證書的配置

主要分為兩大步：服務(wù)端生成配置證書陨倡，應(yīng)用端導(dǎo)入證書。

SSO服務(wù)端

1. 生成keystore, 此文件用于tomcat/conf/server.xml中配置及導(dǎo)出證書寸爆；

keytool -genkey -keyalg RSA -alias mlongbosso -dname "cn=passport.mlongbo.com" 
-keystore /home/ndoc/test/cas/mlongbosso.keystore -storepass 123654

說明：指定使用RSA算法，生成別名為mlongbosso的證書盐欺，口令為123654赁豆，證書的DN為"cn=passport.mlongbo.com" ，這個DN必須同當(dāng)前主機完整名稱一致!!)

2. 導(dǎo)出mlongbosso.crt證書

keytool -export -alias mlongbosso -file /home/ndoc/test/cas/mlongbosso.crt 
-keystore /home/ndoc/test/cas/mlongbosso.keystore -storepass 123654

(注釋：從mlongbosso.keystore中導(dǎo)出別名為mlongbosso的證書找田，生成文件mlongbosso.crt)

3. 配置Tomcat的HTTPS服務(wù)
   keystoreFile屬性值為mlongbosso.keystore文件路徑, keystorePass屬性值為證書存貯口令

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS"
                    keystoreFile="/home/ndoc/test/cas/mlongbosso.keystore" 
                    keystorePass="123654"
                     />
   

應(yīng)用端

應(yīng)用端即SSO客戶端.

注釋： Windows下為%JAVA_HOME% , Linux下為$JAVA_HOME

1. 將mlongbosso.crt導(dǎo)入到應(yīng)用服務(wù)器所使用的jre的可信任證書倉庫中

keytool -import -alias mlongbosso -file /home/ndoc/test/cas/mlongbosso.crt 
-keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 123654

2. 列出jre可信任證書倉庫中證書名單歌憨，驗證導(dǎo)入是否成功，如果導(dǎo)入成功墩衙，應(yīng)該在列表中能找到mlongbosso這個別名

keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 123654

注意：如果此處導(dǎo)入失敗务嫡，或者要重新導(dǎo)入甲抖，需要先刪除%JAVA_HOME%/jre/lib/security/cacerts文件(刪除前請備份)

為應(yīng)用服務(wù)器開啟CAS

應(yīng)用服務(wù)器即SSO客戶端。修改web.xml文件心铃，增加如下filter(需要添加在其他filter之前准谚，如struts2)：

<!-- cas 客戶端登錄驗證 -->
<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://passport.mlongbo.com:8443/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.mlongbo.com:8080/</param-value>
    </init-param>

</filter>

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/account/*</url-pattern>
</filter-mapping>

<!-- cas 憑證認(rèn)證 -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://passport.mlongbo.com:8443/</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://cas.mlongbo.com:8080/</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/account/*</url-pattern>
</filter-mapping>

<!-- HttpServletRequet的包裹類
讓他支持getUserPrincipal，getRemoteUser方法來取得用戶信息-->

<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/account/*</url-pattern>
</filter-mapping>

<!-- Assertion信息放在ThreadLocal變量中 -->
<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/account/*</url-pattern>
</filter-mapping>

幾個配置項說明：

• serverName指當(dāng)前應(yīng)用的域名地址和端口(80端口可不寫)
• casServerLoginUrl配置sso登錄地址
• casServerUrlPrefix設(shè)置sso應(yīng)用地址
• url-pattern配置需要sso保護的資源地址

測試客戶端配置

測試客戶端即測試人員所使用的瀏覽器端去扣。

1. 在測試瀏覽器中(受信任的根證書頒發(fā)機構(gòu)項)導(dǎo)入mlongbosso.crt證書
2. 訪問任意一個需要sso驗證的地址
3. 跳轉(zhuǎn)到sso登錄界面后柱衔，輸入正確的用戶名和密碼
4. 正常返回到原頁面
5. 成功!!!!!!!

*附：命令記錄

證書生成, 導(dǎo)出, 和導(dǎo)入