Add CAS SSL Certificate to Java’s keystore

Make sure that $JAVA_HOME points to the JRE version that Confluence is using.

# openssl s_client -showcerts -connect sso-server.mydomain.com:8445 2>/dev/null </dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | keytool -import -alias casalias -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

Note: This is not to be confused with Confluence's own SSL certificate; this step is purely to get Java to recognise the CAS server's SSL certificate.
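The one-liner above trusts whatever certificate the connection returns when it is run. As an added example (not part of the original post), this Python script imports the CAS certificate only when its SHA-256 fingerprint matches a value obtained out of band from the CAS administrator; the function names are assumptions, while the alias and store password are the ones used above.

```python
import hashlib
import ssl
import subprocess
import sys
import tempfile


def normalize_pin(pin):
    """Reduce 'SHA256 Fingerprint=AB:CD:..', 'ab:cd:..' or 'ABCD..' to bare uppercase hex."""
    return pin.split("=")[-1].replace(":", "").replace(" ", "").strip().upper()


def pem_fingerprint(pem):
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()


def pin_matches(pem, expected_pin):
    return pem_fingerprint(pem) == normalize_pin(expected_pin)


def import_if_pinned(host, port, expected_pin, keystore,
                     alias="casalias", storepass="changeit"):
    # Fetch the leaf certificate without validating it; the pin is the trust decision.
    pem = ssl.get_server_certificate((host, port))
    if not pin_matches(pem, expected_pin):
        raise SystemExit(f"fingerprint mismatch for {host}:{port}: {pem_fingerprint(pem)}")
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as cert_file:
        cert_file.write(pem)
        cert_file.flush()
        # -noprompt is acceptable here only because the fingerprint was already checked.
        subprocess.run(["keytool", "-importcert", "-noprompt", "-alias", alias,
                        "-file", cert_file.name, "-keystore", keystore,
                        "-storepass", storepass], check=True)


if __name__ == "__main__":
    # usage: script.py HOST PORT EXPECTED_SHA256 KEYSTORE_PATH
    host, port, pin, keystore = sys.argv[1:5]
    import_if_pinned(host, int(port), pin, keystore)
```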

Confluence SSL Certificate

To install an SSL certificate, follow Tomcat SSL Certificates.

Install CAS Client libraries:

  1. Download the latest CAS client from http://www.jasig.org/cas/download and transfer the file to CONFLUENCE_HOST.
  2. Open SSH client and connect to CONFLUENCE_HOST.
  3. Username: root / ….
  4. Open a console and change directory (cd) to the directory to which you transferred the ‘*.tar.gz’ file
  5. Set confluence variables
    export CONFLUENCE_INSTALL=/opt/atlassian/confluence
    export CONFLUENCE_HOME=/var/atlassian/application-data/confluence
  6. Expand files
    tar -xzvf cas-client-X.Y.tar.gz
  7. Copy cas client files to confluence
    cp cas-client-X.Y/modules/cas-client-core-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/
    cp cas-client-X.Y/modules/cas-client-integration-atlassian-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/

Modify the web.xml

Add the CAS Filters to the end of the filter list.
$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Filters -->
<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
  <filter-name>CasAuthenticationFilter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://sso-server.mydomain.com:8445/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://wiki.mydomain.com:8090</param-value>
  </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://sso-server.mydomain.com:8445/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://wiki.mydomain.com:8090</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<!-- CAS:END -->

Before the login filter-mapping add:

$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Filter Mappings -->
<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.action</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- CAS:END -->

Add the Single Sign Out listener to the list of listeners as well:
$CONFLUENCE_INSTALL/confluence/WEB-INF/web.xml

<!-- CAS:START - Java Client Single Sign Out Listener -->
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- CAS:END -->
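A misplaced mapping or a plain-http URL in these web.xml edits is easy to miss, so here is an added check (not part of the original post or of the CAS client) that parses web.xml and reports missing CAS filters, CAS mappings that are out of the order listed above or placed after the login mapping, non-https CAS URLs, and a missing Single Sign Out listener. The function names and the assumption that Confluence's login filter is named `login` are mine.

```python
import xml.etree.ElementTree as ET

CAS_ORDER = ["CasSingleSignOutFilter", "CasAuthenticationFilter", "CasValidationFilter"]
URL_PARAMS = {"casServerLoginUrl", "casServerUrlPrefix", "serverName"}
SSO_LISTENER = "org.jasig.cas.client.session.SingleSignOutHttpSessionListener"

def _children(parent, name):
    # Match on the local name so a namespaced <web-app> works too.
    return [c for c in parent if c.tag.rsplit("}", 1)[-1] == name]

def _text(parent, name):
    found = _children(parent, name)
    return (found[0].text or "").strip() if found else ""

def lint_web_xml(xml_text, login_filter="login"):  # "login" is an assumed filter name
    root, problems = ET.fromstring(xml_text), []
    filters = {_text(f, "filter-name"): f for f in _children(root, "filter")}
    mapped = [_text(m, "filter-name") for m in _children(root, "filter-mapping")]
    for name in CAS_ORDER:
        if name not in mapped:
            problems.append(f"missing filter-mapping: {name}")
        if name not in filters:
            problems.append(f"missing filter: {name}")
        for p in _children(filters.get(name, ()), "init-param"):
            key, value = _text(p, "param-name"), _text(p, "param-value")
            if key in URL_PARAMS and not value.startswith("https://"):
                problems.append(f"{name}.{key} is not https: {value}")
    pos = [mapped.index(n) for n in CAS_ORDER if n in mapped]
    if pos != sorted(pos):
        problems.append("CAS filter-mappings out of order")
    if login_filter in mapped and any(i > mapped.index(login_filter) for i in pos):
        problems.append(f"CAS filter-mapping after '{login_filter}' mapping")
    if SSO_LISTENER not in [_text(x, "listener-class") for x in _children(root, "listener")]:
        problems.append("missing SingleSignOutHttpSessionListener")
    return problems

# Constructed sample (not a real Confluence web.xml), trimmed to what the check reads.
SAMPLE = """<web-app>
<filter><filter-name>CasSingleSignOutFilter</filter-name></filter>
<filter><filter-name>CasValidationFilter</filter-name></filter>
<filter><filter-name>CasAuthenticationFilter</filter-name><init-param><param-name>serverName</param-name>
 <param-value>http://wiki.mydomain.com:8090</param-value></init-param></filter>
<filter-mapping><filter-name>CasSingleSignOutFilter</filter-name></filter-mapping>
<filter-mapping><filter-name>CasAuthenticationFilter</filter-name></filter-mapping>
<filter-mapping><filter-name>login</filter-name></filter-mapping>
<filter-mapping><filter-name>CasValidationFilter</filter-name></filter-mapping>
</web-app>"""
if __name__ == "__main__":
    print("\n".join(lint_web_xml(SAMPLE)) or "ok")
```

Run it against the real file with `lint_web_xml(open(path).read())` after each edit and before restarting Confluence.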

Modify the seraph-config.xml

CAS Login links

$CONFLUENCE_INSTALL/confluence/WEB-INF/classes/seraph-config.xml

<init-param>
    <param-name>login.url</param-name>
    <!--<param-value>/login.action?os_destination=${originalurl}</param-value>-->
    <param-value>https://sso-server.mydomain.com:8445/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
    <param-name>link.login.url</param-name>
    <!--<param-value>/login.action</param-value>-->
    <param-value>https://sso-server.mydomain.com:8445/cas/login?service=${originalurl}</param-value>
</init-param>

CAS Authenticator

Comment out the DefaultAuthenticator and add in the JASIG CAS Confluence Authenticator
$CONFLUENCE_INSTALL/confluence/WEB-INF/classes/seraph-config.xml

<!-- CAS:START - Java Client Confluence Authenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.ConfluenceCasAuthenticator"/>
<!-- CAS:END -->

CAS Logout instead of Confluence logout

Atlassian doesn’t support a config option for this yet (as Jira does); please vote up the feature request here: http://jira.atlassian.com/browse/CONF-4931
To rely on the Single Sign Out functionality to sign out of Confluence, we need to modify the logout link:

  1. Copy $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/confluence-x.x.x.jar to a temporary directory
    mkdir /tmp/confluence-jar && cp $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/confluence-3.0.1.jar /tmp/confluence-jar
  2. Unpack the jar
    cd /tmp/confluence-jar && jar xvf confluence-3.0.1.jar
  3. Copy xwork.xml to $CONFLUENCE_INSTALL/confluence/WEB-INF/classes
    cp xwork.xml $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/ && cd $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/
  4. Edit $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/xwork.xml, find the logout action, comment out the success result and replace it with this one
    $CONFLUENCE_INSTALL/confluence/WEB-INF/classes/xwork.xml
    <!--            <result name="success" type="velocity">/logout.vm</result> -->
    <!-- CAS:START - CAS Logout Redirect -->
    <result name="success" type="redirect">https://sso-server.mydomain.com:8445/cas/logout</result>
    <!-- CAS:END -->