Setting up a CAS server on Docker is not very smooth, and the official documentation is not very explicit about it.
We decided to write a post on this subject to help others quickly configure a CAS server with a complete tutorial.
Warning: here we describe deploying a TESTING CAS server. This configuration is not for production, especially since it authorizes any application!
First, I would like to mention the very good articles on this site that were our starting point:
https://fawnoos.com/2022/05/31/cas65x-docker-deployment/
https://fawnoos.com/2021/02/04/cas63-management-webapp/
We were previously using the demo CAS server available at https://casserver.herokuapp.com/cas, but for some time now it can no longer be used with arbitrary applications: it refuses unauthorized applications. That is why we needed our own CAS server.
For our tutorial, we used a vanilla Debian 12 instance on DigitalOcean with 16 GB RAM.
- Requirements:
- Java 11
- Docker
- A real certificate for the server's domain name; without it, we could not get a functional environment (we used Let's Encrypt in this example)
- jq installed
See the annexes below for how to install these dependencies.
1. Installation of the CAS server
- Create a keystore on the server from the SSL certificate that was issued
We assume that the certificate and the key were issued by Let's Encrypt and are located in /etc/letsencrypt/live/$DOMAIN_NAME.
Replace $DOMAIN_NAME with the name of your domain; in our example it is castest.datafari.com:
export DOMAIN_NAME=castest.datafari.com
openssl pkcs12 -export -in /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem -inkey /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem -out letsencrypt.p12
When prompted for a password, enter ‘changeit’.
With the last command, we created a keystore in PKCS12 format. We now need to convert it to JKS format:
keytool -importkeystore -srckeystore letsencrypt.p12 -srcstoretype PKCS12 -destkeystore letsencrypt.jks -deststoretype JKS
When prompted for the destination and source passwords, always enter ‘changeit’.
We can now run the CAS server with Docker.
Create a directory for CAS, here /var/work/cas:
mkdir -p /var/work/cas
Copy the JKS keystore (here generated in /root) to this folder:
cp /root/letsencrypt.jks /var/work/cas
Rename it to ‘thekeystore’ and change its permissions (just in case):
mv /var/work/cas/letsencrypt.jks /var/work/cas/thekeystore
chmod 777 /var/work/cas/thekeystore
Before launching the CAS server, we can set some settings. See https://fawnoos.com/2022/05/31/cas65x-docker-deployment/#container-configuration for more information.
“Adjust the CAS root logging level to debug so we can get more details from the running CAS web application.
Rename the CAS SSO cookie to SSO_COOKIE.
Allow the service registry instance to initialize and bootstrap itself from the embedded JSON files that ship with CAS.
Enable the schedule for the service registry loader”
Basically, with this configuration we get more verbose logs and our CAS server will authorize all applications.
Enter these commands:
properties='{
    "logging": {
        "level": {
            "org.apereo.cas": "debug"
        }
    },
    "cas": {
        "tgc": {
            "name": "SSO_COOKIE"
        },
        "service-registry": {
            "core": {
                "init-from-json": true
            },
            "schedule": {
                "enabled": false
            }
        }
    }
}'
properties=$(echo "$properties" | tr -d '[:space:]')
echo -e "***************************\nCAS properties\n***************************"
echo "${properties}" | jq
We can now pass these properties to the container through the SPRING_APPLICATION_JSON environment variable.
We can now launch the CAS server, adding a bind mount for the keystore we just created:
export CAS_KEYSTORE=/var/work/cas/thekeystore
docker run --rm -d --mount type=bind,source="${CAS_KEYSTORE}",target=/etc/cas/thekeystore -e SPRING_APPLICATION_JSON="${properties}" -p 8444:8443 --name casserver apereo/cas:6.5.
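As an added example (not from the tutorial and not code from the CAS project), the same properties built and minified with Python's json module instead of the tr one-liner, plus a small check that lists the settings the tutorial describes as test-only; the function names and the review rules are this example's own.

```python
import json

# The four settings are those of the tutorial's SPRING_APPLICATION_JSON;
# the function names and the review rules are this example's own.
def build_cas_properties(log_level="debug", cookie_name="SSO_COOKIE",
                         init_from_json=True, schedule_enabled=False):
    """Return the CAS override properties as a nested dict."""
    return {
        "logging": {"level": {"org.apereo.cas": log_level}},
        "cas": {
            "tgc": {"name": cookie_name},
            "service-registry": {
                "core": {"init-from-json": init_from_json},
                "schedule": {"enabled": schedule_enabled},
            },
        },
    }

def to_spring_application_json(props):
    """Compact form for -e SPRING_APPLICATION_JSON=... . Unlike
    tr -d '[:space:]', json.dumps only drops whitespace between tokens,
    so a value that legitimately contains a space is left intact."""
    return json.dumps(props, separators=(",", ":"))

def parse_spring_application_json(text):
    """Round-trip check: the string Docker receives must still be valid JSON."""
    return json.loads(text)

def review_test_settings(text):
    """List the settings the tutorial flags as test-only (debug logging and
    bootstrapping the service registry from the embedded JSON, which the
    tutorial says authorises all applications), so they are not reused elsewhere."""
    props = json.loads(text)
    findings = []
    level = props.get("logging", {}).get("level", {}).get("org.apereo.cas", "")
    if level.lower() in ("debug", "trace"):
        findings.append("org.apereo.cas logging level is %s" % level)
    core = props.get("cas", {}).get("service-registry", {}).get("core", {})
    if core.get("init-from-json") is True:
        findings.append("service registry initialised from embedded JSON")
    return findings

if __name__ == "__main__":
    compact = to_spring_application_json(build_cas_properties())
    print(compact)
    for finding in review_test_settings(compact):
        print("test-only setting:", finding)
```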
After some time, the CAS server can be reached at this URL:
https://$DOMAIN_NAME:8444/cas/login
so in our example it would be:
https://castest.datafari.com:8444/cas/login
The default credentials are:
user: casuser
password: Mellon
We can now install the CAS management webapp.
2. Installation of the CAS management webapp
Clone the code from the GitHub project CAS Management Overlay. Here we clone it into /var/work/cas:
cd /var/work/cas
git clone https://github.com/apereo/cas-management-overlay.git
We want to check out the 6.5 version of the code:
cd cas-management-overlay
git checkout 6.5
Copy the keystore into the project:
cp /var/work/cas/thekeystore /var/work/cas/cas-management-overlay/etc/cas/thekeystore
Edit management.properties, located in etc/cas/config:
nano /var/work/cas/cas-management-overlay/etc/cas/config/management.properties
cas.server.name=https://$DOMAIN_NAME:8444
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://$DOMAIN_NAME:8443
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=file:/etc/cas/config/users.json
logging.config=file:/etc/cas/config/log4j2-management.xml
Edit the properties cas.server.name and mgmt.server-name, replacing $DOMAIN_NAME with your domain name. Here is the file with our example domain:
cas.server.name=https://castest.datafari.com:8444
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://castest.datafari.com:8443
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=file:/etc/cas/config/users.json
logging.config=file:/etc/cas/config/log4j2-management.xml
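An added example, not from the tutorial and not code from the CAS project: parsing this management.properties, resolving the ${cas.server.name} placeholder, and checking that the two URLs agree with the docker port mappings used above (8444 for CAS, 8443 for the management webapp). The embedded file content is a constructed copy of the one shown; the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the tutorial's management.properties with the example
# domain; the parser and the checks below are this example's own.
MANAGEMENT_PROPERTIES = """\
cas.server.name=https://castest.datafari.com:8444
cas.server.prefix=${cas.server.name}/cas
mgmt.server-name=https://castest.datafari.com:8443
mgmt.admin-roles[0]=ROLE_ADMIN
mgmt.user-properties-file=file:/etc/cas/config/users.json
logging.config=file:/etc/cas/config/log4j2-management.xml
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def load_properties(text):
    """Parse key=value lines and resolve ${other.key} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    for key, value in props.items():
        props[key] = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return props

def check_management_config(props, cas_host_port=8444, mgmt_host_port=8443):
    """Return problems found; an empty list means the file is consistent with
    the docker -p mappings used in the tutorial and both URLs use HTTPS."""
    problems = []
    name = props.get("cas.server.name", "")
    if "$DOMAIN_NAME" in name:
        problems.append("$DOMAIN_NAME placeholder was not replaced")
    cas, mgmt = urlparse(name), urlparse(props.get("mgmt.server-name", ""))
    for label, url in (("cas.server.name", cas), ("mgmt.server-name", mgmt)):
        if url.scheme != "https":
            problems.append("%s must be an https URL" % label)
    if cas.hostname != mgmt.hostname:
        problems.append("CAS and management webapp hostnames differ")
    if cas.port != cas_host_port or mgmt.port != mgmt_host_port:
        problems.append("ports do not match docker -p %d/%d" % (cas_host_port, mgmt_host_port))
    if props.get("cas.server.prefix") != name + "/cas":
        problems.append("cas.server.prefix does not resolve to cas.server.name + /cas")
    return problems
```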
Build the project with Docker:
cd /var/work/cas/cas-management-overlay
chmod +x *.sh
./docker-build.sh
When the build is finished, you can launch the container:
./docker-run.sh
The CAS management page can be found at this URL:
https://$DOMAIN_NAME:8443/cas-management
In our example the URL is:
https://castest.datafari.com:8443/cas-management
With this test configuration our CAS server will authorize all applications.
ANNEXES
- Java installation
apt-get install -y wget apt-transport-https gnupg
wget -O - https://packages.adoptium.net/artifactory/api/gpg/key/public | apt-key add -
echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list
apt-get update
apt-get install temurin-11-jdk
- Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh ./get-docker.sh --dry-run   # preview only: prints the steps without installing anything
sudo sh ./get-docker.sh
- jq
apt-get install jq