CAS 6.5 Migration

Pre-requisites

Before you begin your migration, be sure you meet the following pre-requisites:

  • A working PAM deployment with the Federated Sign-In experience.
  • In order to check the version of CAS you are on, login to PAM and navigate to Management> About and check value under "Authentication" . If you are on CAS 5, the value will be CAS 5.2x.
  • An operational PAM deployment with the latest version. Please update to the latest available version before proceeding.

Considerations

  • The user performing the migration will be required to update files and configurations on the PAM host server. Administrative privileges are required.

  • We highly recommend deploying a test instance of PAM that mirrors your production instance as closely as possible to test the migration (DB type, Federated Sign-In, certificates, MFA/SSO, AD Integration, etc).

  • Once the migration is successful with the test instance you can reproduce the procedure on your production instance.

 

Please read the entire procedure outlined in the article before beginning. If you have any questions, please contact our Support team: https://support.imprivata.com/.

Migration from CAS 5.2x to CAS 6.5

  1. Configure PAM with the Federated Sign-In module and ensure that it is working properly.

  2. Login to PAM host server.

  3. Execute the following command from $PAM_HOME:

    4. For Windows deployments:

    Copy 
    bin\PamDirectory.cmd SwitchCASVersion web 65

    For Unix or Linux deployments:

    Copy 
    bin/PamDirectory.sh SwitchCASVersion web 65

  4. Stop the PamManagement (Windows) or the pammanager (Linux) service. PAM will be offline until this procedure is completed.

  5. Open a prompt and navigate to the $PAM_HOME directory and delete the old version of CAS:

    1. Delete (or move) the file $PAM_HOME/web/webapps/cas.war (move this file outside of $PAM_HOME folder, please do not rename it in the same folder).

    2. Delete (or move) the folder $PAM_HOME/web/webapps/cas (move this file outside of $PAM_HOME folder, please do not rename ti in the same folder).

  6. Download a new CAS 6.5 file https://bin.xtontech.com/product/pam-cas.65.zip and extract the cas.war to $PAM_HOME/web/webapps.

  7. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor. In this file, locate the section that begins with #CAS add the following new parameters:

    1. for AzureAD and ADFS integrations add the following line (with the right index):

      Copy 
      cas.authn.pac4j.saml[0].useNameQualifier=false

    2. for ADFS integrations add the following line (with the right index):

      Copy 
      cas.authn.pac4j.saml[0].sign-service-provider-logout-request=true

    3. for ADFS Relaying party add configuration in ADFS Relaying Party Trusts in the tab Endponts add SAML:

    Copy 
    Endpoint Type: SAML Logout
    Binding: Redirect
    Trusted URL: {managed path}/cas/logout
    Response URL: {managed path}/cas/logout

  8. Save and close the catalina.properties file when you are finished.

  9. Start the PamManagement (Windows) or the pammanager (Linux) service and try your updated authentication login.

Testing CAS 6.5

  1. When the service is fully restarted, open your browser, and navigate to the PAM login page.

  2. Login to PAM.

Rollback from CAS 6.5 to CAS 5.2

  1. Stop the PamManagement (Windows) or the pammanager (Linux) service. PAM will be offline until this procedure is completed.

  2. Open a prompt and navigate to the $PAM_HOME directory and delete the old version of CAS.

    1. Delete (or move) the file $PAM_HOME/web/webapps/cas.war (move this file outside of $PAM_HOME folder, please do not rename it in the same folder).

    2. Delete (or move) the folder $PAM_HOME/web/webapps/cas (move this file outside of $PAM_HOME folder, please do not rename it in the same folder).

  3. Restore the file cas.war for CAS 5.2 to $PAM_HOME/web/webapps from the backup location or download the latest from:

    4. https://bin.xtontech.com/product/pam-cas.zip.

  4. Execute the following command to switch PAM configuration to CAS 5.2:

    5. For Windows deployments:

    Copy 
    bin\PamDirectory.cmd SwitchCASVersion web 52

    For Unix or Linux deployments:

    Copy 
    bin/PamDirectory.sh SwitchCASVersion web 52

  5. Start the PamManagement (Windows) or the pammanager (Linux) service.

CAS 6.5 Troubleshooting

Application not Authorized error message

Aplication-Not-Authorized-Message.png

  1. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor. In this file, locate the section that begins with #CAS and change the following parameter set it to true:

    2. Copy 
    cas.serviceRegistry.initFromJson=true

  2. Restart the PamManagement (Windows) or the pammanager (Linux) service.

  3. Once PAM is working and you can see the usual CAS login page, back to the file $PAM_HOME/web/conf/catalina.properties in a text editor. Find the section that begins with #CAS and change cas.serviceRegistry.initFromJson parameter back to false:

    Copy 
    cas.serviceRegistry.initFromJson=false

  4. Restart the PamManagement (Windows) or the pammanager (Linux) service.