Brad,

The way that SSL/TLS certificates work, that is more or less true.
If you have a wildcard cert for a domain, or a cert with multiple SANs, there 
might be some way to set a default, but that would be documented in the Tomcat 
project [1].

Personally, I dislike using Java's keytool, so I tend to let Tomcat or Jetty or 
whatever run without certificates and front them with a proxy that will do the 
encryption (e.g. Apache or Nginx).  Then I can manage all my certs in PEM 
format, which I prefer.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

[1] https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
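
One way to set up the TLS-terminating proxy described above, as an added example that is not from this thread: an nginx server block that holds the PEM certificate and key and forwards plain HTTP to a certificate-less Tomcat. The hostname, file paths, and the Tomcat port are assumptions.

```nginx
# Added example: nginx terminates TLS and proxies to Tomcat running without
# certificates. Assumed values: host sso.example.edu, PEM files under
# /etc/ssl/sso, Tomcat's HTTP connector bound to 127.0.0.1:8080.

# Redirect plain HTTP to HTTPS so CAS tickets never travel in the clear.
server {
    listen 80;
    server_name sso.example.edu;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sso.example.edu;

    # PEM-format certificate chain and private key; no Java keystore involved.
    ssl_certificate     /etc/ssl/sso/fullchain.pem;
    ssl_certificate_key /etc/ssl/sso/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Keep browsers on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Tomcat listens on loopback only, so the cleartext hop never leaves the box.
        proxy_pass http://127.0.0.1:8080;

        # Pass the original host and scheme so Tomcat (and the CAS client's
        # serverName / service URLs) generate https:// redirects, not http://.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

On the Tomcat side, bind the HTTP connector to address="127.0.0.1" and add org.apache.catalina.valves.RemoteIpValve with protocolHeader="X-Forwarded-Proto" in server.xml, so that request.isSecure() and redirect URLs reflect the external https scheme.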

----- Original Message -----
From: "Brad" <[email protected]>
To: "CAS Community" <[email protected]>
Sent: Wednesday, August 17, 2016 12:48:22 PM
Subject: [cas-user] Re: Need help with CAS/SSO/LDAP config on Tomcat 8

Given the lack of any coverage on this in the documentation, and void of 
any reply here, is it a reasonable conclusion that there is no 
configuration to secure the entire Tomcat 8 container with CAS, and that 
the only option is securing each individual deployed app WAR via 
configuration within that WAR?

Any confirmation on this would be great. Of course, lack of any doc on 
configuration or general knowledge about it presents its own pragmatic 
support barrier to use even if it is possible, but it would be helpful to 
confirm whether it is possible or not regardless. 

Thanks in advance for any help. 

Brad

On Monday, August 15, 2016 at 4:19:17 PM UTC-7, Brad wrote:
>
> As a first exercise, I configured CAS 4.2.1 on Tomcat 8 / Java 8 using the 
> Maven overlay, configuring the resulting cas.war and the sample Java client 
> webapp (cas-sample-java-webapp) to authenticate against LDAP. I was able to 
> get this working successfully. 
>
> Now that I have this initial configuration working -- which essentially 
> requires every new webapp to be individually configured to use CAS, I would 
> like to transition to secure the entire Tomcat container to use CAS to 
> authenticate against LDAP, such that all deployed webapps are secured with 
> SSO, without requiring any specific configuration in the deployed webapps. 
> I have seen references to this in older versions of the CAS / client 
> documentation, but nothing that really shows definitively how to configure 
> this, or to hit LDAP. I tried throwing a valve in the server's context.xml 
> file as follows: 
>
>   <Valve
>     className="org.jasig.cas.client.tomcat.v8.Cas20CasAuthenticator"
>     encoding="UTF-8"
>     casServerLoginUrl="https://localhost:8443/cas/login"
>     casServerUrlPrefix="https://localhost:8443/cas"
>     serverName="localhost"
>     />
>
> But this just blows up Tomcat on startup -- every webapp startup fails. So 
> I have two questions: 
>
> 1. At this point, is it even possible to set up CAS 4.2.1 on Java 8/Tomcat 
> 8 to authenticate against LDAP using server-wide configuration (i.e. no 
> deployed web-apps need CAS-specific configuration, in other words, any app 
> deployed to that Tomcat instance will be secured behind LDAP-authenticated 
> SSO)? 
> 2. If the answer to #1 is that yes, it is possible, how is this 
> accomplished in Tomcat config? 
>
> Thanks in advance for your help. 
>
> Brad
>

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/68122a6f-b951-45c9-b38c-42c0448bbfdb%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
