line: Include etc/apache22/extra/httpd-ssl.conf

21. Stop & Start Apache
# /usr/local/etc/rc.d/apache22 stop
# /usr/local/etc/rc.d/apache22 start


22. Now you should be able to access your CAS server at
https://servername/login

Done.
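Two checks I would run between steps 17 and 21, before Apache is restarted with the new files: that server.key is not readable by anyone but its owner, and that the reissued certificate really was issued for this server.key (a certificate paired with a key from an earlier CSR is the usual reason the SSL virtual host refuses to start). The script below is an added example written for this page, not part of the original post; it generates a throwaway self-signed key/cert pair with openssl so it runs offline, and the sso.example.edu subject, the temp directory and the "other.key" mismatch case are constructed test data. On the real server you call the functions with the files under /usr/local/etc/apache22/cert, with DigiCertCA.crt as the CA bundle for chain_ok.

```sh
#!/bin/sh
# Added example for this page (not part of the original post): sanity-check
# the files in the Apache cert directory before restarting apache22.
# A throwaway self-signed pair is generated so this runs offline; on the
# real server call the functions with /usr/local/etc/apache22/cert/... paths.

# Octal mode of a file: GNU stat on Linux first, BSD stat on FreeBSD.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 when only the owner can read the private key (mode x00), else 1.
# The post's "chmod 444 for all" fails this; use chmod 400 server.key.
key_mode_ok() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 when the RSA modulus in the key equals the one in the certificate,
# i.e. the certificate the CA returned was issued for this server.key.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1") || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$key_mod" = "$crt_mod" ]
}

# 0 when the certificate ($2) verifies against the CA bundle ($1)
# (DigiCertCA.crt in the post; the certificate itself for a self-signed one).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data: a self-signed pair with the post's 444 key mode,
# plus an unrelated key to show the mismatch case. Prints the directory.
make_test_pair() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/cert-check.XXXXXX")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=sso.example.edu/O=Example/C=MY' \
        -keyout "$d/server.key" -out "$d/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    chmod 444 "$d/server.key"
    chmod 400 "$d/other.key"
    echo "$d"
}

# Demo run over the constructed files.
dir=$(make_test_pair)
if key_mode_ok "$dir/server.key"; then
    echo "server.key mode ok"
else
    echo "server.key is readable by group/other: fixing with chmod 400"
    chmod 400 "$dir/server.key"
fi
if key_matches_cert "$dir/server.key" "$dir/server.crt"; then
    echo "server.key matches server.crt"
fi
if ! key_matches_cert "$dir/other.key" "$dir/server.crt"; then
    echo "other.key does NOT match server.crt (expected for the unrelated key)"
fi
if chain_ok "$dir/server.crt" "$dir/server.crt"; then
    echo "certificate verifies against the given CA bundle"
fi
rm -rf "$dir"
```

The modulus comparison is the same test mod_ssl performs when it loads SSLCertificateFile and SSLCertificateKeyFile, so a mismatch caught here is one less failed apachectl start; chain_ok with DigiCertCA.crt catches a missing or wrong intermediate before the first browser does.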

How To Connect To Amazon EC2 Linux Instance Using PuTTY Private Key On Windows

When first setting up an Amazon EC2 server, you receive an SSH private key to connect to the instance. Example: contoso.pem

Convert Amazon EC2 PEM files to PPK
Open PuTTYgen; if you don't have PuTTYgen, you can download it from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


OR use the PuTTYgen bundled with WinSCP: Windows Start Menu -> All Programs -> WinSCP -> Key Tools -> PuTTYgen
  • Now click Conversions > Import.
  • Choose the PEM file that was downloaded from the Amazon EC2 dashboard
  • Click "Save private key" and name it something.ppk (consider setting a passphrase here: the .pem from Amazon has none, so anyone who copies the file can log in)
  • Voila, use your .ppk to log in through PuTTY to your Amazon EC2 instance

Use PuTTY to access the cloud server

  • Open PuTTY and enter your host
  • Select "Data" on the left-hand side and under "Auto-login username" enter the instance's default user: ubuntu for Ubuntu AMIs (as in the ssh command in the next post), ec2-user for Amazon Linux. Root login is disabled on standard EC2 images.
  • Select "Auth" on the left-hand side, then under "Private key file for authentication" select the .ppk file we just created with PuTTYgen.
  • Go back to the top (Session) and open the connection to your instance.



Thursday, June 7, 2012

Access Cloud

Usually I never care how to access the cloud, but today, since sister Salina is on leave, I have to assist bro John.
# sudo su
[sudo] password for aminah:

First we remote into the cloud from a Unix server. In my case I'm using an Ubuntu server to ssh to the cloud server.

1. Copy contoso.pem to /home/aminah
2. chmod 400 contoso.pem (ssh ignores a private key that other users can read)
3. ssh -i contoso.pem ubuntu@xxx-ip-ip-ip-ip.ap-southeast-1.compute.amazonaws.com (the exact command comes from the steps below)
  • Steps to get the command:
    • Go to Amazon (https://console.aws.amazon.com) -> login
    • EC2 -> Instances
    • Right-click the instance -> Connect
    • Choose the tab "Connect with a standalone SSH Client" -> copy
    • PS: the command line shown there is the ssh command in step 3.
Done.
If you want to copy files, I choose to use reverse copy.