Article 000032029 - Implementing CAS with OpenLDAP for SSO use with INB SSB and Banner 9
This FAQ outlines how to install CAS with OpenLDAP on a new LINUX 6 server for SSO use with these products
- SSB 8
- INB 8
- Banner 9
Example server details used below
- malaln57 - LINUX 6 64bit CAS server (contains Tomcat, CAS, OpenLDAP)
- malaln34 - Win2008 64bit WebLogic server (contains Banner 9 apps and BEIS)
- malaln24 - Win2008 32bit WebLogic server (contains SSB 8 and INB 8 apps)
- malaln32 - Win2003 32bit database server with BAN9 instance
=============
Documentation
=============
- CAS Single Sign On Handbook.pdf
- beis80200in.pdf
=====
FAQs
=====
- 1-1BM9F1F - Banner 9 CAS outline and troubleshooting.
- 000008006 - FAQ 1-1459RA7 How to implement Banner 9 SSO with Luminis/CAS
- 1-7PYUTV - How to install OpenLDAP on Linux
- 1-12Y102E - Install and Configure Tomcat 6 on Linux RedHat 5 64-bit for Banner 9 Student Faculty Grade Entry - FGE
- Article 000032067 - Implementing Seamless Navigation and Application Navigator in Banner 9
====
JAVA
====
Ensure that Java SDK 1.6.x or 1.7.x is installed for use with cas-server-3.4.12
Example install (installed JDK 1.6.0.45)
su - root
mkdir /usr/share/jdk-1.6.0.45
ftp file jdk-6u45-linux-x64-rpm.bin into /usr/share/jdk-1.6.0.45
chmod +x jdk-6u45-linux-x64-rpm.bin
./jdk-6u45-linux-x64-rpm.bin
Everything installed into
/usr/java/jdk1.6.0_45/
You can safely remove the temp folder /usr/share/jdk-1.6.0.45 if no longer needed
rm -r /usr/share/jdk-1.6.0.45
Update the env variables
vi .bash_profile and add these lines as needed
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$PATH
Confirm version
/usr/java/jdk1.6.0_45/bin/java -version
/usr/java/jdk1.6.0_45/bin/javac -version
========
OPENLDAP
========
Additional details in
- FAQ 1-7PYUTV - How to install OpenLDAP on Linux
Example install
1.
First see what is installed
su - root
yum list *openldap*
Installed Packages
compat-openldap.x86_64 1:2.3.43-2.el6 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openldap.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
Available Packages
compat-openldap.i686 1:2.3.43-2.el6 rhel-x86_64-server-6
openldap.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-clients.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
openldap-servers.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
2.
Install the openldap software
yum -y install openldap
yum -y install openldap-clients
yum -y install openldap-servers
3.
Now rerun this command to confirm they installed correctly
yum list *openldap*
Installed Packages
compat-openldap.x86_64 1:2.3.43-2.el6 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openldap.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
openldap-clients.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
openldap-servers.x86_64 2.4.39-8.el6 @rhel-x86_64-server-6
Available Packages
compat-openldap.i686 1:2.3.43-2.el6 rhel-x86_64-server-6
openldap.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.i686 2.4.39-8.el6 rhel-x86_64-server-6
openldap-devel.x86_64 2.4.39-8.el6 rhel-x86_64-server-6
4.
Optional - On this server port 389 had to be opened in iptables before starting OpenLDAP
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
service iptables restart
5.
Additional OpenLDAP configuration details at
- http://www.openldap.org/doc/admin24/quickstart.html
First stop it and remove any old files if they exist
service slapd stop
rm -r /var/lib/ldap/*
rm -r /etc/openldap/slapd.d/*
rm /etc/openldap/slapd.conf
vi /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
database bdb
suffix "dc=ellucian,dc=com"
rootdn "cn=Manager,dc=ellucian,dc=com"
rootpw u_pick_it
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
service slapd start
slaptest -u -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap/*
chown -R ldap:ldap /etc/openldap/slapd.d/*
service slapd restart
vi /etc/openldap/load1.ldif
dn: dc=ellucian,dc=com
objectclass: dcObject
objectclass: organization
o: Ellucian Company
dc: ellucian
vi /etc/openldap/load2.ldif
dn: cn=Manager,dc=ellucian,dc=com
objectclass: organizationalRole
cn: Manager
vi /etc/openldap/load3.ldif
dn: ou=users,dc=ellucian,dc=com
objectclass: organizationalUnit
ou: users
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load1.ldif
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load2.ldif
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/load3.ldif
ldapsearch -x -b 'dc=ellucian,dc=com' '(objectclass=*)'
Optionally, instead of running load3.ldif above, you could have used an LDAP browser to connect to the LDAP instance and load the data
For example
Edit-- Add Entry -- organizationalUnit
dn: ou=users,dc=ellucian,dc=com
objectclass: top
objectclass: organizationalUnit
Now load Banner records as needed via LDAP browser or command line
Some example files are below
vi /etc/openldap/banner1.ldif
dn: cn=0D9D446868E04E05A430DCEA2FE030D3,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 0D9D446868E04E05A430DCEA2FE030D3
sn: testinb8
uid: testinb8
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner1.ldif
vi /etc/openldap/banner2.ldif
dn: cn=casadmin,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: casadmin
sn: casadmin
uid: casadmin
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner2.ldif
Add or adjust LDAP records as needed.
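As an added example (not part of this article or of Ellucian's deliverables), the script below generates the same banner*.ldif entries from an account list and stores each userPassword as a salted {SSHA} hash instead of the clear text shown above; the account list, the hash_password switch and the helper names are constructed for this example. The page's clear-text form is still reproducible with hash_password=False.

```python
import base64
import hashlib
import os
import re
from typing import Optional

BASE_DN = "ou=users,dc=ellucian,dc=com"

# A Banner UDC_ID is a 32-character upper-case hex string (GOBUMAP_UDC_ID).
UDC_ID_RE = re.compile(r"^[0-9A-F]{32}$")
# Values that can sit in an RDN or on a plain LDIF line without escaping/base64.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")

# Constructed sample accounts, same shape as banner1.ldif / banner2.ldif above:
# (uid, value used as cn, password).
SAMPLE_ACCOUNTS = [
    ("testinb8", "0D9D446868E04E05A430DCEA2FE030D3", "u_pick_it"),
    ("casadmin", "casadmin", "u_pick_it"),
]


def is_udc_id(value: str) -> bool:
    """True when the cn carries a UDC_ID that GOBUMAP can map to a PIDM."""
    return bool(UDC_ID_RE.match(value))


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form slapd verifies on bind:
    '{SSHA}' + base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Re-derive the digest from the stored salt, which is what slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_entry(uid: str, cn: str, password: str, hash_password: bool = True) -> str:
    """One LDIF entry laid out like banner1.ldif: cn holds the UDC_ID (or an
    admin name), sn and uid hold the CAS login name."""
    for name, value in (("uid", uid), ("cn", cn)):
        if not SAFE_VALUE_RE.match(value):
            raise ValueError(f"{name} {value!r} would need DN/LDIF escaping; refusing")
    secret = ssha_hash(password) if hash_password else password
    lines = [
        f"dn: cn={cn},{BASE_DN}",  # no space after 'cn=', unlike the hand-typed files
        "objectClass: person",
        "objectClass: uidObject",
        "objectClass: top",
        f"cn: {cn}",
        f"sn: {uid}",
        f"uid: {uid}",
        f"userPassword: {secret}",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(accounts=SAMPLE_ACCOUNTS, hash_password: bool = True) -> str:
    """Entries separated by a blank line, ready for ldapadd -f."""
    return "\n".join(user_entry(u, c, p, hash_password) for u, c, p in accounts)


if __name__ == "__main__":
    print(build_ldif())
```

Write the output to a file and load it with the same ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f command used above.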
===
ANT
===
Ensure Ant is installed.
Download file
- http://ant.apache.org/bindownload.cgi
Example install
1.
su - root
mkdir /usr/share/ant/
cd /usr/share/ant/
ftp apache-ant-1.9.4-bin.tar.gz to /usr/share/ant/
tar -xf apache-ant-1.9.4-bin.tar.gz
2.
vi .bash_profile
add these lines as needed
export ANT_HOME=/usr/share/ant/apache-ant-1.9.4
export PATH=$ANT_HOME/bin:$PATH
3.
ant -version
Shows
Apache Ant(TM) version 1.9.4 compiled on October 29 2014
=====
MAVEN
=====
Ensure that Apache Maven 3.x is installed for use with cas-server-3.4.12
Download file
- http://maven.apache.org/download.cgi
Install Notes
- http://maven.apache.org/download.cgi#Installation
Example install
1.
su - root
mkdir /usr/share/maven/
cd /usr/share/maven/
ftp apache-maven-3.2.3-bin.tar.gz to /usr/share/maven/
tar -xf apache-maven-3.2.3-bin.tar.gz
2.
vi .bash_profile
add these lines as needed
export M2_HOME=/usr/share/maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$PATH
3.
mvn --version
shows
Apache Maven 3.2.3 (33f8c3e1027c3ddde99d3cdebad2656a31e8fdf4; 2014-08-11T16:58:10-04:00)
Maven home: /usr/share/maven/apache-maven-3.2.3
Java version: 1.8.0_25, vendor: Oracle Corporation
Java home: /usr/java/jdk1.8.0_25/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "2.6.32-431.el6.x86_64", arch: "amd64", family: "unix"
4.
Optional test to confirm "mvn" runs correctly
mkdir /usr/share/maven/test
cd /usr/share/maven/test
mvn archetype:generate -DgroupId=com.mycompany.app -DartifactId=my-app -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false -e -X
That should run without issue and download all needed files and end with these details
...
[INFO] project created from Old (1.x) Archetype in dir: /aux/maven/apache-maven-3.2.3/test/my-app
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 06:29 min
[INFO] Finished at: 2014-11-19T01:37:09+05:30
[INFO] Final Memory: 13M/155M
[INFO] ------------------------------------------------------------------------
You should also see these files built
[root@malaln57 test]# pwd
/usr/share/maven/test
[root@malaln57 test]# ls -ltr
total 4
drwxr-xr-x. 3 root root 4096 Dec 2 10:18 my-app
======
TOMCAT
======
Ensure that Tomcat 6 or 7 is installed for use with cas-server-3.4.12
Example install of Tomcat 7
1.
/usr/sbin/groupadd tomcat
/usr/sbin/useradd -c "Tomcat" -m -g tomcat -s /bin/bash -d /aux/tomcat -u 505 tomcat
passwd tomcat (Set the password as needed)
ftp file apache-tomcat-7.0.57.tar.gz to /aux/tomcat
chmod 777 /aux/tomcat/apache-tomcat-7.0.57.tar.gz
su - tomcat
tar zxvf apache-tomcat-7.0.57.tar.gz
2.
vi .bash_profile
add these lines as needed
export CATALINA_HOME=/aux/tomcat/apache-tomcat-7.0.57
export CATALINA_OPTS="-server -Xms2048m -Xmx4g -XX:MaxPermSize=256m"
export JAVA_HOME=/usr/java/jdk1.6.0_45
export PATH=$JAVA_HOME/bin:$CATALINA_HOME/bin:$PATH
3.
Edit $CATALINA_HOME/conf/tomcat-users.xml
remove the comments from the bottom section on users and
Change password and roles on this line
Add this line above the one you just edited.
4.
Optional - On this server iptables had to be opened for port 8080
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
service iptables restart
5.
Start tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
Stop tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
Confirm you can connect from browser
http://malaln57.sct.com:8080/
Shows
Apache Tomcat/7.0.57
Manager App
- http://malaln57.sct.com:8080/manager/html (Login with tomcat/manager1)
Implement SSL with Tomcat 7
---------------------------
- http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
1.
su - tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 365
Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
[Unknown]: malaln57.sct.com
What is the name of your organizational unit?
[Unknown]: ellucian
What is the name of your organization?
[Unknown]: ellucian
What is the name of your City or Locality?
[Unknown]: Rochester
What is the name of your State or Province?
[Unknown]: NY
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=malaln57.sct.com, OU=ellucian, O=ellucian, L=Rochester, ST=NY, C=US correct?
[no]: yes
Enter key password for changeit
(RETURN if same as keystore password):
Re-enter new password: changeit
2.
Uncomment the "SSL HTTP/1.1 Connector" entry in $CATALINA_BASE/conf/server.xml
vi $CATALINA_HOME/conf/server.xml
Uncomment this code
Change to
Save changes
3.
Optional - On this server iptables had to be opened for port 8443
vi /etc/sysconfig/iptables
and add this line
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
service iptables restart
4.
Now restart tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
5.
Test SSL access via port 8443
- https://malaln57.sct.com:8443/
===========
Install CAS
===========
Used the CAS SSO Handbook provided by Ellucian to install.
Step 1.
-------
= /usr/share/cas/cas-server-3.4.12/
Step 2.
-------
Edited the pom.xml file located in the directory: /usr/share/cas/cas-server-3.4.12/cas-server-webapp/pom.xml
Added these lines
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${project.version}</version>
  <type>jar</type>
</dependency>
<dependency>
  <groupId>commons-dbcp</groupId>
  <artifactId>commons-dbcp</artifactId>
  <version>1.4</version>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>org.hibernate</groupId>
  <artifactId>hibernate-core</artifactId>
  <version>${hibernate.core.version}</version>
  <scope>compile</scope>
</dependency>
<dependency>
  <groupId>org.hibernate</groupId>
  <artifactId>hibernate-entitymanager</artifactId>
  <version>${hibernate.core.version}</version>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>com.oracle</groupId>
  <artifactId>ojdbc6</artifactId>
  <version>11.2.0</version>
</dependency>
Step 3.
-------
Installed maven following default instructions.
Placed ojdbc6.jar into /usr/share/jdbc
chmod 777 /usr/share/jdbc/ojdbc6.jar
ls -ltr
total 2676
-rwxrwxrwx. 1 root root 2739670 Nov 18 13:45 ojdbc6.jar
Now run this Maven command to install the jar into the local repository
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
It should say
[INFO] Installing /usr/share/jdbc/ojdbc6.jar to /root/.m2/repository/com/oracle/ojdbc6/11.2.0/ojdbc6-11.2.0.jar
[INFO] Installing /tmp/mvninstall7791144338087462449.pom to /root/.m2/repository/com/oracle/ojdbc6/11.2.0/ojdbc6-11.2.0.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.288 s
[INFO] Finished at: 2014-11-24T14:42:26-05:00
[INFO] Final Memory: 6M/29M
[INFO] ------------------------------------------------------------------------
Step 4.
-------
= /usr/share/cas/cas-server-3.4.12/cas-server-webapp
= /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp
vi /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/cas.properties
Change1
server.prefix=http://localhost:8080/cas
to
server.prefix=https://malaln57.sct.com:8443/cas
Change2
host.name=cas
to
host.name=malaln57.sct.com
Change3 (Optional)
#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
to
database.hibernate.dialect=org.hibernate.dialect.OracleDialect
Change4 (Optional)
add this line to end of the file
ticket.cleaner.database.platform=SQL92
Step 5.
-------
1.
vi /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
2.
Inside the section
Remove these 2 lines
3.
And then add these lines
Note: Change this line to match your LDAP server location.
4.
Inside
Remove this line
5.
Add
6.
Change this section
to
7.
Change
to
8.
Add this line after the
ldap://malaln57.sct.com:389
9.1
Change
to
uid
UDC_IDENTIFIER
9.2
Can be skipped since the in-memory data store from 9.1 is used
10.
Save file
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
Step 6.
-------
Skip this step since it is only used with the JPA-based session (9.2 above) and we are using the in-memory data store (9.1 above)
Step 7.
-------
1.
vi /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/themes/default/cas.css
2.
Make any style changes as needed
3.
Save File
4.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/images
5.
Change images as needed
6.
Skipped - Optional
7.
Skipped - Optional
8.
Skipped - Optional
Step 8.
------
1.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp
2.
mvn clean package
It should state
[INFO] Webapp assembled in [1410 msecs]
[INFO] Building war: /usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas.war
[INFO] WEB-INF/web.xml already added, skipping
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 22.658 s
[INFO] Finished at: 2014-11-24T15:31:12-05:00
[INFO] Final Memory: 17M/43M
[INFO] ------------------------------------------------------------------------
Step 9.
-------
1.
cd /usr/share/cas/cas-server-3.4.12/cas-server-webapp/target
2.
Locate newly built cas.war
ls -l cas.war
-rw-r--r--. 1 root root 24090118 Nov 24 15:31 cas.war
3.
su - tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
cp /usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas.war /aux/tomcat/apache-tomcat-7.0.57/webapps/cas.war
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
exit
4.
Ensure that SSL is enabled on Tomcat.
See
- http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Step 10.
-------
1.
Login and confirm it is working
- SSL -- https://malaln57.sct.com:8443/cas/login (casadmin / u_pick_it )
Should display
Log In Successful
You have successfully logged into the Central Authentication Service.
For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!
=================
BEIS - SSOMANAGER
=================
All that is needed is the SSOManager parts
Review
- beis80200in.pdf
Download
- BEIS_8.2.zip
Unzip the file
- SSOManager_8.2.zip
Follow the details in Chapters 6 and 7
- Chapter 6 -- SSO Manager Automated Installation
- Chapter 7 -- SSO Manager Manual Installation
Quick Steps
-----------
cd D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2\ant-installer
java -jar sso-manager-weblogic-installer.jar
Click Next
Check first 2 boxes
- Configure and Save EAR [x]
- Configure and Save SSO Client [x]
Click Next
SSOManager Server Protocol
[x] http
SSOManager Host = malaln34.sct.com
SSOManager Port = 9908
Click Next
Username = ssomgrAdm
Password = u_pick_it
Click Next
CAS Server Protocol
[x] https
CAS Server Host = malaln57.sct.com
CAS Server Port = 8443
CAS Server Context = cas
Click Next
Save Deployables to Location = D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
Click Next
Click Install
Now Locate the sso-manager.ear in D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
and deploy it onto the WebLogic managed server running on port 9908
Once deployed you should be able to connect to SSOManager with this example URL and configure the CAS parts as needed
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
=========================
SSB configuration for CAS
=========================
Step 1.
-------
Login to SSB as a Web Tailor admin account
- http://malaln24.sct.com:9020/malaln32_ban9/twbkwbis.P_WWWLogin (111111/111111)
From the Web Tailor Menu, select Web Tailor Parameters.
Change these settings
IDMLOGINURI = https://malaln57.sct.com:8443/cas/login
IDMLOGOUTURI = https://malaln57.sct.com:8443/cas/logout
IDMTIMEOUT = 0
IDMSSO = Y
IDMCOOKIE = IDMSESSID
IDMCOOKIEDOMAIN = sct.com
IDMCOOKIEPATH = /
Step 2.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Choose the default validation service
[x] SAML Validate
Click Save
Click the SSB Configuration Tab
SSB URL = http://malaln24.sct.com:9020/malaln32_ban9/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu
SSB Deep Linking = CHECKED
Base URL = http://malaln24.sct.com:9020/malaln32_ban9/
URL Parameter Name = pkg
Mode = [x] CAS
Cookie Name = IDMSESSID
Cookie Domain Name = .sct.com
Click Save
Step 3.
------
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = sso manager cas client
Service URL = http://malaln34.sct.com:9908/ssomanager/**
Description = Protect sso manager client
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 4.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "CAS" link in lower right corner to confirm CAS server is accessed correctly.
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
It should log you into SSB
=========================
INB configuration for CAS
=========================
Step 1.
-------
Locate the file
- ssoclient.jar
that was created correctly during the BEIS - SSOMANAGER install
For example
- D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2\ssoclient.jar
Step 2.
-------
Copy the file
- ssoclient.jar
into ORACLE_HOME/forms/java on the INB WebLogic/OFM server (malaln24)
Login to EM Console
- http://malaln24.sct.com:7001/em (weblogic/manager1)
Open the Forms Folder and Click on Forms
Click on "Environment Configuration"
Locate the active ENV setting
Show = "malaln32_ban9_seam.env"
Change
CLASSPATH = C:\Oracle\Middleware\as_1\forms\j2ee\frmsrv.jar;
C:\Oracle\Middleware\as_1\jlib\ldapjclnt11.jar;
C:\Oracle\Middleware\as_1\jlib\debugger.jar;C:\Oracle\Middleware\as_1\jlib\ewt3.jar;
C:\Oracle\Middleware\as_1\jlib\share.jar;C:\Oracle\Middleware\as_1\jlib\utj.jar;
C:\Oracle\Middleware\as_1\jlib\zrclient.jar;C:\Oracle\Middleware\as_1\reports\jlib\rwrun.jar;
C:\Oracle\Middleware\as_1\forms\java\frmwebutil.jar;C:\Oracle\Middleware\as_1/jlib/start_dejvm.jar;
C:\Oracle\Middleware\as_1\opmn\lib\optic.jar;C:\Oracle\Middleware\as_1\forms\java\auainit-8.5.1.jar;
C:\Oracle\Middleware\as_1\forms\java\finaidutils.jar
To
CLASSPATH = C:\Oracle\Middleware\as_1\forms\j2ee\frmsrv.jar;
C:\Oracle\Middleware\as_1\forms\java\ssoclient.jar;
C:\Oracle\Middleware\as_1\jlib\ldapjclnt11.jar;
C:\Oracle\Middleware\as_1\jlib\debugger.jar;C:\Oracle\Middleware\as_1\jlib\ewt3.jar;
C:\Oracle\Middleware\as_1\jlib\share.jar;C:\Oracle\Middleware\as_1\jlib\utj.jar;
C:\Oracle\Middleware\as_1\jlib\zrclient.jar;C:\Oracle\Middleware\as_1\reports\jlib\rwrun.jar;
C:\Oracle\Middleware\as_1\forms\java\frmwebutil.jar;C:\Oracle\Middleware\as_1/jlib/start_dejvm.jar;
C:\Oracle\Middleware\as_1\opmn\lib\optic.jar;C:\Oracle\Middleware\as_1\forms\java\auainit-8.5.1.jar;
C:\Oracle\Middleware\as_1\forms\java\finaidutils.jar
Click Apply
Click "Forms"
Click "Web Configuration"
Locate the INB Web Configuration, for example "malaln32_ban9_seam"
Show = advanced
Click "Override" tab
Locate parameter
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log% term=%term% ssoProxyConnect=%ssoProxyConnect%
Change to
otherparams = obr=%obr% record=%record% tracegroup=%tracegroup% log=%log% term=%term% ssoProxyConnect=%ssoProxyConnect% iamticket=%iamticket%
Click Apply
Step 3.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Choose the default validation service
[x] SAML Validate
Click Save
Click the INB Configuration Tab
INB URL = http://malaln24.sct.com:8888/forms/frmservlet
Forms Environment = malaln32_ban9_seam
Mode = [x] CAS
UDC ID Indicator = COOKIE
UDC ID KEY =
Ticket Parameter Name = IAMTICKET
Password Policy
[x] Prompt
Valid Characters = AlphaNumeric
Minimum Length = 8
Maximum Length = 30
[x] Store Password
Click Save
Step 4.
-------
Note: this may have already been done as part of SSB setup.
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = sso manager cas client
Service URL = http://malaln34.sct.com:9908/ssomanager/**
Description = Protect sso manager client
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 5.
-------
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "CAS" link in lower right corner to confirm CAS server is accessed correctly.
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
It should direct you to this URL the first time
- http://malaln34.sct.com:9908/ssomanager/c/INB?ticket=ST-16-zSpYqe4QZdbG5ZYWH5bS-malaln57
Oracle Password Prompt
Oracle Password for TESTINB8
u_pick_it
Click Save
It should log you into INB
==============================
Banner 9 configuration for CAS
==============================
The Steps below outline implementing this with the Banner 9 Course Catalog application.
The steps would be similar for other Banner 9 applications.
Step 1.
-------
Edit the file
D:\sghe\ban9\banner_test_homes\Catalog93\current\instance\config\StudentCourseCatalog_configuration.groovy
Locate this
banner {
sso {
authenticationProvider = 'default' // Valid values are: 'default', 'cas'
authenticationAssertionAttribute = 'UDC_IDENTIFIER'
}
}
Change to
banner {
sso {
authenticationProvider = 'cas' // Valid values are: 'default', 'cas'
authenticationAssertionAttribute = 'UDC_IDENTIFIER'
}
}
Step 2.
-------
Edit the file
D:\sghe\ban9\banner_test_homes\Catalog93\current\instance\config\StudentCourseCatalog_configuration.groovy
Locate this
grails {
plugins {
springsecurity {
cas {
serverUrlPrefix = 'http://CAS_HOST:PORT/cas'
serviceUrl = 'http://BANNER9_HOST:PORT/APP_NAME/j_spring_cas_security_check'
serverName = 'http://BANNER9_HOST:PORT'
proxyCallbackUrl = 'http://BANNER9_HOST:PORT/APP_NAME/secure/receptor'
loginUri = '/login'
sendRenew = false
proxyReceptorUrl = '/secure/receptor'
useSingleSignout = true
key = 'grails-spring-security-cas'
artifactParameter = 'ticket'
serviceParameter = 'service'
filterProcessesUrl = '/j_spring_cas_security_check'
}
logout {
afterLogoutUrl = 'https://cas-server/logout?url=http://myportal/main_page.html'
}
}
}
}
Change to
grails {
plugins {
springsecurity {
cas {
serverUrlPrefix = 'https://malaln57.sct.com:8443/cas'
serviceUrl = 'http://malaln34.sct.com:8081/StudentCourseCatalog/j_spring_cas_security_check'
serverName = 'http://malaln34.sct.com:8081'
proxyCallbackUrl = 'http://malaln34.sct.com:8081/StudentCourseCatalog/secure/receptor'
loginUri = '/login'
sendRenew = false
proxyReceptorUrl = '/secure/receptor'
useSingleSignout = true
key = 'grails-spring-security-cas'
artifactParameter = 'ticket'
serviceParameter = 'service'
filterProcessesUrl = '/j_spring_cas_security_check'
}
logout {
afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?service=http://malaln31.sct.com/index.html'
}
}
}
}
Note: if you are implementing Seamless Navigation and Application Navigator in Banner 9
then please set this parameter to true as well.
applicationNavigator=true
Step 3.
-------
cd D:\sghe\ban9\banner_test_homes\Catalog93\current\installer
ant
bin\systool war
Step 4.
-------
Skipped -- Optional
Step 5.
-------
Rename file
- D:\sghe\ban9\banner_test_homes\Catalog93\current\dist\StudentCourseCatalog-9.3.war
to
- D:\sghe\ban9\banner_test_homes\Catalog93\current\dist\StudentCourseCatalog.war
and deploy it onto WebLogic Server (malaln34)
Confirm you can access it
- http://malaln34.sct.com:8081/StudentCourseCatalog
Step 6.
-------
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = XEStudentCourseCatalog
Service URL = http://malaln34.sct.com:8081/StudentCourseCatalog/**
Description = StudentCourseCatalog
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
Step 7.
-------
Login to the Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog
Enter the CAS credentials
- testinb8/u_pick_it
It should log you into the Banner 9 Application using the CAS credentials
Click "Sign Out" and it should log you out of Banner 9 / CAS and redirect the browser to your defined portal URL.
*******************************
ADDED DEBUG/INFORMATION SECTION
*******************************
======================
KEY LOG FILE LOCATIONS - For debugging
======================
CAS - malaln57 - /aux/tomcat/apache-tomcat-7.0.57/cas.log
SSO_MANAGER - malaln34 - \\malaln34\Oracle\Middleware\user_projects\domains\base_domain\servers\SSO_Manager\logs\SSO_Manager.out
OHS1 - malaln24 - \\malaln24\Oracle\Middleware\asinst_1\diagnostics\logs\OHS\ohs1
=======================
Sample Accounts Details (In these examples all passwords are u_pick_it and all pins are 111111)
=======================
CAS                      Oracle/GOAEACC   ID          PIDM   UDC_ID
---                      --------------   --          ----   ------
testinb8/u_pick_it       testinb8         111111111   509    0D9D446868E04E05A430DCEA2FE030D3
saisusr/u_pick_it        saisusr          222222222   510    7F7ABE51F2644B459E031BF8764627C0
student_user/u_pick_it                    333333333   527    69DFE7962D3C44A5A5D183EF987B54E2   (Note: no GOAEACC connection)
111111111/111111                          444444444   530    EC2E31867A2F42BEAC744607F990295E   (Note: no GOAEACC connection)
These are sample ldif files to load the user data. Adjust as needed.
1.
vi /etc/openldap/banner3.ldif
dn: cn=7F7ABE51F2644B459E031BF8764627C0,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 7F7ABE51F2644B459E031BF8764627C0
sn: saisusr
uid: saisusr
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner3.ldif
2.
vi /etc/openldap/banner4.ldif
dn: cn=69DFE7962D3C44A5A5D183EF987B54E2,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: 69DFE7962D3C44A5A5D183EF987B54E2
sn: student_user
uid: student_user
userPassword: u_pick_it
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner4.ldif
3.
vi /etc/openldap/banner5.ldif
dn: cn=EC2E31867A2F42BEAC744607F990295E,ou=users,dc=ellucian,dc=com
objectClass: person
objectClass: uidObject
objectClass: top
cn: EC2E31867A2F42BEAC744607F990295E
sn: 111111111
uid: 111111111
userPassword: 111111
ldapadd -x -D "cn=Manager,dc=ellucian,dc=com" -W -f /etc/openldap/banner5.ldif
These SQL selects can help with setting up and debugging user account mapping issues
1.
select * from GOBUMAP where GOBUMAP_PIDM=509;
Confirm the column GOBUMAP_UDC_ID contains what is in the OpenLDAP server entry
0D9D446868E04E05A430DCEA2FE030D3
Adjust GOBUMAP table or OpenLDAP server as needed to correctly match PIDM and GOBUMAP_UDC_ID
2.
Confirm TESTINB8 userid = PIDM 509
select * from gobeacc where gobeacc_pidm=509;
509 TESTINB8 SAISUSR
CAS ID is testinb8/u_pick_it
Oracle ID is also testinb8/u_pick_it
3.
Confirm a valid SPRIDEN record exists for the PIDM
select * from spriden where spriden_pidm=509 and spriden_change_ind is null;
4.
Confirm a valid GOBTPAC record exists for the PIDM
select * from gobtpac where gobtpac_pidm=509;
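As an added example, not from this article, the Python below runs the four checks above offline against a constructed snapshot of the sample accounts table: LDAP cn to GOBUMAP_UDC_ID to PIDM, then GOBEACC, SPRIDEN and GOBTPAC, and it also flags GOBUMAP rows that have no LDAP entry. The table contents and function names are constructed for this example; a real run would feed it the rows returned by those selects.

```python
import re

UDC_ID_RE = re.compile(r"^[0-9A-F]{32}$")

# Constructed snapshot mirroring the "Sample Accounts Details" table above,
# reduced to the columns the debug selects look at.
LDAP_USERS = [  # (cn, uid) as loaded by banner1.ldif and banner3-5.ldif
    ("0D9D446868E04E05A430DCEA2FE030D3", "testinb8"),
    ("7F7ABE51F2644B459E031BF8764627C0", "saisusr"),
    ("69DFE7962D3C44A5A5D183EF987B54E2", "student_user"),
    ("EC2E31867A2F42BEAC744607F990295E", "111111111"),
    ("casadmin", "casadmin"),  # CAS management login, not a Banner user
]
GOBUMAP = {  # GOBUMAP_UDC_ID -> GOBUMAP_PIDM
    "0D9D446868E04E05A430DCEA2FE030D3": 509,
    "7F7ABE51F2644B459E031BF8764627C0": 510,
    "69DFE7962D3C44A5A5D183EF987B54E2": 527,
    "EC2E31867A2F42BEAC744607F990295E": 530,
}
GOBEACC = {509: "TESTINB8", 510: "SAISUSR"}  # GOBEACC_PIDM -> GOBEACC_USERNAME
SPRIDEN = [  # (SPRIDEN_PIDM, SPRIDEN_ID, SPRIDEN_CHANGE_IND); current row has None
    (509, "111111111", None), (510, "222222222", None),
    (527, "333333333", None), (530, "444444444", None),
    (530, "999999999", "I"),  # historical ID change, not the current record
]
GOBTPAC = {509, 510, 527, 530}  # PIDMs that have a GOBTPAC record


def check_ldap_user(cn, uid, gobumap=GOBUMAP, gobeacc=GOBEACC,
                    spriden=SPRIDEN, gobtpac=GOBTPAC):
    """Findings for one LDAP entry, in the order of selects 1-4 above."""
    findings = []
    if not UDC_ID_RE.match(cn):
        return [f"{uid}: cn {cn!r} is not a UDC_ID, so GOBUMAP cannot map it to a PIDM"]
    pidm = gobumap.get(cn)
    if pidm is None:
        return [f"{uid}: no GOBUMAP row with GOBUMAP_UDC_ID={cn}"]
    # Select 2: GOBEACC ties the PIDM to the Oracle user INB prompts for.
    oracle_user = gobeacc.get(pidm)
    if oracle_user is None:
        findings.append(f"{uid}: PIDM {pidm} has no GOBEACC connection (INB login unavailable)")
    elif oracle_user.upper() != uid.upper():
        findings.append(f"{uid}: GOBEACC username {oracle_user} differs from the CAS uid")
    # Select 3: exactly one current SPRIDEN record (change_ind is null).
    current = [sid for p, sid, chg in spriden if p == pidm and chg is None]
    if len(current) != 1:
        findings.append(f"{uid}: PIDM {pidm} has {len(current)} current SPRIDEN rows, expected 1")
    # Select 4: a GOBTPAC record must exist for the PIDM.
    if pidm not in gobtpac:
        findings.append(f"{uid}: PIDM {pidm} has no GOBTPAC record")
    return findings


def reconcile(ldap_users=LDAP_USERS, gobumap=GOBUMAP, **tables):
    """Check every LDAP entry and flag GOBUMAP rows with no LDAP entry behind them."""
    report = {uid: check_ldap_user(cn, uid, gobumap=gobumap, **tables)
              for cn, uid in ldap_users}
    ldap_cns = {cn for cn, _ in ldap_users}
    report["orphan_gobumap_rows"] = [
        f"PIDM {pidm}: GOBUMAP_UDC_ID {udc} has no LDAP entry for CAS to authenticate"
        for udc, pidm in gobumap.items() if udc not in ldap_cns
    ]
    return report


if __name__ == "__main__":
    for who, findings in reconcile().items():
        print(who, "OK" if not findings else "; ".join(findings))
```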
==============
Maven - Error1
==============
[root@malaln57 ~]# mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
[INFO] Scanning for projects...
Downloading: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-install-plugin/2.4/maven-install-plugin-2.4.pom
Nov 18, 2014 1:56:05 PM org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request: Connection reset
Nov 18, 2014 1:56:05 PM org.apache.maven.wagon.providers.http.httpclient.impl.execchain.RetryExec execute
INFO: Retrying request
...
Fix1
----
First confirm the /etc/hosts file is correct
This line was missing
149.24.40.63 malaln57.ellucian.com malaln57.sungardhe.com malaln57.sct.com malaln57
Then removed the file /root/.m2/settings.xml, which was defining proxy settings that were not needed on this server
For example, initially it looked like this
<settings>
  <proxies>
    <proxy>
      <active>true</active>
      <protocol>http</protocol>
      <host>www-proxy.sct.com</host>
      <port>8080</port>
    </proxy>
  </proxies>
</settings>
Removed the whole file since proxy settings were not needed on this server
Also edited .bash_profile and commented out these settings since they were also not needed for proxy setup
#export ANT_OPTS="-Dhttp.proxyHost=www-proxy.sct.com -Dhttp.proxyPort=8080"
#export MAVEN_OPTS="-DproxySet=true -DsocksProxyHost=www-proxy.sct.com -DsocksProxyPort=8080"
#export http_proxy=http://www-proxy.sct.com:8080
Adding the mvn flags -e -X for full debug details also helps
Then ran this test application build
mkdir test
cd test
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar -e -X
It built without issue
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.251 s
[INFO] Finished at: 2014-11-18T16:03:52-05:00
[INFO] Final Memory: 8M/29M
[INFO] ------------------------------------------------------------------------
Then the command for the JDBC jar ran without issue
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
Should say
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.964 s
[INFO] Finished at: 2014-11-18T16:09:28-05:00
[INFO] Final Memory: 6M/29M
[INFO] -----------------------------------------------------------------------
===============
Maven - Error 2
===============
Running cas.war file build with command
mvn clean package
results in
[ERROR] Failed to execute goal on project cas-server-webapp: Could not resolve dependencies for project
org.jasig.cas:cas-server-webapp:war:3.4.12: Could not find artifact com.oracle:ojdbc6:jar:11.2.0.
in jasig-repository (http://developer.ja-sig.org/maven2) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Fix2
----
in STEP 2 - Edit the pom.xml file located at /usr/share/cas/cas-server-3.4.12/cas-server-webapp/pom.xml
and make sure the Oracle JDBC dependency has this info (groupId, artifactId, version)
<dependency>
  <groupId>com.oracle</groupId>
  <artifactId>ojdbc6</artifactId>
  <version>11.2.0</version>
</dependency>
For example the above error was caused when the version line had an extra "."
<version>11.2.0.</version>
Also make sure the ojdbc6.jar file loaded correctly in STEP 3
mvn install:install-file -Dfile=/usr/share/jdbc/ojdbc6.jar -DgroupId=com.oracle -DartifactId=ojdbc6 -Dversion=11.2.0 -Dpackaging=jar
===============
Maven - Error 3
===============
Running cas.war file build with command
mvn clean package
results in
[ERROR] Failed to execute goal org.codehaus.mojo:aspectj-maven-plugin:1.3.1:compile (default) on project cas-server-webapp:
Compiler errors:
[ERROR] error at (no source information available)
[ERROR] /usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/java/org/jasig/cas/web/flow/GatewayServicesManagementCheck.java:0::0 Internal compiler error
[ERROR] org.aspectj.apache.bcel.classfile.ClassFormatException: File: 'java/lang/reflect/AnnotatedElement.class':
Invalid byte tag in constant pool: 15
[ERROR] at org.aspectj.apache.bcel.classfile.ClassParser.readConstantPool(ClassParser.java:192)
...
Fix3
----
JDK 1.8.0.25 was being used with Maven and CAS and that resulted in the above error.
Installed JDK 1.6.0.45 and reran the install command
mvn clean package
and it installed without issues.
================
Tomcat - Error 4
================
Tomcat 8 can not use Java 1.6.0.45
So if you run Tomcat 8 with Java 1.8.0.25 and deploy cas.war and try to start cas.war
you get this error in /root/cas.log
2014-11-24 15:57:31,236 ERROR [org.jasig.cas.web.init.SafeContextLoaderListener] - SafeContextLoaderListener:
The Spring ContextLoaderListener we wrap threw on contextInitialized.
But for our having caught this error, the web application context would not have initialized.
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChainProxy': Cannot create inner bean '(inner bean)' of type [org.springframework.security.config.http.HttpConfigurationBuilder] while setting bean property 'filterChainMap'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#10': Initialization of bean failed; nested exception is org.aspectj.apache.bcel.classfile.ClassFormatException: File: 'java.lang.CharSequence': Invalid byte tag in constant pool: 15
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:281)
Fix4
----
Install Tomcat 7 with Java 1.6.0.45
================
Tomcat - Error 5
================
Deploying cas.war got error
INFO: Deploying web application archive /aux/tomcat/apache-tomcat-7.0.57/webapps/cas.war
2014-11-24 16:34:54,134 ERROR [org.springframework.web.context.ContextLoader] -
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cleanerLock': Injection of persistence dependencies failed;
nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [javax.persistence.EntityManagerFactory]
is defined: expected single bean but found 0
at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProc
Fix5
----
Step 6 of the install is to edit ticketRegistry.xml, but only if using JPA-based session persistence.
Don't do this step if using the in-memory data store.
So removed that step and rebuilt cas.war using the maven command
=============
CAS - Error 6
=============
Attempting to login to CAS resulted in
- http://malaln57.sct.com:8080/cas/login (casadmin / u_pick_it )
CAS is Unavailable
There was an error trying to complete your request. Please notify your support desk or try again.
The cas.log on the tomcat server had these details
=============================================================
WHO: [username: casadmin]
WHAT: LDAP_HOST:389; nested exception is javax.naming.CommunicationException: LDAP_HOST:389 [Root exception is java.net.UnknownHostException: LDAP_HOST]
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Mon Nov 24 17:04:07 EST 2014
CLIENT IP ADDRESS: 149.24.52.55
SERVER IP ADDRESS: 149.24.40.63
=============================================================
Fix6
----
In Step 5 when you edit
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/src/main/webapp/WEB-INF/deployerConfigContext.xml
in number 8 you need to make sure the LDAP_HOST placeholder was updated with your LDAP host.
Change the line containing
ldap://LDAP_HOST:389
to
ldap://malaln57.sct.com:389
Now save changes, rebuild cas.war using the mvn command, redeploy cas.war on tomcat and retest.
=============
CAS - Error 7
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
results in error
http://malaln34.sct.com:9908/ssomanager/c/SSB?ticket=ST-7-Fe6ZXvzYQ0OxcqOaQbOV-malaln57
Error 500--Internal Server Error
java.lang.RuntimeException: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from malaln57 - 149.24.40.63 was not trusted causing SSL handshake failure.
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
....
Fix7
----
Install the CAS server certificate (MALALN57) into the WebLogic server (MALALN34)
Copy the certificate from CAS Server (MALALN57) to the WebLogic server (MALALN34)
cd C:\TEMP
dir
12/01/2014 10:03 AM 585 malaln57.der.cer
cd C:\Program Files\Java\jdk1.7.0_71\jre
keytool -import -alias malaln57_cas -file C:\temp\malaln57.der.cer -keystore ..\jre\lib\security\cacerts -storepass changeit -noprompt
Certificate was added to keystore
Restart WebLogic Managed Server "SSO_Manager"
Retest the above link
=============
CAS - Error 8
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
Oracle forms begin to open and you get this error
Forms
com.sun.xml.internal.ws.wsdl.parser.InaccessibleWSDLException: 2 counts of InaccessibleWSDLException. java.io.IOException: Server returned HTTP response code: 500 for URL: http://malaln34.sct.com:9908/ssomanager/ws/credential-service.wsdl
java.io.IOException: Se
The SSO_Manager weblogic log file shows
2014-12-01 11:58:11,897 INFO [com.ellucian.sso.handler.impl.InbHandler.] - Sending Redirect to Internet Native Banner
- http://malaln24.sct.com:8888/forms/frmservlet?config=malaln32_ban9_seam&otherParams=IAMTICKET=09F37D491774167DB16E9AB96D119D26
2014-12-01 11:58:21,895 ERROR [com.ellucian.sso.inb.ws.security.AuthenticationFilter.]
- No Configuration was registered that can handle the configuration named myrealm
java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named myrealm
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at javax.security.auth.login.LoginContext.init(LoginContext.java:259)
Fix 8
-----
Review the BEIS install Guide
- beis80200in.pdf
For example make sure the managed server SSO_Manager has the correct "Server Start" parameters of
Arguments
-Djava.security.auth.login.config=D:\Oracle\Middleware\user_projects\domains\base_domain\config\security\jaas.config
Also make sure the file exists D:\Oracle\Middleware\user_projects\domains\base_domain\config\security\jaas.config
with correct content of
myrealm {
weblogic.security.auth.login.UsernamePasswordLoginModule
REQUIRED;
};
=============
CAS - Error 9
=============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Internet Native Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
Oracle forms begin to open and you get this error at the bottom of the GUAGMNU menu form
FRM-40735: LEAVE_INITI trigger raised unhandled exception ORA-20104
Fix 9
-----
See
- FAQ 1-1DF524J - GUAINIT error when logging into Banner FRM-40735 LEAVE_INIT_TRIGGER raised unhandled exception ORA-20104
In GSASECR assign form
GSQTOFU - BAN_DEFAULT_M
==============
CAS - Error 10
==============
When you "Sign Out" of Banner 9 application it does not redirect to the proper defined logout URL portal.
Instead it stays on the default CAS logout page.
Central Authentication Service (CAS)
Logout successful
You have successfully logged out of the Central Authentication Service.
For security reasons, exit your web browser.
Fix 10
------
Part 1
Change the logout URL in the Banner 9 application .groovy file
from
afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?url=http://malaln31.sct.com/index.html'
to
afterLogoutUrl = 'https://malaln57.sct.com:8443/cas/logout?service=http://malaln31.sct.com/index.html'
Notice "?url" changed to "?service"
Rebuild and redeploy the WAR file.
Part 2
Edit the file
/usr/share/cas/cas-server-3.4.12/cas-server-webapp/target/cas-server-webapp-3.4.12/WEB-INF/cas-servlet.xml
Locate this
Change to
This requires a rebuild and redeployment of cas.war
==============
CAS - Error 11
==============
Login to SSOManager
- http://malaln34.sct.com:9908/ssomanager (ssomgrAdm/u_pick_it)
Click the "Self Service Banner" link in upper right corner
Login to CAS as testinb8/u_pick_it
results in no errors, but you are then prompted to log in to SSB again with an ID/PIN, which is not correct.
Fix 11
------
When deploying BEIS sso-manager.ear make sure that the CAS server hostname (malaln57.sct.com) is specified
with its fully qualified domain name throughout instead of as the hostname alone (malaln57).
This addresses the cookie issue preventing the proper SSB login.
For example this part of the BEIS sso-manager.ear build needed the ".sct.com" added to it
Click Next
CAS Server Protocol
[x] https
CAS Server Host = malaln57.sct.com
CAS Server Port = 8443
CAS Server Context = cas
Click Next
Save Deployables to Location = D:\sghe\ban9\BEIS_8.2\Deployables\SSOManager_8.2
Click Next
Click Install
==============
CAS - Error 12
==============
Attempting to access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Results in browser error - HTTP Status 404
If you access the NON-SSL cas login page
- http://malaln57.sct.com:8080/cas/login
it displays fine
Fix 12
------
CAS with INB/SSB SSO requires an SSL implementation.
Confirm SSL has been implemented correctly in Tomcat; for example edit
- $CATALINA_HOME/conf/server.xml
to look like this
which enables the full set of SSL protocols needed for CAS.
Also, when creating the SSL certificate for tomcat, make sure you used the server name here
What is your first and last name?
[Unknown]: malaln57
==============
CAS - Error 13
==============
After restarting the CAS server on tomcat the CAS server management page no longer displays the services you added.
For example
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
You no longer see the service for
"sso manager cas client"
Fix 13
------
This is the result of implementing CAS with "in-memory data store" instead of "JPA-based session Persistence"
You can manually rebuild the missing service again and it will continue to work until the CAS server is restarted again
or you can implement CAS Persistence as outlined in the documentation
- CAS Single Sign On Handbook.pdf (Starting on Page 22 see notes for steps with JPA-based session)
Once you implement CAS with "JPA-based session Persistence" the data is then stored in Oracle tables on the database
typically in the SSOMGR schema instead of in runtime memory.
The CAS tables are typically these objects listed below.
select object_name,created from dba_objects
where owner='SSOMGR' and object_type='TABLE'
order by CREATED;
CAS tables created under SSOMGR schema are typically
- TICKETGRANTINGTICKET
- RS_ATTRIBUTES
- REGISTEREDSERVICEIMPL
- LOCKS
- SERVICETICKET
Note the other tables listed were created as part of the SSOManager install for example
SSOManager tables created under SSOMGR schema are typically
- APP_CONFIG
- UDC_CREDENTIAL_SERVICES
- UDC_TICKET_SERVICES
- UDC_CREDENTIAL_INFO
==============
CAS - Error 14
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentOverall (testinb8/u_pick_it)
with valid CAS credentials results in the Banner 9 Login screen displaying the the error
invalid username/password; logon denied
And in the WebLogic Application Server log it shows
<[ServletContext@104570679[app:StudentOverall module:StudentOverall.war path:/StudentOverall spec-version:2.5]] Servlet failed with Exception
java.lang.RuntimeException: javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from malaln57.sct.com - 149.24.40.63 failed hostname verification check.
Certificate contained malaln57 but check expected malaln57.sct.com
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:106)
Truncated. see log file for complete stacktrace
Caused By: javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from malaln57.sct.com - 149.24.40.63 failed hostname verification check.
Certificate contained malaln57 but check expected malaln57.sct.com
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
Truncated. see log file for complete stacktrace
Fix 14
------
This error is the result of the CAS Server SSL certificate (malaln57) imported into the WebLogic server (malaln34) keystore.
The CAS Server SSL certificate was built without the fully qualified domain, for example malaln57 instead of malaln57.sct.com.
Ideally you would want to create and import a fully qualified domain certificate to avoid this error,
but in WebLogic you can skip the hostname verification check by following these steps below
In the WebLogic Server Administration Console:
- http://malaln34.sct.com:7001/console
If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit
In the left pane of the Console, expand Environment and select Servers
Click the name of the server for which you want to disable host name verification, e.g. "Banner9"
Select Configuration > SSL, and click Advanced at the bottom of the page.
Set the Hostname Verification field to "None". (The default is "BEA Hostname Verifier".)
Save and Activate the change and restart the Banner9 server.
Now retest the URL
==============
CAS - Error 15
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog (testinb8/u_pick_it)
with valid CAS credentials results in CAS error
Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to use CAS.
Fix 15
------
Make sure this Application URL is defined correctly to CAS Server.
The fully qualified domains also have to match.
Access the CAS server management page
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
Click Add New Service
Name = XEStudentCourseCatalog
Service URL = http://malaln34.sct.com:8081/StudentCourseCatalog/**
Description = StudentCourseCatalog
Status = [x] Enabled [ ] Allowed to proxy [x] SSO Participant [ ] Anonymous Access
Attributes = UDC_IDENTIFIER
Save changes
==============
CAS - Error 16
==============
Logging into Banner 9 Application
- http://malaln34.sct.com:8081/StudentCourseCatalog (testinb8/u_pick_it)
with valid CAS credentials results in CAS error
Servlet failed with Exception
java.lang.RuntimeException: javax.net.ssl.SSLKeyException: [Security:090479]Certificate chain received from malaln57.sct.com - 149.24.40.63 failed date validity checks.
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
Fix 16
------
Confirm the CAS server and Banner 9 server have system clocks that are in sync.
Also confirm the certificate used to implement CAS SSL has not expired.
If it has expired you will need to recreate it with a valid date range, confirm tomcat is using it,
and also confirm the JDK running the Banner 9 application is using the new certificate.
See "Fix 7" above for added details
==============
CAS - Error 17
==============
Logging into the CAS Services Management console
- https://malaln57.sct.com:8443/cas/services/manage.html (casadmin/u_pick_it)
with valid CAS credentials results in CAS error
(CAS)
CAS is Unavailable
There was an error trying to complete your request. Please notify your support desk or try again.
Checking the catalina.log shows these error details
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Fix 17
------
In this CAS implementation 3 main settings needed to be updated due to a change
in the SSL certificate to a fully qualified domain, .sct.com
a.
Update the CAS Services URL
sqlplus system/manager
update ssomgr.REGISTEREDSERVICEIMPL set SERVICEID='https://malaln57.sct.com:8443/cas/services/**'
where SERVICEID='https://malaln57:8443/cas/services/**';
commit;
b.
su - tomcat
Update the file /aux/tomcat/apache-tomcat-7.0.57/webapps/cas/WEB-INF/cas.properties
Change this
server.prefix=https://malaln57:8443/cas
to
server.prefix=https://malaln57.sct.com:8443/cas
c.
su - root
cd /usr/java/jdk1.6.0_45/jre/lib/security
keytool -delete -alias malaln57_cas -keystore cacerts -storepass changeit
keytool -delete -alias malaln57_cas1 -keystore cacerts -storepass changeit
keytool -import -alias malaln57_cas -file /aux/tomcat/malaln57.crt -keystore cacerts -storepass changeit -noprompt
keytool -list -keystore cacerts -storepass changeit
Once all 3 changes were made then stop and restart tomcat
su - tomcat
/aux/tomcat/apache-tomcat-7.0.57/bin/shutdown.sh
/aux/tomcat/apache-tomcat-7.0.57/bin/startup.sh
and retest CAS Services URL and it worked without any further errors.
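Errors 14, 16 and 17 above are all the same certificate problem seen from three angles (name, dates, trust). The following script is an added example, not part of this article or of CAS, that runs the hostname and date checks a CAS client performs on a certificate and reports them in the wording of the WebLogic errors; the sample certificates are constructed, and the live-fetch helper assumes the host and cert path used in this article.

```python
"""Pre-flight checks on the CAS server certificate, reporting the three
conditions behind Errors 14, 16 and 17: a certificate name that does not
match the FQDN the client uses, a certificate outside its validity dates,
and a chain the client keystore does not trust."""
import socket
import ssl
import time


def _cert_names(cert):
    """Names a client matches the host against: SAN dNSName entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def _name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def check_cas_cert(cert, expected_host, now=None):
    """Return a list of findings (empty when the cert is fine) for a cert
    dict in the shape ssl.SSLSocket.getpeercert() returns."""
    now = time.time() if now is None else now
    names = _cert_names(cert)
    findings = []
    if not any(_name_matches(n, expected_host) for n in names):  # Error 14
        findings.append("hostname: certificate contained %s but check expected %s"
                        % (", ".join(names) or "<no name>", expected_host))
    if not any("." in n for n in names):  # root cause on this page: short name
        findings.append("name: %s is not fully qualified; answer the keytool "
                        "'first and last name' prompt with the FQDN" % ", ".join(names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):  # Error 16
        findings.append("date: certificate not yet valid (notBefore %s)" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):  # Error 16
        findings.append("date: certificate expired (notAfter %s)" % cert["notAfter"])
    return findings


def fetch_peer_cert(host, port=8443, cafile=None, timeout=10):
    """Fetch the live cert. cafile is the exported CAS cert imported with keytool
    in Fix 7 / Fix 17; trusting only it reproduces the PKIX check of Error 17 at
    the handshake, while hostname matching is left to check_cas_cert to report."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a keytool self-signed cert generated with the short
# name "malaln57" (as in Fix 12) and keytool's default 90-day validity.
SHORT_NAME_CERT = {
    "subject": ((("commonName", "malaln57"),),),
    "notBefore": "Nov 24 00:00:00 2014 GMT",
    "notAfter": "Feb 22 00:00:00 2015 GMT",
}
# Constructed sample: the same cert regenerated with the FQDN and a SAN.
FQDN_CERT = dict(SHORT_NAME_CERT,
                 subject=((("commonName", "malaln57.sct.com"),),),
                 subjectAltName=(("DNS", "malaln57.sct.com"),))
AT_DEC_2014 = ssl.cert_time_to_seconds("Dec 01 12:00:00 2014 GMT")
AT_JUN_2015 = ssl.cert_time_to_seconds("Jun 01 12:00:00 2015 GMT")
```

Run `check_cas_cert(fetch_peer_cert("malaln57.sct.com", cafile="/aux/tomcat/malaln57.crt"), "malaln57.sct.com")` against the live server (assumed host and path); an empty list means the client-side checks that failed in Errors 14 and 16 now pass.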
===================
mtytler 27-APR-2016