In VMware Telco Cloud Service Assurance, the authentication is not available for EDAA. Hence, to secure the EDAA, we need to deploy an external CAS Server so that the EDAA gets authenticated using the external CAS Server.
Below are the steps to build the CAS Server and to configure authentication for EDAA using the external CAS Server.
Note:
- The certificate exchange outlined below needs to be done between the CAS server and the EDAA Server (where the Tomcat is running). Once the authentication is configured between the EDAA server and the CAS, the EDAA calls to all the servers attached to the broker to which the EDAA Server is registered must be secured.
- The steps provided have been validated using CAS 6.5 version, Java version 11, and Tomcat 9 version.
- It is recommended to use a different Linux server, that is (other than VMware Telco Cloud Service Assurance and Domain Managers deployed servers) for building and deploying CAS.
- To build CAS:
- Download cas-overloay-template from the GitHub as follows:
wget —no-check-certificate -O cas-overlay-template-6.5.zip https://github.com/apereo/cas-overlay-template/archive/refs/heads/6.5.zip
- Unzip the downloaded cas-overlay-template-6.5.zip under /opt/.
- Download Java 11 JDK and extract under /opt/ (after extracting you can see a directory like /opt/jdk-11.X.Y).
- Navigate /opt/cas-overlay-template-6.5/, edit build.gradle and add the following entries for dependencies/extensions.
Ensure to add these entries after the line:
implementation "org.apereo.cas:cas-server-webapp-init"
.implementation "org.apereo.cas:cas-server-support-duo" implementation "org.apereo.cas:cas-server-support-oidc" implementation "org.apereo.cas:cas-server-support-rest" implementation "org.apereo.cas:cas-server-support-rest-tokens" implementation "org.apereo.cas:cas-server-support-json-service-registry" implementation "org.apereo.cas:cas-server-core-api-configuration-model" implementation "org.tuckey:urlrewritefilter:4.0.4"
Note: The module org.tuckey:urlrewritefilter:4.0.4 is required to enable URL rewriting to redirect login calls from EDAA, that is, from ( /cas/realm-login to /cas/ login). - Configure the following environment variables to execute build. Remember to update JDK version 11.X.Y according to the version you downloaded.
$ export JAVA_HOME=/opt/jdk-11.X.Y $ export PATH=${JAVA_HOME}/bin:$PATH
- Build CAS application and generate Keystore.
Navigate to /opt/cas-overlay-template-6.5/ and run the following command to build CAS:
$ ./gradlew clean build
- Once the build is successful, you can see /opt/cas-overlay-template-6.5/build/libs/cas.war file created.
- Navigate to To generate /opt/cas-overlay-template-6.5/ and run the following command to generate Keystore:
$ ./gradlew createKeystore
This command will create
cas.crt
and the Keystore files under/etc/cas/.
.
- Download cas-overloay-template from the GitHub as follows:
- Procedure to deploy.
- Download Apache Tomcat 9 and extract under /opt/.
$ wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.82/bin/apache-tomcat-9.0.82.tar.gz $ tar xfz apache-tomcat-9.0.82.tar.gz
- Set
JRE_HOME
for Tomcat. Remember to update JDK version 11.X.Y according to the version you downloaded.$ export JRE_HOME=/opt/jdk-11.X.Y
- Copy /opt/cas-overlay-template-6.5 /build/libs/cas.war that was built earlier to /opt/apache-tomcat-9.0.82/webapps/.
- Start Tomcat to deploy CAS webapps from the copied cas.war file.
$ /opt/apache-tomcat-9.0.82/bin/catalina.sh start
- Stop Tomcat.
$ /opt/apache-tomcat-9.0.82/bin/catalina.sh stop
- Enable URL rewriting by updating the mentioned filters in web.xml and also by creatingurlrewrite.xml files.
- Update /opt/apache-tomcat-9.0.82/webapps/cas/WEB-INF/web.xml with the following filters added under
<web-app>
xml element.<filter> <filter-name>UrlRewriteFilter</filter-name> <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class> </filter> <filter-mapping> <filter-name>UrlRewriteFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> </filter-mapping>
- Create a new file under /opt/apache-tomcat-9.0.82/webapps/cas/WEB-INF/urlrewrite.xml with the following contents.
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 4.0//EN" "http://www.tuckey.org/res/dtds/urlrewrite4.0.dtd"> <urlrewrite> <rule> <from>^/realm-login$</from> <to last="true" type="redirect">%{context-path}/login</to> </rule> </urlrewrite>
- Update /opt/apache-tomcat-9.0.82/webapps/cas/WEB-INF/web.xml with the following filters added under
- Copy the generated Keystore files (that is cas.crt and the Keystore) to /etc/cas/. This step is required if the server used to build CAS is different from where it is deployed.
