Hi Carlos,

The document was written to take a "baby steps" approach of getting one
feature/function working at a time to make it easier to understand what's
going on and to diagnose problems. You've jumped ahead several steps, which
you can of course do, but you might want to go back and review earlier
sections to make sure you have performed all the configuration steps that
the later sections assume have been done.

BUT... to try and get what you already have working, I think these steps
should get you most of the way there:

1. Open the server firewall to allow TCP connections on Port 443.

2. If you haven't already done so, create/obtain a TLS/SSL certificate and
install it in Tomcat's keystore.

3. Adjust cas.properties to contain:

cas.server.name = https://scna-cas.cna.org.br:8443
cas.server.prefix = ${cas.server.name}/cas


4. Change the service registry file for the dashboard to contain

"serviceId" : "^https://scna-cas.cna.org.br:8443/cas/status/dashboard(\\z|/.*)",


5. Change the service registry file for the management webapp to contain

"serviceId" : "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",


6. Direct your web browser (or curl) to

https://scna-cas.cna.org.br:8443/cas/status
https://scna-cas.cna.org.br:8443/cas/status/dashboard
https://scna-cas.cna.org.br:8443/cas-management



If that still doesn't work, it honestly might be easier to go back and work
step-by-step from the beginning. Instructions (as well as examples you can
copy-and-paste to edit) for creating service registry files without the
webapp, etc. are all provided.

You don't have to set up a load balancer or proxy (although that's the
environment the document assumes); you can configure the firewall to
forward 443 to 8443 instead with something like

firewall-cmd --permanent --add-forward-port=port=443:proto=tcp:toport=8443


or you can configure Tomcat to do it.

--Dave


--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

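An added consistency check for the configuration discussed in this thread; this is the editor's example, not code from the thread, from the "Deploying Apereo CAS" document or from Apereo CAS itself. It parses a constructed cas.properties fragment and two constructed service registry files (only the hostname scna-cas.cna.org.br, the port 8443, the registry filenames and the cas.adminPagesSecurity.ip regex are taken from the messages below), builds the dashboard and cas-management URLs the browser will request, checks each against the registered serviceId regexes and against the port Tomcat is listening on (8443 in the netstat output quoted below), and applies the admin-page IP regex to sample client addresses. Registry patterns are Java regexes, so the script translates `\z` to Python's `\Z` before compiling.

```python
# Consistency checks for CAS service registry entries and the admin-page IP filter.
# Added example: not code from the thread, the "Deploying Apereo CAS" document or
# Apereo CAS. Inputs are constructed; only hostname, port and filenames are the thread's.
import json
import re
from urllib.parse import urlsplit

# As it sits in the file: java.util.Properties (and load_properties below) turns
# the doubled backslashes in the regex into single ones.
CAS_PROPERTIES = r"""
cas.server.name = https://scna-cas.cna.org.br:8443
cas.server.prefix = ${cas.server.name}/cas
cas.adminPagesSecurity.service = ${cas.server.prefix}/status/dashboard
cas.adminPagesSecurity.ip = ^10\\.1\\.(3\\.[0-9]{1,3}|0\\.[12]0)$
"""

# The dashboard entry carries the port; the management entry is left in the
# port-less form from earlier in the thread so the check has something to flag.
REGISTRY_FILES = {
    "CASAdminDashboard-1517507674.json": r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://scna-cas.cna.org.br:8443/cas/status/dashboard(\\z|/.*)",
  "name" : "CAS Admin Dashboard", "id" : 1517507674, "evaluationOrder" : 5000
}""",
    "CASServiceManagement-1517578442.json": r"""{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://scna-cas.cna.org.br/cas-management(\\z|/.*)",
  "name" : "CAS Services Management", "id" : 1517578442, "evaluationOrder" : 5500
}""",
}

def load_properties(text):
    """key = value lines; doubled backslash unescaped; ${name} resolved."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\\\", "\\")
    for _ in range(len(props)):  # one pass per level of ${} nesting
        before = dict(props)
        for key, value in props.items():
            props[key] = re.sub(r"\$\{([^}]+)\}",
                                lambda m: props.get(m.group(1), m.group(0)), value)
        if props == before:
            break
    return props

def java_regex_to_python(pattern):
    # serviceId is a Java regex; its \z (absolute end of input) is \Z in Python.
    return pattern.replace(r"\z", r"\Z")

def load_registry(files):
    """Parse and compile each registry file, lowest evaluationOrder first."""
    entries = []
    for name, text in files.items():
        entry = json.loads(text)
        entry["_file"] = name
        entry["_pattern"] = re.compile(java_regex_to_python(entry["serviceId"]))
        entries.append(entry)
    return sorted(entries, key=lambda e: e["evaluationOrder"])

def check_url(url, registry, listen_port=8443):
    """What would stop `url` from working: scheme, a port nobody listens on,
    or no (or an ambiguous) service registry match."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https, but the registry entries are")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port != listen_port:
        problems.append(f"URL implies port {port} but Tomcat listens on {listen_port}: "
                        f"put :{listen_port} in cas.server.name or forward {port}->{listen_port}")
    # The thread's patterns are anchored with ^ and \z, so search() is a full match here.
    hits = [e["_file"] for e in registry if e["_pattern"].search(url)]
    if not hits:
        problems.append("no service registry entry matches this URL")
    elif len(hits) > 1:
        problems.append("more than one registry entry matches: " + ", ".join(hits))
    return {"url": url, "matched": hits, "problems": problems}

def run_checks(props, registry, listen_port=8443):
    """Check the two URLs the thread is about, built from cas.properties."""
    urls = {"dashboard": props["cas.adminPagesSecurity.service"],
            "management": props["cas.server.name"] + "/cas-management"}
    return {k: check_url(u, registry, listen_port) for k, u in urls.items()}

def admin_ip_allowed(props, client_ip):
    """cas.adminPagesSecurity.ip is a regex over the client address; anchored with ^ and $."""
    return re.search(props["cas.adminPagesSecurity.ip"], client_ip) is not None

if __name__ == "__main__":
    props, registry = load_properties(CAS_PROPERTIES), load_registry(REGISTRY_FILES)
    for name, r in run_checks(props, registry).items():
        print(f"{name}: {r['url']}\n  " + ("; ".join(r["problems"]) or "OK"))
    for ip in ("10.1.3.7", "10.1.0.10", "10.1.0.20", "10.1.0.30", "10.1.4.1"):
        print(f"admin pages from {ip}: {'allowed' if admin_ip_allowed(props, ip) else 'denied'}")
```

Run with python3: it reports the management entry as unmatched because its serviceId still lacks `:8443`, which is the mismatch steps 4 and 5 above correct, and feeding it a port-less `cas.server.name` reproduces the original ERR_CONNECTION_REFUSED situation as a port finding. The IP pattern is a string match, not a CIDR check: `[0-9]{1,3}` accepts any one- to three-digit last octet, which is harmless for real remote addresses but worth knowing when reading the rule.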

On Fri, Feb 2, 2018 at 12:05 PM, Carlos Eduardo Santos <carlos.santo...@gmail.com> wrote:

> Yes David, I'm following the steps of your documentation and yes, I did
> not do the load balancer part.
>
> I could not create other services; the two mentioned would be the basis
> for me to try to create others through the web interface.
> David, without the load balancer, are you saying the services would have to
> stay this way?
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^https://scna-cas.cna.org.br:8443/cas-management(\\z|/.*)",
>   "name": "CAS Services Management",
>   "id": 1517578442,
>   "description": "CAS services management webapp",
>   "evaluationOrder": 5500
> }
>
> and would I have to change the server in cas.properties to
> cas.server.name = scna-cas.cna.org.br:8443
>
> I tried changing the service in the way above and it did not work
> either.
>
> Below is the output of the netstat command.
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1193/sshd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1902/master
> tcp6       0      0 :::22                   :::*                    LISTEN      1193/sshd
> tcp6       0      0 ::1:25                  :::*                    LISTEN      1902/master
> tcp6       0      0 :::8443                 :::*                    LISTEN      19813/jsvc.exec
>
> On Friday, February 2, 2018 at 13:22:23 UTC-2, David Curry wrote:
>>
>> Carlos,
>>
>> Can you confirm that your CAS server is otherwise working -- you can use
>> it to authenticate other services besides the dashboard and services
>> management webapp? Or is nothing working?
>>
>> If you are getting ERR_CONN_REFUSED, then your client (browser or
>> whatever) is trying to connect to a host/port where nothing is listening.
>> What do you see if you run
>>
>> sudo netstat -plnt
>>
>>
>> on the CAS server?
>>
>> Based on some of your settings, it looks like perhaps you're following
>> the steps in my "Deploying Apereo CAS" documentation. Is that the case? And
>> if it is, did you follow the document from the beginning, including setting
>> up a load balancer in front of the server?
>>
>> Because by default, Tomcat/CAS listens on port 8443 (not 443). My
>> document installs a load balancer in front of multiple CAS servers; the
>> load balancer listens on port 443 and connects to a CAS server on port
>> 8443. If you skipped over the part about installing a load balancer (or a
>> proxy) to do the 443->8443 translation, then your CAS server URLs should
>> start with
>>
>> https://scna-cas.cna.org.br:8443/cas/....
>>
>>
>> (Or you could change the Tomcat configuration to listen on port 443
>> instead of 8443.)
>>
>> --Dave
>>
>>
>>
>> On Fri, Feb 2, 2018 at 9:56 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>
>>> I'm using https in all files, as can be seen below.
>>> Do you have any records I can look at to see whether the service registry is
>>> working properly?
>>>
>>>
>>> CASServiceManagement-1517578442.json
>>>
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "^https://scna-cas.cna.org.br/cas-management(\\z|/.*)",
>>>   "name" : "CAS Services Management",
>>>   "id" : 1517578442,
>>>   "description" : "CAS services management webapp",
>>>   "evaluationOrder" : 5500
>>> }
>>>
>>> CASAdminDashboard-1517507674.json
>>> {
>>>   "@class" : "org.apereo.cas.services.RegexRegisteredService",
>>>   "serviceId" : "^https://scna-cas.cna.org.br/cas/status/dashboard(\\z|/.*)",
>>>   "name" : "CAS Admin Dashboard",
>>>   "id" : 1517507674,
>>>   "description" : "CAS dashboard and administrative endpoints",
>>>   "evaluationOrder" : 5000
>>> }
>>>
>>> On Friday, February 2, 2018 at 12:37:10 UTC-2, David Curry wrote:
>>>>
>>>> The dashboard and cas-management are two completely different things; I
>>>> suggest focusing on one at a time.
>>>>
>>>> If you're getting ERR_CONNECTION_REFUSED, that means there is nothing
>>>> listening on the server/port you're trying to connect to.
>>>>
>>>> Are you using HTTPS or HTTP?
>>>>
>>>> The config file you posted before had "http", but your service registry
>>>> has "https". You need to be using the same thing everywhere, and then
>>>> connecting to the right port.
>>>>
>>>> --Dave
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Feb 2, 2018 at 9:32 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>
>>>>> Hi David,
>>>>> I can only get to /status/;
>>>>> now the dashboard and cas-management are giving the error
>>>>> "ERR_CONNECTION_REFUSED". I have firewalld disabled and SELinux too, so I
>>>>> have no problem with that.
>>>>> I cannot identify where the mistake is.
>>>>> - cas-management.log is not logging anything.
>>>>> - The admusers.properties file has the 2 users below.
>>>>> gnarls = passwordnotused, ROLE_ADMIN
>>>>> carlos.alves = passwordnotused, ROLE_ADMIN
>>>>> - The CASAdminDashboard-1517507674.json service is as described below.
>>>>> {
>>>>>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>>>>>   "serviceId": "^https://scna-cas.cna.org.br/cas/status/dashboard(\\z|/.*)",
>>>>>   "name": "CAS Admin Dashboard",
>>>>>   "id": 1517507674,
>>>>>   "description": "CAS dashboard and administrative endpoints",
>>>>>   "evaluationOrder": 5000
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> On Friday, February 2, 2018 at 11:30:27 UTC-2, David Curry wrote:
>>>>>
>>>>>> Carlos,
>>>>>>
>>>>>> The only mistake I see here is that on the second line,
>>>>>> cas.server.prefix should be getting set to ${cas.server.name}/cas,
>>>>>> not ${server.name}/cas.
>>>>>>
>>>>>> As for the adminPages configuration, based on what you've provided,
>>>>>> you should be able to access
>>>>>>
>>>>>> http[s]://your.cas.server/cas/status
>>>>>>
>>>>>>
>>>>>> from any IP address in 10.1.3.0/24 or from 10.1.0.10, or from
>>>>>> 10.1.0.20. You should be able to do this using either a web browser or even
>>>>>> just curl, without any further authentication required, and get a
>>>>>> small plain-text page back that contains the server status, version, etc.
>>>>>> The result should look something like this:
>>>>>>
>>>>>> % curl https://casdev.newschool.edu/cas/status
>>>>>>
>>>>>> Health: OK
>>>>>>
>>>>>> 1.SessionMonitor: OK - 1 sessions. 0 service tickets.
>>>>>>
>>>>>> 2.MemoryMonitor: OK - 1452.29MB free (79.77%), 368.32MB used,
>>>>>> 1820.61MB total.
>>>>>>
>>>>>> Host: casdev-srv01
>>>>>> Server: https://casdev.newschool.edu
>>>>>> Version: 5.2.2
>>>>>>
>>>>>>
>>>>>> Does that part work? If so, move on to the next part. If not, set
>>>>>> <Property name="cas.log.level">debug</Property> near the top of log4j2.xml,
>>>>>> restart the server, and check cas.log.
>>>>>>
>>>>>> If the above is working, then you should also be able to access
>>>>>>
>>>>>> http[s]://your.cas.server/cas/status/dashboard
>>>>>>
>>>>>>
>>>>>> and have the CAS login page appear. Don't forget that in order for
>>>>>> this to work, you need to create an entry in the service registry for the
>>>>>> dashboard URL:
>>>>>>
>>>>>> "serviceId" : "^https://your.cas.server/cas/status/dashboard(\\z|/.*)",
>>>>>>
>>>>>>
>>>>>>
>>>>>> Does that part work? If so, move on to the next part. If not, it's
>>>>>> probably a service registry problem.
>>>>>>
>>>>>> If the above is working, then you should authenticate to the CAS
>>>>>> server as a user you've listed in admusers.properties. This file
>>>>>> should have lines like
>>>>>>
>>>>>> username=passwordnotused,ROLE_ADMIN
>>>>>>
>>>>>>
>>>>>> where username is the user's LDAP user name (sAMAccountName in your
>>>>>> setup). The user should use his/her LDAP password.
>>>>>>
>>>>>> Does that part work? If not, check the debug logs, or report back
>>>>>> here with the error message(s) you're seeing.
>>>>>>
>>>>>> Good luck,
>>>>>> --Dave
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Feb 2, 2018 at 7:54 AM, Carlos Eduardo Santos <carlos....@gmail.com> wrote:
>>>>>>
>>>>>>> /status/dashboard - Page not found.
>>>>>>> Hello everyone, I have been trying to configure the CAS server for a
>>>>>>> few days (following all the information from "the new school"). The
>>>>>>> information is very clear, but I could not access anything beyond
>>>>>>> /status/.
>>>>>>> I can see the status page; the dashboard, for example, shows nothing.
>>>>>>> Below is the configuration of cas.properties.
>>>>>>>
>>>>>>> cas.server.name = http://xxxxxxxxxxxxxx
>>>>>>> cas.server.prefix = ${server.name}/cas
>>>>>>> cas.tgc.secure = true
>>>>>>> cas.tgc.encryptionKey = DCETkZ33-A7TETvjgZ24J_o2xQkyQxc0FCFa725ubnY
>>>>>>> cas.tgc.signingKey = 8y-RtN0Ny3VF9DAkNQPvIeXXkHtTetFu9bEcG5G7F95ckmSdvE9ZdMSbVCRvBEmwJv_Bbr7wBIfsCrXdo-IytQ
>>>>>>> cas.webflow.crypto.signing.key = J4qjH74TlZY5Ic6GTnblZbwKN4Ye1mBuMEr-a3_DNpakNbmkX0LUmXGQ30oetbf8N_dNXsG_rdjWyXUOen1mEA
>>>>>>> cas.webflow.crypto.encryption.key = dE1URfP5K6nvFtnUgBppQw==
>>>>>>> cas.authn.accept.users =
>>>>>>> logging.config = file:/etc/cas/config/log4j2.xml
>>>>>>> cas.serviceRegistry.config.location = file:/etc/cas/services
>>>>>>> cas.authn.accept.users =
>>>>>>> cas.authn.ldap[0].order = 0
>>>>>>> cas.authn.ldap[0].name = Active Directory
>>>>>>> cas.authn.ldap[0].type = AUTHENTICATED
>>>>>>> cas.authn.ldap[0].ldapUrl = ldap://10.1.0.48:389
>>>>>>> cas.authn.ldap[0].userFilter = sAMAccountName={user}
>>>>>>> cas.authn.ldap[0].useSsl = false
>>>>>>> cas.authn.ldap[0].baseDn = OU=CNANET,DC=cna,DC=org,DC=br
>>>>>>> cas.authn.ldap[0].dnFormat = uid=%s,ou=people,dc=example,dc=org
>>>>>>> cas.authn.ldap[0].subtreeSearch = true
>>>>>>> cas.authn.ldap[0].bindDn = cn=xxxxx,cn=Users,dc=xxx,dc=org,dc=br
>>>>>>> cas.authn.ldap[0].bindCredential = xxxxxxx
>>>>>>> cas.adminPagesSecurity.actuatorEndpointsEnabled = true
>>>>>>> cas.monitor.endpoints.enabled = true
>>>>>>> endpoints.enabled = true
>>>>>>> cas.adminPagesSecurity.ip = ^10\\.1\\.(3\\.[0-9]{1,3}|0\\.[12]0)$
>>>>>>> cas.monitor.endpoints.sensitive = false
>>>>>>> endpoints.sensitive = false
>>>>>>> cas.adminPagesSecurity.loginUrl = ${cas.server.prefix}/login
>>>>>>> cas.adminPagesSecurity.service = ${cas.server.prefix}/status/dashboard
>>>>>>> cas.adminPagesSecurity.users = file:/etc/cas/config/admusers.properties
>>>>>>> cas.adminPagesSecurity.adminRoles[0] = ROLE_ADMIN
>>>>>>> ##############
>>>>>>> I'm trying to open cas.adminPagesSecurity.ip for the 10.1.3.0/24
>>>>>>> network, but I do not know if that's the right way.
>>>>>>> I've tried to follow another topic that talks about it, but without
>>>>>>> success.
>>>>>>> Please, can someone help me!!!
>>>>>>> Thank you.
>>>>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPrH6UbR%3DoZ8k4NsuxCzdjSm4nWas8af6g1zLRDpT-0gA%40mail.gmail.com.
