Migration to CAS Server 5.0.4

Background

We are upgrading the Apereo CAS servers at UC Berkeley from version 4.1.x to 5.0.4 with some additional features deployed with the help of Unicon, one of the major contributors to the CAS project.

Note: If your CAS client application caches IP addresses beyond the normal DNS TTL, if your firewall rules restrict outbound access to the CAS server's IP address, or if your application's TLS/SSL truststore contains only the CAS server's certificate rather than its issuing CA, the following applies:

To ensure a smooth transition to the new IP address and server certificate for the DNS name auth.berkeley.edu after the DNS change on the morning of 5/15, you may need to restart your application, adjust your firewall rules, and/or update the entries in your application's TLS/SSL truststore. See below for details.

New and improved features for the 5.0.4 release

  • support for CalNet 2-Step Verification to replace the CalNetKey second-level CAS system
  • improved UI engine supporting various mobile devices with the migrated CalNet UI skinning (please test this!)
  • improved UI for SPA selection and general Help
  • delegated authentication (MAP/Slate login)
  • attribute release to CAS client applications
  • support for surrogate authentication using SPAs
  • support for coarse-grained authorization enforcement via affiliations and groups

Progress

The QA tier was updated on April 7 to allow for testing. To test, point your QA CAS client application at the auth-test.berkeley.edu DNS name. The previous QA nodes (cas-t1/t2) will remain available as individual nodes for a transition period.

The production environment will consist of three nodes behind the VIP for the auth.calnet.berkeley.edu DNS name. This new VIP has the IP address 169.229.218.90, which differs from the current VIP used by auth.berkeley.edu. The new cluster will run in parallel with the existing auth.berkeley.edu cluster (see the Timeline below) until the DNS cutover, when auth.berkeley.edu becomes a CNAME alias pointing at the new cluster.

Note that if your CAS client application caches IP address information beyond the normal DNS TTL (for example, a JVM whose networkaddress.cache.ttl security property is set to -1, which caches successful lookups forever), you may need to restart your application after the DNS change early on the morning of 5/15 so that it reaches the new VIP rather than the old one.

SSL/TLS certificate

For the new SSL/TLS certificates, see the CAS SSL certificates page.

CAS URLs for UC Berkeley

For UC Berkeley-affiliated web sites, during CAS authentication your browser's address bar should show auth.berkeley.edu as the host in the URL. For your safety, do not enter your CalNet credentials at any other unverified URL. As further evidence that the site is not spoofed, check that the browser shows the EV certificate for the connection.

Timeline

Period: Starting April 7, until May 15, 2017
  Actions: Test CAS client applications using auth-test.berkeley.edu; please also test mobile devices for good UX with the migrated CalNet skinning UI
  Comments: QA tier running CAS Server 5.0.4

Period: Starting May 15, 2017 at 6 am
  Actions: Validate correct operation of CAS client applications using auth.berkeley.edu
  Comments: Prod tier running CAS Server 5.0.4 under the new VIP 169.229.218.90 and using a new server TLS/SSL certificate

Known Issues and workarounds

  • New IP address for the auth VIP
    Following the DNS update for the CNAME alias, the auth.berkeley.edu DNS name will resolve to the VIP 169.229.218.90. Update any firewall rules that allow outbound traffic only to the old VIP.
  • Updated CAS client app security software and configuration may be needed
    This generally involves two things: (1) updating your OS security libraries (OpenSSL, NSS, Java, etc.) and the language-level libraries that depend on them (e.g. Perl TLS/SSL modules) to their latest vendor releases so that they support modern cryptography, and (2) making sure your TLS configuration does not allow deprecated protocols (e.g. SSLv3) or weak cipher suites (e.g. RC4-MD5).
  • No proxy authentication by default
    By default, proxy authentication (CAS proxy tickets) is disabled for all CAS client applications. Please test, and let us know if it needs to be enabled for your application URL.
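Both the truststore note at the top of this page and item (2) above (deprecated protocols and weak ciphers) can be checked from the client side. The script below is an added example written for this page, not code from the CalNet deployment, Unicon, or the Apereo CAS project. It uses only the Python standard library, takes the host name and VIP from this page, and treats EXPECTED_FINGERPRINT as a placeholder you fill in from the CAS SSL certificates page.

```python
"""Audit a CAS client's TLS settings and inspect what the CAS server presents.

Added example for the CAS 5.0.4 migration page (not CalNet or Apereo CAS code).
Assumes Python 3.7+ with a modern OpenSSL; standard library only.
"""
import hashlib
import socket
import ssl

CAS_HOST = "auth.berkeley.edu"   # DNS name from this page
CAS_PORT = 443
# Placeholder, not a real value: set this to the SHA-256 fingerprint of the new
# server certificate if your application pins the leaf certificate.
EXPECTED_FINGERPRINT = None

# Substrings that identify the weak or deprecated suites the page names (RC4-MD5)
# plus the usual suites no client should offer.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT")


def make_cas_client_context() -> ssl.SSLContext:
    """Hardened client context: OS trust store, chain and hostname checks, TLS 1.2+, no weak ciphers."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    # Forward-secret AEAD suites only; explicitly exclude RC4, MD5, (3)DES, NULL and export suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of configuration item (2) warns about: no chain or hostname verification.

    Built only so audit_context() has something to flag; never use this for CAS traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context meets item (2)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions allowed (minimum is %s)" % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode=%s)" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


def normalize_fingerprint(fp: str) -> str:
    """Strip colons/spaces and upper-case so fingerprints from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated form keytool and openssl print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_cas_server(host: str = CAS_HOST, port: int = CAS_PORT,
                       expected_fingerprint: str = None) -> dict:
    """Connect with the hardened context and report what the server presented.

    Verification is against the OS trust store, so a reissued server certificate
    (as on 5/15) still passes; a truststore holding only the old leaf would not.
    If your application pins the leaf, pass its expected fingerprint and read
    'pin_matches' to see whether the truststore entry needs updating.
    """
    ctx = make_cas_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            fp = cert_fingerprint(der)
            return {
                "peer_ip": tls.getpeername()[0],   # expect 169.229.218.90 after the DNS change
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject.get("commonName"),
                "sha256_fingerprint": fp,
                "pin_matches": None if expected_fingerprint is None
                else normalize_fingerprint(fp) == normalize_fingerprint(expected_fingerprint),
            }


if __name__ == "__main__":
    print("hardened context findings:", audit_context(make_cas_client_context()) or "none")
    print("legacy context findings:  ", audit_context(legacy_client_context()))
    print(inspect_cas_server(expected_fingerprint=EXPECTED_FINGERPRINT))
```

Run it before and after the 5/15 cutover: peer_ip should change to 169.229.218.90 and sha256_fingerprint to the new certificate's value. If audit_context() reports findings for the settings your own application builds, fix them before the cutover; for a Java client the corresponding controls are the jdk.tls.disabledAlgorithms security property and the truststore named by javax.net.ssl.trustStore.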

We welcome reports of any new issues and workarounds.

Contact us

General discussion of CAS client application issues happens on the calnet-developers campus email list/group so all can benefit. The CAS project also has community and developer discussion lists. Send other questions and requests for testing and migration of your individual CASified application to the address found in the Help menu under CalNet Developer Support.