Apereo CAS - Deployment Using systemd


Contributed Content
Fabio Martelli of Tirasa S.r.l, an active member of the CAS community, was kind enough to share this analysis.

Overview

The following is a short and sweet tutorial on how to deploy Apereo CAS using an embedded servlet container and as systemd service.

Our starting position is based on:

Configuration

To make the instance start automatically at boot, add the following cas.service unit file to the /etc/systemd/system directory:

[Unit]
Description=Apereo CAS
After=network.target

[Service]
# The absolute path to java is an assumption; adjust it to your JDK location.
# A password passed as a -D flag is visible to every local user via ps;
# Environment= or EnvironmentFile= pointing at a root-only file avoids that.
ExecStart=/usr/bin/java -server -noverify -Xmx2048M -XX:+TieredCompilation \
    -XX:TieredStopAtLevel=1 -Dcas.standalone.configurationDirectory=/opt/cas/conf \
    -DKEYSTORE_PASSWORD=... -jar /opt/cas/cas.war

[Install]
WantedBy=multi-user.target

Then reload systemd so it picks up the new unit, and enable it:

sudo systemctl daemon-reload
sudo systemctl enable cas.service

Next, define the SELinux policy module the service needs by creating the cas.te file shown below. The file was generated from the denials recorded in the audit log with the command:

sudo cat /var/log/audit/audit.log | audit2allow -m cas

The resulting file was as follows (as mentioned, saved under cas.te):

module cas 1.0;

require {
    type user_tmp_t;
    type init_t;
    type http_port_t;
    type root_t;
    type unreserved_port_t;
    type usr_t;
    type default_t;
    class file { append create map open rename unlink write };
    class process execmem;
    class dir create;
    class tcp_socket name_connect;
}

#============= init_t ==============

allow init_t default_t:dir create;
allow init_t default_t:file create;
allow init_t default_t:file { append open };
allow init_t http_port_t:tcp_socket name_connect;
allow init_t root_t:dir create;
allow init_t root_t:file { create append open };
allow init_t self:process execmem;
allow init_t unreserved_port_t:tcp_socket name_connect;
allow init_t user_tmp_t:file { create map write };
allow init_t usr_t:file { append create rename unlink };
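Before loading a module like the one above, it is worth reviewing what audit2allow is about to grant. The following POSIX sh/awk script is an added example, not part of this post or of CAS itself: it reduces AVC denial records to the "source target class permission" tuples that become allow rules, and flags the two points a reviewer should question in this cas.te, namely execmem and the fact that every rule is granted to init_t, the domain of systemd itself, rather than to a confined service domain. The audit records are constructed for the demo and the function names are mine.

```shell
#!/bin/sh
# Constructed sample AVC records (not real audit data) in the shape
# audit2allow reads; the contexts mirror the cas.te module above.
SAMPLE_AVC='type=AVC msg=audit(1590000000.100:101): avc:  denied  { name_connect } for  pid=1234 comm="java" dest=8443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1590000000.200:102): avc:  denied  { execmem } for  pid=1234 comm="java" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=AVC msg=audit(1590000000.300:103): avc:  denied  { create } for  pid=1234 comm="java" name="cas" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590000000.400:104): avc:  denied  { write } for  pid=1234 comm="java" name="cas.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1590000000.400:104): arch=c000003e syscall=2 success=no exit=-13 comm="java"'

# Reduce AVC denials on stdin to the "source target class perm" tuples
# that audit2allow would turn into allow rules; sorted and de-duplicated.
avc_tuples() {
  awk '/^type=AVC / && /avc: *denied/ {
    perm = ""; src = ""; tgt = ""; cls = ""
    if (match($0, /[{] *[^}]* *[}]/)) {
      perm = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perm)
    }
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
      if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
      if (kv[1] == "tclass")   cls = kv[2]
    }
    if (src != "" && tgt != "" && cls != "") print src, tgt, cls, perm
  }' | sort -u
}

# Flag tuples a reviewer should question before running semodule -i:
# execmem (writable and executable memory) and any rule granting init_t
# itself, which means the JVM never left the init domain.
flag_risky() {
  awk '$4 == "execmem" { print "REVIEW: execmem granted to " $1 }
       $1 == "init_t"  { init = 1 }
       END { if (init) print "REVIEW: service runs in init_t, no confined domain" }'
}

# Run against the constructed sample; on a live host feed it
# "sudo ausearch -m AVC -ts today" instead.
printf '%s\n' "$SAMPLE_AVC" | avc_tuples
printf '%s\n' "$SAMPLE_AVC" | avc_tuples | flag_risky
```

Tuples that look unexpected for a web application (execmem is commonly needed by the JVM's JIT, but the init_t source domain is a sign the unit should run under a dedicated, confined context) are easier to spot in this form than in the generated .te file.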

Transform the file cas.te into a binary cas.mod:

checkmodule -M -m -o cas.mod cas.te

Create the policy package with the following command:

semodule_package -o cas.pp -m cas.mod

Install the defined security policies:

sudo semodule -i cas.pp

Then start CAS:

sudo systemctl start cas

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Finally, if you benefit from Apereo CAS as free and open-source software, we invite you to join the Apereo Foundation and financially support the project at a capacity that best suits your deployment. If you consider your CAS deployment to be a critical part of the identity and access management ecosystem and care about its long-term success and sustainability, this is a viable option to consider.

Happy Coding,

Misagh Moayyed
