1. Set Zimbra to use HTTPS

    su - zimbra -c "/opt/zimbra/bin/zmtlsctl redirect"
  2. Configure the Zimbra CACerts keystore

    Import your CAS Server certificates (cert and chain if you have one) into the Zimbra CACerts Keystore by executing following commands with the root user :

    /opt/zimbra/java/bin/keytool -import -file casserver.cert -alias cascert -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    /opt/zimbra/java/bin/keytool -import -file casserver.chain -alias caschain -trustcacerts -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
  3. Import the Java CAS Client library

    This library is usable for implementing custom CAS functionality and for simply CASifying web applications by application of a filter.

    1. Download it from http://www.ja-sig.org/downloads/cas-clients/. The client version 3.1.x is working fine with Zimbra 6.0.x and CAS Server 3.3.x.
    2. Copy the cas-client-core-3.1.x.jar into /opt/zimbra/jetty/common/lib.
  4. Modify web.xml files

    1. Zimbra Webapp

      Backup the current zimbra.web.xml.in

      cp /opt/zimbra/jetty/etc/zimbra.web.xml.in /opt/zimbra/jetty/etc/zimbra.web.xml.in.bak

      Add following lines to /opt/zimbra/jetty/etc/zimbra.web.xml.in before the first <servlet> section (~line 230) and replace sso-server.mymydomain.com:8445 and webmail.mymydomain.com
      Default ports are 8443 for the CAS Server and 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) :

    2. ZimbraAdmin Webapp

      Backup the current zimbraAdmin.web.xml.in

      cp /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in.bak

      Add following lines to /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in before the first <servlet> section (~line 230), and replace sso-server.mymydomain.com:8445 and webmail.mymydomain.com:7071.
      Default ports are 8443 for the CAS Server and 7071 for the Zimbra Admin Console.

  5. Create the PreAuth key

    Execute the following command with the Zimbra user :

    zmprov gdpak mymydomain.com

    This will create the PreAuth key “359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9”.

  6. Create preauth.jsp files

    1. Zimbra Webapp
      1. Copy the preauth.jsp-zimbra file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp.
      2. Replace the DOMAIN_KEY with the key you previously generate with zmprov:
        public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
      3. Replace yourdomaine.com with your domain at line 90.
      4. Execute the following command with the root user :
        chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbra/public/preauth.jsp
    2. ZimbraAdmin Webapp
      1. Copy the preauth.jsp-zimbraadmin file (download it from this wiki page attachments) to /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp.
      2. Replace the DOMAIN_KEY with the key you previously generate with zmprov:
        public static final String DOMAIN_KEY = "359d722926fc3daebd0fee5d8b9dad9bbe1646e68041afa8ab662c6a9152e6b9";
      3. Replace yourdomaine.com with your domain at line 92.
      4. Execute the following command with the root user :
        chown zimbra:zimbra /opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth.jsp
  7. Replace login and logout URLs

    Execute following commands as the Zimbra user :

    zmprov md webmail.mymydomain.com zimbraWebClientLoginURL https://webmail.mymydomain.com/zimbra/public/preauth.jsp
    zmprov md webmail.mymydomain.com zimbraWebClientLogoutURL https://sso-server.mymydomain.com:8445/cas/logout
    zmprov md webmail.mymydomain.com zimbraAdminConsoleLoginURL https://webmail.mymydomain.com:7071/zimbraAdmin/public/preauth.jsp
    zmprov md webmail.mymydomain.com zimbraAdminConsoleLogoutURL https://sso-server.mymydomain.com:8445/cas/logout

    Replace sso-server.mymydomain.com:port and webmail.mymydomain.com:port.

    Default ports are 8443 for the CAS Server, 443 for the Zimbra Web Client (or 80 if HTTP is used instead of HTTPS) and 7071 for the Zimbra Admin Console.

  8. Zimbra Admin logout to remove SSO ticket
    In order to logout from Zimbra Admin and remove SSO ticket, the following compressed Javascript file within Zimbra installation had to be changed:

    mkdir /root/workspace
    cd /root/workspace
    cp /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz.bak
    cp /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz .
    gunzip -S zgz Admin_all.js.zgz

    Above will expand file “Admin_all.js.” Open the file in your prefered text editor and append the following line

    if (location.pathname=="/zimbraAdmin/") { o = https://sso-server.mymydomain.com:8445/cas/logout;}

    after line

    var o=location.protocol+"//"+location.hostname+((location.port=="80")?"":":"+location.port)+location.pathname+location.search;

    in to logoff function so it looks like

    ZaZimbraAdmin.logOff=function(){
    ZmCsfeCommand.clearAuthToken();
    window.onbeforeunload=null;
    var t=DwtShell.getShell(window);
    t.setBusy(true);
    var o=location.protocol+"//"+location.hostname+((location.port=="80")?"":":"+location.port)+location.pathname+location.search;
    if (location.pathname=="/zimbraAdmin/") {
    }
    var e=new AjxTimedAction(null,ZaZimbraAdmin.redir,[o]);
    AjxTimedAction.scheduleAction(e,100)
    };

    Now compress the file back and copy back to original folder, please note the period symbol “.” following filename

    gzip -S zgz Admin_all.js.
    cp Admin_all.js.zgz /opt/zimbra/jetty/webapps/zimbraAdmin/js/Admin_all.js.zgz
  9. Restart Zimbra

    Execute the following command with the Zimbra user :

    zmcontrol restart
Advertisements