CASifying Zimbra 6.0

From Zimbra :: Wiki

Jump to: navigation, search
Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 7.0 Article  ZCS 7.0
  ZCS 6.0 Article  ZCS 6.0


Go to https://wiki.jasig.org/pages/viewpage.action?pageId=28213257 to see original article.

Contents

Configure the Zimbra CACerts keystore

Import your CAS Server certificates (cert and chain if you have one) into the Zimbra CACerts Keystore by executing following commands with the Zimbra user :

/opt/zimbra/java/bin/keytool -import -file casserver.cert -alias cascert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -import -file casserver.chain -alias caschain -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit


Import the Java CAS Client library

This library is usable for implementing custom CAS functionality and for simply CASifying web applications by application of a filter.

1. Download it from http://www.ja-sig.org/downloads/cas-clients/. The client version 3.1.x is working fine with Zimbra 6.0.x and CAS Server 3.3.x. 2. Copy the cas-client-core-3.1.x.jar into /opt/zimbra/jetty/common/lib.

Modify web.xml files

Zimbra Webapp

Add following lines to /opt/zimbra/jetty/etc/zimbra.web.xml.in before the first <servlet> section (~line 230) and replace cas.url.com:port and zimbra.url.com:port.

Default ports are 8443 for the CAS Server and 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) :

<filter>
	<filter-name>CasSingleSignOutFilter</filter-name>
	<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<filter-mapping>
	<filter-name>CasSingleSignOutFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
	<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
	<filter-name>CasAuthenticationFilter</filter-name>
	<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
	<init-param>
		<param-name>casServerLoginUrl</param-name>
		<param-value>https://cas.url.com:port/cas/login</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>https://zimbra.url.com:port</param-value>
	</init-param>
</filter>

<filter-mapping>
	<filter-name>CasAuthenticationFilter</filter-name>
	<url-pattern>/public/preauth.jsp</url-pattern>
</filter-mapping>

<filter>
	<filter-name>CasValidationFilter</filter-name>
	<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
	<init-param>
		<param-name>casServerUrlPrefix</param-name>
		<param-value>https://cas.url.com:port/cas</param-value>
	</init-param>
	<init-param>
		<param-name>serverName</param-name>
		<param-value>https://zimbra.url.com:port</param-value>
	</init-param>
	<init-param>
		<param-name>redirectAfterValidation</param-name>
		<param-value>true</param-value>
	</init-param>
</filter>

<filter-mapping>
	<filter-name>CasValidationFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
	<filter-name>CasHttpServletRequestWrapperFilter</filter-name>
	<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter-mapping>
	<filter-name>CasHttpServletRequestWrapperFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>


If you are using Zimbra Proxy, you may need to modify the redirectAfterValidation param in the CasValidationFilter to prevent Safari and Chrome users from getting the "too many redirects" error. Replace the existing redirectAfterValidation param section with the following.

<init-param>
  <param-name>redirectAfterValidation</param-name>
  <param-value>false</param-value>
 </init-param>

ZimbraAdmin Webapp

Add same lines as before to /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in before the first <servlet> section (~line 230), and replace cas.url.com:port and zimbra.url.com:port.

Default ports are 8443 for the CAS Server and 7071 for the Zimbra Admin Console.

Create the PreAuth key

Execute the following command with the Zimbra user :

zmprov gdpak yourdomain.com

This will create the PreAuth key "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9".

Create preauth.jsp files

Zimbra Webapp

1. Copy the preauth.jsp-zimbra file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp.

2. Replace the DOMAIN_KEY with the key you previously generate with zmprov :

public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";

3. Replace yourdomaine.com with your domain at line 90.

ZimbraAdmin Webapp

1. Copy the preauth.jsp-zimbraadmin file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp.

2. Replace the DOMAIN_KEY with the key you previously generate with zmprov :

public static final String DOMAIN_KEY =	"359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";

3. Replace yourdomaine.com with your domain at line 92.

Replace login and logout URLs

Execute following commands with the Zimbra user :

zmprov md yourdomain.com zimbraWebClientLoginURL https://zimbra.url.com:port/zimbra/public/preauth.jsp
zmprov md yourdomain.com zimbraWebClientLogoutURL https://cas.url.com:port/cas/logout
zmprov md yourdomain.com zimbraAdminConsoleLoginURL https://zimbra.url.com:port/zimbraAdmin/public/preauth.jsp
zmprov md yourdomain.com zimbraAdminConsoleLogoutURL https://cas.url.com:port/cas/logout

Replace cas.url.com:port and zimbra.url.com:port.

Default ports are 8443 for the CAS Server, 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) and 7071 for the Zimbra Admin Console.

Restart Zimbra

Execute following commands with the Zimbra user:

zmcontrol stop
zmcontrol start


Verified Against: unknown Date Created: 11/29/2009
Article ID: http://wiki.zimbra.com/index.php?title=CASifying_Zimbra_6.0 Date Modified: 07/5/2013
Personal tools