jasig-cas IRC Logs-2011-09-27

[11:39:25 CDT(-0500)] <ries> Does CAS implement password policies or is this something you need to program yourself? (expire in XX days, password length, password strength etc...)
[12:01:50 CDT(-0500)] <wgthom> ries: we're working on it.
[12:02:11 CDT(-0500)] <wgthom> tentatively scheduled for 3.5 release
[12:03:10 CDT(-0500)] <ries> wgthom: that's within 6 months?
[12:03:36 CDT(-0500)] <wgthom> target is this winter yes. if you need it earlier you could try the feature branch
[12:03:52 CDT(-0500)] <wgthom> https://github.com/Jasig/cas/tree/feature-lppe
[12:04:06 CDT(-0500)] <wgthom> we could use help testing, etc
[12:04:26 CDT(-0500)] <ries> If we are going to use CAS, then for sure we can help testing...
[12:04:27 CDT(-0500)] <wgthom> also this might help: https://wiki.jasig.org/display/CAS/CAS+Roadmap
[12:04:50 CDT(-0500)] <ries> our policies are not that strong though…
[12:05:04 CDT(-0500)] <ries> although, I don't have much to compare with
[12:05:32 CDT(-0500)] <wgthom> so, the feature we're working on is mostly notification of policy
[12:05:43 CDT(-0500)] <wgthom> like your password will expire, account is locked, etc
[12:05:48 CDT(-0500)] <wgthom> not enforcement
[12:06:20 CDT(-0500)] <wgthom> with some helpful messaging for self service links
[12:06:28 CDT(-0500)] <wgthom> brb
[12:06:35 CDT(-0500)] <ries> I don't have a list at hand of what we currently have in place, but we do have minimum password length, cannot use old passwords for a year, needs upper, lower and letters.. stuff like that
[13:42:25 CDT(-0500)] <kickehy> did someone want me to test a pfx cert?
[14:22:41 CDT(-0500)] <foxnesn> hello
[14:25:10 CDT(-0500)] <wgthom> hi
[14:25:20 CDT(-0500)] <foxnesn> how ya doin?
[14:25:30 CDT(-0500)] <wgthom> good, u?
[14:25:33 CDT(-0500)] <foxnesn> not bad
[14:26:09 CDT(-0500)] <foxnesn> you don't happen to know who is in charge up updating the repos do you?
[14:27:18 CDT(-0500)] <wgthom> cas release engineer updates the repos....why?
[14:27:47 CDT(-0500)] <foxnesn> still running into the issue i had yesterday with the one demo build
[14:27:57 CDT(-0500)] <foxnesn> Access denied to: http://repository.jboss.com/maven2/org/opensaml/opensaml/1.1b/opensaml-1.1b.pom -> [Help 1]
[14:28:05 CDT(-0500)] <foxnesn> i figure i should tell somebody about it
[14:28:13 CDT(-0500)] <wgthom> post to cas-dev
[14:28:19 CDT(-0500)] <wgthom> or cas-user
[14:29:48 CDT(-0500)] <foxnesn> out of curiosity, would you say that jasig-cas is an active community or that most people rely on the vendors who generally roll their own jasig and sell it?
[14:30:12 CDT(-0500)] <foxnesn> we are trying to get away from relying on the vendor and save some money
[14:30:31 CDT(-0500)] <ries> foxnesn: I came across that as well.. there is an easy fix, still I think it should compile out of the box
[14:30:34 CDT(-0500)] <wgthom> jasig and cas are active communities…just look at the mailing lists
[14:30:41 CDT(-0500)] <foxnesn> ok cool
[14:30:50 CDT(-0500)] <foxnesn> ries, could you point me to the easy fix?
[14:31:09 CDT(-0500)] <wgthom> still you need to source your support from somewhere…. local, community, vendor partner, etc
[14:31:18 CDT(-0500)] <wgthom> mix of all of them
[14:31:23 CDT(-0500)] <foxnesn> yea, mostly community support
[14:31:58 CDT(-0500)] <ries> foxnesn: Add this to your settings.xml : http://pastebin.com/V5CeaDDZ
[14:32:17 CDT(-0500)] <wgthom> by the way, i work for unicon, a jasig affiliate that provides commercial support for cas and lots of other open source for higher ed.
