JCas - SSL Setup

Overview

CAS recommends SSL encryption for data communications. JCas uses the SSL support (JSSE) that ships with J2SE 1.4 to implement this feature.

To enable encryption, you will need a server certificate and its corresponding private key. Both must be made available to JCas.

There are two ways to import a certificate and its key to the Java KeyStore:

  • Standard way by using keytool
  • Specifying certificate and key in JCas configuration
This document will focus on the second way. For information about keytool, have a look at Sun's Security Tutorial on Tools.

Generating certificate and key

Tutorials on how to create certificates are available at IPSec.org (using OpenSSL) and in the Java Security Guide (using keytool). You can skip this section if you take the latter way, using keytool.

In case you created the files using the PEM format (most OpenSSL tutorials describe creating certificates and keys using this format) you will need to convert the files for use with JCas.

Converting SSL certificate to DER

If you have a PEM-encoded certificate, issue the following OpenSSL command to convert it to DER:
    openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform der

Converting private key to PKCS#8

If you have a PEM-formatted or non-PKCS#8 private key file, issue the following OpenSSL command to convert it to DER-formatted PKCS#8:
    openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der -outform der
Note that -nocrypt writes the PKCS#8 file without any encryption, so the file itself is the secret: make it readable only by the account JCas runs as.

Now all files are ready for use with JCas.
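The conversion above, carried through end to end as an added example (this is not part of JCas or its documentation): it generates a throwaway self-signed certificate and key as constructed test input, converts them with the two commands from this page, and then checks that the DER files parse and that the private key really belongs to the certificate. It assumes OpenSSL is installed; the work directory and file names are made up.

```sh
#!/bin/sh
# Added example (not JCas code): produce the DER certificate and the PKCS#8
# DER private key that JCas' SSLCertificateFile / SSLKeyFile expect, then
# check that the two files belong together.
# Assumptions: OpenSSL is installed; the names under $WORK are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test input: a throwaway self-signed certificate in PEM.
# In production, use the key and CA-issued certificate for the CAS host.
gen_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=cas.example.org" \
        -keyout "$WORK/jcas.key" -out "$WORK/jcas.cert" >/dev/null 2>&1
}

# PEM certificate -> DER certificate (the conversion from the page).
cert_to_der() {
    openssl x509 -in "$WORK/jcas.cert" -out "$WORK/jcas.cert.der" -outform der
}

# Private key -> unencrypted PKCS#8 DER (the conversion from the page).
# -nocrypt means the file itself is the secret: restrict it to the JCas user.
key_to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$WORK/jcas.key" \
        -out "$WORK/jcas.key.der" -outform der
    chmod 600 "$WORK/jcas.key.der"
}

# Both files must parse as DER, and the public key inside the certificate
# must equal the public half of the converted private key; a mismatched
# pair is a common cause of handshake failures after files get renamed.
verify_pair() {
    openssl x509 -inform der -in "$WORK/jcas.cert.der" -noout || return 1
    openssl pkey -inform der -in "$WORK/jcas.key.der" -noout || return 1
    cert_pub=$(openssl x509 -inform der -in "$WORK/jcas.cert.der" -noout -pubkey)
    key_pub=$(openssl pkey -inform der -in "$WORK/jcas.key.der" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Subject and validity of the DER certificate, for a last look before deploying.
cert_info() {
    openssl x509 -inform der -in "$WORK/jcas.cert.der" -noout -subject -dates
}

convert_all() {
    gen_pem && cert_to_der && key_to_pkcs8 && verify_pair
}

if command -v openssl >/dev/null 2>&1; then
    convert_all && cert_info
else
    echo "openssl not found; nothing converted" >&2
fi
```

Point SSLCertificateFile at jcas.cert.der and SSLKeyFile at jcas.key.der once verify_pair succeeds; if it fails, the key and certificate were not generated together and the server will not complete a handshake.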

Configuring JCas

If you imported your certificate and key into Java's keystore, then you are already done, but ensure that SSL has been enabled in your configuration:
    ...
    <Bind>
        ...
        <SSL>true</SSL>
        ...
    </Bind>
    ...
(You can also omit the tag entirely; SSL is enabled by default.)

Next, you will need to define the certificate file, the key file and the key password in JCas' configuration:

    ...
    <Server>
        ...
        <SSLCertificateFile>/path/to/certificate/file</SSLCertificateFile>
        <SSLKeyFile>/path/to/private/key/file</SSLKeyFile>
        <SSLKeyPassword>pass:password</SSLKeyPassword>
        ...
    </Server>
    ...
JCas must decode the private key to access it, so it needs the key password. There are three ways to pass it to JCas:

1. Execute a program

JCas will interpret the first line of the program's standard output as the private key's password:
    <SSLKeyPassword>exec:/path/to/program</SSLKeyPassword>
Make sure the program is accessible and executable by the account JCas runs as, and not writable by anyone else, since whatever it prints becomes the key password. A simple script can fulfill the requirements. Here's an example of such a script:
    #!/bin/ksh

    echo MY_PASSWORD

2. Reading a file

This will tell JCas to read the password from a plain text file:
    <SSLKeyPassword>file:/path/to/textfile</SSLKeyPassword>
The first line of the file must contain the password. Restrict the file's permissions to the JCas account, as anyone who can read it can decode the private key.
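A password program that does a little more than the ksh script above, as an added example for both the exec: and file: methods (it is not JCas code): rather than embedding the password in the script body, it prints the first line of a separate secret file and refuses to run if that file is readable by its group or by others. The file: method reads the first line without any such check, so a small exec: wrapper is one way to enforce the permission policy. The secret file path and the environment variable name are assumptions.

```sh
#!/bin/sh
# Added example (not JCas code): a program for
#   <SSLKeyPassword>exec:/path/to/this/script</SSLKeyPassword>
# It prints only the first line of a secret file (JCas takes the first line
# of the output as the key password) and refuses to run unless that file is
# a regular file with mode 0600. The default path is an assumption.
set -eu

SECRET_FILE="${JCAS_KEY_PASSWORD_FILE:-/etc/jcas/sslkey.pass}"

# Succeeds only if $1 is a regular file with no group/other permission bits.
# Columns 5-10 of "ls -ld" are the group and other rwx bits (POSIX layout).
perms_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the first line of the secret file, i.e. what JCas reads as the password.
print_password() {
    f="${1:-$SECRET_FILE}"
    if ! perms_ok "$f"; then
        echo "refusing: $f must be a regular file with mode 0600" >&2
        return 1
    fi
    head -n 1 "$f"
}

# Stand-alone demonstration with a constructed secret file: the same file is
# rejected while it is world-readable and accepted once it is 0600.
demo() {
    d=$(mktemp -d)
    printf 'MY_PASSWORD\nsecond line is ignored\n' > "$d/sslkey.pass"
    chmod 644 "$d/sslkey.pass"
    print_password "$d/sslkey.pass" || echo "(rejected, as expected)"
    chmod 600 "$d/sslkey.pass"
    print_password "$d/sslkey.pass"
    rm -rf "$d"
}

case "${1:-}" in
    "") demo ;;
    *)  print_password "$1" ;;
esac
```

Installed as the exec: target with no argument removed (i.e. with the demo branch replaced by `print_password`), the script prints exactly one line, so JCas sees the password and nothing else; the rejection message goes to stderr, which JCas does not read.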

3. Defining password directly

This way you give the password directly in the configuration file:
    <SSLKeyPassword>pass:MY_PASSWORD</SSLKeyPassword>
This puts the password in clear text in the configuration file, so the file must be readable only by the account JCas runs as.

That's it. JCas is ready to encrypt communication with SSL.