How to give encrypted password in cas.properties for redis ticket registry

[Priyambada Madala]

I have following cas.properties for redis registry set up . 

# Redis Ticket Registry properties
cas.ticket.registry.redis.host=localhost
cas.ticket.registry.redis.database=1
cas.ticket.registry.redis.port=6379
cas.ticket.registry.redis.password=redis
cas.ticket.registry.redis.timeout=2000
cas.ticket.registry.redis.useSsl=false
cas.ticket.registry.redis.usePool=true

cas.ticket.registry.redis.pool.max-active=20
cas.ticket.registry.redis.pool.maxIdle=8
cas.ticket.registry.redis.pool.minIdle=0
cas.ticket.registry.redis.pool.maxActive=8
cas.ticket.registry.redis.pool.maxWait=-1
cas.ticket.registry.redis.pool.numTestsPerEvictionRun=0
cas.ticket.registry.redis.pool.softMinEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.minEvictableIdleTimeMillis=0
cas.ticket.registry.redis.pool.lifo=true
cas.ticket.registry.redis.pool.fairness=false

cas.ticket.registry.redis.pool.testOnCreate=false
cas.ticket.registry.redis.pool.testOnBorrow=false
cas.ticket.registry.redis.pool.testOnReturn=false
cas.ticket.registry.redis.pool.testWhileIdle=false

I want to provide an encrypted value in "cas.ticket.registry.redis.password". 

Is there a possible bean i can override where i can decrypt the password with proper key ?

[Ray Bon]

Priyambada,

Why do you want an encrypted password in your config?

Ray

On Tue, 2020-09-01 at 02:17 -0700, Priyambada Madala wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Priyambada Madala]

Passwords for your redis cluster should be treated as a sensitive information . 

It would be nice to have the password encrypted with a private key.

[Jérôme LELEU]

Hi,

See: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html to secure your properties.

Thanks.

Best regards,

Jérôme

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/06d454ad-4144-49f4-ac31-68b30b243858n%40apereo.org.

[Priyambada Madala]

Thank you @leleuj . 

I could solve the issue with providing the following configs . 

bootstrap.properties :

encrypt.key=secretekey

cas.properties :

cas.ticket.registry.redis.password={cipher}520b0bce66df5446f764fcbce5828d18ac5872a67

[Ray Bon]

Priyambada,

Are those spring boot properties?

We add our secrets in as part of the deploy process, they are encrypted in an ansible vault. In some cases entire files are stored. This looks like a better system if only bootstrap.properties needs protection.

Ray

[Priyambada Madala]

Yes they are . The bootstrap.properties enables /encrypt and /decrypt api of spring boot . 

I also found a way to provide custom encryption by providing the following bean override . 

@RefreshScope
@Bean
public RedisConnectionFactory redisConnectionFactory() {
        RedisTicketRegistryProperties redis = this.casProperties.getTicket().getRegistry().getRedis();
        redis.setPassword(encrypter.decrypt(redis.getPassword()));
        RedisObjectFactory obj = new RedisObjectFactory();
       return obj.newRedisConnectionFactory(redis);
}