HOWTO Setup Dual Authentication in CAS - SSL Client Auth and LDAP
https://wiki.jasig.org/display/CASUM/HOWTO+Setup+Dual+Authentication+in+CAS+-+SSL+Client+Auth+and+LDAP
This document describes how to set up a layered authentication system that requires SSL client authentication to the CAS server and LDAP authentication to validate users.
Environment
Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + OpenSSL 0.9.8b
Clients: Fedora Core 6 + Firefox 2; Windows XP + IE6 SP2
CAS Login Procedure
Config DNS
To make SSL work properly, I have to give the server a name; here I use auth.langhua.
Create SSL Certificates
1. Make sure openssl has been installed on your server.
2. Create demoCA:
2.1 Edit /etc/pki/tls/openssl.conf:
dir = /etc/pki/demoCA
basicConstraints=CA:FALSE -> basicConstraints=CA:TRUE
2.2 Edit /etc/pki/tls/misc/CA:
CATOP=/etc/pki/demoCA
2.3 /etc/pki/tls/misc/CA -newca
2.4 Edit /etc/pki/tls/openssl.conf again, so that certificates signed from now on are not CA certificates:
basicConstraints=CA:TRUE -> basicConstraints=CA:FALSE
2.5 openssl x509 -in /etc/pki/demoCA/cacert.pem -inform PEM -out /etc/pki/demoCA/cacert.der -outform DER
3. Create Tomcat Server Certificate
3.1 keytool -genkey -alias tomcat-server -keyalg RSA -keystore tomcat-server.jks -storepass changeit -keypass changeit -dname "CN=auth.langhua, OU=Research Department, O=Beijing Langhua Ltd., L=Haidian, S=Beijing, C=CN"
3.2 keytool -certreq -keyalg RSA -alias tomcat-server -file tomcat-server.csr -keystore tomcat-server.jks -storepass changeit
3.3 Sign the request
openssl x509 -req -in tomcat-server.csr -out tomcat-server.pem \
  -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
  -CAserial /etc/pki/demoCA/serial -CAcreateserial -days 365 -sha1 -trustout
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslserver tomcat-server.pem
3.4 openssl x509 -in tomcat-server.pem -inform PEM -out tomcat-server.der -outform DER
3.5 Import root certificate:
keytool -import -alias langhua-root -file /etc/pki/demoCA/cacert.der -keystore tomcat-server.jks -storepass changeit
3.6 Import tomcat-server certificate:
keytool -printcert -file tomcat-server.der
keytool -import -trustcacerts -alias tomcat-server -file tomcat-server.der -keystore tomcat-server.jks -storepass changeit
keytool -list -v -keystore tomcat-server.jks -storepass changeit
4. Create OpenLDAP Server Certificate:
4.1 openssl genrsa -out ldap-key.pem 1024
4.2 openssl req -new -out ldap-req.csr -key ldap-key.pem
4.3 Sign the request
openssl ca -policy policy_anything -out ldap-cert.pem -infiles ldap-req.csr
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslserver ldap-cert.pem
4.4 chown root:ldap ldap-*.pem
5. Create Browser client certificate
5.1 openssl genrsa -out shijh-key.pem 1024
5.2 openssl req -new -out shijh-req.csr -key shijh-key.pem
5.3 Sign the client request
openssl x509 -req -in shijh-req.csr -out shijh-cert.pem \
  -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
  -CAserial /etc/pki/demoCA/serial -CAcreateserial -days 365 -sha1 -trustout
(Do not add -signkey shijh-key.pem to this command: when both -signkey and -CA are given, openssl x509 of this era takes the -signkey path and self-signs the request instead of signing it with demoCA, and the verify step below then fails.)
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslclient shijh-cert.pem
5.4 openssl pkcs12 -export -clcerts -in shijh-cert.pem -inkey shijh-key.pem -out shijh-cert.pfx -name "DemoCA Certificate to Shi Jinghai"
6. Create CAS SSL client certificate
6.1 Create a certificate in $JRE_HOME/lib/security/cacerts:
cd $JRE_HOME/lib/security/
keytool -genkey -alias cas-ldap-client -keyalg RSA -keystore cacerts -storepass changeit -keypass changeit -dname "CN=auth.langhua, OU=Research Department, O=Beijing Langhua Ltd., L=Haidian, S=Beijing, C=CN"
6.2 keytool -certreq -keyalg RSA -alias cas-ldap-client -file cas-ldap-client.csr -keystore cacerts -storepass changeit
6.3 Sign the request
openssl x509 -req -in cas-ldap-client.csr -out cas-ldap-client.pem \
  -CA /etc/pki/demoCA/cacert.pem -CAkey /etc/pki/demoCA/private/cakey.pem \
  -CAserial /etc/pki/demoCA/serial -CAcreateserial -days 365 -sha1 -trustout
openssl verify -CAfile /etc/pki/demoCA/cacert.pem -purpose sslclient cas-ldap-client.pem
6.4 openssl x509 -in cas-ldap-client.pem -inform PEM -out cas-ldap-client.der -outform DER
6.5 keytool -import -alias langhua-root -file /etc/pki/demoCA/cacert.der -keystore cacerts -storepass changeit
6.6 Import the signed certificate:
keytool -printcert -file cas-ldap-client.der
keytool -import -trustcacerts -alias cas-ldap-client -file cas-ldap-client.der -keystore cacerts -storepass changeit
keytool -list -v -keystore cacerts -storepass changeit
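Steps 2 to 6 above hinge on two things that are easy to get wrong when basicConstraints is toggled by hand in openssl.conf: the root must carry CA:TRUE and every leaf certificate must not, and each leaf must be valid for the purpose it is later checked with (sslserver for the Tomcat and OpenLDAP certificates, sslclient for the browser and CAS-to-LDAP certificates). The script below is an added example, not code from the wiki page or from the CAS project: it builds a throwaway demo CA in a temporary directory, issues a server certificate for auth.langhua and a client certificate using extension profiles selected with -extensions instead of edits to the global config, and runs the same openssl verify -purpose checks the page uses, including the negative cases (a client certificate must be rejected as a server certificate and vice versa). It assumes OpenSSL 1.1.1 or newer on PATH and uses 2048-bit RSA keys and SHA-256 where the page uses 1024-bit keys and -sha1; the WORK directory, the subject names and the function names are constructed for the example. One point about the layering that the page leaves implicit: Tomcat's clientAuth="true" only checks that the browser certificate chains to a CA in its truststore (demoCA here), and the LDAP bind then checks the username and password separately; nothing in this setup ties the certificate's subject to the uid typed into the form, so any certificate issued by demoCA reaches the login form for any LDAP account.

```shell
#!/bin/sh
# Added example, not from the wiki page: build a demo CA, issue one server and
# one client certificate with explicit extension profiles, and verify each for
# the purpose it is meant for (the page's "openssl verify -purpose" step).
# Assumes OpenSSL 1.1.1+ on PATH. WORK, the subjects and key sizes are
# constructed for this example; auth.langhua is the hostname the page uses.
set -u

WORK="${WORK:-$(mktemp -d)}"
HOST="auth.langhua"

# One config file carries a minimal [req] section plus three extension
# profiles. Selecting a profile with -extensions replaces the page's
# back-and-forth edits of basicConstraints in the global openssl.conf.
write_ext_file() {
    cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST

[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Generate an RSA key and a CSR for name $1 with subject $2.
gen_key_and_csr() {
    openssl genrsa -out "$WORK/$1-key.pem" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$WORK/$1-key.pem" -out "$WORK/$1-req.csr" \
        -subj "$2" -config "$WORK/ext.cnf" >/dev/null 2>&1
}

# Self-sign the demo CA with the ca_ext profile (CA:TRUE, keyCertSign).
make_ca() {
    write_ext_file &&
    gen_key_and_csr ca "/O=Demo CA/CN=demoCA" &&
    openssl x509 -req -in "$WORK/ca-req.csr" -signkey "$WORK/ca-key.pem" \
        -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions ca_ext \
        -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Issue a leaf certificate for name $1 with subject $2 under profile $3,
# signed by the demo CA as the page signs tomcat-server.csr and shijh-req.csr.
issue_cert() {
    gen_key_and_csr "$1" "$2" &&
    openssl x509 -req -in "$WORK/$1-req.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions "$3" \
        -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# Exit status 0 when $1 chains to the demo CA and is usable for purpose $2
# (sslserver or sslclient), non-zero otherwise.
verify_for() {
    openssl verify -CAfile "$WORK/cacert.pem" -purpose "$2" "$WORK/$1" >/dev/null 2>&1
}

# Build the whole demo PKI: root, Tomcat server certificate, browser client certificate.
build_demo_pki() {
    make_ca &&
    issue_cert tomcat-server "/O=Beijing Langhua Ltd./CN=$HOST" server_ext &&
    issue_cert shijh "/O=Beijing Langhua Ltd./CN=Shi Jinghai" client_ext
}

# Human-readable result line for one check.
report() {
    if verify_for "$1" "$2"; then echo "$1 as $2: accepted"; else echo "$1 as $2: rejected"; fi
}

if [ "${1:-}" = "run" ]; then
    build_demo_pki || { echo "demo PKI build failed in $WORK" >&2; exit 1; }
    report tomcat-server-cert.pem sslserver   # accepted
    report tomcat-server-cert.pem sslclient   # rejected: EKU is serverAuth only
    report shijh-cert.pem sslclient           # accepted
    report shijh-cert.pem sslserver           # rejected: EKU is clientAuth only
    echo "files left in $WORK"
fi
```

Run it as sh demo-pki.sh run to see the four verification results. Against the deployed server, the equivalent live check is openssl s_client -connect auth.langhua:8443 -cert shijh-cert.pem -key shijh-key.pem -CAfile /etc/pki/demoCA/cacert.pem, which should complete the handshake only when the client certificate is presented; a handshake that also succeeds without -cert and -key means clientAuth="true" did not take effect.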
Config Tomcat 5.5.20
Edit $tomcat_home/conf/server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" URIEncoding="UTF-8"
           clientAuth="true" sslProtocol="TLS" keyAlias="tomcat-server"
           keystorePass="changeit" truststorePass="changeit"
           keystoreType="JKS" truststoreType="JKS"
           keystoreFile="/etc/pki/demoCA/certs/tomcat-server.jks"
           truststoreFile="/etc/pki/demoCA/certs/tomcat-server.jks"/>
Deploy CAS 3.1 under $tomcat_home/webapps/cas/ and change its configuration
Edit $tomcat_home/webapps/cas/WEB-INF/deployerConfigContext.xml:
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="uid=%u" />
    <property name="searchBase" value="o=langhua,c=cn" />
    <property name="contextSource" ref="contextSource" />
</bean>
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="anonymousReadOnly" value="false" />
    <property name="pooled" value="true" />
    <property name="urls">
        <list>
            <value>ldaps://auth.langhua/</value>
        </list>
    </property>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key><value>java.naming.security.protocol</value></key>
                <value>ssl</value>
            </entry>
            <entry>
                <key><value>java.naming.security.authentication</value></key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
Restart Tomcat
/etc/init.d/tomcat5 restart
Change OpenLDAP configuration and Restart OpenLDAP
Edit /etc/openldap/slapd.conf:
TLSCACertificateFile /etc/pki/demoCA/cacert.pem
TLSCertificateFile /etc/pki/demoCA/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/pki/demoCA/certs/ldap-key.pem
/etc/init.d/ldap restart
Import the demoCA root certificate and the PKCS#12 (p12) SSL client certificate into Firefox 2 and IE 6
Import /etc/pki/demoCA/cacert.der into Firefox 2 and IE 6.
Import shijh-cert.pfx into Firefox 2 and IE 6.
Type a username and password that can log in to OpenLDAP into the CAS login form. You should be able to log in to CAS successfully.
Good Luck!
Shi Yusen/Beijing Langhua Ltd.
http://www.langhua.cn/