Why generate x509.pem for ClearPass?

[Jonathan Labin]

I'm attempting to enable credential release using ClearPass configuration as described in the documentation.

The Create Keys section of this page results in the creation of 4 files:

• private.key
• public.key
• private.p8
• x509.pem

How is the x509.pem file expected to be used in this process?

I suspect that the certificate request is intended to be sent to a CA for signing but once that happens, how would the resulting certificate be used?

I was able to configure my application to successfully receive the user credential attribute by providing public.key to the CAS server.  I'm guessing that this is what is meant by the reference to "classpath:RSA1024Public.key" in the Register Service section.

I was also able to decrypt the encrypted credential attribute by loading the private.p8 file with an instance of PKCS8EncodedKeySpec to generate the private key from it.

With this functioning correctly, I am puzzled by the purpose of the x509.pem file.  Is there some way to configure the service to read the public key from a signed unexpired certificate file?

[Misagh Moayyed]

How is the x509.pem file expected to be used in this process?

 

It’s not. It likely should be removed from the docs.

 

I suspect that the certificate request is intended to be sent to a CA for signing but once that happens, how would the resulting certificate be used?

 

It’s not. You only care about the key duo.

 

I was able to configure my application to successfully receive the user credential attribute by providing public.key to the CAS server.  I'm guessing that this is what is meant by the reference to "classpath:RSA1024Public.key" in the Register Service section.

I was also able to decrypt the encrypted credential attribute by loading the private.p8 file with an instance of PKCS8EncodedKeySpec to generate the private key from it.

 

With this functioning correctly, I am puzzled by the purpose of the x509.pem file.  Is there some way to configure the service to read the public key from a signed unexpired certificate file?

 

No. Ignore, and if you prefer submit a PR that removes that step from the docs. This probably is leftover from somewhere else when it was copied.

 

[Tim McLaughlin]

I was going to ask a related question, searched first, and found this.  Hopefully you'll forgive me for latching onto this thread.

 

Once the keypair is in place (and it's good to know the pem file is unnecessary), are the user's credentials stored in an encrypted form in memory on the CAS server, or is that keypair only used to encrypt the credential when the service gets the attribute passed to it?

 

There is some interest in temporarily making use of the "new" ClearPass (we're coming from 3.4.x) while a better solution is worked up, but if there is cleartext involved in the object storage, I want to remove ClearPass from the possible options.

 

Thank you,

Tim

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/00d101d24caa%24343f9860%249cbec920%24%40unicon.net.