IAM appliance - iam-app-cas

RPM package with CAS access manager support.

This package is built "the usual way" using bcv-rpmbuild container.

Service

This RPM adds cas service into the IAM appliance.

Directory structure

  • /data/volumes/cas/cas.properties.d - directory which holds some persistent (keys) and supplementary configuration for CAS

  • /data/volumes/cas/secrets - directory containing passwords and other secrets

  • /data/volumes/cas/spnego - SPNEGO configuration files (keytab, krb5.conf, login.conf) are located here

  • /data/volumes/cas/saml - CAS-writable directory for SAML2 IdP metadata (and possibly all other SAML-related stuff)

  • /data/volumes/cas/msgcat - application localization overrides

  • /data/volumes/cas/debug - directory for debug dumps, mapped to container directory /opt/debug

  • /data/volumes/cas/scripts - directory to place Groovy scripts into, those scripts are meant to be used by CAS; mapped to container directory /opt/scripts

  • /data/volumes-shared/cas-services - CAS registered services' definitions

  • /data/volumes-shared/cacerts - trusted certificates to import into Java truststore upon application start

  • /data/logs/cas - logs

    • This directory has to have correct SElinux labels. RPM package handles that in its %post phase by executing semanage fcontext …​.

  • /data/volumes-shared/web-proxy-static/cas - static files for CAS branding. Those files are put into the web proxy directory …​/web-proxy-static/cas/ by this RPM package. Web proxy service does not care about it.

Configuration files

  • /data/registry/node-active-config/docker-compose-cas.yml - container compose file

  • /etc/rsyslog.d/10_cas.conf - syslog configuration for the container to send logs to dedicated files on the filesystem

  • /etc/logrotate.d/cas - logrotate configuration

  • /data/volumes/cas/spnego/{krb5.conf,login.conf} - prepackaged templates and configurations for SPNEGO; must be edited by-hand by the administrator

  • /data/volumes/cas/cas.properties.d/000_keys.properties - security keys for all the CAS takones there are. The file is generated during %post phase of RPM installation.

  • /data/volumes/cas/msgcat/custom_messages.properties - override file for English language (and also fallback for unspecified message keys). Files for other languages must be created by-hand (for example custom_messages_cs.properties).

Controlling the service

  • systemd unita is located in /usr/lib/systemd/system/iam-cas.service so the command systemctl start/stop/enable/disable works as expected.

  • Start of the service calls docker-compose …​ up, which starts/creates/recreates the container as needed.

Dependencies

  • Service depends on iam-app-directory-server a iam-app-web-proxy.

    • The iam-directory-server.service must already be running.

    • The web-proxy.service is necessary for web access.