[14:32:27 CDT(-0500)] <foxnesn> we use Luminis by Sungard for the portal which uses uportal and jasig-cas
[14:32:38 CDT(-0500)] <wgthom> ah, yes
[14:32:42 CDT(-0500)] <foxnesn> luminis is garbage
[14:32:46 CDT(-0500)] <foxnesn> imho
[14:33:00 CDT(-0500)] <foxnesn> so we are planning on throwing it away and rolling our own
[14:34:18 CDT(-0500)] <ries> foxnesn: I got the fix from here : http://jasig.275507.n4.nabble.com/JBoss-Repository-Error-td3548011.html
[14:35:07 CDT(-0500)] <foxnesn> great thanks
[14:35:36 CDT(-0500)] <ries> foxnesn: I am new to CAS myself, but I find the CAS community very helpful
[14:35:57 CDT(-0500)] <foxnesn> very good to know
[14:36:06 CDT(-0500)] <foxnesn> i know little about cas except for what ive read in the wiki
[14:36:20 CDT(-0500)] <ries> I am just a 5 day user, well more sort of a tester actually… to see if we can use CAS for a client
[14:36:23 CDT(-0500)] <foxnesn> but i am excited to learn
[14:36:37 CDT(-0500)] <foxnesn> 5 day user?
[14:36:41 CDT(-0500)] <ries> yup (big grin)
[14:36:54 CDT(-0500)] <foxnesn> oh, this is your 5th day of using it? or you only use it monday-friday?
[14:37:12 CDT(-0500)] <ries> started last Wednesday with CAS to see if I could get it up and running… made a demo for the rest of the team so we can discuss it
[14:37:46 CDT(-0500)] <foxnesn> awesome
[14:37:47 CDT(-0500)] <ries> I am trying to prevent creating our own SSO system…
[14:37:49 CDT(-0500)] <wgthom> ries: is the project for a university?
[14:37:59 CDT(-0500)] <ries> wgthom: No, automotive company
[14:38:18 CDT(-0500)] <wgthom> who did you come to know cas?
[14:38:49 CDT(-0500)] <wgthom> how did you...?
[14:39:37 CDT(-0500)] <ries> wgthom: well, the company I work for created their own SSO system which I could poke holes in quite quickly… I showed it and warned them about the issues (months ago). Now 2 weeks before launch they found out… well, issues with it (smile) some as I predicted
[14:40:03 CDT(-0500)] <ries> so I told them that there are open source projects that can do what we want to do and as such I said 'Don't try to be smarter than smart people'.
[14:40:04 CDT(-0500)] <foxnesn> hehe
[14:40:12 CDT(-0500)] <wgthom> lol
[14:40:28 CDT(-0500)] <ries> Searching on the internet I found some projects OpenSSO, OpenAM, Shibboleth and CAS
[14:40:35 CDT(-0500)] <wgthom> cool
[14:40:53 CDT(-0500)] <ries> CAS seemed to be able to fit the bill for easy. Easy deployment and being able to authenticate against a standard database
[14:41:01 CDT(-0500)] <wgthom> yep
[14:41:07 CDT(-0500)] <ries> OpenAM needs LDAP I believe, and I don't want to implement an LDAP solution at this time
[14:41:10 CDT(-0500)] <wgthom> how many apps are you tying together?
[14:41:32 CDT(-0500)] <ries> Currently we have 13K users within a CMS, so I expect that at initial launch
[14:41:51 CDT(-0500)] <ries> When Europe joins I think we will at least double that, but I don't have statistics around it.
[14:42:17 CDT(-0500)] <ries> I think using CAS would be a good start, later we can implement Shibboleth to it, but that all depends...
[14:42:33 CDT(-0500)] <wgthom> sure. depends on what you need.
[14:42:38 CDT(-0500)] <ries> We don't have too many applications, give or take 8
[14:42:55 CDT(-0500)] <wgthom> will you be implementing SLO?
[14:43:28 CDT(-0500)] <ries> Is that a trick question?? (big grin)
[14:43:34 CDT(-0500)] <ries> not sure what SLO is...
[14:43:57 CDT(-0500)] <ries> Single Log On...
[14:44:00 CDT(-0500)] <wgthom> how will you handle users logging out of the apps?
[14:44:15 CDT(-0500)] <wgthom> kill the sso session or no?
[14:44:17 CDT(-0500)] <ries> wgthom: with car I could already demonstrate to go to the logout URL, that worked fine
[14:44:25 CDT(-0500)] <ries> s/car/cas/
[14:44:57 CDT(-0500)] <wgthom> sure to kill the sso session. what about the application session?
