Question

I overheard a conversation where 2 developers were talking about an authentication system they were building, and they were talking about a Java "key store" and also mentioned a "CAS server" as well as SSL. I went to the JASIG CAS website and it seems that it's used for authentication systems where you want to control user logins and sessions. It seems that the Java keystore is a file (an embedded DB perhaps?) that stores encrypted CA certificates.

I'm trying to figure out how these 3 technologies could be used together to create a secure, Java-based authentication system.

So would a web app use the CAS client (in my case Java) to communicate with a running instance of the CAS server? If so, where and how do the keystore and SSL cert snap into the architecture? Does CAS store the SSL cert in the keystore, and then use it with the backend directory (ActiveDirectory, etc.) somehow? Can someone just give me a high-level overview of how this would all come together?


Solution

CAS central authentication is largely orthogonal to SSL and its keystores and certificating authorities. CAS is a way to allow multiple services to share one authentication server, so users can sign on only once at a central authentication server. Connections to the services and the central authentication server can of course be encrypted using SSL, just like other network connections. Using SSL necessitates the use of keystores and trust stores to store the keys and trust certificates, including CA (certificating authority) certificates.
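To make the "orthogonal" point concrete, here is an added example (not code from the question, the answer, or the CAS project) of the one place where the three pieces touch in a CAS client web app: the app loads its own trust store, which holds the CA certificate that signed the CAS server's SSL certificate, and uses it for the TLS connection over which it asks the CAS server to validate a service ticket. The trust store path and password, the CAS and service URLs, and the ticket value are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CasTicketValidator {
    // Build an SSLContext that trusts only the CA certificates in our own trust store.
    // Path and password are hypothetical; in practice read them from configuration.
    static SSLContext sslContextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS or PKCS12
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: we only verify the server
        return ctx;
    }

    // Ask the CAS server whether the service ticket the browser brought us is genuine.
    // The CAS 2.0 /serviceValidate endpoint answers with XML containing either
    // <cas:authenticationSuccess> or <cas:authenticationFailure>.
    static String validateServiceTicket(String casBase, String service, String ticket,
                                        SSLContext ctx) throws Exception {
        URL url = new URL(casBase + "/serviceValidate"
            + "?service=" + URLEncoder.encode(service, "UTF-8")
            + "&ticket=" + URLEncoder.encode(ticket, "UTF-8"));
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // handshake checked against our trust store
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical values: trust store with the CA that signed the CAS server's certificate,
        // the CAS server base URL, this app's own service URL, and a ticket from the redirect.
        SSLContext ctx = sslContextFromTrustStore("/etc/myapp/cas-truststore.jks", "changeit".toCharArray());
        String xml = validateServiceTicket("https://cas.example.org/cas",
                                           "https://app.example.org/login", args[0], ctx);
        System.out.println(xml.contains("<cas:authenticationSuccess>") ? "ticket valid" : "ticket rejected");
    }
}
```

The CAS server's own keystore (holding its private key and certificate) and any trust store it uses toward a backend directory are separate concerns on the server side; the client app only needs the CA certificate that lets it verify the server.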

Licensed under: CC-BY-SA with attribution