My end goal is to encrypt the client secret in my service json registry as
suggested here:
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus
So far it isn't working for me. In an effort to troubleshoot, I tried starting
with trying to just encrypt some configuration properties:
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html#standalone
That also is not working for me.
In an effort to simplify what I was looking at, I started with a clean download
of the cas-overlay-template. I started with the server.ssl.enabled property
just for the sake of the test, but other properties seem to have the same
problem. I added an application.yml file to src/main/resources with a single
property in it:
server:
  ssl:
    enabled: '{cas-cipher}bRgoFJzNOBogeWGrty800g=='
I got the encrypted value from running the cas commandline shell:
cas>encrypt-value --alg PBEWithMD5AndTripleDES --iterations 1000 --provider SunJCE --password siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ --value false
==== Encrypted Value ====
{cas-cipher}bRgoFJzNOBogeWGrty800g==
And I started my cas server like this:
java -jar build/libs/cas.war \
  --cas.standalone.configurationSecurity.alg=PBEWithMD5AndDES \
  --cas.standalone.configurationSecurity.provider=SunJCE \
  --cas.standalone.configurationSecurity.iterations=1000 \
  --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ
The start of the CAS log looks like this:
2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>
CAS Version: 6.2.5
CAS Branch: 6.2.x
CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
CAS Build Date/Time: 2020-11-03T03:51:10Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.6.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-amd64
Java Vendor: Ubuntu
Java Version: 11.0.9.1
JVM Free Memory: 504 MB
JVM Maximum Memory: 9 GB
JVM Total Memory: 924 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-54-generic
OS Date/Time: 2020-11-18T11:51:35.335785
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.39
------------------------------------------------------------
2020-11-18 11:51:35,359 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
2020-11-18 11:51:35,360 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
2020-11-18 11:51:35,367 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
2020-11-18 11:51:35,369 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
2020-11-18 11:51:35,369 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2020-11-18 11:51:35,382 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
2020-11-18 11:51:35,389 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}bRgoFJzNOBogeWGrty800g==]>
org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[jasypt-1.9.3.jar!/:?]
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[jasypt-1.9.3.jar!/:?]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValuePropagateExceptions(CasConfigurationJasyptCipherExecutor.java:215) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValue(CasConfigurationJasyptCipherExecutor.java:196) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:154) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:22) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.util.crypto.CipherExecutor.lambda$decode$0(CipherExecutor.java:120) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at java.util.concurrent.ConcurrentHashMap.forEach(ConcurrentHashMap.java:1603) ~[?:?]
    at java.util.Properties.forEach(Properties.java:1443) ~[?:?]
    at org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:117) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.BaseConfigurationPropertiesLoader.decryptProperties(BaseConfigurationPropertiesLoader.java:46) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader.load(YamlConfigurationPropertiesLoader.java:36) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.loadEmbeddedYamlOverriddenProperties(DefaultCasConfigurationPropertiesSourceLocator.java:153) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.locate(DefaultCasConfigurationPropertiesSourceLocator.java:71) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration.locate(CasCoreBootstrapStandaloneConfiguration.java:52) ~[cas-server-core-configuration-6.2.5.jar!/:6.2.5]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:97) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80) ~[cas-server-webapp-init-6.2.5.jar!/:6.2.5]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[cas.war:?]
    at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58) ~[cas.war:?]
2020-11-18 11:51:35,405 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
2020-11-18 11:51:35,613 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
2020-11-18 11:51:38,925 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties
    cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")
Listed settings above are no longer recognized by CAS 6.2.5. They may have been renamed, removed, or relocated to a new address in the CAS configuration schema. CAS will ignore such settings and will proceed with its normal initialization sequence. Please consult the CAS documentation to review and adjust each setting to find an alternative or remove the definition. Failure to do so puts the stability of the CAS server deployment in danger and complicates future upgrades.
Unfortunately, for security reasons, jasypt gives no details as to why the
decryption failed. I've tried several different things, but haven't gotten the
decryption working. The above error isn't the only one I've seen, but it seems
to be the exception I'm seeing when I think that my steps should be correct.
I do see the error from
org.apereo.cas.configuration.CasConfigurationPropertiesValidator at the end of
the log, and that seems to be a discrepancy between the code, the
documentation, and the configuration-model. However, I don't think it is
relevant to this problem because the CasConfigurationJasyptCipherExecutor seems
to load the configuration directly from the property names, instead of using
the configuration model.
Figuring out how to encrypt properties would be nice, but my ultimate goal is
trying to encrypt the clientSecret in the service json file for an oauth
service. That isn't working for me either.
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus
If it isn't worth trying to figure out configuration encryption, then I can
provide more details about the problems I'm having trying to configure an
encrypted clientSecret.
Thanks for any insights.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/665046e6-7f63-0d36-1568-24926a270c2c%40eoriginal.com.
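Because Jasypt deliberately reports nothing beyond EncryptionOperationNotPossibleException, the quickest way to isolate which of the algorithm, password or iteration settings a CAS deployment has wrong is to drive the same Jasypt API CAS uses outside the server. The program below is an added example, not code from the message above or from CAS; it assumes jasypt 1.9.3 (the version in the stack trace) on the classpath, uses a constructed password, and exercises the two algorithm names that appear in the message, PBEWithMD5AndTripleDES and PBEWithMD5AndDES, to show that a value encrypted under one algorithm only decrypts under the same one.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

/** Reproduces CAS's {cas-cipher} decryption path with plain Jasypt, so the
 *  algorithm/password/iterations triple can be checked without restarting CAS. */
public class JasyptAlgorithmCheck {

    // Constructed test password; in a deployment use the same password given to encrypt-value.
    static final String PASSWORD = "change-me-test-password";

    /** Same settings CAS reads from cas.standalone.configurationSecurity.* at startup. */
    static StandardPBEStringEncryptor encryptor(String algorithm) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setAlgorithm(algorithm);
        e.setProviderName("SunJCE");
        e.setKeyObtentionIterations(1000);
        e.setPassword(PASSWORD);
        return e;
    }

    /** Returns the plaintext, or null when Jasypt refuses (the log's "Could not decrypt value"). */
    static String tryDecrypt(String algorithm, String base64Cipher) {
        try {
            return encryptor(algorithm).decrypt(base64Cipher);
        } catch (EncryptionOperationNotPossibleException ex) {
            // Jasypt hides the cause on purpose: a wrong algorithm, password or iteration
            // count all derive a wrong key, the padding check fails and this is all you get.
            return null;
        }
    }

    public static void main(String[] args) {
        // Equivalent of: cas> encrypt-value --alg PBEWithMD5AndTripleDES --iterations 1000
        //                    --provider SunJCE --password ... --value false
        String cipher = encryptor("PBEWithMD5AndTripleDES").encrypt("false");
        System.out.println("{cas-cipher}" + cipher);

        // Startup configured with alg=PBEWithMD5AndDES: key derivation differs, decrypt fails
        // (barring a roughly 1-in-256 chance that garbage happens to carry valid padding).
        System.out.println("PBEWithMD5AndDES       -> " + tryDecrypt("PBEWithMD5AndDES", cipher));

        // Startup configured with the same algorithm the shell used: "false" comes back.
        System.out.println("PBEWithMD5AndTripleDES -> " + tryDecrypt("PBEWithMD5AndTripleDES", cipher));
    }
}
```

Run it with the real password and the real {cas-cipher} value (minus the prefix) in place of the constructed ones; whichever of the three settings makes tryDecrypt return the plaintext is the one CAS has to be started with.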