[14:44:58 CDT(-0500)] <ries> Our applications are mostly simple JSP pages with some flex work
[14:45:29 CDT(-0500)] <ries> We have one CMS running (Jahia) that we would need to casify, but that doesn't seem to be a big deal
[14:45:48 CDT(-0500)] <ries> Within jahia we have some reporting items we iFrame..
[14:46:05 CDT(-0500)] <ries> Logging in into Jahia will be done with CAS, so from there it's just a portal to other applications….
[14:46:30 CDT(-0500)] <ries> currently I don't see any issues in that
[14:49:15 CDT(-0500)] <ries> I forgot to answer… The application session… with my initial tests I was logged out just by visiting the CAS logout URL
[14:49:27 CDT(-0500)] <wgthom> hmmm
[14:49:28 CDT(-0500)] <ries> I expect some problems with Jahia though, so I am not sure how to solve that
[14:50:24 CDT(-0500)] <wgthom> make sure you check on that. normally the app session is independent of the sso session
[14:51:25 CDT(-0500)] <ries> I am planning to.. I already discovered some 'interesting' (unexpected) things when a proxy server was in the middle..
[14:51:46 CDT(-0500)] <ries> But it seems that it can be done… so I am currently not too worried about that
[14:51:52 CDT(-0500)] <foxnesn> ries, thanks for the fix it works now
[14:51:54 CDT(-0500)] <ries> Our applications are very simple JSP pages..
[14:52:08 CDT(-0500)] <ries> some are secured with a username/password but that just checks for a session using a JSP include.
[14:52:17 CDT(-0500)] <ries> foxnesn: glad it does (smile)
[14:52:33 CDT(-0500)] <ries> so I will just rip that out and put CAS in front of it using the filters..
[14:52:46 CDT(-0500)] <foxnesn> if i get the info, all of tomorrow i will be getting this cas to authenticate against our AD
[14:52:55 CDT(-0500)] <foxnesn> in development of course, not prod
[14:53:21 CDT(-0500)] <foxnesn> ries, are you planning high availability for your cas setup?
[14:54:01 CDT(-0500)] <ries> foxnesn: planning yes… but it will be fairly simple, we only have two application servers and one loadbalancer/failover
[14:54:09 CDT(-0500)] <foxnesn> oh
[14:54:14 CDT(-0500)] <foxnesn> should be simple then i guess
[14:54:32 CDT(-0500)] <foxnesn> we also have two app servers
[14:54:44 CDT(-0500)] <foxnesn> do you post in the mailing lists or anything?
[14:54:58 CDT(-0500)] <ries> foxnesn: I don't have experience with HA though… so to be honest I have no idea how clustering with CAS, or in general with Java works
[14:55:07 CDT(-0500)] <ries> foxnesn: I just hangout here...
[14:55:09 CDT(-0500)] <ries> for now :9
[14:55:10 CDT(-0500)] <ries> (smile)
[14:55:11 CDT(-0500)] <foxnesn> hehe
[14:55:37 CDT(-0500)] <ries> not that I am a java newbie… it just never came up and our applications were never important enough for HA
[14:56:06 CDT(-0500)] <ries> I know that they have implemented HA for some applications, but since they are simple java applications with a DB backend, I think that was done simple..
[14:56:18 CDT(-0500)] <foxnesn> i see
[14:56:22 CDT(-0500)] <ries> simply by deploying the apps on two glassfish servers, and that's it
[14:56:29 CDT(-0500)] <ries> I don't think they even clustered glassfish
[14:59:11 CDT(-0500)] <ries> I hope I don't sound too much like a newbie (big grin)
[14:59:30 CDT(-0500)] <foxnesn> well im a noob as well
[14:59:34 CDT(-0500)] <foxnesn> so you dont ha
[15:11:55 CDT(-0500)] <foxnesn> so to auth with AD it is really as simple as adding the dependency to the pom.xml file and adding the bean to src/main/webapp/web-inf ?
[15:12:11 CDT(-0500)] <foxnesn> then building the pack?
[15:19:06 CDT(-0500)] <foxnesn> ries, do you use the spring configuration at all?
[15:23:07 CDT(-0500)] <foxnesn> wgthom: i just checked out unicon, im currently our moodle admin
[15:23:07 CDT(-0500)] <foxnesn> lol
[15:25:06 CDT(-0500)] <wgthom> not sure i follow… your our moodle admin?
[15:25:21 CDT(-0500)] <foxnesn> oops
[15:25:28 CDT(-0500)] <foxnesn> yea, im the moodle admin here
[15:25:37 CDT(-0500)] <foxnesn> not 'our'
[15:25:44 CDT(-0500)] <wgthom> where's here?