- Create file /etc/cas/config/cas.properties with the following contents:
cas.server.name=http://localhost:8080 cas.server.prefix=${cas.server.name}/cas cas.serviceregistry.json.location=file:/etc/cas/services cas.authn.accept.users=admin::changeme cas.authn.attribute-repository.stub.id=SAMPROF cas.authn.attribute-repository.stub.attributes.SAM_PROFILE=admin-profile
- Create a service registry /etc/cas/services/smarts-edaa-1001.json with the following contents:
{ "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "^(http|https)://.*", "name" : "HTTP/HTTPS wildcard", "id" : 1001, "attributeReleasePolicy" : { "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy", "principalAttributesRepository" : { "@class" : "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository", "attributeRepositoryIds": ["java.util.HashSet", [ "myjson" ]] } } }
- Start CAS Tomcat.
$ /opt/apache-tomcat-9.0.82/bin/catalina.sh start
- Update the runcmd_env.sh file in the SAM Server (where the EDAA Server is running) with the CAS Server and port details.
Note: In the following example, port 8080 is used for CAS Tomcat and SAM Tomcat Server. By default, the Tomcat http server is configured to run on port 8080 in server.xml file.
SM_TOMCAT_SERVER=http://<sam-tomcat-server>:8080 SM_CAS_SERVER=http://<cas-tomcat-server>:8080
- Restart the SAM EDAA Tomcat and the Presentation SAM Server on SAM Server.
- Download Apache Tomcat 9 and extract under /opt/.
Additional Steps to Configure EDAA in HTTPS Mode
- To enable HTTPS (SSL) communication between the CAS Server and the SAM, you must perform the following procedure:
Note:
- When generating the certificate, perform the following procedure. The FQDN used must be resolved to IP address across VMware Telco Cloud Service Assurance Servers (including Domain Managers and pods) and CAS Servers.
- When asked for your first and last name, enter the fully qualified name of the machine, for example, vmwbgb111.oc.vmware.com.
- Answer other questions and type yes when asked for confirmation.
- When prompted, enter the Keystore password. For example, password changeit is used in the following example.
- Commands to generate the certificate and export the certificate in SAM Server.
/opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/InCharge/SAM/smarts/.keystore /opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -export -keystore /opt/InCharge/SAM/smarts/.keystore -alias tomcat -rfc > samtomcat.cert
Note: Once the certificate is generated, copy the certificate file samtomcat.cert to the server where CAS Server is running. - Commands to generate the certificate and export the certificate in CAS Server.
/opt/jdk-11.0.17/bin/keytool -storetype JKS -genkey -alias tomcat -keyalg RSA -keystore /opt/.keystore /opt/jdk-11.0.17/bin/keytool -storetype JKS -export -keystore /opt/.keystore -alias tomcat -rfc > castomcat.cert
Note:- Once the certificate is generated, copy the certificate file castomcat.cert to the server where SAM Server is running.
- /opt/jdk-11.0.17 is the installed location of Java 11.
- Import the certificates from SAM Server to CAS Server Keystore.
/opt/jdk-11.0.17/bin/keytool -storetype JKS -import -file samtomcat.cert -alias samtomcat -keystore /opt/.keystore cp /opt/.keystore /opt/jdk-11.0.17/lib/security/cacerts
Note:- When asked to trust the certificate while importing the .cert file type, yes.
- Before copying the new
.keystore
file to the Jave security directory, take a backup of the existing cacerts file under /opt/jdk-11.0.17/lib/security/cacerts.
- Import certificates from CAS Server to SAM Server Keystore.
/opt/InCharge/SAM/smarts/jre/bin/keytool -storetype JKS -import -file castomcat.cert -alias castomcat -keystore /opt/InCharge/SAM/smarts/.keystore cp /opt/InCharge/SAM/smarts/.keystore /opt/InCharge/SAM/smarts/jre/lib/security/cacerts
Note:- When asked to trust the certificate, type yes.
- Before copying the new
.keystore
file to the Jave security directory, take a backup of the existing cacerts file under /opt/InCharge/SAM/smarts/jre/lib/security/cacerts.
- Add the following Connector port in the
/opt/apache-tomcat-9.0.82/conf/server.xml
file of CAS Server.Note: In the following example, port 8443 is used for CAS Tomcat Server.<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/opt/.keystore" keystorePass="changeit" clientAuth="false" sslEnabledProtocols="TLSv1.2" />
- Add the following Connector port in the /opt/InCharge/SAM/smarts/tomcat/conf/server.xml file of SAM server.
Note: In the following example, port 8443 is used for SAM Tomcat Server.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/opt/InCharge/SAM/smarts/.keystore" keystorePass="changeit" clientAuth="false" sslEnabledProtocols="TLSv1.2" />
- Update the runcmd_env.sh file in SAM Server (where the EDAA Server is running) with the CAS Server and port details.
SM_CAS_SERVER=https://<cas-tomcat-server-FQDN>:<port> SM_TOMCAT_SERVER=https://<sam-tomcat-server-FQDN>:<port>
- Restart the CAS Tomcat using the following commands.
/opt/apache-tomcat-9.0.82/bin/catalina.sh stop /opt/apache-tomcat-9.0.82/bin/catalina.sh start
- Restart EDAA Tomcat Instance and the Presentation SAM Services on SAM Install.