Some Practical CAS Deployment Issues - PowerPoint PPT Presentation

1
Some Practical CAS Deployment Issues
  • Andrew Newman
  • Yale University
  • 12-June-2005

2
CAS Deployment Issues
  • CAS Runs in a Servlet 2.4/JSP 2.0 container
    behind an SSL-protected HTTP Server
  • A single CAS Server should ideally accommodate
    both production and development clients.
  • The CAS Server Requires SSL Server-side
    Certificates to function.
  • CAS Clients must be able to establish SSL
    connections.

3
Two Plausible Configurations
  • Run Servlet Container with supplied HTTP Server
    (e.g. Jakarta-Tomcat)
  • Run Servlet container behind industrial strength
    web server (e.g. Apache HTTPD)

4
Run Servlet Container with supplied Web Server
  • Pro: Simple to configure
  • Pro: Pure Java, portable solution
  • Con: Possible performance issues with SSL
  • Con: Generally regarded as somewhat less
    securable than a native-code web server.

5
Run Servlet container behind industrial-strength
web server
  • Pro: Maximum performance and tune-ability
  • Pro: More flexible. Web server and Servlet
    container don't have to reside on the same host.
  • Con: More complex. Three components instead of 1
    (web server, servlet container and connector
    software) to configure and coordinate.

6
Configuration Options
7
SSL Roles Scenarios
  • CAS Server -
  • Must possess a valid SSL X.509 certificate (and
    private key) trusted by the client population.
  • If serving in proxy mode, must be able to
    establish a trusted SSL connection to the proxying
    server.

8
SSL Roles Scenarios (continued)
  • CAS Clients -
  • Must be able to initiate an SSL connection to the
    CAS Server and must regard the presented server
    certificate as valid and trusted.
  • If the client is proxying, it must present an HTTPS
    service with a certificate that the CAS server
    trusts.

9
What Are X.509 Certificates All About?
  • They associate a public key with a service or
    person.
  • They identify the certifying authority
    attesting to the validity of the aforementioned
    binding.
  • The owner of a certificate is identified by the
    Subject field, the signer of the certificate by
    the Issuer field. These are represented as
    Distinguished Names (DNs).
  • For example:
    C=US, SP=Connecticut, L=New Haven, O=Yale University,
    CN=otto.cis.yale.edu, EMail=newman-andy@yale.edu

10
What Do X.509 Certificates Look Like?
  • They contain a version and serial number:
      Version: 3 (0x02)
      Serial Number: 9800030456 (0x2482098F8)
  • They contain a Subject and Issuer as outlined
    above
  • They contain a validity range:
      Validity
          Not Before: Mar  6 13:01:39 2003 GMT
          Not After : Mar  3 13:01:39 2013 GMT
  • They contain a public key and a signature

11
What Are the Requirements For Trust?
  • The certificate must be parseable.
  • The claimed Issuer must be known to the party
    performing the trust assessment.
  • The Issuer's public key must validate the
    signature on the certificate.
  • The certificate must not have expired.
  • The certificate's claimed Subject must match the
    subject the client expected to be talking to.

12
Where Do Public/Private Key Pairs Come From?
  1. Create a key pair and a subjectDN
  2. Associate the subjectDN with the key pair as a
     PKCS#10 certificate request
  3. Present the request to the Certifying Authority
13
Practical Walkthrough with Apache HTTPD
  • Create keypair and subjectDN as PKCS#10 request:
      openssl req -new -out site.req -keyout site.key
    To just produce a self-signed certificate instead, issue:
      openssl req -new -x509 -out site.cert -keyout site.key -days 365
  • Process request and create X.509 certificate.
    NOTE!!! This might well be an opaque operation
    done by a remote Certifying Authority... or it
    might be:
      openssl x509 -in site.req -out site.cert -req -CA myca.cert \
          -CAkey myca.key -CAserial myca.srl -days 365
  • Associate certificate and key with each other and
    the server (in the HTTP configuration file, e.g.
    httpd.conf or ssl.conf):
      SSLCertificateFile    /path/to/site.cert
      SSLCertificateKeyFile /path/to/site.key
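
The trust requirements of slide 11, run against a certificate issued with the openssl step of slide 13. This is an added example, not code from the original deck; it assumes only the openssl command-line tool, and the CA names, throwaway directory and config file are constructed for the demo:

```shell
#!/bin/sh
# Added demo (not the slides' code): issue a server cert with slide 13's
# "openssl x509 -req -CA/-CAkey/-CAserial" step, then apply slide 11's checks.
# Assumes the openssl CLI; every name and DN below is constructed.
set -u
# Minimal req config so the demo does not depend on the system openssl.cnf.
write_cfg() {
    cat >"$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:otto.cis.yale.edu
EOF
}
# make_demo_pki DIR: myca (trusted), other (a CA the client does not know),
# and site.cert for otto.cis.yale.edu issued by myca.
make_demo_pki() {
    d=$1; write_cfg "$d/cfg"
    for ca in myca other; do
        openssl req -new -x509 -config "$d/cfg" -newkey rsa:2048 -nodes -days 365 \
            -subj "/O=Demo/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.cert" 2>/dev/null
    done
    openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes -keyout "$d/site.key" \
        -subj "/C=US/ST=Connecticut/L=New Haven/O=Yale University/CN=otto.cis.yale.edu" \
        -out "$d/site.req" 2>/dev/null
    openssl x509 -req -in "$d/site.req" -CA "$d/myca.cert" -CAkey "$d/myca.key" \
        -CAserial "$d/myca.srl" -CAcreateserial -extfile "$d/cfg" -extensions leaf_ext \
        -days 365 -out "$d/site.cert" 2>/dev/null
}
# check_cert_trust CERT CAFILE HOST: slide 11's five requirements; 0 = trusted.
check_cert_trust() {
    cert=$1; cafile=$2; host=$3
    # 1. parseable
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "unparseable: $cert"; return 1; }
    # 2+3. issuer is a known trust anchor and its public key validates the signature
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || { echo "untrusted issuer or bad signature"; return 1; }
    # 4. not expired (-checkend 0 = "does not expire within 0 seconds")
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    # 5. the name the client expected appears as a dNSName SAN (modern clients ignore CN)
    esc=$(printf '%s' "$host" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -text | grep -Eq "DNS:$esc(,|\$)" || { echo "name mismatch: $host"; return 1; }
    echo "trusted: $cert for $host"
}
```

The second CA (other) exists only so the unknown-issuer case can be exercised; in practice the same check_cert_trust function is pointed at the client's real CA bundle. Note that openssl verify already covers requirements 2 to 4 together, so the separate -checkend step is there to make the expiry check visible on its own.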

14
Practical Walkthrough with Tomcat
  • Create keypair and subjectDN as PKCS#10 request:
      keytool -genkey -alias tomcat -keyalg RSA
      keytool -certreq -alias tomcat -file site.req
  • Process request and create X.509 certificate.
    NOTE!!! This might well be an opaque operation
    done by a remote Certifying Authority... or it
    might be:
      openssl x509 -in site.req -out site.cert -req -CA myca.cert \
          -CAkey myca.key -CAserial myca.srl -days 365
  • Associate certificate and key with each other and
    the server:
      keytool -import -alias tomcat -file myca.cert

15
Where Must These Items Reside?
  • HTTPS connections initiated from within a Java
    program need to trust the CA that signed the
    certificate of any server they connect to. These
    server certificates should reside in
    $JAVA_HOME/jre/lib/security/cacerts
  • Jakarta Tomcat-based web servers want to find
    their private-key/certificate pairs under the
    alias tomcat within the keystore $HOME/.keystore

16
Where Must These Items Reside? (continued)
  • Apache HTTPD-based web servers store private keys
    in a file referenced by the configuration
    statement SSLCertificateKeyFile
  • The matching certificate should be in a file
    referenced by SSLCertificateFile

17
Questions?
  • newman-andy_at_yale.edu