Pentaho’s secrets:Enabling Single Sign On with CAS and JBoss Portal (first step)

Overview (taken from Pentaho WIKI)

Single sign-on (SSO) allows a user to authenticate then request secured resources from members of the SSO system without subsequent re-authenticating. SSO is made possible with CAS.

Central Authentication Service

CAS is a single sign-on service. When users explicitly attempt to login (also known as authenticate) or when users request a resource which requires authentication, they are redirected to the CAS application. It alone handles the username and password submitted by the user. Upon successful login, CAS returns the user to the resource originally requested. It is up to the application containing the requested resource to grant or deny access based on authorization rules inside that application. Note that CAS provides only the name of the authenticated user to each application; it is up to each application to fetch the roles belonging to the authenticated user. Once it has fetched the roles belonging to an authenticated user, it can make authorization decisions based on those roles.

CAS at a Glance

In the above diagram, a “service app” refers to a “client” of the Central Authentication Service; it relies on CAS to authenticate users for it. Also note that the backing database used by CAS to check usernames and passwords is not necessarily the same backing database used by client applications to fetch roles, although in the above diagram they are the same.

Enabling Single Sign-On

Enabling SSO requires the installation of a brand new web application (i.e. CAS) along with modifications to both JBoss Portal and the Pentaho web application to consume CAS services. And CAS requires service apps to connect via SSL so an SSL certificate will be required. If you’ve decided that SSO is right for you, follow the steps described on the pages below.

First step: How to enable SSL (HTTPS) on JBoss

Follow this guide, until “Enable SSL on JBoss“:
– don’t read about Tomcat…
– don’t follow the instructions in step 1 but replace them with the following:

• generate the key and a custom keystore with Keytool provided with Java jdk in that folder you are in:
  keytool -genkey -alias serverkeys -keyalg RSA -keystore mykeystore.keystore -storepass mypass -keypass mypass -dname “CN=my.real.hostname, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY”
• create the server certificate
  keytool -export -alias serverkeys -keystore mykeystore.keystore -storepass mypass -file server.cer
• import the server certificate into JVM certificates
  keytool -import -alias serverkeys -file server.cer -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Continue with step 2, 3, 4, 5 and you have finished.
Close that guide. Now your JBoss instance is ready to use Https and SSL certificate.

Second step is available here

Pubblicità