Hello,

In case it helps others, to encrypt/sign the "clientSecret" in an OIDC service, you have to use the following command in the CAS Shell:

cipher-text --value secret --encryption-key <value of cas.authn.oauth.crypto.encryption.key property> --encryption-key-size <value of cas.authn.oauth.crypto.encryption.key-size property, default: 256> --signing-key <value of cas.authn.oauth.crypto.signing.key property> --signing-key-size <value of cas.authn.oauth.crypto.signing.key-size property, default: 512>

Then you can use the produced "encoded value" prefixed by {cas-cipher}.

-Frederic


On Wednesday, November 18, 2020 at 7:21:26 PM UTC+1 Ken Hopkins wrote:

> Thanks Ray.
> The first four lines of the cas log seem to suggest that the configuration 
> is being read properly:
> 2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
> 2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>
>
> However, you may be on to something.  I removed the provider and algorithm 
> from my start-up command:
> java -jar build/libs/cas.war --cas.standalone.configurationSecurity.iterations=1000 --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ
>
> The start of the log now looks like:
>
> *2020-11-18 13:11:25,966 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
> 2020-11-18 13:11:25,971 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
> 2020-11-18 13:11:25,973 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>*
>
>      _    ____  _____ ____  _____ ___     ____    _    ____  
>     / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___| 
>    / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \ 
>   / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
>  /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/ 
>                                                              
>
> CAS Version: 6.2.5
> CAS Branch: 6.2.x
> CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
> CAS Build Date/Time: 2020-11-03T03:51:10Z
> Spring Boot Version: 2.2.8.RELEASE
> Spring Version: 5.2.6.RELEASE
> Java Home: /usr/lib/jvm/java-11-openjdk-amd64
> Java Vendor: Ubuntu
> Java Version: 11.0.9.1
> JVM Free Memory: 560 MB
> JVM Maximum Memory: 9 GB
> JVM Total Memory: 1022 MB
> JCE Installed: Yes
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 5.4.0-54-generic
> OS Date/Time: 2020-11-18T13:11:26.595293
> OS Temp Directory: /tmp
> ------------------------------------------------------------
> Apache Tomcat Version: Apache Tomcat/9.0.39
> ------------------------------------------------------------
>
>
> 2020-11-18 13:11:26,621 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
> 2020-11-18 13:11:26,621 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
> 2020-11-18 13:11:26,633 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
>
> *2020-11-18 13:11:26,635 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
> 2020-11-18 13:11:26,635 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
> 2020-11-18 13:11:26,647 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
> 2020-11-18 13:11:26,655 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted value [bRgoFJzNOBogeWGrty800g==] successfully.>
> 2020-11-18 13:11:26,655 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted key [server.ssl.enabled] successfully>*
> 2020-11-18 13:11:26,672 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
> 2020-11-18 13:11:26,870 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
> 2020-11-18 13:11:29,896 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
> 2020-11-18 13:11:29,896 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
> 2020-11-18 13:11:29,921 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
>
> Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties
>
>     cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")
>
> Listed settings above are no longer recognized by CAS 6.2.5. They may have 
> been renamed, removed, or relocated to a new address in the CAS 
> configuration schema. CAS will ignore such settings and will proceed with 
> its normal initialization sequence. Please consult the CAS documentation to 
> review and adjust each setting to find an alternative or remove the 
> definition. Failure to do so puts the stability of the CAS server 
> deployment in danger and complicates future upgrades.
> >
>
>
> I've bolded a couple of important things to note.  And my server came up.  
> Wow, looking back it looks like I was specifying the wrong algorithm when I 
> started the server.  DES instead of TripleDES.  Doh.
>
> Well, that's good.  Thanks Ray.
>
> I'll see if this gets me any closer to getting encryption to work in the 
> oauth service registry.
>
> On Wednesday, November 18, 2020 at 12:57:00 PM UTC-5 Ray Bon wrote:
>
>> Kenneth,
>>
>> Perhaps the properties need to be set in the config file (if jasypt is 
>> reading directly), maybe the encryption bit size or algorithm.
>>
>> Ray
>>
>> On Wed, 2020-11-18 at 12:22 -0500, Kenneth Hopkins wrote:
>>
>> My end goal is to encrypt the client secret in my service json registry 
>> as suggested here: 
>> https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus
>>
>> So far it isn't working for me.  In an effort to troubleshoot, I tried 
>> starting with trying to just encrypt some configuration properties: 
>> https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html#standalone
>>
>> That also is not working for me.
>>
>> In an effort to simplify what I was looking at, I started with a clean 
>> download of the cas-overlay-template.  I started with the 
>> server.ssl.enabled property just for the sake of the test, but other 
>> properties seem to have the same problem.  I added an *application.yml* 
>> file to *src/main/resources* with a single property in it:
>>
>> server:
>>   ssl:
>>     enabled: '{cas-cipher}bRgoFJzNOBogeWGrty800g=='
>>
>> I got the encrypted value from running the cas commandline shell:
>>
>> cas>encrypt-value --alg PBEWithMD5AndTripleDES --iterations 1000 --provider SunJCE --password siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ --value false
>> ==== Encrypted Value ====
>> {cas-cipher}bRgoFJzNOBogeWGrty800g==
>>
>> And I started my cas server like this:
>>
>> java -jar build/libs/cas.war --cas.standalone.configurationSecurity.alg=PBEWithMD5AndDES --cas.standalone.configurationSecurity.provider=SunJCE --cas.standalone.configurationSecurity.iterations=1000 --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ
>>
>> The start of the CAS log looks like this:
>>
>> 2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
>> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
>> 2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
>> 2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>
>>
>>
>>      _    ____  _____ ____  _____ ___     ____    _    ____  
>>     / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___| 
>>    / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \ 
>>   / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
>>  /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/ 
>>                                                              
>>
>> CAS Version: 6.2.5
>> CAS Branch: 6.2.x
>> CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
>> CAS Build Date/Time: 2020-11-03T03:51:10Z
>> Spring Boot Version: 2.2.8.RELEASE
>> Spring Version: 5.2.6.RELEASE
>> Java Home: /usr/lib/jvm/java-11-openjdk-amd64
>> Java Vendor: Ubuntu
>> Java Version: 11.0.9.1
>> JVM Free Memory: 504 MB
>> JVM Maximum Memory: 9 GB
>> JVM Total Memory: 924 MB
>> JCE Installed: Yes
>> OS Architecture: amd64
>> OS Name: Linux
>> OS Version: 5.4.0-54-generic
>> OS Date/Time: 2020-11-18T11:51:35.335785
>> OS Temp Directory: /tmp
>> ------------------------------------------------------------
>> Apache Tomcat Version: Apache Tomcat/9.0.39
>> ------------------------------------------------------------
>>
>>
>> 2020-11-18 11:51:35,359 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
>> 2020-11-18 11:51:35,360 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
>> 2020-11-18 11:51:35,367 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
>> 2020-11-18 11:51:35,369 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
>> 2020-11-18 11:51:35,369 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
>> 2020-11-18 11:51:35,382 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
>> 2020-11-18 11:51:35,389 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}bRgoFJzNOBogeWGrty800g==]>
>> org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
>>     at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[jasypt-1.9.3.jar!/:?]
>>     at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[jasypt-1.9.3.jar!/:?]
>>     at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValuePropagateExceptions(CasConfigurationJasyptCipherExecutor.java:215) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValue(CasConfigurationJasyptCipherExecutor.java:196) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:154) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:22) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.util.crypto.CipherExecutor.lambda$decode$0(CipherExecutor.java:120) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
>>     at java.util.concurrent.ConcurrentHashMap.forEach(ConcurrentHashMap.java:1603) ~[?:?]
>>     at java.util.Properties.forEach(Properties.java:1443) ~[?:?]
>>     at org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:117) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.loader.BaseConfigurationPropertiesLoader.decryptProperties(BaseConfigurationPropertiesLoader.java:46) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader.load(YamlConfigurationPropertiesLoader.java:36) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.loadEmbeddedYamlOverriddenProperties(DefaultCasConfigurationPropertiesSourceLocator.java:153) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.locate(DefaultCasConfigurationPropertiesSourceLocator.java:71) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
>>     at org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration.locate(CasCoreBootstrapStandaloneConfiguration.java:52) ~[cas-server-core-configuration-6.2.5.jar!/:6.2.5]
>>     at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
>>     at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
>>     at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:97) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
>>     at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
>>     at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
>>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
>>     at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
>>     at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80) ~[cas-server-webapp-init-6.2.5.jar!/:6.2.5]
>>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>>     at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[cas.war:?]
>>     at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[cas.war:?]
>>     at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[cas.war:?]
>>     at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58) ~[cas.war:?]
>> 2020-11-18 11:51:35,405 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
>> 2020-11-18 11:51:35,613 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
>> 2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
>> 2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
>> 2020-11-18 11:51:38,925 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
>> Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties
>>
>>     cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")
>>
>> Listed settings above are no longer recognized by CAS 6.2.5. They may 
>> have been renamed, removed, or relocated to a new address in the CAS 
>> configuration schema. CAS will ignore such settings and will proceed with 
>> its normal initialization sequence. Please consult the CAS documentation to 
>> review and adjust each setting to find an alternative or remove the 
>> definition. Failure to do so puts the stability of the CAS server 
>> deployment in danger and complicates future upgrades.
>>
>> Unfortunately, for security reasons, jasypt gives no details as to why 
>> the decryption failed.  I've tried several different things, but haven't 
>> gotten the decryption working.  The above error isn't the only one I've 
>> seen, but it seems to be the exception I'm seeing when I think that my 
>> steps should be correct.
>>
>> I do see the error from 
>> org.apereo.cas.configuration.CasConfigurationPropertiesValidator at the 
>> end of the log, and that seems to be a discrepancy between the code, the 
>> documentation, and the configuration-model.  However, I don't think it is 
>> relevant to this problem because the CasConfigurationJasyptCipherExecutor 
>> seems to load the configuration directly from the property names, instead 
>> of using the configuration model.
>>
>> Figuring out how to encrypt properties would be nice, but my ultimate 
>> goal is trying to encrypt the clientSecret in the service json file for an 
>> oauth service.  That isn't working for me either.  
>> https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus  
>> If it isn't worth trying to figure out configuration encryption, then I can 
>> provide more details about the problems I'm having trying to configure an 
>> encrypted clientSecret.
>>
>> Thanks for any insights.
>>
>>
>> -- 
>>
>> Ray Bon
>> Programmer Analyst
>> Development Services, University Systems
>> (250) 721-8831 | CLE 019 | [email protected]
>>
>> I respectfully acknowledge that my place of work is located within the 
>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
>> WSÁNEĆ Nations.
>>
>
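An added diagnostic example for the failure Ken worked through above (this is not code from CAS, Jasypt or anyone in the thread): Jasypt throws EncryptionOperationNotPossibleException with no cause when the password, PBE algorithm or iteration count does not match the one used by encrypt-value, so this helper decrypts a {cas-cipher} value with the same password and iteration count under each candidate algorithm and reports which one succeeds. The class name, the candidate list and the example password are assumptions.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

import java.util.List;

// Hypothetical class name; requires jasypt (1.9.3 in the thread) on the classpath.
public class CasCipherDiagnostic {

    // Prefix CAS expects on encrypted settings and strips before handing the value to Jasypt.
    private static final String PREFIX = "{cas-cipher}";

    // Same four parameters the thread passes to encrypt-value and to the server start-up command.
    static StandardPBEStringEncryptor encryptor(String algorithm, String password, int iterations) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setAlgorithm(algorithm);
        e.setPassword(password);
        e.setKeyObtentionIterations(iterations);
        e.setProviderName("SunJCE");
        return e;
    }

    static String stripPrefix(String value) {
        return value.startsWith(PREFIX) ? value.substring(PREFIX.length()) : value;
    }

    // Returns the first candidate algorithm that decrypts the value, or null if none does.
    // A wrong algorithm can, very rarely, produce garbage with valid padding, so the caller
    // should still compare the plaintext against what it expects.
    static String findMatchingAlgorithm(String encrypted, String password, int iterations,
                                        List<String> candidates) {
        String payload = stripPrefix(encrypted);
        for (String alg : candidates) {
            try {
                encryptor(alg, password, iterations).decrypt(payload);
                return alg;
            } catch (EncryptionOperationNotPossibleException ex) {
                // Jasypt deliberately gives no reason; keep trying the next candidate.
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String password = "example-password"; // placeholder, not the value from the thread
        int iterations = 1000;
        // Reproduce the mismatch: encrypt with TripleDES (as encrypt-value did), then check
        // whether a server configured with plain DES could ever decrypt it.
        String encrypted = PREFIX + encryptor("PBEWithMD5AndTripleDES", password, iterations).encrypt("false");
        List<String> candidates = List.of("PBEWithMD5AndDES", "PBEWithMD5AndTripleDES");
        String match = findMatchingAlgorithm(encrypted, password, iterations, candidates);
        System.out.println("value decrypts with: " + match);
        System.out.println("plaintext: " + encryptor(match, password, iterations).decrypt(stripPrefix(encrypted)));
    }
}
```

Because Jasypt prepends a fresh random salt on every call, the same plaintext produces a different {cas-cipher} string each time; that is expected and is not a sign of a mismatch.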
