[07:31:33 CDT(-0500)] <ries> Good morning, I have another related question to CAS. Is it up to CAS to allow/deny access to specific applications, even though the user is logged in, or is it up to the application to say 'I know Scott, but you cannot access me'?
[07:31:48 CDT(-0500)] <ries> I am trying to understand the wiki here : https://wiki.jasig.org/display/CAS/Home
[07:31:59 CDT(-0500)] <ries> but it doesn't mention that
[07:32:47 CDT(-0500)] <wgthom> authZ is up to the app
[07:34:47 CDT(-0500)] <ries> wgthom: ok thanks...
[09:02:11 CDT(-0500)] <kickehy> I'm having trouble getting ssl to work with tomcat (using guide http://tinyurl.com/3v94ayy ) The only thing that I'm confused about in the server.xml file is the keystoreFile part... I imported my cert into cacerts and copied that file over to the conf tomcat folder (as the example did), but when I stop/start tomcat, I absolutely can't get to https://server:8443 Now, if I go to http://server:8080 it works, I must be missing something
[09:02:44 CDT(-0500)] <kickehy> I don't even get a response back from my cas server
[09:03:35 CDT(-0500)] <wgthom> make sure you have the ssl connector in server.xml uncommented
[09:03:38 CDT(-0500)] <kickehy> and i changed the keystore to "conf/cacerts"
[09:03:51 CDT(-0500)] <kickehy> i'll double check here...
[09:04:27 CDT(-0500)] <kickehy> all good
[09:04:35 CDT(-0500)] <serac> The output of $TOMCAT_HOME/logs/localhost.log will have details.
[09:05:42 CDT(-0500)] <serac> I need to add a note to that page that discusses filesystem permissions for the keystore file.
[09:05:52 CDT(-0500)] <serac> It contains a private key, so security matters.
[09:06:10 CDT(-0500)] <serac> That's fundamentally different from the system key/truststore that contains exclusively certs by default.
[09:09:21 CDT(-0500)] <kickehy> localhost logs are empty :/
[09:09:49 CDT(-0500)] <serac> catalina.out?
[09:10:27 CDT(-0500)] <kickehy> hey there we go
[09:11:06 CDT(-0500)] <serac>
[09:11:17 CDT(-0500)] <kickehy> w00t must have made my cert wrong then
[09:11:42 CDT(-0500)] <serac> What OS are you running?
[09:11:55 CDT(-0500)] <kickehy> Windows server 2008 r2
[09:12:20 CDT(-0500)] <serac> Wanna be a guinea pig?
[09:12:25 CDT(-0500)] <kickehy> haha sure
[09:12:50 CDT(-0500)] <serac> Generate a pfx file containing your cert/key pair.
[09:13:44 CDT(-0500)] <serac> PFX is mostly the same as a PKCS#12 container.
[09:14:01 CDT(-0500)] <kickehy> from the ca or local computer?
[09:14:23 CDT(-0500)] <serac> I assumed you used the certificate console to generate the cert. Is that correct?
[09:15:02 CDT(-0500)] <kickehy> yes, but this is where certs start to get over my head....i wasn't completely sure what type of template to request the cert as
[09:15:05 CDT(-0500)] <kickehy> so
[09:15:24 CDT(-0500)] <kickehy> i wasn't able to select the "mark as exportable" for the private key
[09:15:42 CDT(-0500)] <kickehy> or is that not what you're talking about?
[09:16:14 CDT(-0500)] <serac> How'd you get the key out for your JKS keystore file, then?
[09:16:37 CDT(-0500)] <serac> You must have the private key in your keystore.
[09:16:51 CDT(-0500)] <serac> (would explain failure if not)
[09:17:39 CDT(-0500)] <kickehy> well rather than using the example's ca (portecle) i used our server 2008 CA
[09:17:45 CDT(-0500)] <kickehy> to make it "official"
[09:18:16 CDT(-0500)] <kickehy> just an fyi, a lot of this is very new to me
[09:18:23 CDT(-0500)] <serac> Sure, it's tough.
[09:18:38 CDT(-0500)] <kickehy> so i'm not sure how the .jks file works in all this
[09:18:44 CDT(-0500)] <kickehy> i assume i don't have one
[09:19:05 CDT(-0500)] <kickehy> as i imported the cert into the cacerts keystore, i assumed i would use that instead of the .jks file
[09:19:08 CDT(-0500)] <serac> conf/ssoServer.jks
[09:19:18 CDT(-0500)] <serac> ssoServer.jks = cacerts
[09:19:22 CDT(-0500)] <kickehy> ok
[09:19:41 CDT(-0500)] <serac> If you just imported the cert, you have only half of what's needed to configure an SSL server.
[09:20:04 CDT(-0500)] <serac> A server needs to possess the private key in order to encrypt an assertion that's sent to the client side that is decrypted with the public key.
[09:20:11 CDT(-0500)] <serac> Sans private key, SSL will never work.
[09:20:20 CDT(-0500)] <serac> So you must generate a key that's exportable.
[09:20:27 CDT(-0500)] <kickehy> ok
[09:20:29 CDT(-0500)] <serac> I use OpenSSL for this generally.
