Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE


franck le calloch

May 20, 2019, 6:13:30 AM
to uPortal Community
Hello,

On a test platform I am trying version 5 of uPortal.

I wanted to set up 'clearpass' to accept encrypted passwords (via CAS V5.2).

In the uPortal logs I am stuck on the following error:

ERROR [ajp-nio-8009-exec-5-guest] o.a.p.s.p.c.CasAssertionSecurityContext 2019-05-17 09:50:12,006 - Can not load key from file: /etc/ssl/certs/cas/private.p8
java.security.NoSuchAlgorithmException: 'RSA' KEYFACTORY NOT AVAILABLE

I followed the documentation by generating the keys:

openssl genrsa -out private.key 1024
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8

and in uPortal.properties I have:

## Flag to determine if the portal should convert Assertion attributes to user attributes - defaults to false
org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes = true

## Flag to determine if credential attribute from CAS should be decrypted to password - defaults to false
org.apereo.portal.security.cas.assertion.decryptCredentialToPassword = true

## Unsigned private key in PKCS8 format for credential decryption (for decryptCredentialToPassword)
org.apereo.portal.security.cas.assertion.decryptCredentialToPasswordPrivateKey = /etc/ssl/certs/cas/private.p8

Any ideas?

Thank you

-- 

Le Calloch Franck

Ecoles de Saint-Cyr Coëtquidan

Christian Cousquer

May 20, 2019, 6:32:00 AM
to franck le calloch, uPortal Community

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uportal-user...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/a9b3df5a-7dce-4acc-a672-85546998117c%40apereo.org.

Christian Cousquer

May 20, 2019, 6:38:02 AM
to franck le calloch, uPortal Community
For the French documentation for uPortal:
http://jasig.github.io/uPortal/fr/implementer/authentification/cas.html
Regards,
Christian

franck le calloch

May 22, 2019, 3:58:19 AM
to uPortal Community
Thanks for this information.
I did indeed follow the documentation.
CAS does return the encrypted credential.

My problem is on the uPortal side.
I don't understand why it does not read the private key:

o.a.p.s.p.c.CasAssertionSecurityContext 2019-05-17 09:50:12,006 - Can not load key from file: /etc/ssl/certs/cas/private.p8
java.security.NoSuchAlgorithmException: 'RSA' KEYFACTORY NOT AVAILABLE

I am stuck.

Julien Gribonvald

May 22, 2019, 5:00:37 AM
to uporta...@apereo.org

From a web search, it seems that this comes from your Java install. Which version of Java is running your uPortal? And which exact uPortal version are you using?

Julien


Benito Gonzalez

May 22, 2019, 1:03:26 PM
to uporta...@apereo.org
Hi folks,

I believe Java Cryptography Extension is required. For installation, see https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/installJCE.html for an example.

Best,
--bjagg



Christian Cousquer

May 22, 2019, 3:23:36 PM
to Benito Gonzalez, uporta...@apereo.org
Thanks Benito. 

Franck, tell us if Benito's solution fixes your issue. We will update the documentation. Good luck.

Best regards,
Christian 


franck le calloch

May 24, 2019, 4:23:03 AM
to uPortal Community
Thank you for your help.
Java version is: openjdk version "1.8.0_181"
the OS is: Debian 9
and uPortal is: uPortal-start version 5, updated via git

JCE is installed, but I always have the error.

Perhaps another detail: I have this in the log:

Jasypt support for encrypted property values DISABLED;  specify environment variable UP_JASYPT_KEY

Another idea?
Thanks

Christian Cousquer

May 24, 2019, 4:36:23 AM
to franck le calloch, uPortal Community
Hi Franck,

From a quick Google search: this may perhaps help you. Perhaps you need to use the Jasypt CLI tools.

See as an example:
https://github.com/Jasig/CalendarPortlet/blob/master/README.md#using-encrypted-property-values 

Best regards,
- Christian


Julien Gribonvald

May 24, 2019, 5:00:33 AM
to uporta...@apereo.org

Hi,

I'm not sure that's linked to clearpass: Jasypt is used to encrypt all properties, to avoid having a plain-text password in configuration files, and this part is only to secure some credential data shared with CAS and so only known by these two parties.

On the web I've seen that some people needed to register the right provider, and others succeeded with a DSA key format. So I would say to test, as a first step, with DSA or any other available algorithm (EC or DH/Diffie-Hellman).

After that, I think you will need to do a remote debug in step-by-step mode, looking at java.security.KeyFactory.java, where this error comes from.

Thanks,

Julien
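
A stand-alone check of the two points raised above (which registered providers offer an RSA KeyFactory, and whether the PKCS#8 file parses), given here as an added example that is not part of the original thread or of uPortal's code. The class name RsaKeyFactoryCheck is hypothetical, and the result is only meaningful when it is run with the same JVM and security configuration that runs uPortal.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Added diagnostic, not uPortal code (class name is hypothetical).
public class RsaKeyFactoryCheck {
    public static void main(String[] args) throws Exception {
        // Default is the path quoted in the thread; pass another as args[0].
        String path = args.length > 0 ? args[0] : "/etc/ssl/certs/cas/private.p8";

        // Confirm which JVM is actually being exercised.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // 1. List registered providers and whether each offers KeyFactory.RSA.
        boolean found = false;
        for (Provider p : Security.getProviders()) {
            boolean hasRsa = p.getService("KeyFactory", "RSA") != null;
            found |= hasRsa;
            System.out.printf("%-14s KeyFactory.RSA=%b%n", p.getName(), hasRsa);
        }
        if (!found) {
            System.out.println("No provider offers KeyFactory.RSA: review the "
                + "security.provider.N entries in this JVM's java.security file.");
            return;
        }

        // 2. Parse the unencrypted PKCS#8 DER file the uPortal property points to.
        byte[] der = Files.readAllBytes(Paths.get(path));
        KeyFactory kf = KeyFactory.getInstance("RSA");
        PrivateKey key = kf.generatePrivate(new PKCS8EncodedKeySpec(der));
        System.out.println("Loaded " + key.getAlgorithm() + " key via "
            + kf.getProvider().getName());
        if (key instanceof RSAPrivateKey) {
            int bits = ((RSAPrivateKey) key).getModulus().bitLength();
            System.out.println("Modulus bits: " + bits);
        }
    }
}
```

If step 1 finds a provider here but uPortal still logs the error, the portal is running under a different JVM, java.security file or classloader than this check.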

franck le calloch

May 27, 2019, 4:00:44 PM
to uPortal Community
To do some tests and debugging, I would like to modify the file:

uPortal/uPortal-security/uPortal-security-authn/src/main/java/org/apereo/portal/security/provider/cas/CasAssertionSecurityContext.java

But I use uPortal-start.

Can I use the uPortal overlay to put the new Java source file?
How do I compile and deploy uPortal with the new CasAssertionSecurityContext.java file?
Thanks

Benito J. Gonzalez

May 28, 2019, 12:02:45 PM
to franck le calloch, uPortal Community
Here’s my suggestion:

1. Make a directory custom/my-security
2. Create a build.gradle file in that directory, like
description = "My Custom Components for uPortal Security"

apply plugin: 'java'
apply plugin: 'eclipse'


repositories {
    mavenLocal()
    mavenCentral()
}

dependencies {
    compile "org.jasig.portal:uPortal-core:${uPortalVersion}"
    compile "org.jasig.portal:uPortal-security-core:${uPortalVersion}"
    compile "org.jasig.portal:uPortal-events:${uPortalVersion}"
    compile "org.slf4j:log4j-over-slf4j:${slf4jVersion}"
    compile "org.slf4j:jcl-over-slf4j:${slf4jVersion}"
    compile "org.slf4j:slf4j-api:${slf4jVersion}"
    compileOnly 'org.projectlombok:lombok:1.18.6'
    annotationProcessor 'org.projectlombok:lombok:1.18.6'
    compileOnly "${portletApiDependency}"
    compileOnly "${servletApiDependency}"
}
3. Edit dependencies as needed for your class(es)
4. Make directories custom/my-security/src/main/java/… (package of classes)
5. Copy custom class to appropriate directory
6. Add `include 'custom:my-security'` to settings.gradle
7. Add `compile project(':custom:my-security')` to dependencies section of overlays/uPortal/build.gradle

Sorry these are not the clearest instructions. Feel free to ask me to elaborate on any of these steps.

Best,
—bjagg

Benito J. Gonzalez
Software Developer
Unicon, Inc.
Voice:  480.558.2360
 Text:  209.777.2754
GitHub:  bjagg
BitBucket:  bjagg


