cas standalone configuration security


Kenneth Hopkins

Nov 18, 2020, 12:22:37 PM
to cas-...@apereo.org

My end goal is to encrypt the client secret in my service json registry as suggested here: https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus

So far it isn't working for me.  In an effort to troubleshoot, I tried starting with trying to just encrypt some configuration properties: https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html#standalone

That also is not working for me.

In an effort to simplify what I was looking at, I started with a clean download of the cas-overlay-template.  I started with the server.ssl.enabled property just for the sake of the test, but other properties seem to have the same problem.  I added an application.yml file to src/main/resources with a single property in it:

server:
  ssl:
    enabled: '{cas-cipher}bRgoFJzNOBogeWGrty800g=='

I got the encrypted value from running the cas commandline shell:

cas>encrypt-value --alg PBEWithMD5AndTripleDES --iterations 1000 --provider SunJCE --password siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ --value false
==== Encrypted Value ====
{cas-cipher}bRgoFJzNOBogeWGrty800g==

And I started my cas server like this:

java -jar build/libs/cas.war --cas.standalone.configurationSecurity.alg=PBEWithMD5AndDES --cas.standalone.configurationSecurity.provider=SunJCE --cas.standalone.configurationSecurity.iterations=1000 --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ

The start of the CAS log looks like this:

2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>


     _    ____  _____ ____  _____ ___     ____    _    ____ 
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___|
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/
                                                            

CAS Version: 6.2.5
CAS Branch: 6.2.x
CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
CAS Build Date/Time: 2020-11-03T03:51:10Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.6.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-amd64
Java Vendor: Ubuntu
Java Version: 11.0.9.1
JVM Free Memory: 504 MB
JVM Maximum Memory: 9 GB
JVM Total Memory: 924 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-54-generic
OS Date/Time: 2020-11-18T11:51:35.335785
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.39
------------------------------------------------------------


2020-11-18 11:51:35,359 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
2020-11-18 11:51:35,360 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
2020-11-18 11:51:35,367 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
2020-11-18 11:51:35,369 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
2020-11-18 11:51:35,369 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2020-11-18 11:51:35,382 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
2020-11-18 11:51:35,389 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}bRgoFJzNOBogeWGrty800g==]>
org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[jasypt-1.9.3.jar!/:?]
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[jasypt-1.9.3.jar!/:?]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValuePropagateExceptions(CasConfigurationJasyptCipherExecutor.java:215) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValue(CasConfigurationJasyptCipherExecutor.java:196) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:154) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:22) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.util.crypto.CipherExecutor.lambda$decode$0(CipherExecutor.java:120) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at java.util.concurrent.ConcurrentHashMap.forEach(ConcurrentHashMap.java:1603) ~[?:?]
    at java.util.Properties.forEach(Properties.java:1443) ~[?:?]
    at org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:117) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.BaseConfigurationPropertiesLoader.decryptProperties(BaseConfigurationPropertiesLoader.java:46) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader.load(YamlConfigurationPropertiesLoader.java:36) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.loadEmbeddedYamlOverriddenProperties(DefaultCasConfigurationPropertiesSourceLocator.java:153) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.locate(DefaultCasConfigurationPropertiesSourceLocator.java:71) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration.locate(CasCoreBootstrapStandaloneConfiguration.java:52) ~[cas-server-core-configuration-6.2.5.jar!/:6.2.5]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:97) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80) ~[cas-server-webapp-init-6.2.5.jar!/:6.2.5]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[cas.war:?]
    at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58) ~[cas.war:?]
2020-11-18 11:51:35,405 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
2020-11-18 11:51:35,613 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
2020-11-18 11:51:38,925 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")

Listed settings above are no longer recognized by CAS 6.2.5. They may have been renamed, removed, or relocated to a new address in the CAS configuration schema. CAS will ignore such settings and will proceed with its normal initialization sequence. Please consult the CAS documentation to review and adjust each setting to find an alternative or remove the definition. Failure to do so puts the stability of the CAS server deployment in danger and complicates future upgrades.

Unfortunately, for security reasons, jasypt gives no details as to why the decryption failed.  I've tried several different things, but haven't gotten the decryption working.  The above error isn't the only one I've seen, but it seems to be the exception I'm seeing when I think that my steps should be correct.

I do see the error from org.apereo.cas.configuration.CasConfigurationPropertiesValidator at the end of the log, and that seems to be a discrepancy between the code, the documentation, and the configuration-model.  However, I don't think it is relevant to this problem because the CasConfigurationJasyptCipherExecutor seems to load the configuration directly from the property names, instead of using the configuration model.

Figuring out how to encrypt properties would be nice, but my ultimate goal is trying to encrypt the clientSecret in the service json file for an oauth service.  That isn't working for me either.  https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus  If it isn't worth trying to figure out configuration encryption, then I can provide more details about the problems I'm having trying to configure an encrypted clientSecret.

Thanks for any insights.



Ray Bon

Nov 18, 2020, 12:57:00 PM
to cas-...@apereo.org
Kenneth,

Perhaps the properties need to be set in the config file (if jasypt is reading directly), maybe the encryption bit size or algorithm.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Ken Hopkins

Nov 18, 2020, 1:21:26 PM
to CAS Community, Ray Bon
Thanks Ray.
The first four lines of the cas log seem to suggest that the configuration is being read properly:
2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>


However, you may be on to something.  I removed the provider and algorithm from my start-up command:
java -jar build/libs/cas.war --cas.standalone.configurationSecurity.iterations=1000 --cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ

The start of the log now looks like:
2020-11-18 13:11:25,966 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
2020-11-18 13:11:25,971 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2020-11-18 13:11:25,973 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>



     _    ____  _____ ____  _____ ___     ____    _    ____  
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___|
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/
                                                             

CAS Version: 6.2.5
CAS Branch: 6.2.x
CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
CAS Build Date/Time: 2020-11-03T03:51:10Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.6.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-amd64
Java Vendor: Ubuntu
Java Version: 11.0.9.1
JVM Free Memory: 560 MB

JVM Maximum Memory: 9 GB
JVM Total Memory: 1022 MB

JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-54-generic
OS Date/Time: 2020-11-18T13:11:26.595293

OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.39
------------------------------------------------------------


2020-11-18 13:11:26,621 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
2020-11-18 13:11:26,621 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
2020-11-18 13:11:26,633 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
2020-11-18 13:11:26,635 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
2020-11-18 13:11:26,635 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2020-11-18 13:11:26,647 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
2020-11-18 13:11:26,655 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted value [bRgoFJzNOBogeWGrty800g==] successfully.>
2020-11-18 13:11:26,655 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted key [server.ssl.enabled] successfully>

2020-11-18 13:11:26,672 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
2020-11-18 13:11:26,870 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
2020-11-18 13:11:29,896 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
2020-11-18 13:11:29,896 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
2020-11-18 13:11:29,921 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <

Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")

Listed settings above are no longer recognized by CAS 6.2.5. They may have been renamed, removed, or relocated to a new address in the CAS configuration schema. CAS will ignore such settings and will proceed with its normal initialization sequence. Please consult the CAS documentation to review and adjust each setting to find an alternative or remove the definition. Failure to do so puts the stability of the CAS server deployment in danger and complicates future upgrades.
>


I've bolded a couple of important things to note.  And my server came up.  Wow, looking back it looks like I was specifying the wrong algorithm when I started the server.  DES instead of TripleDES.  Doh.

Well, that's good.  Thanks Ray.

I'll see if this gets me any closer to getting encryption to work in the oauth service registry.

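The round trip underneath the two steps in this thread (encrypt-value in the CAS shell, decryption at server start-up), written as an added example against Jasypt's StandardPBEStringEncryptor directly. It is not code from the thread or from the CAS project; it assumes jasypt 1.9.3 (the version in the stack trace above) on the classpath, uses a placeholder password, and reproduces the mismatch from the first start-up command by decrypting once with PBEWithMD5AndTripleDES and once with PBEWithMD5AndDES.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class CasCipherRoundTrip {

    // Marker CAS puts in front of encrypted settings in properties/YAML files.
    static final String PREFIX = "{cas-cipher}";

    // Placeholder constructed for this example; use a long random value in a real deployment.
    static final String PASSWORD = "replace-with-a-long-random-password";

    /** One Jasypt encryptor configured with the four settings CAS reads as
     *  cas.standalone.configurationSecurity.{alg,provider,iterations,psw}. */
    static StandardPBEStringEncryptor encryptor(String algorithm, String provider,
                                                int iterations, String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(algorithm);
        enc.setProviderName(provider);
        enc.setKeyObtentionIterations(iterations);
        enc.setPassword(password);
        return enc;
    }

    /** What `cas> encrypt-value` produces: Base64 ciphertext behind the marker. */
    static String encryptForCas(StandardPBEStringEncryptor enc, String plaintext) {
        return PREFIX + enc.encrypt(plaintext);
    }

    /** What the server does at start-up: strip the marker and decrypt.
     *  Returns null when Jasypt cannot decrypt; the library deliberately gives no
     *  reason, so a wrong password, algorithm, provider or iteration count all look alike. */
    static String decryptFromCas(StandardPBEStringEncryptor enc, String value) {
        if (!value.startsWith(PREFIX)) {
            return value; // plain value, passed through unchanged
        }
        try {
            return enc.decrypt(value.substring(PREFIX.length()));
        } catch (EncryptionOperationNotPossibleException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor tripleDes =
                encryptor("PBEWithMD5AndTripleDES", "SunJCE", 1000, PASSWORD);
        StandardPBEStringEncryptor des =
                encryptor("PBEWithMD5AndDES", "SunJCE", 1000, PASSWORD);

        String stored = encryptForCas(tripleDes, "false");
        System.out.println("application.yml value  : " + stored);

        // Jasypt prepends a fresh random salt on every call, so the same plaintext
        // yields different ciphertext each run; both decrypt with the same settings.
        System.out.println("same value, second run : " + encryptForCas(tripleDes, "false"));

        // Matching settings recover the plaintext.
        System.out.println("decrypt with TripleDES : " + decryptFromCas(tripleDes, stored));

        // Same password and iterations but the wrong algorithm: the derived key differs,
        // the padding check fails and Jasypt throws, so this is null in practice.
        System.out.println("decrypt with DES       : " + decryptFromCas(des, stored));
    }
}
```

All four settings at decrypt time have to equal the ones used at encrypt time; the ciphertext carries the salt but nothing that names the algorithm, provider or iteration count. The second start-up log above shows CAS falling back to PBEWithMD5AndTripleDES when no algorithm is given, which is why dropping the flags made the shell's output decrypt. Separately, a password passed as a command-line argument is readable by other local users through the process table; putting it in the standalone configuration directory or supplying it through an environment variable keeps it out of `ps` output.
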
Frédéric Lohier

Mar 11, 2021, 4:14:56 AM
to CAS Community, Ken Hopkins, Ray Bon
Hello,

In case it helps others, to encrypt/sign the "clientSecret" in an OIDC service, you have to use the following command in the CAS Shell:

cipher-text --value secret --encryption-key <value of cas.authn.oauth.crypto.encryption.key property> --encryption-key-size <value of cas.authn.oauth.crypto.encryption.key-size property, default: 256> --signing-key <value of cas.authn.oauth.crypto.signing.key property> --signing-key-size <value of cas.authn.oauth.crypto.signing.key-size property, default: 512>

Then you can use the produced "encoded value" prefixed by {cas-cipher}.

-Frederic