- You should be able to put the alias definition into the deployerConfigContext.xml file. I have updated the docs to note this.
- Your encryption key is of the wrong size. Check with the docs on the key length.
- Also a bug in the docs: remove the seed.

-- Misagh

From: John Bradley <[email protected]>
Reply: John Bradley <[email protected]>
Date: August 8, 2016 at 9:05:04 AM
To: CAS Community <[email protected]>
Subject: [cas-user] Ticket encryption using Memcached not working

I am working on a clustered CAS 4.2.4 installation (deployed to two Linux-based Tomcat servers) based on the overlay template at https://github.com/Jasig/cas-overlay-template.git. I am using two Memcached instances for ticket management. These Memcached instances are on separate servers in different networks, so encrypting and signing tickets would be desirable.

I have tried modifying the template following the guide at https://apereo.github.io/cas/4.2.x/installation/Ticket-Registry-Replication-Encryption.html, but I have had no luck. The template itself does not include a ticketRegistry.xml file, but I was able to find one from another CAS admin's repository that happened to work. Simply following the guide after that produced a WAR file that would deploy, start up, and (as far as I can tell) facilitate authentication just fine, but the following errors would be thrown around the time when ticket storage would occur (I'll keep the stack traces brief):

ERROR org.jasig.cas.util.ShiroCipherExecutor - Unable to init cipher instance.
org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
    at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
    ...
Caused by: java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]
    ...

ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
java.lang.RuntimeException: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
    at org.jasig.cas.util.ShiroCipherExecutor.encode_aroundBody0(ShiroCipherExecutor.java:59) ~[cas-server-core-util-4.2.4.jar:4.2.4]
    ...
Caused by: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
    at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
    ...
Caused by: java.security.InvalidKeyException: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]

Here are the relevant settings in cas.properties:

#Ticket Registry
#Secret key to use when encrypting tickets in a distributed ticket registry.
ticket.encryption.secretkey=4nCSlWrHH36AqpM8jcs7gwuGsetXwKpZ
#Seed to use when encrypting tickets in a distributed ticket registry.
ticket.encryption.seed=QjDk7dFzr7oTPzw9hbLdP6WTg8dnDoAs
#Secret key to use when signing tickets in a distributed ticket registry.
#By default, must be a octet string of size 512.
ticket.signing.secretkey=fMGDPz1bgNRtIcFFNZWnI1X83wuNpamcnE1vj8_h_uF1DErSZnhfH-vR7e3mt14PgV0f5GHA-k-b2_Jr4m67Cg
#Secret key algorithm used
ticket.secretkey.alg=AES

memcached.servers=first.server.domain:11211,second.server.domain:11211
memcached.hashAlgorithm=FNV1_64_HASH
memcached.protocol=BINARY
memcached.locatorType=ARRAY_MOD
memcached.failureMode=Redistribute

I have tried adding the Cryptography Extension to the Java (1.8.0_92) libraries and changing the keys in cas.properties, with no luck. Before I resort to tunneling, does anyone have any ideas on how to fix this?

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b980942a-e415-46f6-8e00-6bdd4cee9db5%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
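
A way to check the key-length point raised in the reply, as an added example that is not part of the original thread and not CAS code: it reports whether the running JVM accepts an AES key of the configured length, using `Cipher.getMaxAllowedKeyLength`. It assumes the `ticket.encryption.secretkey` text is used as raw key bytes, one byte per character; the class name `AesKeySizeCheck` is hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.util.Properties;

// Added diagnostic, not CAS code.
// Assumption: the property text is used as raw key bytes (UTF-8), one byte per character.
public class AesKeySizeCheck {

    /** Reports whether this JVM accepts an AES key of the given length. */
    static String check(byte[] keyBytes) throws Exception {
        int bits = keyBytes.length * 8;
        if (bits != 128 && bits != 192 && bits != 256) {
            return bits + " bits: not an AES key length (128, 192 or 256 required)";
        }
        // 128 under the limited JCE jurisdiction policy, Integer.MAX_VALUE when unlimited.
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"));
            return bits + " bits: accepted (policy maximum " + maxBits + ")";
        } catch (InvalidKeyException e) {
            return bits + " bits: rejected, policy maximum " + maxBits + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version")
                + " java.home=" + System.getProperty("java.home"));
        if (args.length == 1) {
            // Path to cas.properties; only the key length is printed, never the key.
            Properties props = new Properties();
            try (InputStream in = new FileInputStream(args[0])) {
                props.load(in);
            }
            String key = props.getProperty("ticket.encryption.secretkey", "");
            System.out.println(key.length() + " chars -> " + check(key.getBytes(StandardCharsets.UTF_8)));
            return;
        }
        // Constructed placeholder strings that only exercise the lengths; not usable as keys.
        for (String s : new String[] {"0123456789abcdef", "0123456789abcdef0123456789abcdef", "short"}) {
            System.out.println(s.length() + " chars -> " + check(s.getBytes(StandardCharsets.UTF_8)));
        }
    }
}
```

Run it with the same JRE that Tomcat uses: the stack trace above reports 1.8.0_71, while the message mentions adding the Cryptography Extension to 1.8.0_92.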