[15:25:54 CDT(-0500)] <foxnesn> this small liberal arts college in PA
[15:26:05 CDT(-0500)] <wgthom> cool. i'm in nj
[15:26:22 CDT(-0500)] <foxnesn> apparently we are looking into liferay
[15:26:33 CDT(-0500)] <foxnesn> for the portal
[15:26:47 CDT(-0500)] <foxnesn> i wonder if you guys have been contacted yet
[15:27:04 CDT(-0500)] <foxnesn> unless there is a closer affiliate to us
[15:28:14 CDT(-0500)] <foxnesn> oh sungard
[15:28:16 CDT(-0500)] <foxnesn> of course
[15:28:17 CDT(-0500)] <foxnesn> lol
[15:39:44 CDT(-0500)] <kickehy> anyone mind helping me with tomcat/ssl/cacerts?
[15:39:50 CDT(-0500)] <kickehy> it's driving me crazy
[15:40:19 CDT(-0500)] <foxnesn> keytool ?
[15:40:26 CDT(-0500)] <kickehy> that's part of it
[15:40:27 CDT(-0500)] <kickehy> but
[15:40:40 CDT(-0500)] <kickehy> i think i'm thinking this through wrong
[15:41:03 CDT(-0500)] <foxnesn> whats the issue?
[15:41:16 CDT(-0500)] <kickehy> i requested a server certificate for my cas server from a windows CA and issued it
[15:41:23 CDT(-0500)] <kickehy> then
[15:41:42 CDT(-0500)] <kickehy> i copied the file as a DER cert over to my cas server
[15:42:01 CDT(-0500)] <kickehy> and imported it into the default cacerts file in the java folder
[15:42:25 CDT(-0500)] <kickehy> then in the tomcat server.xml file...
[15:42:56 CDT(-0500)] <kickehy> i uncommented the port 8443 section and then pointed it to my cacerts file
[15:43:08 CDT(-0500)] <kickehy> and then restarted tomcat
[15:43:19 CDT(-0500)] <kickehy> https://wiki.jasig.org/display/CASUM/End-to-end+Windows+Example
[15:43:23 CDT(-0500)] <kickehy> that's the guide i'm following
[15:43:26 CDT(-0500)] <foxnesn> ahh
[15:43:34 CDT(-0500)] <kickehy> and it's not working
[15:43:45 CDT(-0500)] <foxnesn> well first, did you get tomcat running on port 8080 ?
[15:43:50 CDT(-0500)] <kickehy> yes
[15:44:02 CDT(-0500)] <foxnesn> did you use keytool to generate a keystore?
[15:44:30 CDT(-0500)] <kickehy> no, i just used the default one in %JAVA_HOME%\jre\lib\security
[15:44:48 CDT(-0500)] <kickehy> and the copied it over to %tomcat_home%\conf
[15:46:03 CDT(-0500)] <foxnesn> hrm
[15:46:13 CDT(-0500)] <kickehy> now
[15:46:25 CDT(-0500)] <foxnesn> when you go to your https on port 8443 what does it say?
[15:46:31 CDT(-0500)] <kickehy> the DER file doesn't need the private key correct?
[15:47:09 CDT(-0500)] <kickehy> I don't think you can export the private key with a DER cert anyways
[15:47:54 CDT(-0500)] <foxnesn> im using keytool so im not familiar with portecle
[15:48:01 CDT(-0500)] <foxnesn> i would first check your tomcat logs
[15:48:16 CDT(-0500)] <foxnesn> that should at least tell you if it can or cannot find your key
[15:48:28 CDT(-0500)] <kickehy> i just get a "page cannot be displayed" when i go to https://server.com:8443
[15:48:40 CDT(-0500)] <foxnesn> did you restart tomcat?
[15:48:44 CDT(-0500)] <kickehy> yeah
[15:48:49 CDT(-0500)] <kickehy> ah yes the logs
[15:48:58 CDT(-0500)] <kickehy> sometimes i forget the simple things
[15:49:13 CDT(-0500)] <foxnesn> did you double check the server.xml is completely uncommented for 8443 ?
