环境准备
Linux服务器:Red Hat Enterprise Linux Server (64)
JDK:jdk-6u4-linux-i586.bin
Http Server:httpd-2.2.8.tar.gz
Web Server:apache-tomcat-5.5.28.zip、tomcat-connectors-1.2.28-src.tar.gz
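CAS Server:cas.war
注:下文命令实际使用的文件是 jdk-6u35-linux-i586.bin、apache-tomcat-5.5.23.tar.gz 和 tomcat-connectors-1.2.31-src.tar.gz,与上面列出的版本号不一致,请以实际下载的文件名为准。这些版本(JDK 6、httpd 2.2、Tomcat 5.5)均已停止维护,新环境应换用仍在维护的版本。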
[@PTL_AS4U8_mwb01 data]# mkdir /opt/java
[@PTL_AS4U8_mwb01 data]# mv jdk-6u35-linux-i586.bin /opt/java/jdk-6u35-linux-i586.bin
[@PTL_AS4U8_mwb01 data]# cd /opt/java/
[@PTL_AS4U8_mwb01 java]# chmod +x jdk-6u35-linux-i586.bin
[@PTL_AS4U8_mwb01 java]# ./jdk-6u35-linux-i586.bin
[@PTL_AS4U8_mwb01 java]# vi /etc/profile
[@PTL_AS4U8_mwb01 java]# source /etc/profile
export JAVA_HOME=/opt/java/jdk1.6.0_35
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
export JRE_HOME=$JAVA_HOME/jre
export CATALINA_HOME=/opt/services/apache-tomcat-5.5.23
[@PTL_AS4U8_mwb01 java]# source /etc/profile
[@PTL_AS4U8_mwb01 data]# mv apache-tomcat-5.5.23.tar.gz /opt/services/apache-tomcat-5.5.23.tar.gz
[@PTL_AS4U8_mwb01 data]# cd /opt/services/
[@PTL_AS4U8_mwb01 java]# tar -zxvf apache-tomcat-5.5.23.tar.gz
[@PTL_AS4U8_mwb01 java]# vi /etc/profile
[@PTL_AS4U8_mwb01 java]# source /etc/profile
export JAVA_HOME=/opt/java/jdk1.6.0_35
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
export JRE_HOME=$JAVA_HOME/jre
export CATALINA_HOME=/opt/services/apache-tomcat-5.5.23
[@PTL_AS4U8_mwb01 java]# source /etc/profile
[@PTL_AS4U8_mwb02 data]# mv httpd-2.2.8.tar.gz /opt/httpd-2.2.8.tar.gz
[@PTL_AS4U8_mwb02 data]# cd ../
[@PTL_AS4U8_mwb02 opt]# tar -zxvf httpd-2.2.8.tar.gz
[@PTL_AS4U8_mwb02 opt]# cd httpd-2.2.8
[@PTL_AS4U8_mwb02 httpd-2.2.8]# rm -rf configure
[@PTL_AS4U8_mwb02 httpd-2.2.8]# rm -rf srclib/apr-util/configure
[@PTL_AS4U8_mwb02 httpd-2.2.8]# ./buildconf
[@PTL_AS4U8_mwb02 httpd-2.2.8]# ./configure --enable-lib64 --libdir=/usr/lib64 --enable-ssl --with-ssl=/usr/local/ssl --enable-module=so --prefix=/usr/local/httpd
[@PTL_AS4U8_mwb02 httpd-2.2.8]# make
[@PTL_AS4U8_mwb02 httpd-2.2.8]# make install
[@PTL_AS4U8_mwb02 httpd-2.2.8]# ln -s /opt/httpd-2.2.8 /usr/local/httpd
[@PTL_AS4U8_mwb02 httpd-2.2.8]# /usr/local/httpd/bin/apachectl start
[@PTL_AS4U8_mwb02 data]# mv tomcat-connectors-1.2.31-src.tar.gz /opt/java/tomcat-connectors-1.2.31-src.tar.gz
[@PTL_AS4U8_mwb01 data]# cd /opt/java/
[@PTL_AS4U8_mwb02 java]# tar -zxvf tomcat-connectors-1.2.31-src.tar.gz
[@PTL_AS4U8_mwb02 java]# cd tomcat-connectors-1.2.31-src/native/
[@PTL_AS4U8_mwb02 native]# ./configure --with-apxs=/usr/local/httpd/bin/apxs
[@PTL_AS4U8_mwb02 native]# make
[@PTL_AS4U8_mwb02 native]# cp apache-2.0/mod_jk.so /usr/local/httpd/modules/
[@PTL_AS4U8_mwb02 native]# cd /usr/local/httpd/conf/
[@PTL_AS4U8_mwb02 conf]# vi mod_jk.conf
#添加以下内容
JkWorkersFile /usr/local/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile /usr/local/httpd/logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
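# JkOptions: forward the SSL key size to Tomcat. NOTE: the mod_jk documentation describes ForwardURICompat as unsafe together with prefix JkMount patterns such as the "JkMount /*" used in httpd-ssl.conf; omitting it falls back to the module's default URI handling.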
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
[@PTL_AS4U8_mwb02 conf]# vi workers.properties
#添加以下内容,worker1在Tomcat的server.xml中配置AJP时使用,端口对应Tomcat的AJP端口
# Workers that mod_jk starts; worker1 is the name the JkMount directive refers to.
worker.list=worker1
# Set properties for worker1
# ajp13: talk to Tomcat over the AJP 1.3 protocol.
worker.worker1.type=ajp13
# Tomcat is addressed on the loopback interface, so the httpd-to-Tomcat hop stays on this host.
worker.worker1.host=localhost
# Must match the port of the AJP connector defined in Tomcat's server.xml.
worker.worker1.port=8009
# NOTE(review): lbfactor is a load-balancing weight; worker1 is listed directly rather than under an lb-type worker, so it presumably has no effect here - confirm.
worker.worker1.lbfactor=50
[@PTL_AS4U8_mwb02 conf]# vi httpd.conf
#添加以下内容
LoadModule jk_module modules/mod_jk.so
Include conf/mod_jk.conf
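#设置访问权限:注释掉 Deny from all。注意:这几行通常位于根目录的 <Directory /> 块中,注释后httpd对整个文件系统不再默认拒绝访问;更稳妥的做法是保留 Deny from all,只对需要对外提供的目录单独配置 Allow。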
Options FollowSymLinks
AllowOverride None
Order deny,allow
#Deny from all
[@PTL_AS4U8_mwb02 conf]# vi httpd.conf
#注释HTTP默认协议端口80
#Listen 80
#去掉加载httpd-ssl.conf命令前的注释
Include conf/extra/httpd-ssl.conf
[@PTL_AS4U8_mwb02 conf]# cd extra
[@PTL_AS4U8_mwb02 extra]# vi httpd-ssl.conf
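# General setup for the virtual host
# NOTE: DocumentRoot below is the unpacked CAS webapp, so only the "JkMount /*" rule keeps httpd from serving files under WEB-INF (including deployerConfigContext.xml) directly; denying access to WEB-INF in httpd as well is a sensible backstop.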
DocumentRoot "/opt/services/apache-tomcat-5.5.23/webapps/cas"
ServerName sso.domain.com:443
#ServerAdmin you@example.com
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
JkMount /* worker1
#下面两项在httpd-ssl.conf中已经存在,只需把路径改为自己的证书和私钥文件(私钥文件应设置为仅root可读)
SSLCertificateFile "/opt/data/domain.com.crt"
SSLCertificateKeyFile "/opt/data/domain.com.key"
[@PTL_AS4U8_mwb02 data]# mv cas.war /opt/services/apache-tomcat-5.5.23/webapps
[@PTL_AS4U8_mwb02 data]#/opt/services/apache-tomcat-5.5.23/bin/startup.sh
测试cas服务:在浏览器输入 http://server:8080,进入cas登录页面。默认为简单用户验证,用户名和密码相同即可通过验证;该模式仅用于测试,正式使用前必须按后文改为LDAP认证。测试通过后,修改Tomcat的server.xml,把8080端口的HTTP连接器注释掉,只保留供httpd使用的AJP连接器:
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080
<Connector port="8080" maxHttpHeaderSize="8192"
URIEncoding="utf-8"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
-->
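<!-- Define an AJP 1.3 Connector on port 8009. AJP trusts whatever connects to it, and httpd reaches it via localhost (see workers.properties), so adding address="127.0.0.1" to this Connector keeps the port off external interfaces. -->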
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" URIEncoding="utf-8" />
<!-- You should set jvmRoute to support load-balancing via AJP ie : -->
<Engine name="Catalina" defaultHost="localhost" jvmRoute="worker1" />
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
-->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlvalidation="false" xmlnamespaceAware="false">
<!-- Context要自己手动配置 -->
<Context path="" docBase="/opt/services/apache-tomcat-5.5.23/webapps/cas" reloadable="true" crossContext="true"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="cas_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
修改cas.war/WEB-INF/deployerConfigContext.xml配置
<!-- 注释掉简单模式认证(用户名与密码相同即可登录,不能保留在正式环境中) -->
<!--
<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
-->
<!-- 增加ldap认证处理程序 -->
<bean class="org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler">
<property name="filter" value="%u" />
<property name="contextSource" ref="contextSource" />
</bean>
<!-- 增加ldap的contextSource。注意:simple绑定在 ldap:// 下会以明文传输密码,建议改用 ldaps:// 并校验服务器证书;下面的 userDn/password 以明文保存在本文件中,应限制该文件的读取权限 -->
<bean id="contextSource"
class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="true"/>
<property name="urls">
<list><value>ldap://XXXX</value></list>
</property>
<property name="userDn" value="{XXXX}"/>
<property name="password" value="{XXXX}"/>
<property name="baseEnvironmentProperties">
<map>
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>