[09:20:39 CDT(-0500)] <serac> You should use whatever you're comfortable with.
[09:21:06 CDT(-0500)] <kickehy> have any experience setting up a CA on Windows?
[09:21:10 CDT(-0500)] <serac> Certificate MMC snap-in is a good choice, but I'm honestly only vaguely familiar with it. Mostly just guessing what to do.
[09:21:16 CDT(-0500)] <kickehy> heh
[09:21:30 CDT(-0500)] <serac> I use it for development/testing on Windows.
[09:21:36 CDT(-0500)] <serac> But no production experience.
[09:21:46 CDT(-0500)] <kickehy> my problem is that all my templates don't show up for my CA when i request a cert from the web interface
[09:22:17 CDT(-0500)] <serac> Yeah, can't help you there.
[09:22:22 CDT(-0500)] <kickehy> heh
[09:22:27 CDT(-0500)] <serac> All I can say is that you need to be able to export the private key.
[09:22:39 CDT(-0500)] <serac> PFX is the appropriate format on Windows.
[09:22:45 CDT(-0500)] <serac> From there should be easy.
[09:22:52 CDT(-0500)] <kickehy> mmmk I'll see if i can get that working first and i'll get back to ya
[09:23:01 CDT(-0500)] <serac> Sounds good.
[09:23:06 CDT(-0500)] <kickehy> thanks
[09:26:35 CDT(-0500)] <kickehy> one other thought, do i need to import the ca's cert into the store?
[09:27:23 CDT(-0500)] <serac> Yes. The exported PFX file should contain the complete certificate chain.
[09:27:33 CDT(-0500)] <kickehy> ok
[09:27:51 CDT(-0500)] <serac> While many browsers will blithely work without the full validation path, it's best practice.
[10:06:51 CDT(-0500)] <ries> Gents, if I go to : http://192.168.1.194:37210/cas/logout then I see Logout successful, should all my other apps be logged out?
[10:07:09 CDT(-0500)] <wgthom> it depends.
[10:07:23 CDT(-0500)] <wgthom> generally, no
[10:08:32 CDT(-0500)] <wgthom> unless you've configured all of your applications to deal with the SLO callback. and even then it's a crap shoot
[10:08:40 CDT(-0500)] <ries> ic...
[10:09:08 CDT(-0500)] <ries> I just quit my browsers, and one application showed the login, and the other app showed up again
[10:09:22 CDT(-0500)] <serac> Do you have session restore enabled? Firefox perhaps?
[10:09:46 CDT(-0500)] <ries> serac: Safari, I even have no idea how to turn it off
[10:09:47 CDT(-0500)] <serac> Additionally, I'd recommend you treat "crap shoot" as hyperbole.
[10:11:08 CDT(-0500)] <serac> You should investigate the session storage behavior of Safari. I can't say for certain with Safari, but it's a known issue with FF for a particular configuration.
[10:11:25 CDT(-0500)] <ries> I wonder how you can logout somebody reliably...
[10:11:34 CDT(-0500)] <wgthom> logout of what?
[10:11:39 CDT(-0500)] <serac> It's a fundamentally hard problem.
[10:11:54 CDT(-0500)] <serac> To log out of everything accessed in an SSO session.
[10:11:54 CDT(-0500)] <ries> wgthom: logout, so that I get the login screen again
[10:12:16 CDT(-0500)] <ries> serac: I can imagine you need to go through each application and do some form of redirect...
[10:12:17 CDT(-0500)] <wgthom> logout of the application session? logout of cas sso session?
[10:13:09 CDT(-0500)] <serac> Some CAS clients have support for single sign out, but there are issues and limitations as wgthom implied.
[10:13:11 CDT(-0500)] <ries> application session 'I think'...
[10:13:15 CDT(-0500)] <wgthom> s/hard problem/crap shoot/
[10:13:27 CDT(-0500)] <ries> I can imagine it's a problem...
[10:13:46 CDT(-0500)] <ries> I am trying to set up a demo where my 'boss' can test it.. I am sure he wants to see a logout function somehow
[10:14:56 CDT(-0500)] <serac> You'll need to configure the client's single sign-out capability.
[10:15:01 CDT(-0500)] <serac> Java, php, .NET, what?
[10:15:17 CDT(-0500)] <ries> Java
[10:15:17 CDT(-0500)] <ries> +
[10:15:25 CDT(-0500)] <ries> only JSP pages for testing
[10:15:36 CDT(-0500)] <wgthom> re logout you'll have to think about what you want the behavior to be between app logout and sso "logout"
[10:15:39 CDT(-0500)] <serac> Have you read https://wiki.jasig.org/display/CASUM/Single+Sign+Out?
[10:16:02 CDT(-0500)] <serac> Here's the setup for Java client, https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out.
[10:16:23 CDT(-0500)] <ries> thanks for the links
[10:16:27 CDT(-0500)] <wgthom> one perspective is CAS as a pseudo application session manager. that's SLO
[10:16:28 CDT(-0500)] <serac> np
[10:17:01 CDT(-0500)] <wgthom> another is CAS as enterprise WebSSO where the app sessions are more independent of CAS