CAS and LAM configuration with Openbravo's users
Introduction
This document explains the steps needed to configure a LAM server and a CAS server so that Openbravo ERP users can log in to Openbravo ERP through the LAM server, which in turn authenticates against the CAS server.
The goal is to have a CAS server that authenticates against the users defined in the Openbravo ERP database, a LAM server that authenticates against that CAS server, and Openbravo ERP configured to authenticate against the LAM server.
Configure Tomcat
Tomcat has to be configured to accept SSL connections. The Tomcat URL must also use a fully qualified host name, for example your.host.com.
On Windows, check your hosts file (C:\WINDOWS\system32\drivers\etc\hosts) to ensure it is set up correctly. For example:
127.0.0.1 por0750.openbravo.com
You will find good documentation on how to configure SSL with Tomcat 5.5 here:
We met many issues trying to configure SSL; below you will find a complete procedure that worked correctly for us.
Example of SSL configuration for Windows
Configuring the CAS server
As defined on its website: The Central Authentication Service (CAS) is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. This section describes the steps to compile and configure the CAS server so that it authenticates against the users of Openbravo ERP; for further details please refer to the CAS server wiki, the user manual and the INSTALL.txt file packaged with the sources.
It is possible to use the precompiled cas.war located in Openbravo's repositories, or to compile and build it manually from the sources; the second option requires Maven to be installed. Using the precompiled war file you get a login window with Openbravo's user interface.
Using the cas.war
Download cas.war and uncompress it into a folder.
Open the WEB-INF/deployerConfigContext.xml file and modify the dataSource bean with your own database configuration. The default configuration is:
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@localhost:1521:orcl</value>
</property>
<property name="username">
<value>TAD</value>
</property>
<property name="password">
<value>TAD</value>
</property>
</bean>
Building from sources
In Openbravo ERP passwords are stored as a SHA-1 hash encoded in Base64. CAS does not support this scheme by default, so a new handler has to be created. Create the Java file of the new handler in the cas-server-support-jdbc/src/main/java/org/jasig/cas/adaptors/jdbc folder, using QueryDatabaseAuthenticationHandler.java as a template and Openbravo's src-core/src/org/openbravo/utils/CryptoSHA1BASE64.java as a reference.
Import three extra Java classes:
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.io.UnsupportedEncodingException;
In the authenticateUsernamePasswordInternal method, replace the call that obtains the encoded password:
// final String encryptedPassword = this.getPasswordEncoder().encode(
//     password);
final String encryptedPassword = hash(password);
Create the hash() method:
public static String hash(String plaintext) {
    MessageDigest md = null;
    try {
        md = MessageDigest.getInstance("SHA"); // SHA-1 digest instance
    } catch (NoSuchAlgorithmException e) {
        return "";
    }
    try {
        md.update(plaintext.getBytes("UTF-8")); // feed the UTF-8 bytes of the password
    } catch (UnsupportedEncodingException e) {
        return "";
    }
    byte raw[] = md.digest(); // 20-byte SHA-1 digest
    try {
        // Base64-encode the digest, the same format Openbravo stores in ad_user
        String hash = new String(org.apache.commons.codec.binary.Base64.encodeBase64(raw), "UTF-8");
        return hash;
    } catch (UnsupportedEncodingException use) {
        return "";
    }
}
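To confirm that a handler built as above produces exactly the value stored in ad_user, the following Python script (added here, not part of the wiki page or of CAS) reimplements the same transformation and the handler's decision rule: SHA-1 over the UTF-8 bytes, Base64 with padding, and a login that succeeds only when the query would return exactly one row whose value matches. The AD_USER dictionary is a constructed stand-in for the query result; the constant-time comparison is an improvement over String.equals() in the Java version.

```python
"""Cross-check for Openbravo's stored-password format: SHA-1 digest of the
UTF-8 password, Base64 encoded, no salt (as in CryptoSHA1BASE64.java)."""
import base64
import hashlib
import hmac


def openbravo_hash(plaintext: str) -> str:
    """Same transformation as the Java hash() method: SHA-1 over the UTF-8
    bytes, then standard Base64 with '=' padding and no line breaks."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed stand-in for the rows returned by
# "select password from ad_user where username = ?" (not real Openbravo data).
# Each value is the list of rows the query would return for that username.
AD_USER = {
    "Openbravo": [openbravo_hash("openbravo")],
    "alice": [openbravo_hash("s3cret")],
    "dup": [openbravo_hash("x"), openbravo_hash("y")],  # two rows: ambiguous
    "locked": [],                                       # no row at all
}


def authenticate(username: str, password: str, table=AD_USER) -> bool:
    """Mirror the handler's decision: the query must return exactly one row
    (the JDBC template handler fails the login for zero or several rows),
    and the stored Base64 string must equal the hash of the supplied
    password. compare_digest avoids leaking the match position via timing."""
    rows = table.get(username, [])
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0], openbravo_hash(password))


if __name__ == "__main__":
    print(openbravo_hash("abc"))                  # qZk+NkcGgWq6PiVxeFDCbJzQ2J0=
    print(authenticate("alice", "s3cret"))        # True
    print(authenticate("dup", "x"))               # False: duplicate rows
```

Because the scheme is unsalted, two users with the same password get identical ad_user values, which is one reason to keep the CAS datasource credentials and the database itself tightly restricted.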
Configuration needed in the cas-server-webapp folder:
- src/main/webapp/WEB-INF/cas.properties file:
- Change the cas.securityContext properties to the host of your CAS server.
- src/main/webapp/WEB-INF/deployerConfigContext.xml file:
- In the authenticationHandlers property, modify the handler bean to use the newly created handler. This bean needs two properties: dataSource, a reference to the bean that defines the datasource of the Openbravo database, and sql, the query that retrieves the encrypted password.
<bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationSHA1Base64">
<property name="dataSource" ref="dataSource" />
<property name="sql" value="select password from ad_user where username = ?" />
</bean>
- Inside the beans tag create a new bean for the datasource; its id has to be the same as the one referenced by the dataSource property of the handler. This is an example for an Oracle installation; for a PostgreSQL database the configuration is analogous:
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>oracle.jdbc.driver.OracleDriver</value>
</property>
<property name="url">
<value>jdbc:oracle:thin:@localhost:1521:orcl</value>
</property>
<property name="username">
<value>TAD</value>
</property>
<property name="password">
<value>TAD</value>
</property>
</bean>
- Modify the pom.xml file to include new dependencies:
- cas-server-support-jdbc to be able to use our handler
- the commons-dbcp library
- the ojdbc connector to be able to connect to Openbravo's Oracle database
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>cas-server-support-jdbc</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
<version>1.2.1</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>ojdbc</groupId>
<artifactId>ojdbc</artifactId>
<version>14</version>
</dependency>
In the pom.xml file of the cas-server-3.2.1 folder include a dependency for the commons-codec library.
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.3</version>
</dependency>
Finally, compile and build cas.war and deploy it in your Tomcat.
Configure the LAM server
To configure the LAM server you can follow the README.txt file found in the downloaded package.
These are the properties that need to be set in the core/src/config.properties file:
- domain: your complete domain (.domain.com)
- cashost: the host name, including the domain, where the CAS server is deployed (mymachine.domain.com)
- casurl: the CAS URL, which must be accessible over SSL (https://mymachine.domain.com:8443/cas)
- file_location: path to the storage_file; your Tomcat user must have write access to it (/tmp/storage_file)
It is also recommended to configure the log4j.properties file in the same folder properly.
After these modifications, generate the war file using the 'ant war' command and deploy it in the desired Tomcat server.
Configure Openbravo ERP
Set authentication.class in Openbravo.properties to the LAM authentication manager (org.openbravo.authentication.lam.LamAuthenticationManager), and add lam.binding.hostname, with the host of the LAM server, to Tomcat's session variables.
See the sign-on document for more specific instructions.
Category: Configuration