encryption and signing key generation


Curtis Ruck
Sep 12, 2018, 4:34:32 PM
to CAS Community
So I'm trying to automate the generation and persistence of the cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.

I'm using the jwk-gen.jar, and when I store the key in cas.properties, I end up with "Invalid AES key length: 43 bytes" when trying to access the login page.


If I let CAS generate a key, it's the exact same string length (43 bytes). What is different between my key and CAS's generated keys? I'm extracting the k value from the JSON and inserting it into my cas.properties.

java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks

William E.
Sep 13, 2018, 10:03:02 AM
to CAS Community
+1

I ended up grabbing values from the cas startup logs and setting in my cas.properties.  Seems to work.

Curtis Ruck
Sep 13, 2018, 4:01:26 PM
to CAS Community
The problem is the chicken-and-egg issue. I need to prepopulate cas.properties so the service can start up and work (without human intervention). I'm trying my best to avoid having to start a service, parse the logs, modify the config, and then restart the service. The documentation seems very light on these keys.

Doug Campbell
Sep 13, 2018, 4:09:10 PM
to cas-...@apereo.org

You might check out the server configuration section of the CAS deployment guide that David Curry has put together https://dacurry-tns.github.io/deploying-apereo-cas/building_server_configure-server-properties.html.  My guess is that there is a slight mistake in what you are currently doing and perhaps if you go through David’s step-by-step it will show you what is off in your current approach.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/16619ee4-f77f-4436-9237-5a0e812bd17f%40apereo.org.

David Curry
Sep 13, 2018, 4:12:26 PM
to cas-...@apereo.org
The encryption key for Spring Webflow (cas.webflow.crypto.encryption.key) is not a JSON Web Key. It's a randomly-generated string of 16 octets, Base64-encoded. You can generate it with OpenSSL:

openssl rand -base64 16 > webflow-enc.txt

Also, I believe you need a '-s' in front of the size argument for the other three:

java -jar jwk-gen.jar -t oct -s 256 -o tgc-enc.jwks
java -jar jwk-gen.jar -t oct -s 512 -o tgc-sig.jwks
java -jar jwk-gen.jar -t oct -s 512 -o webflow-sig.jwks

--Dave

P.S. - I'm guessing on the '-s' issue; I used the web-based version of the key generator rather than the jar file.

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School

--
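The point in Dave's reply is that the four settings do not all take the same kind of value: the webflow encryption key is 16 raw octets Base64-encoded (what `openssl rand -base64 16` prints), while the TGC keys and the webflow signing key are the `k` member of a symmetric JWK, which is Base64url without padding. The script below is an added example (not part of this thread, not CAS or jwk-gen code) that generates all four values in the right shape and checks a configured value by decoding it and comparing the byte count against the size each setting expects. The expected sizes (16, 32 and 64 bytes) are taken from the sizes quoted in this thread; the setting names are the CAS 5.3 names the posters use. It also shows the arithmetic behind the "43 bytes" confusion: a 256-bit key encoded as 43 Base64url characters is 43 bytes only if the string itself is used as the key; decoded, it is 32 bytes.

```python
import base64
import secrets

# Byte lengths each setting expects, per the sizes discussed in the thread:
# webflow encryption = 16 random octets; JWK oct keys = 256 bits (32 B) or 512 bits (64 B).
EXPECTED_BYTES = {
    "cas.webflow.crypto.encryption.key": 16,
    "cas.webflow.crypto.signing.key": 64,
    "cas.tgc.crypto.encryption.key": 32,
    "cas.tgc.crypto.signing.key": 64,
}
AES_KEY_BYTES = {16, 24, 32}  # the only key lengths AES accepts


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding a JWK 'k' member uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def webflow_encryption_key() -> str:
    """Same shape as `openssl rand -base64 16`: 16 octets, standard Base64, padded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def jwk_oct(bits: int) -> dict:
    """Symmetric JWK like `jwk-gen.jar -t oct -s <bits>`; cas.properties wants only 'k'."""
    return {"kty": "oct", "k": b64url_nopad(secrets.token_bytes(bits // 8))}


def decoded_length(key: str) -> int:
    """Byte length of a key string after Base64/Base64url decoding (padding optional)."""
    padded = key + "=" * (-len(key) % 4)
    # urlsafe_b64decode maps '-'/'_' to '+'/'/' and still accepts '+'/'/' as-is.
    return len(base64.urlsafe_b64decode(padded))


def raw_vs_decoded(key: str) -> tuple:
    """(bytes if the string itself were used as the key, bytes after decoding)."""
    return len(key.encode("ascii")), decoded_length(key)


def check_key(setting: str, key: str) -> str:
    """'ok' when the decoded key has the byte length the setting expects, else a diagnostic."""
    want = EXPECTED_BYTES[setting]
    raw, got = raw_vs_decoded(key)
    if got == want:
        return "ok"
    hint = ""
    if raw not in AES_KEY_BYTES and "encryption" in setting:
        hint = f" (used undecoded it would be {raw} bytes, not an AES key length)"
    return f"{setting}: decodes to {got} bytes, expected {want}{hint}"


def generate_all() -> dict:
    """Fresh values for all four settings, each in the shape its setting expects."""
    return {
        "cas.webflow.crypto.encryption.key": webflow_encryption_key(),
        "cas.webflow.crypto.signing.key": jwk_oct(512)["k"],
        "cas.tgc.crypto.encryption.key": jwk_oct(256)["k"],
        "cas.tgc.crypto.signing.key": jwk_oct(512)["k"],
    }


def render_properties(keys: dict) -> str:
    """Lines ready to append to cas.properties."""
    return "\n".join(f"{name}={value}" for name, value in keys.items()) + "\n"


if __name__ == "__main__":
    keys = generate_all()
    for name, value in keys.items():
        print(f"{name}: {check_key(name, value)}")
    print(render_properties(keys), end="")
    # Illustrate the mix-up from the first post: a JWK-style 256-bit key in the webflow slot.
    print(check_key("cas.webflow.crypto.encryption.key", jwk_oct(256)["k"]))
```

Run it once at deploy time and write the output into cas.properties before the first start, which is the unattended flow Curtis is after. `check_key` is the useful part for a pipeline: it catches a key pasted into the wrong setting before CAS ever sees it.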

William E.
Sep 13, 2018, 4:16:35 PM
to CAS Community
If you enable JWT in cas.properties by defining these two properties:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true


but leave these commented out:

cas.authn.token.crypto.signing.key
cas.authn.token.crypto.encryption.key


your catalina.out should log the generation of both keys, different each time you start the app of course. I would just grab the values, define them in your cas.properties, then restart Tomcat.

Log lines to look for:

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Token/JWT Tickets]; CAS will attempt to auto-generate the encryption key>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [pzyyqMTLT..................................] of size [256] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.encryption.key].>


WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Token/JWT Tickets]. CAS will attempt to auto-generate the signing key>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [tR8gQgES...................] of size [512] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.signing.key].>


-W
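William's approach is to read the generated keys back out of catalina.out. The following is an added example (mine, not CAS code or anything from this thread) that does that step with a regex over the WARN lines he quotes, returning a setting-to-key map and rendering it as cas.properties lines. The sample log text is constructed; the key strings in it are placeholders, not real generated keys. The pattern also accepts the shorter form of the line seen later in this thread, which has no "for [...]" segment and has the setting name in the same place.

```python
import re

# Constructed sample of the WARN lines CAS logs when a key is left undefined.
# Key values here are placeholders; real ones are random and differ per start.
SAMPLE_LOG = """\
2018-09-13 10:00:01,000 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Token/JWT Tickets]; CAS will attempt to auto-generate the encryption key>
2018-09-13 10:00:01,005 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [PLACEHOLDER_ENC_KEY_256_xxxxxxxxxxxxxxxxxxx] of size [256] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.encryption.key].>
2018-09-13 10:00:01,006 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Token/JWT Tickets]. CAS will attempt to auto-generate the signing key>
2018-09-13 10:00:01,010 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [PLACEHOLDER_SIG_KEY_512_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] of size [512] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.signing.key].>
2018-09-13 10:00:02,000 WARN [org.apereo.cas.web.flow.WebflowCipherExecutor] - <Generated encryption key [PLACEHOLDERwebflow16oc] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>
2018-09-13 10:00:03,000 INFO [org.apereo.cas.web.CasWebApplication] - <Started CasWebApplication>
"""

# Matches both line shapes: with or without the "for [component]" segment.
GENERATED = re.compile(
    r"<Generated (?P<kind>encryption|signing) key \[(?P<key>[^\]]+)\] of size \[(?P<size>\d+)\]"
    r".*?under setting \[(?P<setting>[A-Za-z0-9.]+)\]"
)


def extract_generated_keys(log_text: str) -> dict:
    """Map each setting name to the key CAS generated for it (last occurrence wins,
    since a restarted instance logs a fresh key)."""
    found = {}
    for line in log_text.splitlines():
        m = GENERATED.search(line)
        if m:
            found[m["setting"]] = {
                "key": m["key"],
                "size": int(m["size"]),
                "kind": m["kind"],
            }
    return found


def to_properties(found: dict) -> str:
    """cas.properties lines for every generated key that was found."""
    return "\n".join(f"{setting}={info['key']}" for setting, info in sorted(found.items())) + "\n"


if __name__ == "__main__":
    keys = extract_generated_keys(SAMPLE_LOG)
    for setting, info in keys.items():
        print(f"{setting}: {info['kind']} key, {info['size']} bits/octets")
    print(to_properties(keys), end="")
```

Run it against the real catalina.out (`extract_generated_keys(open(path).read())`) and append the output to cas.properties, then restart. Note that the log now holds the same secret you just put into the configuration, so the retained log lines (and any log shipper they pass through) deserve the same handling as cas.properties itself; that is one reason Curtis prefers generating the keys up front instead.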

Curtis Ruck
Sep 13, 2018, 7:07:57 PM
to CAS Community
I believe this is the detail that is missing. I was following the https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties-Common.html#signing--encryption documentation. I didn't see the line at webflow about "The encryption key must be randomly-generated string of size f16. The signing key is a JWK of size 512."

openssl rand -base64 16 > webflow-enc.txt

I had the -s, but lost it in the translation to google groups.

Zach Tackett
Sep 14, 2018, 2:47:38 PM
to CAS Community
I tried this and it still says

<Secret key for encryption is not defined under [cas.webflow.crypto.encryption.key]. CAS will attempt to auto-generate the encryption key>
<Generated encryption key [QuIZQQ5PQFcLtPPQiiOEGw] of size [16]. The generated key MUST be added to CAS settings under setting [cas.webflow.crypto.encryption.key].>

Any hint as to why?

On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote:

Curtis Ruck
Sep 14, 2018, 3:04:50 PM
to cas-...@apereo.org
Typo in the key name. It worked perfectly for me once I generated the value with openssl instead of jwk-gen.jar.

--
Curtis Ruck

