Updating mod_auth_cas for SHA-2 Certificate Replacement

Because releases of mod_auth_cas before 1.0.9.1 cannot properly validate certificate chains, we recommend that anyone using mod_auth_cas update to 1.0.9.1. Below are instructions for upgrading on both Debian and Red Hat operating systems. If you are unable to update, a workaround is also provided, which can be used as a last resort.

Red Hat

Before proceeding, determine which version of mod_auth_cas is installed.

rpm -qa | grep mod_auth_cas

If the installed version is not mod_auth_cas-1.0.9.1-1.el6.x86_64, you will have to update.

      1. Install the EPEL6 repository
        rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

        If you are running RHEL 5, you will have to install a different version of EPEL. Commands to install EPEL 5 as well as further documentation can be found at: https://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F

      2. Update mod_auth_cas via yum
        yum update mod_auth_cas

        You will be prompted to install the package; select yes. You may also be prompted to import the EPEL GPG key (similar to the prompt below); select yes.

        warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
        Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
        Importing GPG key 0x0608B895:
         Userid : EPEL (6) <epel@fedoraproject.org>
         Package: epel-release-6-8.noarch (installed)
         From   : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
        Is this ok [y/N]:
      3. You will now need to update your mod_auth_cas configuration in Apache. This file is usually /etc/httpd/conf.d/cas.conf, but it may live elsewhere.
        If you have trouble locating the file, run the grep command below.

        grep -ir "CASCertificatePath" /etc/httpd

        Once you have located the file, make sure that CASCertificatePath specifies the default CA Bundle: /etc/pki/tls/certs/ca-bundle.crt

        CASCertificatePath /etc/pki/tls/certs/ca-bundle.crt
      4. Apache will now have to be restarted for the changes to take effect.
        service httpd restart

Debian

Before proceeding with the update, check which version of mod_auth_cas you are running.

dpkg -l | grep libapache2-mod-auth-cas

If you are not running version 1.0.9.1, you will need to update. Wheezy should already be running the proper version; only Squeeze should be affected.

    1. Install prerequisite packages
      apt-get install apache2-dev libcurl4-openssl-dev dh-autoreconf
    2. Obtain the 1.0.9.1 release from GitHub via the link below, and transfer the compressed archive (.zip or .tar.gz) to your server.
      https://github.com/Jasig/mod_auth_cas/releases/tag/v1.0.9.1
    3. Create a working directory, and unpack the archive into it
    4. Remove the previous installation of mod_auth_cas
      apt-get remove libapache2-mod-auth-cas
    5. Compile and install
      autoreconf -iv
      ./configure --with-apxs=/usr/bin/apxs2
      make
      make install
    6. Create a directory to be used as a cache
      mkdir /var/cache/apache2/mod_auth_cas; chown www-data:www-data /var/cache/apache2/mod_auth_cas/
    7. Create or edit the CAS configuration file /etc/apache2/mods-available/auth_cas.conf and add the configuration below
      <IfModule !mod_auth_cas.c>
          LoadModule          auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
      </IfModule>
      CASCookiePath       /var/cache/apache2/mod_auth_cas/
      CASLoginURL         https://login.uconn.edu/cas/login
      CASValidateURL      https://login.uconn.edu/cas/serviceValidate
      CASProxyValidateURL https://login.uconn.edu/cas/proxyValidate
      CASCertificatePath  /etc/ssl/certs
      CASIdleTimeout 14400
      CASTimeout 14400
      
    8. Apache will now have to be restarted for the changes to take effect.
      service apache2 restart
    9. Clean up the source files. You can safely delete the directory containing the mod_auth_cas source if you wish.

Certificate Chain Workaround

If you are unable to update your version of mod_auth_cas, you can specify the certificate chain manually. This workaround may break CAS at a future certificate upgrade; updating mod_auth_cas and using a CA root bundle is preferred. The bundle linked below will work for both the current CAS certificate and the new InCommon SHA-2 certificate.

  1. Download the certificate bundle from the link below, and upload it to your server.
    http://iam.uconn.edu/uconn-cas-workaround-2014.crt
  2. Place the certificate bundle in a location that Apache can access (/etc/ssl/certs or /etc/pki/tls/certs/)
  3. Locate the CAS configuration file. If you have trouble locating it, run the grep command for your platform below.
    grep -ir "CASCertificatePath" /etc/httpd #RHEL
    grep -ir "CASCertificatePath" /etc/apache2 #Debian
  4. Update CASCertificatePath with the location of uconn-cas-workaround-2014.crt. Make sure you specify the path to the file itself, not just the directory containing it (see example below).
    CASCertificatePath  /etc/ssl/certs/uconn-cas-workaround-2014.crt
  5. Apache will now have to be restarted for the changes to take effect.
    service apache2 restart #Debian
    service httpd restart #RHEL
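A post-upgrade check for the procedures above, added here as an example and not part of these instructions: it applies the 1.0.9.1 threshold to an rpm/dpkg version string, reads CASCertificatePath from an Apache config, and reports whether that path is a CA bundle file, a certificate directory, or missing (the workaround requires the path to the file itself). The config it parses is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Post-upgrade checks for mod_auth_cas (added example, not part of the original
# page). Assumes a version string as printed by rpm/dpkg and an Apache config
# that sets CASCertificatePath; the sample config written below is constructed.
MIN_VERSION="1.0.9.1"   # first release that validates certificate chains correctly

# version_lt A B: succeeds when dotted version A is older than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# needs_update VERSION: prints yes/no; strips a package release suffix (-1.el6)
needs_update() {
    if version_lt "${1%%-*}" "$MIN_VERSION"; then echo yes; else echo no; fi
}

# cas_cert_path CONF: value of the last uncommented CASCertificatePath directive
cas_cert_path() {
    awk '$1 == "CASCertificatePath" { p = $2 } END { print p }' "$1"
}

# cert_path_kind PATH: "dir", "bundle" (PEM file with a certificate) or "missing"
cert_path_kind() {
    if [ -d "$1" ]; then echo dir
    elif [ -f "$1" ] && grep -q "BEGIN CERTIFICATE" "$1"; then echo bundle
    else echo missing; fi
}

# write_sample_conf FILE: constructed cas.conf used for the demonstration
write_sample_conf() {
    cat > "$1" <<'EOF'
# CASCertificatePath /etc/ssl/certs/old-single-cert.crt
CASValidateURL      https://login.example.edu/cas/serviceValidate
CASCertificatePath  /etc/pki/tls/certs/ca-bundle.crt
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
echo "1.0.8.1 needs update: $(needs_update 1.0.8.1)"   # yes
p=$(cas_cert_path "$conf"); echo "CASCertificatePath $p: $(cert_path_kind "$p")"
rm -f "$conf"
```

Run it on a real host by replacing the sample config path with your cas.conf and feeding the version from `rpm -qa` or `dpkg -l` to needs_update.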