WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
X.509 Authentication - Web Server Configuration
X.509 configuration requires substantial configuration outside the CAS Web application. The configuration of Web server SSL components varies dramatically with software and is outside the scope of this document. We offer some general advice for SSL configuration:
- Configuring SSL components for optional client certificate behavior generally provides better user experience. Requiring client certificates prevents SSL negotiation in cases where the certificate is not present, which prevents user-friendly server-side error messages.
- Accept certificates only from trusted issuers, generally those within your PKI.
- Specify all certificates in the certificate chain(s) of allowed issuers.
Embedded Web Server
While instructions here generally apply to an external server deployment such as Apache Tomcat, that is not a hard requirement. X.509 authentication can be achieved with an embedded Apache Tomcat container that ships with CAS and can be potentially simplify the configuration and automation steps quite a bit, depending on use case and behavior. The configuration of certificate and trust stores as well as behavior and enforcement of client authentication can also be managed directly by CAS.
The following settings and properties are available from the CAS configuration catalog:
server.ssl.bundle=
The name of a configured SSL bundle.
|
server.ssl.certificate=
Path to a PEM-encoded SSL certificate file.
|
server.ssl.certificate-private-key=
Path to a PEM-encoded private key file for the SSL certificate.
|
server.ssl.ciphers=
|
server.ssl.client-auth=
Client authentication mode. Requires a trust store.
|
server.ssl.enabled=true
Whether to enable SSL support.
|
server.ssl.enabled-protocols=
|
server.ssl.key-alias=
Alias that identifies the key in the key store.
|
server.ssl.key-password=
Password used to access the key in the key store.
|
server.ssl.key-store=
Path to the key store that holds the SSL certificate (typically a jks file).
|
server.ssl.key-store-password=
Password used to access the key store.
|
server.ssl.key-store-provider=
Provider for the key store.
|
server.ssl.key-store-type=
|
server.ssl.protocol=TLS
|
server.ssl.server-name-bundles=
Mapping of host names to SSL bundles for SNI configuration.
|
server.ssl.trust-certificate=
Path to a PEM-encoded SSL certificate authority file.
|
server.ssl.trust-certificate-private-key=
Path to a PEM-encoded private key file for the SSL certificate authority.
|
server.ssl.trust-store=
Trust store that holds SSL certificates.
|
server.ssl.trust-store-password=
Password used to access the trust store.
|
server.ssl.trust-store-provider=
Provider for the trust store.
|
server.ssl.trust-store-type=
Type of the trust store.
|
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
Note
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
Optional (Mixed) Authentication
When using an embedded Apache Tomcat container, it may be required to allow the user to select either X.509 authentication or the usual CAS login flow without first being prompted. In this scenario, the user is allowed the option to select a login flow via X.509 at which time the browser would present a dialog prompt asking for a certificate selection and then passing it onto CAS to proceed.
This behavior is achieved by exposing a dedicated port for the embedded Apache Tomcat container that may forcefully require X.509 authentication for login and access. Doing so should automatically allow for an extra login option in the user interface to trigger the browser for X.509.
The following settings and properties are available from the CAS configuration catalog:
cas.authn.x509.webflow.port=0
Port that is used to enact x509 client authentication as a separate connector. Configuration of a separate server connector and port allows the separation of client-auth functionality from the rest of the server, allowing for opt-in behavior. To activate, a non-zero port must be specified.
|
cas.authn.x509.webflow.client-auth=want
Indicate the strategy that should be used to enforce client x509 authentication. Accepted values are
|
cas.authn.x509.webflow.enabled=true
Whether webflow auto-configuration should be enabled.
|
cas.authn.x509.webflow.order=0
The order in which the webflow is configured.
|
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
Note
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
External Apache Tomcat
Anything said here extends the Apache Tomcat reference for SSL.
The Tomcat server is configured in $CATALINA_HOME/conf/server.xml with one or more <Connector> elements. Each of these elements
defines one port number on which Tomcat will listen for requests. Connectors that support SSL are configured with one or two files
that represent a collection of X.509 certificates.
-
The
keystoreFileis a collection of X.509 certificates one of which Tomcat will use to identify itself to browsers. This certificate contains the DNS name of the server on which Tomcat is running which the HTTP client will have used as the server name part of the URL. It is possible to use a file that contains multiple certificates (in which case Tomcat will use the certificate stored under the alias “Tomcat” or, if that is not found, will use the first certificate it finds that also has an associated private key). However, to assure that no mistakes are made it is sensible practice to use a file that has only the one host certificate, plus of course its private key and chain of parent Certificate Authorities. -
The
truststoreFileis a collection of X.509 certificates representing Certificate Authorities from which Tomcat is willing to accept user certificates. Since thekeystoreFilecontains the CA that issued the certificate identifying the server, thetruststoreFileandkeystoreFilecould be the same in a CAS configuration where the URL (actually the port) that uses X.509 authentication is not the well know widely recognized URL for interactive (userid/password form) login, and therefore the only CA that it trusts is the institutional internal CA.
One strategy if you are planning to support both X.509 and userid/password validation through the same port is to put a
public (VeriSign, Thawte) certificate for this server in the keystoreFile, but then put only the institutional
internal CA certificate in the truststoreFile. Logically and in all the documentation,
the Certificate Authority that issues the certificate to the
server which the browser trusts is completely and logically independent of the Certificate Authority that issues the
certificate to the user which the server then trusts. Java keeps them separate, Tomcat keeps them separate, and browsers
should not be confused if, during SSL negotiation, the server requests a user certificate from a CA other than the
one that issued the server’s own identifying certificate. In this configuration, the Server issues a public certificate
every browser will accept and the browser is strongly urged to send only a private institutional
certificate that can be mapped to a Principal name.
Almost ThereIf you previously configured CAS without
X.509 authentication, then you probably have the keystoreFile already configured and
loaded with a certificate identifying this server. All you need to add is the truststoreFile part.
The configured connector will look something like:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<!-- if you do not specify a truststoreFile, then the default java "cacerts" truststore will be used-->
<Connector port="443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="want"
sslProtocol="TLS"
keystoreFile="/path/to/keystore.jks"
keystorePass="secret"
truststoreFile="/path/to/myTrustStore.jks"
truststorePass="secret" />
The clientAuth="want" tells Tomcat to request that the browser provide a user certificate if one is available. If
you want to force the use of user certificates, replace "want" with "true".
If you specify "want" and the browser does not have a certificate, then CAS may forward the request to the login form.
The keystore can be in JKS or PKCS12 format when using Tomcat. When using both PKCS12 and JKS keystore types
then you should specify the type of each keystore by using the keystoreType and truststoreType attributes.
You may import the certificate of the institutional Certificate Authority (the one that issues User certificates) using the command:
1
2
3
4
5
# Create a blank keystore to start from scratch if needed
# keytool -genkey -keyalg RSA -alias "selfsigned" -keystore myTrustStore.jks -storepass "secret" -validity 360
# keytool -delete -alias "selfsigned" -keystore myTrustStore.jks
keytool -import -alias myAlias -keystore /path/to/myTrustStore.jks -file certificateForInstitutionalCA.crt