SQL Servers uses two different types of authentication

  1. SQL Server Authentication: is using users who are created on the SQL Server
  2. Windows Authentication: is using users from Active Directory

This tutorial utilises JTDS to connect SQL Server which allows Windows Authentication

  • Download JTDS from http://jtds.sourceforge.net and extract
  • Copy jtds-x.x.x.jar to <TOMCAT-INSTALL>/lib
  • Edit <TOMCAT-INSTALL>/conf/server.xml file and add following between Context tags for the web app that needs connection
    To connect using

    • SQL Server Authentication
      	validationQuery="SELECT 1"
    • Windows Authentication
      	validationQuery="SELECT 1"
  • Restart Tomcat

Attach Disk

First of all attach a disk to the Linux Box by following Attach Disk to Live Linux

Create new partition

  • As root user run fdisk on new disk, this tutorial will use /dev/sdd as example. Output will look like
    $ fdisk /dev/sdd
    Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
    Building a new DOS disklabel with disk identifier 0x925579ba.
    Changes will remain in memory only, until you decide to write them.
    After that, of course, the previous content won't be recoverable.
    Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
    WARNING: DOS-compatible mode is deprecated. It's strongly recommended to
             switch off the mode (command 'c') and change display units to
             sectors (command 'u').
    Command (m for help):
  • Create a new partition by typing letter ‘n‘ and hit enter, to create a primary partition type ‘p‘, followed by partition number e.g. ‘1‘ and then accept default cylinder numbers by hitting enter to use the maximum space on the disk,
    Output would like like

    Command (m for help): n
    Command action
       e   extended
       p   primary partition (1-4)
    Partition number (1-4): 1
    First cylinder (1-2088, default 1):
    Using default value 1
    Last cylinder, +cylinders or +size{K,M,G} (1-2088, default 2088):
    Using default value 2088
    Command (m for help):
  • Change the type of the partition to Linux LVM by hitting ‘t’ followed by ‘8e’
    Command (m for help): t
    Selected partition 1
    Hex code (type L to list codes): 8e
    Changed system type of partition 1 to 8e (Linux LVM)
    Command (m for help):
  • to see the result hit ‘p’, please note the device path in the output, in this example “/dev/sdd1”
    Command (m for help): p
    Disk /dev/sdd: 17.2 GB, 17179869184 bytes
    255 heads, 63 sectors/track, 2088 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disk identifier: 0x925579ba
       Device Boot      Start         End      Blocks   Id  System
    /dev/sdd1               1        2088    16771828+  8e  Linux LVM
    Command (m for help):
  • to write changes and exit hit ‘w’
    Command (m for help): w
    The partition table has been altered!
    Calling ioctl() to re-read partition table.
    Syncing disks.
  • use pvcreate to setup the newly created partition
    pvcreate /dev/sdd1

Extend existing volume group on to new partition

  • Run vgdisplay to get list of volume groups
    $ vgdisplay
      --- Volume group ---
      VG Name               ubuntu-template
      System ID
      Format                lvm2
      Metadata Areas        1
      Metadata Sequence No  3
      VG Access             read/write
      VG Status             resizable
      MAX LV                0
      Cur LV                2
      Open LV               2
      Max PV                0
      Cur PV                1
      Act PV                1
      VG Size               19.76 GiB
      PE Size               4.00 MiB
      Total PE              5058
      Alloc PE / Size       5054 / 19.74 GiB
      Free  PE / Size       4 / 16.00 MiB
      VG UUID               RIgBdX-r2aN-s0Dn-kkkh-ZkVr-rHDM-AycDtH
      --- Volume group ---
      VG Name               ubuntuserver
      System ID
      Format                lvm2
      Metadata Areas        3
      Metadata Sequence No  6
      VG Access             read/write
      VG Status             resizable
      MAX LV                0
      Cur LV                2
      Open LV               2
      Max PV                0
      Cur PV                3
      Act PV                3
      VG Size               43.82 GiB
      PE Size               4.00 MiB
      Total PE              11218
      Alloc PE / Size       5537 / 21.63 GiB
      Free  PE / Size       5681 / 22.19 GiB
      VG UUID               ZoXbMV-LtZL-TRT1-MIFi-04xr-CFB3-rYTKxs
  • in above output we will be extending “ubuntuserver” volume group by running
    vgextended ubuntuserver /dev/sdd1

Extend existing logical volume onto new space

  • Get the file path for the logical volume
    $ ls -la /dev/ubuntuserver
    total 0
    drwxr-xr-x  2 root root   80 2012-10-11 10:57 .
    drwxr-xr-x 15 root root 3940 2012-10-11 13:00 ..
    lrwxrwxrwx  1 root root   27 2012-10-11 10:59 root -> ../mapper/ubuntuserver-root
    lrwxrwxrwx  1 root root   29 2012-10-09 12:51 swap_1 -> ../mapper/ubuntuserver-swap_1
  • use lvextend
    • to use all of the new space
      lvextend /dev/ubuntuserver/root /dev/sdd1
    • to increase by by 20GB, provided that /dev/sdd1 has the free space available
      lvextend -L +20G /dev/ubuntuserver/root /dev/sdd1

Extend Filesystem

The command to use depends on the file system that is currently in use.

  • For ext3/4
    ext2online /dev/ubuntuserver/root


    resize2fs /dev/ubuntuserver/root
  • For reiserfs
    resize_reiserfs /dev/ubuntuserver/root

Finally, check disk space to see the expanded disk space

df -h

Initial Setup

First you have to create a new private key within an existing or new keystore using keytool:

keytool -genkeypair -keyalg rsa -keystore keystorename -storepass keystorepassword -alias my_new_key
  • to protect the new private key by its own keypassword within the keystore you have to add the keypass option
  • if you don’t use the keypass option the keystore password is used to protect the private key
  • accordingly in order to delete a key password (which is not possible with keytool btw), you have to copy the keystore password to the key password
  • if you want to use the key as a client certifcate use RSA as key algorithm, instead of default DSA, because many servers (e.g IBM MQ) only accept RSA client certs

The next task is to generate a CSR, even if you want to create a self signed certifcate:

keytool -certreq -alias my_new_key -keystore keystorename -storepass keystorepassword -file my_new.csr

Now it is time to either send the CSR to the CA of your choice, or to sign it by your own CA using openssl:

openssl x509 -req -in my_new.csr -CA my_ca.crt -CAkey my_ca.key -out my_new.crt -days 365 -CAcreateserial -CAserial my_ca.seq

In case your certificate is not selfsigned, you first have to import the certificate of the CA, and in case all intermediate CAs, that signed your CSR. After that, by importing the certficate the chain of trust will be established.

keytool -import -alias my_ca -file ca.crt -keystore keystorename -storepass keystorepassword

You have to enter either “yes” or use.

Finally the signed certificate has to be imported into the keystore using the same alias as the private key:

keytool -import -alias my_new_key -file my_new.crt -keystore keystorename -storepass keystorepassword

Examing the keystore

To see what’s inside any given keystore:

keytool -list -keystore keystorename

for example:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

my_key, Sep 26, 2007, keyEntry,
Certificate fingerprint (MD5): BA:22:E1:9E:9D:83:05:5A:99:42:5E:EF:62:77:DE:5A
my_ca, Sep 26, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 4E:B5:B6:7A:02:F8:F8:6E:5E:79:FB:84:65:75:42:68

To get detailed information, like issuer for an alias use “-v”!

Change keystore passpharse

To change to keystore passphrase use the following keytool command:

keytool -storepasswd -keystore keystorename

If you use JDK 1.6 keytool you have to change the keypasswd for all private keys within the keystore as well!

OpenSSL and Keystores

A common task is to exchange keys and certificates between apache webserver, ssl loadbalancer or java application server such as tomcat or BEA Weblogic. This means to convert keys and certificates from PEM,DER or PKCS12 to or from java keystores. The standard keytool is able to import or export certificates, but there is no way to do so with private keys.

Export certifcate:

keytool -export -rfc -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword

Import certificate:

keytool -import -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword

Import private key:

In order to import an exisiting private key you first have to get and compile the ImportKey.java, see end of the page, tool. I added options to import keys and certs into an existing keystore as well as setting the keystore passphrase via the command line.

Usage: java ImportKey keyfile certfile [alias] [keystore] [keystore_passphrase]

The key has to be in DER format, which can be easily done with openssl:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

In case of a self signed certifcate use:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

If the certifcate is signed by a foreign CA or even signed by intermediate CA(s) use:

openssl crl2pkcs7 [-certfile ca_intermediate.pem] -certfile ca.pem -in cert.pem -inform PEM -out cert.der -outform DER -nocrl

This will create a PKCS#7 container using DER format including the correct certificate chain.

Then build a new keystore using both key and certificate:

java ImportKey key.der cert.der my_alias

Export private key:

This is based on information from Mark Foster’s wiki.

In order to export any private key from an existing keystore download and compile ExportPriv.java. After compiling it run:

java ExportPriv &gt; exported.key

The key will be exported into exported.key file in PKCS#8 PEM format. This can be converted into RSA format which is needed by apache with:

openssl pkcs8 -inform PEM -nocrypt -in exported.key -out exported_rsa.key

Various needful commands

Convert PEM to PKCS12

To create a pkcs12 container from a pem private key and cert use:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12

Export key and cert from PKCS12 to PEM

If you have a pkcs12 container and its passphrase. use the following command to extract the private key and client certificate only (-clcerts), without encrypting the exported private key again (-nodes):

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

As you will probably notice, both key and certificate are combined into one file. If you need them seperatly you can either split the file using your favorite editor by simply save everything between (and including) each of the —–BEGIN—– and —–END—– lines to separate files or use the following two commands to export them seperatly:

openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts

Remove passphrase of private key

It will prompt for current passphrase:

openssl rsa -in oldkey.pem -out newkey.pem

Change passphrase of private key

It will prompt for old passphrase and twice for new one:

openssl rsa [-des3|-aes128] -in oldkey.pem -out newkey.pem

View details of a certificate signing request CSR

openssl req -noout -text -in server.csr


Graphical Keytool Tool

import java.security.*;
import java.io.IOException;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.DataInputStream;
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.security.spec.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Iterator;

 * ImportKey.java
 * &lt;p&gt;This class imports a key and a certificate into a keystore
 * (&lt;code&gt;$home/keystore.ImportKey&lt;/code&gt;). If the keystore is
 * already present, it is simply deleted. Both the key and the
 * certificate file must be in &lt;code&gt;DER&lt;/code&gt;-format. The key must be
 * encoded with &lt;code&gt;PKCS#8&lt;/code&gt;-format. The certificate must be
 * encoded in &lt;code&gt;X.509&lt;/code&gt;-format.&lt;/p&gt;
 * &lt;p&gt;Key format:&lt;/p&gt;
 * &lt;p&gt;&lt;code&gt;openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der
 * -outform der&lt;/code&gt;&lt;/p&gt;
 * &lt;p&gt;Format of the certificate:&lt;/p&gt;
 * &lt;p&gt;&lt;code&gt;openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform
 * der&lt;/code&gt;&lt;/p&gt;
 * &lt;p&gt;Import key and certificate:&lt;/p&gt;
 * &lt;p&gt;&lt;code&gt;java comu.ImportKey YOUR.KEY.der YOUR.CERT.der&lt;/code&gt;&lt;/p&gt;&lt;br /&gt;
 * &lt;p&gt;&lt;em&gt;Caution:&lt;/em&gt; the old &lt;code&gt;keystore.ImportKey&lt;/code&gt;-file is
 * deleted and replaced with a keystore only containing &lt;code&gt;YOUR.KEY&lt;/code&gt;
 * and &lt;code&gt;YOUR.CERT&lt;/code&gt;. The keystore and the key has no password;
 * they can be set by the &lt;code&gt;keytool -keypasswd&lt;/code&gt;-command for setting
 * the key password, and the &lt;code&gt;keytool -storepasswd&lt;/code&gt;-command to set
 * the keystore password.
 * &lt;p&gt;The key and the certificate is stored under the alias
 * &lt;code&gt;importkey&lt;/code&gt;; to change this, use &lt;code&gt;keytool -keyclone&lt;/code&gt;.
 * Created: Fri Apr 13 18:15:07 2001
 * Updated: Fri Apr 19 11:03:00 2002
 * @author Joachim Karrer, Jens Carlberg
 * @version 1.1
public class ImportKey  {

     * &lt;p&gt;Creates an InputStream from a file, and fills it with the complete
     * file. Thus, available() on the returned InputStream will return the
     * full number of bytes the file contains&lt;/p&gt;
     * @param fname The filename
     * @return The filled InputStream
     * @exception IOException, if the Streams couldn't be created.
    private static InputStream fullStream ( String fname ) throws IOException {
        FileInputStream fis = new FileInputStream(fname);
        DataInputStream dis = new DataInputStream(fis);
        byte[] bytes = new byte[dis.available()];
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        return bais;

     * &lt;p&gt;Takes two file names for a key and the certificate for the key,
     * and imports those into a keystore. Optionally it takes an alias
     * for the key.
     * &lt;p&gt;The first argument is the filename for the key. The key should be
     * in PKCS8-format.
     * &lt;p&gt;The second argument is the filename for the certificate for the key.
     * &lt;p&gt;If a third argument is given it is used as the alias. If missing,
     * the key is imported with the alias importkey
     * &lt;p&gt;The name of the keystore file can be controlled by setting
     * the keystore property (java -Dkeystore=mykeystore). If no name
     * is given, the file is named &lt;code&gt;keystore.ImportKey&lt;/code&gt;
     * and placed in your home directory.
     * @param args [0] Name of the key file, [1] Name of the certificate file
     * [2] Alias for the key.
    public static void main ( String args[]) {

        // change this if you want another password by default
        String keypass = &quot;changeit&quot;;

        // change this if you want another alias by default
        String defaultalias = &quot;acpcas&quot;;

        // change this if you want another keystorefile by default
        String keystorename = System.getProperty(&quot;keystore&quot;);

        if (keystorename == null)
            keystorename = &quot;keystore.ImportKey&quot;;

        // parsing command line input
        String keyfile = &quot;&quot;;
        String certfile = &quot;&quot;;
        if (args.length &lt; 2 || args.length&gt;5) {
            System.out.println(&quot;Usage: java comu.ImportKey keyfile certfile [alias] [keystore] [keystore_passphrase] &quot;);
        } else {
            keyfile = args[0];
            certfile = args[1];
            if (args.length&gt;2)
                defaultalias = args[2];
            if (args.length&gt;3)
                keystorename = args[3];
            if (args.length&gt;4)
                keypass = args[4];

        try {
            // initializing and clearing keystore
            KeyStore ks = KeyStore.getInstance(&quot;JKS&quot;, &quot;SUN&quot;);

            try {
		ks.load(new FileInputStream ( keystorename ), keypass.toCharArray());
                System.out.println(&quot;Using keystore-file : &quot;+keystorename);
	    } catch ( IOException e) {
                System.out.println(&quot;Creating keystore : &quot;+keystorename);
                ks.load( null , keypass.toCharArray());
                ks.store(new FileOutputStream ( keystorename  ), keypass.toCharArray());

            // loading Key
            InputStream fl = fullStream (keyfile);
            byte[] key = new byte[fl.available()];
            KeyFactory kf = KeyFactory.getInstance(&quot;RSA&quot;);
            fl.read ( key, 0, fl.available() );
            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
            PrivateKey ff = kf.generatePrivate (keysp);

            // loading CertificateChain
            CertificateFactory cf = CertificateFactory.getInstance(&quot;X.509&quot;);
            InputStream certstream = fullStream (certfile);

            Collection c = cf.generateCertificates(certstream) ;
            Certificate[] certs = new Certificate[c.toArray().length];

            if (c.size() == 1) {
                certstream = fullStream (certfile);
                System.out.println(&quot;One certificate, no chain.&quot;);
                Certificate cert = cf.generateCertificate(certstream) ;
                certs[0] = cert;
            } else {
                System.out.println(&quot;Certificate chain length: &quot;+c.size());
                certs = (Certificate[])c.toArray();

            // storing keystore
            ks.setKeyEntry(defaultalias, ff,
                           certs );
            System.out.println (&quot;Key and certificate stored.&quot;);
            System.out.println (&quot;Alias:&quot;+defaultalias+&quot;  Password:&quot;+keypass);
            ks.store(new FileOutputStream ( keystorename ),
        } catch (Exception ex) {

}// KeyStore

How do I configure the Internet Protocol version 4 (IPv4) properties of a network connection with a static IP address for servers running Linux operating systems? How do I configure static IP address under Debian Linux or Redhat / RHEL / Fedora / Redhat Enterprise Linux server?
You need to update and/or edit the network configuration files. This tutorial provides procedures to configure a static IP address on a computer running the following operating systems:

  • RHEL / Red hat / Fedora / CentOS Linux eth0 config file – /etc/sysconfig/network-scripts/ifcfg-eth0
  • RHEL / Red hat / Fedora / CentOS Linux eth1 config file – /etc/sysconfig/network-scripts/ifcfg-eth1
  • Debian / Ubuntu Linux – /etc/network/interfaces

Sample Setup: Linux Static TCP/IP Settings
In this example you will use the following Internet Protocol Version 4 (TCP/IPv4) Properties including IP, default gateway, and preferred DNS servers:

  • IP address:
  • Netmask:
  • Hostname: server1.domain.com
  • Domain: domain.com
  • Gateway IP:
  • DNS Server IP # 1:
  • DNS Server IP # 2:

Update following common files

Entries in /etc/hosts must be in the following format:
IPv4_address hostname alias alias …
IPv4_address must be in the first position
hostname is a fully-qualified domain name and must be in the second position.
aliases are optional and follow the address and hostname entries

$ cat /etc/hosts       localhost       server1.domain.com  server1.domain.com  server1
# The following lines are desirable for IPv6 capable hosts
::1     server1.domain.com server1.domain.com server1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
$ cat /etc/hostname

and run

cat -F /etc/hostname

RHEL / Red hat / Fedora / CentOS Linux Static IP Configuration
For static IP configuration you need to edit the following files using a text editor such as vi. Edit /etc/sysconfig/network as follows, enter:

$ cat /etc/sysconfig/network

Edit /etc/sysconfig/network-scripts/ifcfg-eth0, enter:

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0

Edit /etc/resolv.conf and setup DNS servers, enter

$ cat /etc/resolv.conf
#Sample static IP configurations:
search domain.com

Finally, you need to restart the networking service, enter:

$ /etc/init.d/network restart
$ ifconfig eth0
$ route -n
$ ping
$ ping google.com

Debian / Ubuntu Linux Static IP Configuration
Edit /etc/hostname, enter:

$ cat /etc/hostname

Edit /etc/resolv.conf and setup DNS servers, enter:

  1. When resolvconf is installed
    $ cat /etc/network/interfaces
    iface eth0 inet static
         dns-search domain.com
         # To add routing uncomment following line
         #up route add -net netmask gw
  2. When resolvconf is not installed
    $ cat /etc/network/interfaces
    iface eth0 inet static
         # To add routing uncomment following line
         #up route add -net netmask gw
    $ cat /etc/resolv.conf
    search domain.com

Finally, you need to restart the networking service under Debian / Ubuntu Linux, enter:

$ /etc/init.d/networking restart

Type the following commands to verify your new setup, enter:

$ ifconfig eth0
$ route -n
$ ping
$ ping google.com

After attaching the disk run

echo "- - -" > /sys/class/scsi_host/host#/scan
fdisk -l
tail -f /var/log/message

Replace host# with actual value such as host0. You can find scsi_host value using the following command:

ls /sys/class/scsi_host

How Do I Delete a Single Device Called /dev/sdc?
In addition to re-scanning the entire bus, a specific device can be added or existing device deleted using the following command:

# echo 1 > /sys/block/devName/device/delete
# echo 1 > /sys/block/sdc/device/delete

How Do I Add a Single Device Called /dev/sdc?
To add a single device explicitly, use the following syntax:

# echo "scsi add-single-device  <strong>  " > /proc/scsi/scsi


  • <H> : Host
  • <B> : Bus (Channel)
  • <T> : Target (Id)
  • <L> : LUN numbers

For e.g. add /dev/sdc with host # 0, bus # 0, target # 2, and LUN # 0, enter:

# echo "scsi add-single-device 0 0 2 0">/proc/scsi/scsi
# fdisk -l
# cat /proc/scsi/scsi

Un-comment the SSL Connector entry in the $CATALINA_BASE/conf/server.xml as follows;

Without Native Library

Tomcat uses JSSE SSL Connector by default, the connector entry would be as follows;

<Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keyAlias="casalias" keystoreFile="/etc/tomcat6/keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />

Get the certificate from Certificate Authority, then import the certificate on sso-server as follows:

/usr/lib/jvm/java # keytool -import -keystore /etc/tomcat6/keystore -alias casalias -file /home/user/sso.crt
Enter keystore password: ********
Owner: CN=server, DC=domain, DC=com
Issuer: CN=server, DC=domain, DC=com
Serial number: 69fb9d59dca5d781442ced0844ea3d2f
Valid from: Tue Sep 14 15:10:35 BST 2010 until: Mon Sep 14 15:18:38 BST 2015
Certificate fingerprints:
         MD5:  78:A4:5C:22:0E:11:8D:FB:90:0F:1E:4A:ED:88:3E:11
         SHA1: 8C:C9:4E:05:F0:54:13:B3:C7:10:DD:4E:0B:5C:77:31:48:5A:6D:13
Trust this certificate? [no]:  yes
Certificate was added to keystore
With Native Library

To improve the performance of the Apache Tomcat Server you could use the Apache Tomcat Native library.
To install the library just execute:

aptitude install libtcnative-1

and add the following line to the file $CATALINA_HOME/bin/setenv.sh (create the file if it does not exist):

cat /usr/share/tomcat6/skel/bin/setenv.sh

To verify the library is running you will find the following message in $CATALINA_HOME/logs/catalina.out:

INFO: Loaded APR based Apache Tomcat Native library 1.1.19.

Without the Apache Tomcat Native library you will find a message like:

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production

When Apache Tomcat Library is in use Tomcat uses APR SSL Connector and would need a certificate and private key files

cat $CATALINA_BASE/conf/server.xml
<Connector port="8445" protocol="HTTP/1.1" maxHttpHeaderSize="8192"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLCertificateKeyFile="/etc/tomcat6/ssl/server.key" />

Add CAS SSL Certificate to Java’s keystore

Make sure that the $JAVA_HOME points to the correct JRE version that the Confluence is using.

# openssl s_client -showcerts -connect sso-server.mydomain.com:8445 2>/dev/null </dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | keytool -import -alias casalias -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

Note: This is not to be confused with Confluences SSL certificate, this purely to get JAVA to recognise CAS servers SSL certificate.

Confluence SSL Certificate

To install a SSL Certificate follow Tomcat SSL Certificates

Install CAS Client libraries:

  1. Download latest Cas client from http://www.jasig.org/cas/download and transfer the file to CONFLUENCE_HOST
  2. Open SSH client and connect to CONFLUENCE_HOST.
  3. Username: root / ….
  4. Open a console and change directory (cd) to the directory that you have transferd the ‘*.tar.gz’ file
  5. Set confluence variables
    export CONFLUENCE_INSTALL=/opt/atlassian/confluence
    export CONFLUENCE_HOME=/var/atlassian/application-data/confluence
  6. Expand files
    tar -xzvf cas-client-X.Y.tar.gz
  7. Copy cas client files to confluence
    cp cas-client-X.Y/modules/cas-client-core-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/
    			cp cas-client-X.Y/modules/cas-client-integration-atlassian-X.Y.jar $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/

Modify the web.xml

Add the CAS Filters to the end of the filter list.

<!-- CAS:START - Java Client Filters -->
<!--- CAS:END -->

Before the login filter-mapping add:


<!-- CAS:START - Java Client Filter Mappings -->
<!-- CAS:END -->

Add the Single Sign Out listener to the list of listener list too

<!-- CAS:START - Java Client Single Sign Out Listener -->
<!-- CAS:END -->

Modify the seraph-config.xml

CAS Login links



CAS Authenticator

Comment out the DefaultAuthenticator and add in the JASIG CAS Confluence Authenticator

<!-- CAS:START - Java Client Confluence Authenticator -->
<authenticator class="org.jasig.cas.client.integration.atlassian.ConfluenceCasAuthenticator"/>
<!-- CAS:END -->

CAS Logout instead of Confluence logout

Atlassian doesn’t support a config option yet (like Jira), please vote up the feature request here: http://jira.atlassian.com/browse/CONF-4931
To rely on the Single Sign Out functionality to sign off of Confluence we need to modify the logout link

  1. Copy $CONFLUENCE_INSTALL/confluence/WEB-INF/lib/confluence-x.x.x.jar to a temporary directory
    mkdir /tmp/confluence-jar && cp WEB-INF/lib/confluence-3.0.1.jar /tmp/confluence-jar
  2. Unpack the jar
    cd /tmp/confluence-jar && jar xvf confluence-3.0.1.jar
  3. Copy xwork.xml to $CONFLUENCE_INSTALL/WEB-INF/classes
    cp xwork.xml $CONFLUENCE_INSTALL/WEB-INF/classes/ && cd $CONFLUENCE_INSTALL/WEB-INF/classes/
  4. Edit $CONFLUENCE_INSTALL/WEB-INF/classes/xwork.xml, find the logout action and comment out the success result and replace it with this one
    <!--            <result name="success" type="velocity">/logout.vm</result> -->
    <!-- CAS:START - CAS Logout Redirect -->
    <result name="success" type="redirect">https://sso-server.mydomain.com:8445/cas/logout</result>
    <!-- CAS:END -->