Initial CAS configuration

The CAS access manager is a part of the IAM appliance installation which provides authentication for other services in the appliance. As such, it is a mandatory component of the appliance.

Steps to configure CAS
  1. Install CAS

  2. Add trusted certificates

  3. CAS configuration

  4. Start CAS

  5. Configure CzechIdM to authenticate with CAS

Install CAS

CAS is installed automatically during the IAM appliance update to version 0.6. You can find the configuration in this update guide.

If you successfully finished the upgrade to IAM appliance 0.6, you already have CAS configured and do not need to follow this guide.

Add trusted certificates

Certificates are loaded from the /data/volumes-shared/cacerts directory. Each trusted certificate must be located in a separate file in the PEM format. The file names cannot contain spaces, characters with diacritics, or special characters.

CAS configuration

Using nano or vim, edit the CAS configuration file located in /data/registry/node-active-config/docker-compose-cas.yml. The only obligatory change is specifying the hostname on which the appliance is available.

Edit the CAS configuration
- CAS_SERVER_NAME=https://my-appliance.bcv

If you run into problems and need more information in the log, you can change the CAS logging level to DEBUG. In the file /data/registry/node-active-config/docker-compose-cas.yml, change the line

- CAS_LOGGING_LEVEL=INFO

to

- CAS_LOGGING_LEVEL=DEBUG

After you’ve finished solving the issue, change the level back to INFO. Otherwise, the log will fill with useless data and take up a lot of space.

Start CAS

CAS is managed in the same way as the other IAM appliance services, using the command systemctl start/stop/restart iam-cas.service.

Enable the automatic CAS start by using the command systemctl enable iam-cas.service.

Configure CzechIdM to authenticate with CAS

Since appliance version 0.6, CAS authentication is the only supported way for users to authenticate to CzechIdM. You need to configure several items in the CzechIdM configuration file so that the application can talk to CAS properly. Using nano or vim, edit that file, located in /data/registry/node-active-config/docker-compose-czechidm.yml.

Find the properties:

- CZECHIDM_CAS_URL=http://localhost/cas/
- CZECHIDM_CAS_IDM_URL=http://localhost/idm/
- CZECHIDM_CAS_HEADER_PREFIX=http://localhost/idm/?ticket=

In the properties, change localhost to the appliance hostname and http to https, e.g.:

- CZECHIDM_CAS_URL=https://my-appliance.bcv/cas/
- CZECHIDM_CAS_IDM_URL=https://my-appliance.bcv/idm/
- CZECHIDM_CAS_HEADER_PREFIX=https://my-appliance.bcv/idm/?ticket=

After that, restart CzechIdM using the command systemctl restart iam-czechidm.service.
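
A consistency check for the two files edited in this guide, useful to run before restarting the services. This is an added example, not part of the appliance or its documentation. It assumes the settings appear as "- KEY=value" list items as shown above; the function names and the sample compose layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks that the CzechIdM CAS URLs match CAS_SERVER_NAME and use https.
# Assumption: settings are "- KEY=value" list items, as shown in this guide.

# get_env FILE KEY -> prints the value of the first uncommented "- KEY=value" item
get_env() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# check_cas_config CAS_FILE IDM_FILE -> prints findings, returns the number of failures
check_cas_config() {
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    server=$(get_env "$1" CAS_SERVER_NAME)
    case $server in
        https://?*) ;;
        *) fail "CAS_SERVER_NAME must be an https:// URL (got '$server')" ;;
    esac
    base=${server%/}
    # Expected CzechIdM values, derived from the pattern shown in this guide.
    for pair in "CZECHIDM_CAS_URL=$base/cas/" \
                "CZECHIDM_CAS_IDM_URL=$base/idm/" \
                "CZECHIDM_CAS_HEADER_PREFIX=$base/idm/?ticket="; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_env "$2" "$key")
        [ "$got" = "$want" ] || fail "$key is '$got', expected '$want'"
    done
    level=$(get_env "$1" CAS_LOGGING_LEVEL)
    [ "$level" = "DEBUG" ] && echo "WARN: CAS_LOGGING_LEVEL is still DEBUG"
    return "$problems"
}

# Constructed sample: the CzechIdM file still carries one localhost default.
write_sample() {
    printf '%s\n' 'services:' '  cas:' '    environment:' \
        '      - CAS_SERVER_NAME=https://my-appliance.bcv' \
        '      - CAS_LOGGING_LEVEL=DEBUG' > "$1/cas.yml"
    printf '%s\n' '    environment:' \
        '      - CZECHIDM_CAS_URL=https://my-appliance.bcv/cas/' \
        '      - CZECHIDM_CAS_IDM_URL=http://localhost/idm/' \
        '      - CZECHIDM_CAS_HEADER_PREFIX=https://my-appliance.bcv/idm/?ticket=' \
        > "$1/idm.yml"
}

# Usage: sh check.sh docker-compose-cas.yml docker-compose-czechidm.yml
if [ $# -eq 2 ]; then check_cas_config "$1" "$2"; fi
```

The exit status is the number of failed checks, so a result of 0 means the three CzechIdM properties agree with CAS_SERVER_NAME.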