Göteborgs universitet - Pablo Millet
Doc. Version: 0.1 : 17/7 - 2006 (first release)
CAS 2 - Oracle SSO/Oracle Portal Installation
This document shows how to CASify the SSO part of the OCS.
Gothenburg University uses the whole OCS (Oracle Collaboration Suite):
-- Midtier ( Portal, Mail, Calendar)
-- Infra (OID, SSO)
-- DB (database, mail)
CAS uses OID for looking up and validating accounts.
Oracle Portal uses the same OID.
CASifying the Oracle SSO part means that ALL Oracle SSO enabled applications and tools (eg, Oracle Portal, Mail, Calendar) will appear as if they were CAS clients.
Behind the curtains it is only the SSO part of the OCS that talks to CAS.
A user logged on to CAS should not have to log in again when accessing Oracle SSO enabled applications.
This is generally done in three steps:
First we need to install and configure a CAS server.
Second, we need to "rebuild" the Oracle SSO application so that it becomes a CAS client. This means all users requesting an Oracle SSO enabled application (Portal, OCS, Portlets etc) will have to pass through here, which results in users being redirected to the CAS server for authentication.
Third, we need to configure and replace the standard Oracle SSO plugin with our own CASAuthenticator. CASAuthenticator takes care of users coming from the CAS server and validates their service tickets. After the validation procedure is done, it passes the user on to the standard Oracle SSO procedures and hands over responsibility.
1. Purpose of this document
This document describes how to use CAS with Oracle Portal and SSO. This document does not instruct in detail how to install CAS or Oracle Portal/SSO. It is assumed you have basic knowledge about Tomcat, CAS and Oracle products. At the end of this document you'll find some useful links. Otherwise you'll find plenty of howtos out there.
Other versions of Oracle products and CAS have not been tested.
The following is required to be installed and running:
- SSL enabled Tomcat version 4 or later.
- CAS version 2.1.1
- Oracle Portal version 10.1.2
- Oracle SSO version 10.1.2
2. Install CAS version 2.1.1 (Server1)
Setting up the CAS software is straightforward.
First, download the CAS server and client libraries from: http://www.ja-sig.org/products/cas/
CAS uses HTTPS, so you must enable this in Tomcat. This can be a bit tricky, but if you follow the links below and the instructions it should work fine. On Apache Tomcat's website you'll find plenty of information and howtos for SSL enabling Tomcat.
2.1 Configure CAS-server (Server1)
See the CAS documentation.
3. Rebuild Oracle SSO to become a CAS-client (Server2)
This step assumes that you have a CAS server up and running.
We are now going to configure Oracle SSO to use CAS.
3.1 Import CAS-server certificate
You need to import your CAS server's SSL certificate into the keystore(s) used by your system. Import it into every JVM keystore the SSO server may run under; otherwise the HTTPS call that validates service tickets fails with a certificate error.
Example for three different keystores:
./keytool -alias my-cas-server.net -import -file /tmp/certs/my-cas-server.net.crt -keystore %ORACLE_HOME/jre/1.4.2/lib/security/cacerts
./keytool -alias my-cas-server.net -import -file /tmp/certs/my-cas-server.net.crt -keystore %ORACLE_HOME/javavm/lib/security/cacerts
./keytool -alias my-cas-server.net -import -file /tmp/certs/my-cas-server.net.crt -keystore %ORACLE_HOME/jdk/jre/lib/security/cacerts
If you are not familiar with Java's keytool, consider using Portecle (http://portecle.sourceforge.net/).
Portecle is a great tool for managing keystores, certificate import/export, etc.
3.2 Apply the CAS-filter to Oracle SSO application
This step assumes you have done step 3.1.
1. Copy cas-client-java-2.1.1.jar and commons-logging-api.jar to:
2. Copy gu-localplugins.jar to:
3. Edit the Portal SSO application's web.xml to include the CASSimpleFilter servlet filter.
The configuration example below uses my-cas-server.net and port 8443 for HTTPS. You should change this to suit your own configuration.
Open and edit:
Place the following filter between <web-app> and </web-app> in web.xml.
What se.gu.cas.filter.CASSimpleFilter does (very simple):
1. If no CAS ServiceTicket (ST) is found in the request, it redirects the client to CAS.
2. If a ST is found, it continues processing the request, meaning that the client will end up at se.gu.cas.oracle.plugin.CASAuthenticator.
From now on, requests to any Oracle SSO enabled application (Portal, OCS, Portlets) will be redirected to the CAS server (https://my-cas-server.net:8443).
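As an added example (not the CASSimpleFilter code from gu-localplugins.jar), a servlet filter with the two behaviours just described; the login URL and the "ticket" parameter follow the CAS 2 protocol, and the class name CasRedirectFilter is an assumption.

```java
// Added example, not the original page's code: a servlet filter behaving like
// se.gu.cas.filter.CASSimpleFilter as the text describes it (class name assumed).
package se.gu.cas.filter;

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CasRedirectFilter implements Filter {
    // CAS 2 login endpoint on the CAS server used in the text
    private static final String CAS_LOGIN_URL = "https://my-cas-server.net:8443/cas/login";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String ticket = request.getParameter("ticket");
        if (ticket == null || ticket.length() == 0) {
            // 1. No ServiceTicket: send the browser to CAS, naming this SSO URL as the service.
            String service = buildServiceUrl(request);
            response.sendRedirect(CAS_LOGIN_URL + "?service=" + URLEncoder.encode(service, "UTF-8"));
            return;
        }
        // 2. A ST is present: pass the request on so CASAuthenticator can validate it.
        // Nothing is trusted yet; a forged "ticket" parameter only reaches the validator.
        chain.doFilter(req, res);
    }

    // The service value must be exactly the URL CASAuthenticator later sends to
    // /serviceValidate, so it is rebuilt from the request (no ticket is present here).
    static String buildServiceUrl(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null && query.length() > 0) {
            url.append('?').append(query);
        }
        return url.toString();
    }
}
```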
4. Install and configure the SSO-plugin - CASAuthenticator
Now we need to replace the standard Oracle SSO plugin with our own CASAuthenticator plugin.
This plugin is the key workhorse in CAS-Oracle SSO. Its main purpose is to validate tickets (ST, ServiceTickets) against our CAS server and, on successful validation, to establish a valid Oracle SSO session for the requesting client/browser.
What se.gu.cas.oracle.plugin.CASAuthenticator does (very simple):
1. Validates the given CAS ServiceTicket (ST).
2. If validation of the ST returns success, it starts an Oracle SSO session and then hands over the responsibility to standard Oracle SSO.
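As an added example (not the CASAuthenticator from gu-localplugins.jar), the ST validation step using the ServiceTicketValidator class shipped in cas-client-java-2.1.1.jar; the serviceValidate URL on my-cas-server.net:8443 follows the CAS 2 protocol, the class and method names are assumptions, and starting the Oracle SSO session via ipastoolkit.jar is left to the real plugin.

```java
// Added example, not the original page's code: validating a CAS 2 service ticket
// with the cas-client-java-2.1.1 ServiceTicketValidator (class/method names assumed).
package se.gu.cas.oracle.plugin;

import edu.yale.its.tp.cas.client.ServiceTicketValidator;

public class TicketCheck {
    // CAS 2 validation endpoint on the CAS server used in the text
    private static final String CAS_VALIDATE_URL =
        "https://my-cas-server.net:8443/cas/serviceValidate";

    /**
     * Returns the CAS user name if the ticket is valid for the given service,
     * or null when CAS rejects it. Every failure path ends in null so the caller
     * can never start an Oracle SSO session without a positive answer from CAS.
     */
    public static String validateServiceTicket(String service, String ticket) {
        if (service == null || ticket == null || !ticket.startsWith("ST-")) {
            return null;   // CAS 2 service tickets start with "ST-"; proxy tickets are not accepted here
        }
        ServiceTicketValidator sv = new ServiceTicketValidator();
        sv.setCasValidateUrl(CAS_VALIDATE_URL);
        sv.setService(service);   // must equal the service sent at login, or CAS answers INVALID_SERVICE
        sv.setServiceTicket(ticket);
        try {
            sv.validate();        // HTTPS call; needs the CAS certificate imported in step 3.1
        } catch (Exception e) {   // IOException, SAXException, ParserConfigurationException
            return null;          // network or parse failure is treated as "not validated"
        }
        if (!sv.isAuthenticationSuccessful()) {
            // e.g. INVALID_TICKET: the ST was already used (tickets are single-use) or has expired
            return null;
        }
        return sv.getUser();
    }
}
```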
4.1. Replace default Oracle SSO with CASAuthenticator
1. Copy:
- cas.properties and gu-localplugins.jar to %ORACLE_HOME/sso/plugin/
(see "Configure CASAuthenticator - cas.properties" for configuration instructions)
- cas-client-java-2.1.1.jar to %ORACLE_HOME/sso/lib/
2. Edit: %ORACLE_HOME/sso/conf/policy.properties
Look for "MediumSecurity_AuthPlugin".
Comment out the default AuthPlugin, like this:
#MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
and use CASAuthenticator as the plugin instead:
MediumSecurity_AuthPlugin = se.gu.cas.oracle.plugin.CASAuthenticator
Save the file and exit... done!
4.2 Configure CASAuthenticator - cas.properties
After editing cas.properties, restart the SSO process so the new plugin and configuration are loaded:
%ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Note: The following logfiles are interesting:
5. Additional information
- If you need to change CASAuthenticator you'll need Oracle's ipastoolkit.jar and the cas-client-java-2.1.1.jar library to compile!
- Tomcat SSL: http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
- Portecle (great tool for managing keystores, certificate import/export, etc.)
- The following logfiles are interesting in your Oracle system: