Documentum Content Server Central Authentication Service (CAS) SSO
    </c:forEach>

Service Management

While creating proxy tickets and validating proxy tickets, the CAS server verifies whether the target service for which the request is made is registered or not. This section shows how to register a service for Content Server with the CAS server.

Admin User

Create an admin user for the Service Management application of CAS. Edit the userDetailsService bean in WEB-INF/deployerConfigContext.xml and modify the user name. This user should be a valid user, and CAS authentication should work for this user.

    <sec:user-service id="userDetailsService">
        <sec:user name="admin" password="notused" authorities="ROLE_ADMIN"/>
    </sec:user-service>

Create Services

For creating services, CAS provides a service management webapp. To access it, the CAS server first needs to be deployed.

1. Start the CAS server.
2. Access <cas_server_url>/services.
3. It will ask for user credentials. Log in using the admin account created above.
4. A page with the list of services added to the Service Registry is displayed.
5. Click on "Add New Service" or access <cas_server_url>/services/add.html.
6. Fill in the form to create a new service and save the service. Put the same name in "Service URL" as that configured in the CAS plug-in configuration file, as shown in Figure 3.
7. Verify that the service is created.

Tip: By default there is an in-memory data store for the service registry.
Single sign-on (SSO): Authentication process that allows a user to provide his credentials once in order to access multiple applications.
Service: An application that accepts CAS authentication.
Ticket Granting Ticket (TGT): Ticket indicating that the user has successfully logged in to the CAS server.
Service Ticket (ST): Ticket sent by CAS to a service for identifying that service.
Proxy Granting Ticket (PGT): Ticket sent by CAS to a service with a valid ST for requesting Proxy Tickets.
Proxy Ticket (PT): Ticket used by a proxy service to access a target service for multi-tier authentication.
Certificate Authority (CA): An entity that issues digital certificates.
Keystore: File containing a public certificate and private key.
Trust Store: File containing public certificates from trusted servers.

CAS Architecture

The CAS protocol involves four parties, as shown in Figure 1: the client (web browser), the web application requesting authentication (Service / Proxy Service), the back-end application (Target Service) from which the web application needs some data, and the CAS server. Here Content Server is the back-end service, or target service, that the web application is trying to access by requesting a Content Server session. The web application is acting as a proxy and uses a CAS proxy ticket to request a Content Server session.
Application Server's SSL Certificate

The CAS server verifies the identity of the server requesting a proxy granting ticket by verifying its public certificate. So the application server's SSL certificate must be placed in the trust store. Import the application server's public certificate to the JRE's trust store as shown:

    keytool -import -trustcacerts -alias appserver -keystore %JAVA_HOME%\jre\lib\security\cacerts -file cascrt.der
    Enter keystore password:
    Owner: EMAILADDRESS=cas@dctm.com, CN=cs7163.iigplat.com, OU=IIG, O=EMC, ST=Kar, C=IN
    Issuer: EMAILADDRESS=ica1@dctm.com, CN=ICA1, OU=IIG, O=EMC, ST=Kar, C=IN
    Serial number: 10
    Valid from: Thu Jun 06 04:23:26 PDT 2013 until: Fri Jun 06 04:23:26 PDT 2014
    Signature algorithm name: SHA1withRSA
    Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore

LDAP Server's SSL Certificate

The CAS server needs to trust the LDAP server acting as Identity Provider for a secure connection to the LDAP server over SSL. Import the LDAP SSL certificate to the trust store as shown:
    11/05/13 01:11:10  non_anonymous = True

LDAP Configuration

Configure Content Server to sync with the same LDAP server as used by the CAS server. The user login name should map to the user LDAP property sAMAccountName. For more information and detailed steps for configuring the LDAP server, refer to the EMC Documentum Administrator User Guide.

Troubleshooting

CAS Plug-in Trace

To enable the authentication plug-in trace, follow the steps below:
- Open Documentum Server Manager.
- Stop the Repository Service.
- In the Repository tab, click on Edit Service.
- Edit Command and add the -otrace_authentication option at the end.
- Start the Repository Service.

The log file dm_cas_<docbase>.log will be created in the directory %DOCUMENTUM%\dba\log.

CAS Server Logs

The location and logging levels for the CAS server logs can be defined in the file WEB-INF/classes/log4j.xml.

SSL related Errors

Error when trying to access Service Management webapp

    HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reason: The CAS server's public certificate is missing from the CAS server's trust store.
Resolution: Import the CAS server's public certificate to the CAS server's trust store.
Error during CAS server's callback to Application Server

    ERROR org.jasig.cas.util.HttpClient - <sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reason: The application server's public certificate is missing from the CAS server's trust store.
Resolution: Import the application server's public certificate to the CAS server's trust store.

Error during login to CAS Server

    ERROR org.jasig.cas.authentication.AuthenticationManagerImpl - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler threw error authenticating [username: admin]>
    org.springframework.ldap.CommunicationException: domainctlr.iigplat.com:636; nested exception is javax.naming.CommunicationException: domainctlr.iigplat.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Reason: The LDAP server's public certificate is missing from the CAS server's trust store.
Resolution: Import the LDAP server's public certificate to the CAS server's trust store.
The service URL is the URL of the resource on the application that the user is trying to access. The login request looks like this:

    <cas_server_url>/login?service=<service_url>

3. The CAS server verifies whether the application is allowed to use CAS by checking that the service is registered in the CAS Service Registry. The Service Registry component is responsible for defining the allowed services that may request and validate tickets provided by CAS. If a matching entry is found in the Service Registry, the CAS server verifies the user credentials against the Identity Provider.
4. On successful authentication, the CAS server returns a Service Ticket by redirecting to the application service URL with the Service Ticket. The CAS server also sets a TGT cookie on the user session to indicate that the user has successfully logged in and will not be asked to log in for subsequent requests till the session expires.
5. The application then calls the CAS server requesting a Proxy Granting Ticket (PGT) by sending the Service Ticket, the application callback URL (pgtUrl) and the service URL. The service URL should be the same as that sent while requesting the Service Ticket. The callback URL is used by the CAS server to verify the service (application) identity and return the Proxy Ticket. The callback URL must be HTTPS, since CAS verifies both that the SSL certificate is valid and that its name matches that of the service, to verify the service identity. The application makes a request like below:

    <cas_server_url>/serviceValidate?service=<service_url>&ticket=<service_ticket>&pgtUrl=<callback_url>
This should be changed to some persistent store in the deployment environment; otherwise the services added in the above steps will be lost on server restart.

Tip: A service also needs to be registered for the application server to access the service management webapp. By default a service definition exists that allows the http(s) and imap(s) protocols. In the deployment environment this must be modified too.

[Figure 3: CAS page to add a new service. Form fields shown: Name, Service URL, Description, Theme Name, Status (Enabled, Allowed to proxy, SSO Participant, Anonymous Access), Attributes (dmCSLdapUserDN, Username), Ignore Attribute Management via this Tool, Order.]

Content Server Configuration

This section explains the setup required at the Content Server side for the CAS authentication plug-in.

CAS Plug-in Binary

The CAS plug-in needs to be copied to the auth directory. Plug-ins inside the auth directory are automatically loaded on server startup.

1. Stop all Repository Services.
2. Copy the CAS plug-in binary dm_cas_auth.dll from DM_HOME in
to a file of filetype .pem containing the CA certificate chain for the CAS server's public certificate. Only needed if non_anonymous is set to true.

Figure 4: Sample CAS plug-in configuration file (dm_cas_auth.ini):

    [DM_CAS_AUTH_CONF]
    server_host=cs7163.iigplat.com
    server_port=8443
    url_path=cas/proxyValidate
    service_param=ContentServer
    is_https=T
    non_anonymous=T
    cert_path=C:\Documentum\dba\auth\allcacrt.pem

Verify Plug-in load

- Start the Docbase.
- Verify in the Docbase logs that the CAS plug-in is loaded:

    [DM_SESSION_I_AUTH_PLUGIN_LOADED]info: "Loaded Authentication Plugin with code 'dm_cas' (C:\Documentum\dba\auth\dm_cas_auth.dll)"

- Verify in the CAS plug-in logs that the plug-in load was successful (see Troubleshooting for how to enable the plug-in trace):

    Documentum Authentication Plugin Trace File
    (c) Copyright EMC Corp. 2013. All rights reserved.
    11/05/13 01:11:10  Initializing dm_cas plugin
    11/05/13 01:11:10  Following are the auth init params:
    11/05/13 01:11:10  is_https = True
    11/05/13 01:11:10  server_host = cs7163.iigplat.com
    11/05/13 01:11:10  server_port = 8443
    11/05/13 01:11:10  url_path = cas/proxyValidate
    11/05/13 01:11:10  service_param = ContentServer
    11/05/13 01:11:10  cert_path = C:\Documentum\dba\auth\allcacrt.pem
    keytool -import -trustcacerts -alias ldap -keystore %JAVA_HOME%\jre\lib\security\cacerts -file domainctlr.iigplat.com_iigplat-DOMAINCTLR-CA.crt
    Enter keystore password:
    Owner: CN=iigplat-DOMAINCTLR-CA, DC=iigplat, DC=com
    Issuer: CN=iigplat-DOMAINCTLR-CA, DC=iigplat, DC=com
    Serial number: 7d98e408fdb6b3814570ec0776bdada7
    Valid from: Mon Jun 17 07:07:34 PDT 2013 until: Sun Jun 17 07:17:33 PDT 2018
    Signature algorithm name: SHA1withRSA
    Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore

Deploy CAS Application

While building CAS, make sure the LDAP module is enabled. For creating this setup the CAS release build was used, in which all modules are enabled by default. Documentum Content Server release 7.1 supports CAS server version 3.5.2.

- Download CAS server 3.5.2 from http://www.jasig.org/cas/download.
- Create a folder "cas" in the application server deployment directory (webapps).
- Extract the CAS server 3.5.2 archive file (cas-server-3.5.2-release).
- Extract the content of cas-server-3.5.2/modules/cas-server-uber-webapp-3.5.2.war to the cas directory.
CAS Plug-in Trust Store  20
CAS Plug-in Configuration  20
Verify Plug-in load  21
LDAP Configuration  22
Troubleshooting  22
CAS Plug-in Trace  22
CAS Server Logs  22
SSL related Errors  22
Error when trying to access Service Management webapp  22
Error during CAS server's callback to Application Server  23
Error during login to CAS Server  23
CAS Server Errors  23
CAS Server responds with Invalid Ticket message  23
CAS Plug-in Errors  24
For user authentication, the application redirects the user to the CAS server, against which the user authenticates by providing his credentials. After successful authentication, the application requests a proxy ticket from the CAS server. The Content Server authentication plug-in for CAS eliminates the need for the user to authenticate again with Content Server by accepting the CAS proxy ticket, thereby enabling SSO. Content Server verifies the proxy ticket sent by the application with the CAS server and returns a session on successful authentication. The CAS server supports multiple Identity Providers such as LDAP, Active Directory, Kerberos and RDBMS, and delegates authentication decisions to these servers.

[Figure 1: System Deployment and CAS Authentication Flow. Components: CAS Server, Identity Provider (LDAP Server), Application Server, Content Server.]

Authentication Process

The authentication process shown in Figure 1 is as follows:

1. The user accesses the client application deployed on the application server and tries to access a protected resource for which the application needs a Content Server session. If the user has already authenticated with the CAS server and has the Ticket Granting Ticket (TGT) cookie set, then control moves to step 4.
2. The application asks the user to authenticate with the CAS server, and the user is redirected to the CAS login page (/login). The user enters his username and password. The user credentials along with the service URL are sent to the CAS server.
When the CAS plug-in is configured in non-anonymous SSL mode, if the CAS plug-in is not able to verify the public certificate sent by the CAS server using the CA certificates stored in the pem file, then the CAS plug-in rejects the connection and an error is displayed. Some of the reasons for this are:

- The complete CA certificate chain is not included in the trust store pem file.
- The CAS server's public certificate or the issuer's certificate has expired.
- The CAS server's certificate is not yet valid.

Resolution: To check whether the proper CA certificates are stored in the pem file, execute the OpenSSL command below, where allcacrt.pem is the trust store file configured in the CAS plug-in configuration and cascrt.pem contains the public certificate of the CAS server:

    openssl verify -CAfile allcacrt.pem cascrt.pem

If this command displays an error, then the proper CA certificates need to be stored in allcacrt.pem.

Plug-in load fails

Error in the docbase log (%DOCUMENTUM%\dba\log\<docbase>.log):

    [DM_SESSION_E_AUTH_PLUGIN_LOAD_INIT_ERROR]error: "Failed to load Authentication Plugin C:\Documentum\dba\auth\dm_cas_auth.dll: Plugin initialization returned error"

Error in the CAS plug-in log (%DOCUMENTUM%\dba\log\dm_cas_<docbase>.log):

    Initialization failed: Failed to open file C:\Documentum\dba\auth\dm_cas_auth.ini
    Plugin initialization failed

Reason: The plug-in configuration is missing.
Resolution: Create the plug-in configuration file as described in the Content Server Configuration section.
White Paper

DOCUMENTUM CONTENT SERVER CENTRAL AUTHENTICATION SERVICE (CAS) SSO
A Detailed Review

Abstract

This white paper describes a Central Authentication Service (CAS) based Content Server environment and the CAS authentication process, and explains the CAS server and Content Server configuration. It includes detailed steps to deploy the system and troubleshoot issues.

November 2013

Copyright 2013 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided "as is". EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

Part Number h12009

Table of Contents

Executive Summary  4
Audience  4
Terminology  4
CAS Architecture  4
Authentication Process  5
Connection to CAS Server fails in non-anonymous SSL mode  24
Plug-in load fails  25
Conclusion  26
References  26

Executive Summary

Central Authentication Service (CAS) is an enterprise-level, open source single sign-on (SSO) solution. CAS is an HTTP-based protocol that requires each of its components to be accessed through specific URIs. CAS was originally developed by Yale University for single sign-on. Documentum Content Server provides support for CAS SSO by introducing an authentication plug-in for CAS. Content Server authentication supports CAS protocol 2.0. This paper explains the CAS architecture, the CAS protocol, and the configuration required at the CAS server and Content Server for enabling CAS SSO.

Audience

This white paper is intended for engineers, support professionals and customers. It provides a detailed understanding of enabling CAS SSO for Documentum applications.

Terminology

Special terms, abbreviations and acronyms that may appear in this guide are defined below.

Term: Description
Central Authentication Service (CAS): Open source single sign-on for web and cloud-based solutions.
6. The CAS server verifies that the Service Ticket is valid and was generated for the same service URL. The CAS server then invokes the callback URL and sends the Proxy Granting Ticket as the request parameter PGTID. The CAS server responds to the application with a PGTIOU ("I owe you" PGT); the callback URL is invoked with the PGTID and the same PGTIOU. The application then retrieves the PGTID by comparing the PGTIOU. The CAS server response looks like below:

    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationSuccess>
            <cas:user>username</cas:user>
            <cas:proxyGrantingTicket>PGTIOU-4-YO2XOuDgmMiD3Ewllaew</cas:proxyGrantingTicket>
        </cas:authenticationSuccess>
    </cas:serviceResponse>

The CAS server GET request to the callback URL looks like below:

    <callback_url>/pgtCallback?pgtIou=<PGTIOU>&pgtId=<PGTID>

7. The application then requests a Proxy Ticket from the CAS server by sending the Proxy Granting Ticket and the Target Service name. The Target Service name should be the same as that configured for the CAS authentication plug-in (the CAS plug-in configuration is explained later, on page 20). The Target Service should be registered in the CAS Service Registry. The application request looks like below:

    <cas_server_url>/proxy?pgt=<PGT>&targetService=ContentServer
Conclusion

This paper explains the CAS architecture and protocol and how CAS SSO can be enabled with Documentum applications. Only the basic configuration required for making the CAS server work with Documentum is shown here. For further information on the CAS protocol and configuration, the sources provided in the next section can be referenced.

References

- CAS project site: http://www.jasig.org/cas
- CAS User Manual Wiki: https://wiki.jasig.org/display/CASUM/Home
- OpenSSL Documentation: http://www.openssl.org/docs/apps/openssl.html
CAS Server Errors

CAS Server responds with Invalid Ticket message

Error in the CAS plug-in trace:

    Respose code: 200
    Respose content:
    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationFailure code="INVALID_TICKET">ticket &#039;ST-9-xKWPvnCxX9VuUh45J6msn-cs7163.iigplat.com&#039; not recognized</cas:authenticationFailure>
    </cas:serviceResponse>
    [4336] 11/06/13 16:34:53  Validate Cas user Failed
    [4336] 11/06/13 16:34:53  Error: CAS Authentication failed with following Error Code: INVALID_TICKET Error String: ticket &#039;ST-9-xKWPvnCX9VuUh45J6msn-cs7163.iigplat.com&#039; not recognized

Reason: One of the common reasons for the invalid ticket error is that the ticket has expired by the time it reaches the CAS server. To verify that this is the reason for the above error, check the CAS server logs for the message below:

    INFO org.jasig.cas.CentralAuthenticationServiceImpl - <ServiceTicket [ST-9-xKWPvnCX9VuUh45J6msn-cs7163.iigplat.com] has expired.>

Resolution: Increase the service ticket timeout by changing the value of the property st.timeToKillInSeconds in WEB-INF/cas.properties. Refer to the Ticket Expiration Policy section (https://wiki.jasig.org/display/CASUM/Ticket+Expiration+Policy) in the CAS user manual for more details.
CAS Plug-in Errors

Connection to CAS Server fails in non-anonymous SSL mode

Error in the CAS plug-in trace with errorcode 77:

    11/07/13 15:07:10  Sending curl request to following url: https://cs7163.iigplat.com:8443/cas/proxyValidate?service=ContentServers&ticket=ST-15-99SqGeyda670rggsyuUe-cs7163.iigplat.com
    11/07/13 15:07:10  Error: Failed to perform URL https://cs7163.iigplat.com:8443/cas/proxyValidate?service=ContentServers&ticket=ST-15-99SqGeyda670rggsyuUe-cs7163.iigplat.com errorcode: 77 (Problem with the SSL CA cert (path? access rights?))

Reason: The trust store (pem file with the CA certificate chain) is missing, or an incorrect path is specified in the plug-in configuration file.
Resolution: Check whether the trust store file exists in the location specified in the plug-in configuration file (dm_cas_auth.ini).

Error in the CAS plug-in trace with errorcode 60:

    11/07/13 15:10:40  Sending curl request to following url: https://cs7163.iigplat.com:8443/cas/proxyValidate?service=ContentServers&ticket=ST-17-IdGpXpjFCrVYaV6Xsyjs-cs7163.iigplat.com
    11/07/13 15:10:40  Error: Failed to perform URL https://cs7163.iigplat.com:8443/cas/proxyValidate?service=ContentServers&ticket=ST-17-IdGpXpjFCrVYaV6Xsyjs-cs7163.iigplat.com errorcode: 60 (Peer certificate cannot be authenticated with given CA certificates)

Reason:
CAS Server Configuration & Deployment  10
Tomcat Setup for deploying CAS  10
Install Tomcat  10
Enable SSL for Tomcat  10
Store Public Certificates in Trust Store  11
Deploy CAS Application  13
Configure CAS Application  14
Modify WEB-INF/cas.properties  14
Configure LDAP for CAS  14
Customize CAS Response  15
Service Management  17
Content Server Configuration  20
CAS Plug-in Binary  20
Steps to import public certificates to the JRE trust store are explained below.

CAS Server's SSL Certificate

The CAS server's SSL certificate needs to be in the trust store to access the Service Manager webapp; otherwise an SSLHandshakeException is thrown by the CAS server. Export the CAS server public certificate from the CAS server's keystore as shown:

    keytool -export -keystore caskeystore -alias cas -file cas.cer
    Enter keystore password:
    Certificate stored in file <cas.cer>

Import the server's public certificate and certificate chain to the local keystore (trust store) of the JRE used by the application server:

    keytool -import -trustcacerts -alias cas -keystore %JAVA_HOME%\jre\lib\security\cacerts -file cas.cer
    Enter keystore password:
    Owner: CN=cs7179, OU=iig, O=emc, L=blr, ST=kn, C=in
    Issuer: CN=cs7179, OU=iig, O=emc, L=blr, ST=kn, C=in
    Serial number: 2af72204
    Valid from: Thu Jun 13 23:46:16 PDT 2013 until: Wed Sep 11 23:46:16 PDT 2013
    Signature algorithm name: SHA256withRSA
    Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore
8. The CAS server verifies that the Target Service is registered in the service registry. The CAS server then verifies the Proxy Granting Ticket and, if the Proxy Granting Ticket is still valid, returns a Proxy Ticket to the application. The CAS server response looks like below:

    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:proxySuccess>
            <cas:proxyTicket>ST-10-d4dYIOtvDzNqzJO9M1-9p</cas:proxyTicket>
        </cas:proxySuccess>
    </cas:serviceResponse>

9. The application then uses the same username that was used to authenticate with the CAS server, together with the proxy ticket sent by the CAS server, to request a session from Content Server. The password should be in the format below:

    Password format: DM_PLUGIN=dm_cas/<proxy_ticket>

10. The session request is redirected to the CAS authentication plug-in, which validates the proxy ticket with the CAS server. The CAS authentication plug-in sends the Target Service name configured in the configuration file along with the Proxy Ticket to the CAS server for validating the Proxy Ticket. The plug-in request to the CAS server looks like below:

    <cas_server_url>/proxyValidate?service=<service_name>&ticket=<proxy_ticket>

11. The CAS server validates that the Proxy Ticket is valid and was generated for the same service, and returns the user distinguished name (an LDAP property of the CAS user) with the authentication success response. The CAS server response looks like below:

    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:authenticationSuccess>
Add CredentialsToPrincipalResolvers bean for LDAP

A principal describes an authenticated user; a Principal contains attributes describing the user. The CredentialsToPrincipalResolver component maps credential attributes onto a Principal. The Principal is used by the view to create the response with the user attributes defined in the AttributeRepository bean. Put the bean below inside the credentialsToPrincipalResolvers property of the authenticationManager bean:

    <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
            <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
        </property>
        <property name="filter" value="sAMAccountName=%u"/>
        <property name="principalAttributeName" value="sAMAccountName"/>
        <property name="searchBase" value="OU=testou,DC=iigplat,DC=com"/>
        <property name="contextSource" ref="contextSource"/>
        <property name="attributeRepository" ref="attributeRepository"/>
    </bean>

Replace AttributeRepository Bean

Replace the AttributeRepository bean stub with the AttributeRepository bean defined in the example below, which defines the attributes that CAS returns to Content Server. The attribute dmCSLdapUserDN needs to be added in the resultAttributeMapping property; its value will be set to the user distinguished name and is matched against the user_dn value stored in the docbase.
            <cas:user>user</cas:user>
            <cas:attribute name="dmCSLdapUserDN" value="CN=user,OU=testou,DC=iigplat,DC=com"/>
            <cas:proxies>
                <cas:proxy>callback_url</cas:proxy>
            </cas:proxies>
        </cas:authenticationSuccess>
    </cas:serviceResponse>

12. The CAS plug-in compares the user distinguished name (DN) with the user DN stored in the docbase for that user. If the match is successful, then a Content Server session is returned to the application. In a typical deployment scenario, Content Server uses the same Identity Provider (e.g. LDAP) to sync its users as that used by the CAS server, so the user DN will be the same as that sent by the CAS server.

The flow chart below explains the CAS protocol. Steps in blue boxes are activities performed by CAS, whereas steps in green boxes are user/application triggers.

[Figure: CAS protocol flow chart. Nodes: TGT cookie exists? / TGT cookie expired? / Is service registered? / Generate Service Ticket (ST) / Add ST to ticket registry / Call service identifier with ST as parameter / Is ST valid for service identifier? / Is service identity valid? (no: return internal error) / Generate PGTID & PGTIOU / Invoke callback URL and pass PGTID & PGTIOU as params / Return PGTIOU as response.]
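The following is an added example, not code from this white paper, EMC or Jasig: a Python model of what the application and the plug-in have to do with the messages in steps 6 to 12. It parses the three serviceResponse shapes shown above plus the INVALID_TICKET failure from the troubleshooting section, pairs the PGTIOU with the PGTID delivered on the callback, builds the DM_PLUGIN password, and applies the DN comparison of step 12. The sample messages are constructed; the host app.example.test, the value PGT-1-constructed and the DN normalization rules are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = "{http://www.yale.edu/tp/cas}"   # ElementTree's Clark notation for the cas: prefix
PLUGIN_ID = "dm_cas"                      # plug-in code reported in the docbase log on this page

# Constructed samples with the shapes shown in steps 6, 8 and 11 and in the
# INVALID_TICKET trace; app.example.test is a placeholder callback host.
SERVICE_VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-4-YO2XOuDgmMiD3Ewllaew</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
CALLBACK_GET = "https://app.example.test/pgtCallback?pgtIou=PGTIOU-4-YO2XOuDgmMiD3Ewllaew&pgtId=PGT-1-constructed"
PROXY_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess><cas:proxyTicket>ST-10-d4dYIOtvDzNqzJO9M1-9p</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""
PROXY_VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>user</cas:user>
    <cas:attribute name="dmCSLdapUserDN" value="CN=user,OU=testou,DC=iigplat,DC=com"/>
    <cas:proxies><cas:proxy>https://app.example.test/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
INVALID_TICKET = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket &#039;ST-9-xKWPvnCX9VuUh45J6msn-cs7163.iigplat.com&#039; not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Parse a CAS 2.0 serviceResponse (serviceValidate, proxy or proxyValidate).
    Failure -> {'status': 'failure', 'code', 'message'}; proxySuccess ->
    {'status': 'success', 'proxy_ticket'}; authenticationSuccess -> user, PGTIOU,
    the attributes the customized view emits, and the proxy chain."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return {"status": "failure", "code": failure.get("code", ""),
                "message": (failure.text or "").strip()}
    proxy_ok = root.find(CAS_NS + "proxySuccess")
    if proxy_ok is not None:
        return {"status": "success",
                "proxy_ticket": proxy_ok.findtext(CAS_NS + "proxyTicket", default="").strip()}
    auth_ok = root.find(CAS_NS + "authenticationSuccess")
    if auth_ok is None:
        raise ValueError("unrecognised CAS response body")
    return {
        "status": "success",
        "user": auth_ok.findtext(CAS_NS + "user", default="").strip(),
        "pgtiou": auth_ok.findtext(CAS_NS + "proxyGrantingTicket", default="").strip(),
        "attributes": {a.get("name"): a.get("value") for a in auth_ok.findall(CAS_NS + "attribute")},
        "proxies": [p.text.strip() for p in auth_ok.findall(CAS_NS + "proxies/" + CAS_NS + "proxy") if p.text],
    }


def pgt_from_callback(callback_request_url):
    """Step 6: the CAS server's GET to pgtUrl carries pgtIou and pgtId."""
    params = parse_qs(urlsplit(callback_request_url).query)
    try:
        return params["pgtIou"][0], params["pgtId"][0]
    except KeyError as exc:
        raise ValueError("callback request missing %s" % exc.args[0])


def resolve_pgt(validate_response, callbacks):
    """Step 6: look up the PGTID that arrived on the callback for the PGTIOU in
    the serviceValidate response; 'callbacks' is the app's pgtIou -> pgtId store."""
    if validate_response["status"] != "success":
        return None
    return callbacks.get(validate_response.get("pgtiou", ""))


def plugin_password(proxy_ticket):
    """Step 9: password the application presents to Content Server."""
    if not proxy_ticket:
        raise ValueError("empty proxy ticket")
    return "DM_PLUGIN=%s/%s" % (PLUGIN_ID, proxy_ticket)


def normalize_dn(dn):
    """Assumption: RDN types/values compare case-insensitively and blanks around
    separators are ignored (AD-style DNs); escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        typ, val = rdn.split("=", 1)
        parts.append("%s=%s" % (typ.strip().lower(), val.strip().lower()))
    return ",".join(parts)


def docbase_user_matches(proxy_validate_response, docbase_user_dn):
    """Step 12: grant the session only when dmCSLdapUserDN from CAS equals the
    user_dn held by the docbase; failures and missing DNs deny."""
    if proxy_validate_response["status"] != "success":
        return False
    cas_dn = proxy_validate_response.get("attributes", {}).get("dmCSLdapUserDN")
    if not cas_dn:
        return False
    return normalize_dn(cas_dn) == normalize_dn(docbase_user_dn)
```

A response that lacks the dmCSLdapUserDN attribute (the view not updated as in the Customize CAS Response section) is denied by docbase_user_matches, which is the failure a practitioner sees when the JSP change is skipped.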
    What is the name of your organizational unit? [Unknown]: iig
    What is the name of your organization? [Unknown]: emc
    What is the name of your City or Locality? [Unknown]: blr
    What is the name of your State or Province? [Unknown]: kn
    What is the two-letter country code for this unit? [Unknown]: in
    Is CN=casserver, OU=iig, O=emc, L=blr, ST=kn, C=in correct? [no]: yes
    Enter key password for <cas> (RETURN if same as keystore password):

It is important to set the value of the "first and last name" field above to the fully qualified domain name of the machine.

Enable SSL port

Edit server.xml inside the configuration directory and uncomment the SSL Connector. Add the location of the keystore created in the previous step and the keystore password:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\ks\caskeystore" keystorePass="changeit"/>

When using the JSSE configuration, the APR library loader needs to be commented out:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>

Store Public Certificates in Trust Store

The CAS server's, application server's and LDAP server's public certificates need to be imported to the CAS server's trust store. These certificates can also be imported to the trust store of the JRE used by the CAS server for the same behavior.
25. rDn" value="CN=Administrator,CN=Users,DC=iigplat,DC=com"/>
      <property name="password" value="password"/>
      <property name="baseEnvironmentProperties">
        <map>
          <entry key="com.sun.jndi.ldap.connect.timeout" value="3000"/>
          <entry key="com.sun.jndi.ldap.read.timeout" value="3000"/>
          <entry key="java.naming.security.authentication" value="simple"/>
        </map>
      </property>
    </bean>

Add authentication handler for LDAP: An authentication handler needs to be defined for every Identity Provider. The authentication handler for LDAP (Microsoft Active Directory) is defined as below. Put this bean inside the authenticationHandlers property of the authenticationManager bean:

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
          p:filter="sAMAccountName=%u"
          p:searchBase="OU=testou,DC=iigplat,DC=com"
          p:contextSource-ref="contextSource"
          p:ignorePartialResultException="true" />

For more details on LDAP configuration, refer to the LDAP section of the CAS user manual: https://wiki.jasig.org/display/CASUM/LDAP

Customize CAS Response: By default, on successful authentication for a proxy ticket validation request, the CAS server responds with just the user name in the response message. The CAS response needs to be customized so that it includes the full user DN, as shown in step 11 of authe
26. ribute dmCSLdapUserDN needs to be added to the resultAttributeMapping property; its value is set to the user's distinguished name and is matched against the user DN value stored in the Docbase:

    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
      <property name="contextSource" ref="contextSource"/>
      <property name="baseDN" value="OU=testou,DC=iigplat,DC=com"/>
      <property name="requireAllQueryAttributes" value="true"/>
      <property name="queryAttributeMapping">
        <map>
          <entry key="username" value="sAMAccountName"/>
        </map>
      </property>
      <property name="resultAttributeMapping">
        <map>
          <entry key="distinguishedName" value="dmCSLdapUserDN"/>
        </map>
      </property>
    </bean>

Update View: The view needs to be updated so that it includes the user's distinguished name in the response sent to Content Server for the proxy ticket validation request. Add the lines below after <cas:user>...</cas:user> in the file WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp:

    <c:forEach var="auth" items="${assertion.chainedAuthentications}">
      <c:forEach var="attr" items="${auth.principal.attributes}">
        <cas:attribute name="${fn:escapeXml(attr.key)}" value="${fn:escapeXml(attr.value)}"/>
      </c:forEach>
27. [Figure 2, second part (flow chart node labels): ...sponse to serviceValidate; application calls target service with PGT; is PGT registered / is service registered, else return Invalid Ticket or Invalid Service error; generate Proxy Ticket (PT) if PGT is valid, else return Bad PGT error; send PT as response to proxy; is PT valid for target service, else return Invalid Ticket or Invalid Service error; respond with user name and user LDAP DN. Figure 2: CAS Protocol 2.0 Flow Chart]

CAS Server Configuration & Deployment: This section describes the steps to set up, configure and deploy the CAS Server. CAS is available as a web application that needs to be deployed on an application server. This paper explains the CAS deployment steps using Apache Tomcat as the application server, and shows the minimal configuration required for the CAS Server to work as an authentication service for Content Server.

Tomcat Setup for deploying CAS

Install Tomcat: Download and install Apache Tomcat Server. Select a proper location for Java; CAS 3.5 requires JDK version 1.6 or higher.

Enable SSL for Tomcat

Create SSL certificate for CAS Server: For the purpose of this paper, the steps below show how to create a self-signed SSL certificate:

    keytool -genkey -alias cas -keyalg RSA -keystore c:\ks\caskeystore
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  casserver
    What is the name of y
28. stall external_apps/authplugins/CentralAuthenticationService to the DOCUMENTUM/dba/auth directory.

CAS Plug-in Trust Store: The CAS plug-in provides an option for anonymous and non-anonymous SSL communication between the CAS plug-in and the CAS Server. For non-anonymous SSL, the Certificate Authority (CA) certificate that was used to issue the CAS Server's public certificate needs to be stored in a file of type .pem. The full CA certificate chain of the issuer should be stored, else authentication will fail. To enable this option, the non_anonymous property should be set to true and the cert_path property should point to a valid .pem file containing the CA certificate chain, both in the CAS configuration file described in the next section.

CAS Plug-in Configuration: Create the CAS plug-in configuration file dm_cas_auth.ini inside the DOCUMENTUM/dba/auth directory and put the properties below in it:

server_host: host name of the CAS server
server_port: HTTP(S) port number of the CAS server
url_path: URL path used in the HTTP request sent to the CAS server to validate the proxy ticket, i.e. <cas_application_name>/proxyValidate
service_param: service name for which the proxy ticket was generated, e.g. ContentServer
is_https: specifies whether the CAS plug-in communicates with the CAS Server over https or http
non_anonymous: specifies whether non-anonymous or anonymous SSL is used for communication between the CAS plug-in and the CAS Server; only needed when is_https is set to true
cert_path: Path
29. Configure CAS Application: This section defines the minimum configuration required for CAS to work as an authentication provider for Content Server with LDAP as the Identity Provider.

Modify WEB-INF/cas.properties: Update the properties below.

server.name: URL used to access the CAS Server. It is recommended to use https in deployment environments, e.g. https://cs7163.iigplat.com:8443
host.name: full hostname of the CAS Server host, e.g. cs7163.iigplat.com
server.prefix: ${server.name}/<application_name>; replace <application_name> with the CAS application name, e.g. ${server.name}/cas

Configure LDAP for CAS: All LDAP-related configuration is done in WEB-INF/deployerConfigContext.xml.

Define ContextSource bean for LDAP: This bean is used for connecting to LDAP to perform authentication operations. The LDAP server URL, username and password need to be configured for the CAS Server's connections to LDAP, as in the example below. If LDAP is configured over SSL, the LDAP URL starts with ldaps, e.g. ldaps://<hostname>:636; otherwise it starts with ldap, e.g. ldap://<hostname>:389.

    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
      <property name="pooled" value="false"/>
      <property name="url" value="ldaps://domainctlr.iigplat.com:636"/>
      <property name="use