Configure a CAS server and CAS management webapp with Docker

The task of setting up a CAS server on Docker is not very smooth. The official documentation is not very explicit about it.

We decided to write a post on this subject in order to help others to quickly configure a CAS server with a complete tutorial.

Warning : this post describes the deployment of a TESTING CAS server. This configuration is not suitable for production, in particular because it authorizes any application !

First I would like to mention the very good articles on this site, which were the basis for this work :

https://fawnoos.com/2022/05/31/cas65x-docker-deployment/
https://fawnoos.com/2021/02/04/cas63-management-webapp/

We were previously using the demo CAS server available here : https://casserver.herokuapp.com/cas, but for some time now it can no longer be used with arbitrary applications, since it refuses unauthorized applications. That is why we needed our own CAS server.

For our tutorial, we took a vanilla instance on DigitalOcean running Debian 12 with 16 GB RAM.

Requirements :
  • Java 11
  • Docker
  • A real certificate for the server's domain name. Without it, we could not get a functional environment (we used LetsEncrypt in this example)
  • jq installed
See the annexes below for indications on installing these dependencies.

1. Installation of the CAS server

Create a keystore on the server with the generated SSL certificate.

We assume that the certificate and the key were issued by LetsEncrypt and are located in /etc/letsencrypt/live/$DOMAIN_NAME

Replace $DOMAIN_NAME with the name of your domain; in our example it is castest.datafari.com

export DOMAIN_NAME=castest.datafari.com
openssl pkcs12 -export -in /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem -inkey /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem -out letsencrypt.p12

When the script asks you for a password enter ‘changeit’.

With the last command, we created a keystore in PKCS12 format. We now need to convert it to JKS format.

keytool -importkeystore -srckeystore letsencrypt.p12 -srcstoretype PKCS12 -destkeystore letsencrypt.jks -deststoretype JKS

When keytool asks for the destination and source passwords, enter ‘changeit’ for both.
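A non-interactive version of the two keystore commands above, added here as an example (it is not code from the original post): it supplies the password on the command line, checks the certificate's validity before bundling it, and verifies the result. The live directory layout (fullchain.pem, privkey.pem) is LetsEncrypt's, the alias name cas is an arbitrary choice, and the password changeit is the one this tutorial and the CAS image's default server.ssl settings expect.

```shell
#!/bin/sh
# Added example (not from the original post): build the PKCS12 and JKS
# keystores non-interactively and check the certificate first. The live
# directory layout (fullchain.pem, privkey.pem) is LetsEncrypt's; the alias
# name "cas" is an arbitrary choice; "changeit" is the password this tutorial
# and the CAS image's default server.ssl settings expect.

# Return non-zero if the certificate is expired or expires within WINDOW
# seconds (default 7 days), so a stale certificate is caught before it is
# baked into a keystore and mounted into the container.
check_cert_validity() {
    cert="$1"; window="${2:-604800}"
    openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1
}

# PKCS12 bundle, password supplied on the command line instead of a prompt.
build_p12() {
    live_dir="$1"; out="$2"; pass="${3:-changeit}"
    openssl pkcs12 -export -name cas \
        -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
        -out "$out" -passout "pass:$pass"
}

# Convert the PKCS12 bundle to JKS, same password for source and destination.
build_jks() {
    p12="$1"; out="$2"; pass="${3:-changeit}"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass"
}

# Succeeds only if the PKCS12 file opens with the given password (MAC check).
verify_p12() {
    openssl pkcs12 -in "$1" -noout -passin "pass:${2:-changeit}" >/dev/null 2>&1
}

# Whole procedure. Usage:
#   make_cas_keystore /etc/letsencrypt/live/castest.datafari.com /var/work/cas
# Leaves <dest_dir>/thekeystore readable (not writable) by the container's
# user, which is all the bind mount needs.
make_cas_keystore() {
    live_dir="$1"; dest_dir="$2"
    check_cert_validity "$live_dir/fullchain.pem" || {
        echo "certificate is expired or expires within 7 days" >&2; return 1; }
    build_p12 "$live_dir" "$dest_dir/letsencrypt.p12" || return 1
    build_jks "$dest_dir/letsencrypt.p12" "$dest_dir/thekeystore" || return 1
    chmod 644 "$dest_dir/thekeystore"
    keytool -list -keystore "$dest_dir/thekeystore" -storepass changeit
}
```

If keytool rejects the PKCS12 file (older JDKs cannot read the PBES2 defaults that OpenSSL 3 uses), add -legacy to the openssl pkcs12 -export call.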

We can now run the CAS server with Docker.

Create a directory for CAS : here /var/work/cas

mkdir -p /var/work/cas

Copy the JKS keystore to this folder :

cp /root/letsencrypt.jks /var/work/cas

Rename it to ‘thekeystore’ and loosen its permissions so the container's user can read it (just in case; read permission is all the container needs) :

mv /var/work/cas/letsencrypt.jks /var/work/cas/thekeystore
chmod 777 /var/work/cas/thekeystore

Before launching the CAS server, we can adjust a few settings. See https://fawnoos.com/2022/05/31/cas65x-docker-deployment/#container-configuration for details.

“Adjust the CAS root logging level to debug so we can get more details from the running CAS web application.
Rename the CAS SSO cookie to SSO_COOKIE.
Allow the service registry instance to initialize and bootstrap itself from the embedded JSON files that ship with CAS.
Enable the schedule for the service registry loader”

https://fawnoos.com/2022/05/31/cas65x-docker-deployment/#container-configuration

With this configuration, the logs are more verbose and our CAS server authorizes all applications : the embedded JSON service definitions loaded by init-from-json include a catch-all entry for any HTTPS URL.

Enter this command :

properties='{
  "logging": {
    "level": {
      "org.apereo.cas": "debug"
    }
  },
  "cas": {
    "tgc": {
      "name": "SSO_COOKIE"
    },
    "service-registry": {
      "core": {
        "init-from-json": true
      },
      "schedule": {
        "enabled": false
      }
    }
  }
}'
properties=$(echo "$properties" | tr -d '[:space:]')
echo -e "***************************\nCAS properties\n***************************"
echo "${properties}" | jq
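A note on the whitespace stripping in the snippet above, with an added example that is not from the original post: tr -d '[:space:]' deletes every whitespace character, including spaces inside quoted values, so it only works as long as no property value contains a space. jq (already a requirement here) can compact structural whitespace only and rejects malformed JSON before it reaches the container. The sample document below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): two ways to put a multi-line
# JSON document onto one line for SPRING_APPLICATION_JSON.

# The tutorial's approach. Deletes every whitespace character, including the
# ones inside quoted string values, and never checks that the input is JSON.
compact_with_tr() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# Safer approach: jq parses the document, so malformed input fails loudly
# (non-zero exit, nothing printed) and string values are left untouched.
compact_with_jq() {
    printf '%s' "$1" | jq -c . 2>/dev/null
}

# Constructed sample with the tutorial's structure plus one string value that
# contains a space (spring.application.name is an ordinary Spring property).
SAMPLE='{
  "logging": { "level": { "org.apereo.cas": "debug" } },
  "spring": { "application": { "name": "CAS test server" } },
  "cas": {
    "tgc": { "name": "SSO_COOKIE" },
    "service-registry": {
      "core": { "init-from-json": true },
      "schedule": { "enabled": false }
    }
  }
}'

echo "tr : $(compact_with_tr "$SAMPLE")"   # name becomes "CAStestserver"
echo "jq : $(compact_with_jq "$SAMPLE")"   # name stays "CAS test server"
```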

We can now pass these properties to the container through the SPRING_APPLICATION_JSON environment variable.

We can now launch the CAS server, bind-mounting the keystore we just created at /etc/cas/thekeystore, where the image's default SSL configuration expects it (with the password changeit). Pin the image to a specific 6.5 release tag from Docker Hub rather than a moving tag :

export CAS_KEYSTORE=/var/work/cas/thekeystore
docker run --rm -d \
  --mount type=bind,source="${CAS_KEYSTORE}",target=/etc/cas/thekeystore \
  -e SPRING_APPLICATION_JSON="${properties}" \
  -p 8444:8443 --name casserver apereo/cas:6.5.

After some time, the CAS server can be found at this url :

https://$DOMAIN_NAME:8444/cas/login 

so in our example it would be:

https://castest.datafari.com:8444/cas/login

[Screenshot: CAS login UI]

The default credentials (CAS's built-in static test account) are :

user : casuser
password: Mellon

We can now install the CAS management webapp.

2. Installation of the CAS management webapp

Clone the code from the GitHub project CAS Management Overlay.

Here we clone it into /var/work/cas :

cd /var/work/cas
git clone https://github.com/apereo/cas-management-overlay.git

We want to check out the 6.5 branch :

cd cas-management-overlay
git checkout 6.5

Copy the keystore into the project :

cp /var/work/cas/thekeystore /var/work/cas/cas-management-overlay/etc/cas/thekeystore

Edit the management.properties file located in etc/cas/config :

nano /var/work/cas/cas-management-overlay/etc/cas/config/management.properties

The file should contain :

cas.server.name=https://$DOMAIN_NAME:8444
cas.server.prefix=${cas.server.name}/cas

mgmt.server-name=https://$DOMAIN_NAME:8443
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

In cas.server.name and mgmt.server-name, replace the domain with your own. Here is the file with our example domain :

cas.server.name=https://castest.datafari.com:8444
cas.server.prefix=${cas.server.name}/cas

mgmt.server-name=https://castest.datafari.com:8443
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=file:/etc/cas/config/users.json

logging.config=file:/etc/cas/config/log4j2-management.xml

Build the project with Docker :

cd /var/work/cas/cas-management-overlay
chmod +x *.sh
./docker-build.sh

When the build finishes, launch the container :

./docker-run.sh

The CAS management page can be found at this URL :

https://$DOMAIN_NAME:8443/cas-management

In our example the URL is :

https://castest.datafari.com:8443/cas-management

[Screenshot: CAS management UI]

With this test configuration our CAS server will authorize all applications.
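For anything beyond a throwaway test server, the catch-all should be replaced by a service definition per application. The script below is an added example, not code from the original post or from the CAS project: it writes a RegexRegisteredService JSON file that authorizes a single application and checks which URLs the resulting pattern accepts. It assumes the JSON service registry directory is /etc/cas/services (override with SERVICES_DIR, and bind-mount that directory into the container the same way as the keystore), that files follow the name-id.json naming convention the JSON registry expects, and that the application origin contains no regex metacharacters other than dots; the application name, id and origin used in the usage line are made up.

```shell
#!/bin/sh
# Added example (not from the original post or the CAS project): write a CAS
# JSON service definition that authorizes a single application, the
# production-style replacement for the catch-all that the test setup loads.
# Assumptions: the JSON registry directory is /etc/cas/services (override via
# SERVICES_DIR) and files are named <name>-<id>.json, the convention the JSON
# service registry expects.

SERVICES_DIR="${SERVICES_DIR:-/etc/cas/services}"

# Escape the dots of an origin such as https://app.example.com so they are
# literal in a regex (only dots are handled, which is enough for a hostname).
regex_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Write a RegexRegisteredService whose serviceId is anchored to the
# application's origin: only that host, over https, with any path. The regex
# backslashes are doubled once more because they live inside a JSON string.
write_service_definition() {
    name="$1"; id="$2"; app_origin="$3"; dir="${4:-$SERVICES_DIR}"
    json_regex=$(regex_escape "$app_origin" | sed 's/\\/\\\\/g')
    cat > "$dir/$name-$id.json" <<EOF
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^${json_regex}(/.*)?\$",
  "name" : "${name}",
  "id" : ${id},
  "description" : "Only ${app_origin} may authenticate through this CAS server",
  "evaluationOrder" : 10
}
EOF
}

# Does a URL match the pattern generated for an application? grep -E and Java
# regex agree on this simple anchored pattern, so lookalike hosts such as
# https://app.example.com.evil.example/ are rejected along with plain http.
service_matches() {
    pattern="^$(regex_escape "$1")(/.*)?\$"
    printf '%s\n' "$2" | grep -Eq "$pattern"
}

# Same check, but reading the serviceId back from a written definition file
# (undoing the JSON escaping), so the file can be tested before it is mounted.
service_file_matches() {
    pattern=$(sed -n 's/^ *"serviceId" : "\(.*\)",$/\1/p' "$1" | sed 's/\\\\/\\/g')
    printf '%s\n' "$2" | grep -Eq "$pattern"
}

# Usage on the host (then restart the casserver container so the registry is
# reloaded):
#   write_service_definition myapp 20000001 https://app.example.com
```

With such a definition in place of the catch-all, a ticket is only issued when the service parameter presented at login matches the anchored pattern; the evaluationOrder value decides which definition wins when several match.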

ANNEXES

  • Java installation

apt-get install -y wget apt-transport-https gnupg
wget -O - https://packages.adoptium.net/artifactory/api/gpg/key/public | apt-key add -
echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list
apt-get update
apt-get install -y temurin-11-jdk

  • Docker

The --dry-run flag only prints what the convenience script would do; run the script a second time without it to actually install Docker.

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh --dry-run
sudo sh ./get-docker.sh

  • jq

apt-get install -y jq