CASifying Zimbra 6.0/7.0
HOWTO CASify Zimbra 6.0/7.0
Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management.
Configure the Zimbra CACerts keystore
Import your CAS Server certificates (cert and chain if you have one) into the Zimbra CACerts keystore by executing the following commands as the root user:
/opt/zimbra/java/bin/keytool -import -file casserver.cert -alias cascert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -import -file casserver.chain -alias caschain -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
Import the Java CAS Client library
This library can be used to implement custom CAS functionality, or simply to CASify web applications by applying a filter.
- Download it from http://www.ja-sig.org/downloads/cas-clients/. Client version 3.1.x works fine with Zimbra 6.0.x and CAS Server 3.3.x.
- Copy the cas-client-core-3.1.x.jar into /opt/zimbra/jetty/common/lib.
Modify web.xml files
Zimbra Webapp
Add the following lines to /opt/zimbra/jetty/etc/zimbra.web.xml.in before the first <servlet> section (~line 230), and replace cas.url.com:port and zimbra.url.com:port with your own values.
Default ports are 8443 for the CAS Server and 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS):
<!-- Single sign-out: mapped first so it runs before the other CAS filters -->
<filter>
  <filter-name>CasSingleSignOutFilter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CasSingleSignOutFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- Redirects unauthenticated requests for preauth.jsp to the CAS login page -->
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.url.com:port/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://zimbra.url.com:port</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CasAuthenticationFilter</filter-name>
  <url-pattern>/public/preauth.jsp</url-pattern>
</filter-mapping>
<!-- Validates the service ticket issued by the CAS server -->
<filter>
  <filter-name>CasValidationFilter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.url.com:port/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://zimbra.url.com:port</param-value>
  </init-param>
  <init-param>
    <param-name>redirectAfterValidation</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CasValidationFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Exposes the authenticated CAS user through the servlet request -->
<filter>
  <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
ZimbraAdmin Webapp
Add the same lines as before to /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in before the first <servlet> section (~line 230), and replace cas.url.com:port and zimbra.url.com:port with your own values.
Default ports are 8443 for the CAS Server and 7071 for the Zimbra Admin Console.
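A check worth running on the filter lines before restarting, written here as an added example (not part of the original HOWTO or of Zimbra): it flags placeholders that were never replaced, plain-HTTP URLs (the CAS ticket would travel in clear text), serverName values that differ between filters, and a mapping order other than the one shown above. It assumes you pass it only the pasted CAS fragment, not the whole web.xml.in; the function names and the mail.example.org / sso.example.org hosts are made up for the sample.

```python
import xml.etree.ElementTree as ET

PLACEHOLDERS = ("cas.url.com:port", "zimbra.url.com:port")
URL_PARAMS = ("casServerLoginUrl", "casServerUrlPrefix", "serverName")
# Mapping order given on the page; the container runs filters in this order.
EXPECTED_ORDER = ["CasSingleSignOutFilter", "CasAuthenticationFilter",
                  "CasValidationFilter", "CasHttpServletRequestWrapperFilter"]

def lint_cas_filters(fragment):
    """Return the problems found in a pasted CAS <filter> fragment."""
    root = ET.fromstring("<web-app>" + fragment + "</web-app>")
    problems, server_names = [], set()
    for flt in root.iter("filter"):
        name = flt.findtext("filter-name")
        for param in flt.iter("init-param"):
            key = param.findtext("param-name")
            val = (param.findtext("param-value") or "").strip()
            if key not in URL_PARAMS:
                continue
            if any(p in val for p in PLACEHOLDERS):
                problems.append(f"{name}/{key}: placeholder not replaced")
            elif not val.startswith("https://"):
                problems.append(f"{name}/{key}: not an https URL")
            if key == "serverName":
                server_names.add(val)
    if len(server_names) > 1:  # login and validation must use the same service URL
        problems.append("serverName differs between filters")
    order = [m.findtext("filter-name") for m in root.iter("filter-mapping")]
    if order != EXPECTED_ORDER:
        problems.append("filter-mapping order differs from the page")
    return problems

# Helpers that build the constructed sample input below.
def make_filter(name, **params):
    inits = "".join(f"<init-param><param-name>{k}</param-name>"
                    f"<param-value>{v}</param-value></init-param>"
                    for k, v in params.items())
    return f"<filter><filter-name>{name}</filter-name>{inits}</filter>"

def make_mappings(names):
    return "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                   "<url-pattern>/*</url-pattern></filter-mapping>" for n in names)

# Constructed sample: a placeholder left in place and a plain-http serverName.
SAMPLE = (make_filter("CasAuthenticationFilter",
                      casServerLoginUrl="https://cas.url.com:port/cas/login",
                      serverName="https://mail.example.org:443")
          + make_filter("CasValidationFilter",
                        casServerUrlPrefix="https://sso.example.org:8443/cas",
                        serverName="http://mail.example.org:80")
          + make_mappings(EXPECTED_ORDER))
```

Calling lint_cas_filters(SAMPLE) returns three findings; an empty list means the fragment passed all four checks.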
Create the PreAuth key
Execute the following command as the zimbra user:
zmprov gdpak yourdomain.com
This will create the PreAuth key and print it, for example "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9".
Create preauth.jsp files
Zimbra Webapp
- Copy the preauth.jsp-zimbra file (download it from this wiki page's attachments) to /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp.
- Replace the DOMAIN_KEY with the key you previously generated with zmprov:
public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
- Replace yourdomaine.com with your domain at line 90.
Execute the following command as the root user:
chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp
ZimbraAdmin Webapp
- Copy the preauth.jsp-zimbraadmin file (download it from this wiki page's attachments) to /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp.
- Replace the DOMAIN_KEY with the key you previously generated with zmprov:
public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
- Replace yourdomaine.com with your domain at line 92.
Execute the following command as the root user:
chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp
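What DOMAIN_KEY is used for, as an added example (not the attached preauth.jsp and not Zimbra's code): Zimbra's documented preauth scheme is an HMAC-SHA1 over "account|by|expires|timestamp" keyed with the domain key, and the sketch below computes that token, builds the /service/preauth URL, and shows a receiving-side check. It assumes the attached JSP follows that scheme; the key, account, timestamp, function names and the five-minute freshness window are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed key for the example; a real one comes from `zmprov gdpak`.
DOMAIN_KEY = "0123456789abcdef" * 4
MAX_SKEW_MS = 5 * 60 * 1000  # freshness window assumed for this example

def compute_preauth(key, account, timestamp_ms, expires=0, by="name"):
    """HMAC-SHA1 over "account|by|expires|timestamp", hex-encoded."""
    msg = f"{account}|{by}|{expires}|{timestamp_ms}"
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()

def preauth_url(base_url, key, account, timestamp_ms):
    """URL the browser is sent to once CAS has authenticated the user."""
    query = urlencode({
        "account": account, "by": "name", "timestamp": timestamp_ms,
        "expires": 0, "preauth": compute_preauth(key, account, timestamp_ms),
    })
    return f"{base_url}/service/preauth?{query}"

def token_is_valid(key, account, timestamp_ms, token, now_ms):
    """Receiving side: recompute, compare in constant time, require freshness."""
    expected = compute_preauth(key, account, timestamp_ms)
    fresh = abs(now_ms - timestamp_ms) <= MAX_SKEW_MS
    return fresh and hmac.compare_digest(expected, token)

if __name__ == "__main__":
    ts = 1_700_000_000_000  # constructed timestamp, milliseconds since epoch
    print(preauth_url("https://zimbra.url.com", DOMAIN_KEY,
                      "alice@yourdomain.com", ts))
```

Nothing but the key goes into the token besides public values, so the key and the two preauth.jsp files that embed it should be readable only by the account that runs Zimbra.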
Replace login and logout URLs
Execute the following commands as the zimbra user:
zmprov md yourdomain.com zimbraWebClientLoginURL https://zimbra.url.com:port/zimbra/public/preauth.jsp
zmprov md yourdomain.com zimbraWebClientLogoutURL https://cas.url.com:port/cas/logout
zmprov md yourdomain.com zimbraAdminConsoleLoginURL https://zimbra.url.com:port/zimbraAdmin/public/preauth.jsp
zmprov md yourdomain.com zimbraAdminConsoleLogoutURL https://cas.url.com:port/cas/logout
zmprov mcf zimbraWebClientLoginURL https://zimbra.url.com:port/zimbra/public/preauth.jsp
zmprov mcf zimbraWebClientLogoutURL https://cas.url.com:port/cas/logout
Replace cas.url.com:port and zimbra.url.com:port with your own values.
Default ports are 8443 for the CAS Server, 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) and 7071 for the Zimbra Admin Console.
Restart Zimbra
Execute the following command as the zimbra user:
zmcontrol restart