[15:49:32 CDT(-0500)] <foxnesn> the first time i uncommented that i missed a freaking -
[15:49:41 CDT(-0500)] <kickehy> yes, even opened it up in notepad++ just to make sure
[15:50:00 CDT(-0500)] <foxnesn> hrm
[15:50:15 CDT(-0500)] <foxnesn> i wish i could help more but i am not running this on windows
[15:50:26 CDT(-0500)] <foxnesn> you could always wipe it out and start over
[15:50:29 CDT(-0500)] <kickehy> hehe all good
[15:51:08 CDT(-0500)] <kickehy> well...it definitely can't find my keystore
[15:52:09 CDT(-0500)] <foxnesn> strange
[15:52:12 CDT(-0500)] <kickehy> would it be better just to create a blank keystore and import it into there?
[15:53:15 CDT(-0500)] <foxnesn> i couldnt tell ya
[15:54:37 CDT(-0500)] <kickehy> oooo could be trying to use apr(whatever that is) instead of JSSE?
[15:55:16 CDT(-0500)] <foxnesn> does portecle default to something in particular?
[15:55:34 CDT(-0500)] <kickehy> well i'm not using portecle, forgot to tell you that (tongue)
[15:55:49 CDT(-0500)] <kickehy> we have our CA on a windows box on campus
[15:55:49 CDT(-0500)] <foxnesn> you using keytool then?
[15:55:56 CDT(-0500)] <foxnesn> i see
[15:56:10 CDT(-0500)] <kickehy> so i made the request/issue on that
[15:56:21 CDT(-0500)] <foxnesn> so you are following those directions but instead of creating the key in portecle you are just using your own from the CA
[15:56:28 CDT(-0500)] <kickehy> yes
[15:58:25 CDT(-0500)] <kickehy> Failed to load keystore type JKS with path conf/cacerts due to C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cacerts (The system cannot find the file specified) <---that's the error i get, i think i may try and create my own keystore since 'cacerts' doesn't even have a jks extension
[15:58:45 CDT(-0500)] <foxnesn> yes
[15:59:10 CDT(-0500)] <foxnesn> it is looking specifically for the .jks file with the alias of tomcat or something you set it up as
[15:59:39 CDT(-0500)] <foxnesn> in linux it is as simple as going to the home dir of the tomcat user and running the keytool
[15:59:44 CDT(-0500)] <foxnesn> and uncommenting 8443
[15:59:49 CDT(-0500)] <foxnesn> and restarting tomcat
[16:00:01 CDT(-0500)] <foxnesn> it automatically knows to look for the jks in that home dir
[16:00:15 CDT(-0500)] <foxnesn> so i think you are on the right track
[16:00:44 CDT(-0500)] <kickehy> i hate windows, but i don't know enough about linux to be doing this on it (tongue)
[16:04:57 CDT(-0500)] <kickehy> does the keystore alias matter?
[16:19:48 CDT(-0500)] <kickehy> foxnesn: holy crap that was it, thanks for talking with me on it
[18:41:11 CDT(-0500)] <ries> foxnesn: I don't use Spring configuration for the web applications, I just added the needed items in my web.xml. Like I said, everything we've done is simple JSP pages with a flex backend. Only Jahia needs to be done with Spring.
[20:36:47 CDT(-0500)] <foxnesn> hrm, i will have to read more on that
[20:37:06 CDT(-0500)] <foxnesn> im looking forward to my entire wednesday reading about cas and how to get it to work within our environment
[20:47:07 CDT(-0500)] <ries> foxnesn: Hopefully tomorrow I get a go on full implementation..
[20:48:50 CDT(-0500)] <foxnesn> good luck!
[20:49:02 CDT(-0500)] <ries> I will hangout here (wink)
[20:49:10 CDT(-0500)] <foxnesn> cool so will i
[20:49:20 CDT(-0500)] <foxnesn> im sure ill be raging about something haha
[20:49:35 CDT(-0500)] <ries> I might be full of questions… hehehe
[20:49:46 CDT(-0500)] <foxnesn> cool
[20:49:48 CDT(-0500)] <ries> I have a good idea what they want, and what I think what's good for them though
[20:49:59 CDT(-0500)] <foxnesn> we run AD not openldap and im not familiar with AD
[20:50:13 CDT(-0500)] <ries> we don't run any… just a PostgreSQL database
[20:51:10 CDT(-0500)] <foxnesn> oh that should be simple enough then
[20:56:06 CDT(-0500)] <ries> Yeaa I think so… our system is very straight forward
[20:56:23 CDT(-0500)] <ries> We just have a lot of people depending on it and as such it needs to be very reliable
[22:01:20 CDT(-0500)] <foxnesn> isnt the ssh2 package just ssh ?
[22:01:25 CDT(-0500)] <foxnesn> woops wrong window lol