CAS-Management not starting due to Self Signed Certificate Errors.
Colin Ryan
Folks,
I'm nearly embarrassed having to ask this but I'm having issues starting up the Management Interface in the embedded Tomcat scenario.
The error is technically obvious:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Environment is:
CAS Version: 6.1.0-RC4
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
CAS Build Date/Time: 2020-08-12T16:06:56.197Z
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Home:
/Library/Java/JavaVirtualMachines/jdk-11.0.7.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 240 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 378 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5
Now this isn't my first rodeo ride with certificates so here is what I've done so far trying to solve this.
* Confirmed the the management.properties file being picked up by the run-time is correct (put in incorrect directive and it complained).
* Confirmed Syntax for the Certificate Directives via examples
and the CAS interactive Shell.
management.server.ssl.key-store:
file:/Users/colinr/DevTree/devkeystore.jks
management.server.ssl.key-store-password: <password>
It should be noted that the keystore is of type PKCS12 and it's the exact same keystore as being used by my standalone Tomcat 9.0.26 environment that CAS itself runs on successfully. Said tomcat environment is started by the same users that runs the embedded one.
* I've opened up permissions to the file totally.
* I'm able to "keytool -list" the certificate in this keystore directly via "keytool" and responds properly to the correct and incorrect keystore password.
* I'm able to view details of certificate via keytool
* Certificate alias is tomcat
* Certificate is NOT expired.
* Certificate is loaded in the the Java's truststore via the
InstallCert tool.
* I tried generating a new keystore via "keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore managementkeystore.jks -validity 3650 -storepass testadmin" same result.
* keytool and activated Java environment for the run time is from the same distribution.
* I've run the overlay before like this without issues, however that was 6.0.2-SNAPSHOT on 10.15.4.
Frankly I'm totally stumped but expect the issue to be an embarrassingly obvious one.
Cheers
Colin
Colin Ryan
Folks,
So I've still not managed to move past this. Even even started from scratch.
git clone https://github.com/apereo/cas-management-overlay.git
git checkout 6.0.x
./build.sh clean
./build.sh run - breaks because it can't seem to find some of the required components for the 6.0.x gradle.properties of 6.0.2-SNAPSHOT
So I go fine, old branch, I'll try master.
git checkout master
./build.sh clean
./build.sh run
gives again the whole dialog below. It cannot open my keystore file. But the keystore file is fine. In fact as mentioned below if I change reference to the file it errors out appropriately, indicating it's consuming the correct configuration.
At this point I can't seem to get the Management Interface to function. As you can see also below I even created a new self signed keystore with a basic password thinking that maybe special characters were the issue. Not go, again was working before my development environment blew up. I have a backup of it, but build and run for that can't find components (old branch?).
Any idea what stupidity I'm missing.
Thanks
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/71606001-1c08-d1a9-962d-4f725e8dd42a%40caveo.ca.
Ray Bon
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Colin Ryan
Ray,
I'll try it but the public key for it already is as it's the same cert. I was using for the /cas deployment itself in an external tomcat deployment. It was complaining about un-trusted certs until I did that.
Coln
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/429341d0d6b1d2f4aad38cc6411e8245df13ab70.camel%40uvic.ca.
Colin Ryan
So as a follow-on Phase 3. I moved this whole thing to a Linux environment in the off chance that macOS's 10.15 funky overlay filesystems were causing me grief.
No joy.
Can someone do me a favour and just confirm that the cas-management-overlay out of the box build will work with a self signed certificate that has been generated with:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore managementkeystore.jks -validity 9650 -storepass testadmin
As previously discussed, not matter what I do with the keystore file it throws this:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Vendor: Oracle Corporation
Java Version: 11.0.8
JVM Free Memory: 152 MB
JVM Maximum Memory: 4 GB
JVM Total Memory: 370 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5
OS Temp Directory: /var/folders/3z/nw6030cx27vdg7r5ws1p02vr0000gn/T/
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b750507-24d3-c8c0-bf3a-46edc537ab4e%40caveo.ca.
Ray Bon
Ray Bon
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
Ray,
I have but it looked like the tomcat libraries in the war were getting in the way of the tomcat native ones. i.e. I tried build.sh package then exploded the war into the same Tomcat that I have cas itself running in and seemed to jam up.
Were you running in the same Tomcat as Cas itself or another standalone.
Thanks
Colin
Colin Ryan
I give up.
I've tried everything. I have no clue. Even again did fresh git clone and immediate build.sh run with the following world readable management.properties
cas.server.name=https://xx.xxx.xxx cas.server.prefix=${cas.server.name}/cas mgmt.userPropertiesFile=file:/etc/cas/config/users.json management.server.ssl.key-store: file:/Users/colinr/DevTree/devkey.jks (also tried /etc/cas/thekeystore) management.server.ssl.key-store-password: <confirmed password> management.server.ssl.key-password: <confirmed password> server.servlet.context-path:/cas-management server.port:8443 (CAS Management) CAS Version: 6.2.1 CAS Branch: 6.2.x CAS Commit Id: dc90995b8911bd36c7aebc39588c9d6e3baee1a1 CAS Build Date/Time: 2020-07-24T07:57:14Z Spring Boot Version: 2.2.8.RELEASE Spring Version: 5.2.7.RELEASE Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.8.jdk/Contents/Home Java Vendor: Oracle Corporation Java Version: 11.0.8 JVM Free Memory: 206 MB JVM Maximum Memory: 4 GB JVM Total Memory: 444 MB JCE Installed: Yes OS Architecture: x86_64 OS Name: Mac OS X OS Version: 10.15.6 OS Date/Time: 2020-09-21T11:35:42.696857 OS Temp Directory: /var/folders/3z/nw6030cx27vdg7r5ws1p02vr0000gn/T/
Still will not open the darn keystore.
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117) ~[?:?] at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243) ~[?:?] at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
I don't get it. This was trivial with managment-overlay build around 6.0.2 before my dev environment blew up.
Keystore is fine.
JAVA_HOME is set etc etc.
keytool -list -keystore ../../devkeystore.jks -v
Enter keystore password: <as in above config file>
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Oct 16, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: yadda yadda
Issuer: yadda yadda
Serial number: 6982c398
Valid from: Wed Oct 16 12:16:43 EDT 2019 until: Fri Dec 24 11:16:43 EST 2021
Certificate fingerprints:
SHA1: 9B:59:35:7A:40:A4:7C:00:08:B8:2D:6B:0F:D0:27:8B:D5:DE:C6:11
SHA256: 41:CC:1D:4B:EF:68:09:EB:72:63:2C:4C:90:F6:8C:EB:2A:CB:53:D4:00:23:11:69:A4:1A:92:7D:C0:CC:E9:7E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
I'm dead in the water. I have idea what the h**ll is the problem.
Colin Ryan
Just an FYI, in case someone else run's into this.
The solutions was simply to remove the management. prefix from the server.ssl directives ala.
server.ssl.key-store: file:<path>
server.ssl.key-store-password: <pass>
server.ssl.key-password: <pass>
I'm certain management.server was what I used for 6.0.2 and it's still in the documentation.
I tried it on a whim upon inspecting the applications.properties file in the source code.
Colin
I give up.
I've tried everything. I have no clue. Even again did fresh git clone and immediate build.sh run with the following world readable management.properties
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f5d52a2b-b51b-0ea3-2ee7-d355b30bc574%40caveo.ca.