
Thread: SSO with CAS and Zimbra

  1. #1

    Hi,

    I have just started using zimbra (bow down! It's great!) mail and need a solution from you experts. Here is the situation:

    We have a portal where, along with other stuff, we provide email. Users register with the portal and we make the necessary webservice call to create the zimbra user.

    We use CAS (Central Authentication Service) for the Single Sign On.

    The Problem:

    Without the CAS SSO a user logs into the server and zimbra mail can open the user's inbox (we use the PreAuth service for that). But as soon as we turn on the CAS-related servlet filter in the zimbra mail website, it fails because the SSO ticket needs to be validated through an https url.

    I am pretty sure it has everything to do with the SSL certificate not being available to zimbra to talk to the CAS service, which runs on https://myportal.com:8443/cas/service/serviceValidate.

    I need your help in importing the client certificate so that zimbra could talk to my CAS server using SSL.

    Please note that presently both applications are running on the same server but on different ports. We use JBoss for the main portal/CAS (8080/8443) and the zimbra email service runs on the default port (80).

    The Server certificate is created using java keytool.

    Here is the exception when zimbra mail tries to access the validation url:

    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1057)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1041)
    at sun.net.www.protocol.https.HttpsClien...lient.java:402)
    at sun.net.www.protocol.https.AbstractDe...ction.java:170)
    at sun.net.www.protocol.http.HttpURLConn...ction.java:917)
    at sun.net.www.protocol.https.HttpsURLCo...nImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
    ... 17 more


    Thanks a lot.

    bdutta.
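    The "PKIX path building failed" error above means the JVM that runs Zimbra's tomcat has no trust anchor for the keytool-generated CAS certificate. The script below is an added example, not from this thread: it exports only the public certificate from the CAS keystore and imports it into the cacerts truststore of the Java installation Zimbra uses. The keystore path, alias and /opt/zimbra/java location are assumptions to override via environment variables; the cacerts password "changeit" is the JDK default.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, override via environment:
#   CAS_KEYSTORE  keystore in which the CAS/JBoss server cert was created with keytool
#   CAS_ALIAS     alias given to that key pair at creation time
#   ZIMBRA_JAVA   the Java installation Zimbra's tomcat really runs on
CAS_KEYSTORE=${CAS_KEYSTORE:-/opt/jboss/server/default/conf/cas.keystore}
CAS_ALIAS=${CAS_ALIAS:-tomcat}
ZIMBRA_JAVA=${ZIMBRA_JAVA:-/opt/zimbra/java}
CACERTS_PASS=${CACERTS_PASS:-changeit}   # JDK default truststore password

# Locate cacerts for a JDK layout (jre/lib/security) or a bare JRE (lib/security).
# Importing into a different JVM than the one tomcat runs is the usual reason the
# import "does not work", so resolve the path from the JVM Zimbra actually uses.
cacerts_for_java_home() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        echo "$1/jre/lib/security/cacerts"
    elif [ -f "$1/lib/security/cacerts" ]; then
        echo "$1/lib/security/cacerts"
    else
        return 1
    fi
}

# Export the public certificate only (never the private key), PEM encoded.
# $1 = keystore password, $2 = output file
export_cas_cert() {
    keytool -export -rfc -alias "$CAS_ALIAS" -keystore "$CAS_KEYSTORE" \
        -storepass "$1" -file "$2"
}

# Import the certificate as a trusted entry into the Zimbra JVM's cacerts and
# confirm the alias is present. Tomcat must be restarted afterwards to pick it up.
# $1 = PEM file produced by export_cas_cert
import_cas_cert() {
    truststore=$(cacerts_for_java_home "$ZIMBRA_JAVA") || return 1
    keytool -import -noprompt -trustcacerts -alias cas-server -file "$1" \
        -keystore "$truststore" -storepass "$CACERTS_PASS"
    keytool -list -keystore "$truststore" -storepass "$CACERTS_PASS" -alias cas-server
}

# Only act when invoked with "run", so sourcing the file defines the functions.
if [ "${1:-}" = "run" ]; then
    export_cas_cert "${CAS_STOREPASS:?set the CAS keystore password}" /tmp/cas-server.pem
    import_cas_cert /tmp/cas-server.pem
fi
```

    If the CAS certificate was issued by a private CA rather than self-signed, import the CA certificate instead, and make sure the hostname in validateUrl matches the certificate's CN or the handshake will fail on a different check.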

  2. #2

    I am heading down the same road .....

    Can you tell me which one of the web.xml files you modified for the CAS redirection, and how?

  3. #3

    You have to modify the following file

    /opt/zimbra/tomcat/conf/zimbra.web.xml.in

    and add the following:

    <filter>
        <filter-name>CAS Filter</filter-name>
        <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
            <param-value>http://yourserver:8080/cas/login</param-value>
        </init-param>
        <init-param>
            <!-- no whitespace inside param-name, or the filter will not find the parameter -->
            <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
            <param-value>https://yourserver:8443/cas/service/serviceValidate</param-value>
        </init-param>
        <init-param>
            <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
            <param-value>zimbraserver:80</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    Let me know if it helps, and when you find out the way to make Zimbra aware of the SSL certificate, please let me know.

    Good luck!

    bdutta.

  4. #4

    Thanks, I modified /opt/zimbra/tomcat/webapps/zimbra/WEB-INF/web.xml .....

    I am using Liferay as the portal. If I can't get it to work, an IFrame might be the other option.

    I'll give it a roll and let you know ......

    Thanks
    Chris

  5. #5
    New To Zimbra & CAS

    Hey guys,

    I am new to both Zimbra & CAS as far as deployment goes. I am wondering how CAS has to be altered in order to work with Zimbra, if at all?

    I guess what is to be determined is whether the user info is stored in Zimbra's LDAP server or somewhere else when using Liferay.
