Hi BARBOSA,

To use digital certificates for mutual authentication (SSL), it is necessary to
keep in mind four components:

- The server's certificate (keystoreFile="/etc/tomcat/tomcat.keystore")
- The client certificate (usually has the extension .p12 and is
distributed to each individual client)
- The list of certificates of trusted CA's (truststoreFile="/path/to/myTrustStore.jks")
- A certificate revocation list (usually has the extension .crl and is
available via a URL in the certificates of trusted CA's)

Questions:

1. From CAS Server:

1.1. Can I reuse that keystore or should I regenerate a new one?
> You can reuse it, but the host defined in the CN (Common Name) of the
certificate must be the same as what is being accessed.

1.2. Where should that truststoreFile come from? Is it generated on the
server or is it generated on the client computer?
> This file is the one that holds the certificate list of trusted CA's (i.e.
Verisign, Certisign, Thawte...). This keystore must be stored on the server.

2. On the Client or User End

2.1. What are the things that need to be run?
> Only the personal digital certificate (i.e. yuri.p12) configured in the
browser.

2.2. Should I copy the .crt file from CAS Server and put it on my local
machine? Please tell me how.

> No. The server certificate is sent by the SSL protocol. You must set up the
Certification Authority in the browser.

2.3. What should be done on the client end?

> First, you must configure the certificate authority server
certificate (.crt, .cer, .der) in the client browser.
> Second, you must configure the keystore (.p12) in the client browser.

To view and manipulate keystores I recommend Portecle
(http://portecle.sourceforge.net/).

"Portecle is a user friendly GUI application for creating, managing and
examining keystores, keys, certificates, certificate requests, certificate
revocation lists and more."

Cheers,

Yuri Feitosa Negócio
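
As an added example (not code from this thread, from CAS or from Tomcat), the POSIX shell script below builds three of the four pieces Yuri lists with openssl in a scratch directory (the CRL is left out): a private CA, a client .p12 for a user, and a truststore holding that CA (a JKS via keytool when a JDK is installed, plus a PEM bundle of the same CAs so the check runs with openssl alone). It then runs the two checks an administrator wants before turning on clientAuth: whether a client certificate chains to a CA in the truststore, and whether the server certificate's CN equals the host name users type (point 1.1). The CA names, user names, the host sso.example.org and the password are all constructed.

```shell
set -eu
WORK=$(mktemp -d)
PASS=changeit   # constructed sample password, not a real one
# Self-signed certificate: used for the private CA (its .crt goes into the
# truststore and into browsers) and as a stand-in server certificate.
make_selfsigned() {   # $1 = CN, also used as the file name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# Client certificate signed by a CA, packed as the .p12 the user imports.
make_client() {   # $1 = CA name, $2 = user name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -certfile "$WORK/$1.crt" -passout "pass:$PASS" -out "$WORK/$2.p12" 2>/dev/null
}
# Truststore: the CAs whose client certificates the server will accept.
# Tomcat reads the JKS (keytool, if present); the PEM bundle is for openssl.
make_truststore() {   # $@ = CA names to trust
  : > "$WORK/truststore.pem"
  for ca in "$@"; do
    cat "$WORK/$ca.crt" >> "$WORK/truststore.pem"
    if command -v keytool >/dev/null 2>&1; then
      keytool -importcert -noprompt -alias "$ca" -file "$WORK/$ca.crt" \
        -keystore "$WORK/myTrustStore.jks" -storepass "$PASS" >/dev/null 2>&1
    fi
  done
}
# Succeeds only if the client certificate chains to a CA in the truststore,
# the same decision Tomcat makes for clientAuth="want" or "true".
client_accepted() {   # $1 = user name
  openssl verify -CAfile "$WORK/truststore.pem" "$WORK/$1.crt" 2>/dev/null | grep -q ': OK'
}
# Yuri's point 1.1: the CN of the server certificate must equal the host
# name users actually type, or the browser will reject the connection.
cn_matches_host() {   # $1 = certificate file, $2 = expected host name
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
  [ "$cn" = "CN=$2" ]
}
make_selfsigned clientca; make_selfsigned otherca; make_selfsigned sso.example.org
make_client clientca yuri; make_client otherca contractor
make_truststore clientca   # only clientca is trusted; otherca is not
client_accepted yuri && echo "yuri.crt: accepted (issued by a trusted CA)"
client_accepted contractor || echo "contractor.crt: rejected (CA not in truststore)"
```

The .p12 written to $WORK/yuri.p12 is what the user would import into the browser (step 2.3), and $WORK/myTrustStore.jks is what truststoreFile in server.xml would point at.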

On Thu, Feb 3, 2011 at 5:35 AM, BARBOSA Bernard <
[email protected]> wrote:

> Dear All,
>
> May I please ask for your help regarding the configuration of X.509
> Certificate Authentication to CAS.
>
> We are using the following:
>
> - CAS 3.4.2 with Debian Lenny OS
> - Java 6
>
> We are currently using a public SSL Certificate for our SingleSignOn which
> came from Comodo PositiveSSL. We would like to have our authentication
> become seamless. We tried to use CAS-SPNEGO but it has some issues with IE,
> i.e. popping up for basic authentication. And it has been recommended by some
> good people here to use X.509 Certificate Authentication.
>
> On the procedures here
> https://wiki.jasig.org/display/CASUM/X.509+Certificates, for the
> configurations of CAS I believe I've already put them in place; however
> there are two parts that I am very confused about:
>
>    1. On the CAS Server end, what should I do to make the certificate
>    acceptable to the clients (users)?
>    2. On the Client or User end, what should I do to make the certificate
>    acceptable to the CAS Server?
>
> Please correct me if I am wrong, these are the things that I did:
>
>    1. *From CAS Server:*
>       1. We already have the keystore which we are using until now in
>       Production, so I didn't generate a new one since we already have a
>       keystore.
>       2. Please see the tomcat server.xml config:
>
>       <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                  maxThreads="150" scheme="https" secure="true"
>                  clientAuth="false" sslProtocol="TLS"
>                  keystoreFile="/etc/tomcat/tomcat.keystore"
>                  keypass="secret" />
>
> *Questions:*
>
> - Can I reuse that keystore or should I regenerate a new one?
>
> - From the document it has mentioned these config lines:
>
>       <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
>       <Connector port="443" maxHttpHeaderSize="8192"
>                  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                  enableLookups="false" disableUploadTimeout="true"
>                  acceptCount="100" scheme="https" secure="true"
>                  clientAuth="want" sslProtocol="TLS"
>                  keystoreFile="/path/to/keystore.jks" keystorePass="secret"
>                  truststoreFile="/path/to/myTrustStore.jks" truststorePass="secret" />
>       <!-- if you do not specify a truststoreFile, then the default
>            java "cacerts" truststore will be used -->
>
> - Where should that truststoreFile come from? Is it generated
> on the server or is it generated on the client computer?
>
>    2. *On the Client or User End*
>       1. What are the things that need to be run?
>       2. Should I copy the .crt file from CAS Server and put it on my
>       local machine? Please tell me how.
>       3. What should be done on the client end?
>
> I hope you guys can help me with this. I have been working on this for 3
> days now; I'm so delayed with my targets.
>
> Thank you so much..
>
> Kind Regards,
>
> BARBOSA Bernard
> Senior Administrator, System/Network
> MUSIC Group Macao Commercial Offshore Limited (Philippines) ROHQ
> IP Phone: 60651 ext 1245
> Tel: +63 2 9028200 ext 1245
> Email: [email protected]
> Web: www.music-group.com | www.behringer.com | www.bugera-amps.com
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user