Ticket encryption using Memcached not working

John Bradley

Aug 8, 2016, 12:04:59 PM
to CAS Community
I am working on a clustered CAS 4.2.4 installation (deployed to two Linux-based Tomcat servers) based on the overlay template at https://github.com/Jasig/cas-overlay-template.git. I am using two Memcached instances for ticket management. These Memcached instances are on separate servers in different networks, so encrypting and signing tickets would be desirable. I have tried modifying the template following the guide at https://apereo.github.io/cas/4.2.x/installation/Ticket-Registry-Replication-Encryption.html, but I have had no luck.

The template itself does not include a ticketRegistry.xml file, but I was able to find one from another CAS admin's repository that happened to work. Simply following the guide after that produced a WAR file that would deploy, start up, and (as far as I can tell) facilitate authentication just fine, but the following errors would be thrown around the time when ticket storage would occur (I'll keep the stack traces brief):

ERROR org.jasig.cas.util.ShiroCipherExecutor - Unable to init cipher instance. org.apache.shiro.crypto.CryptoException: Unable to init cipher instance. at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
...
Caused by: java.security.InvalidKeyException: Illegal key size at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]
...
ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - org.apache.shiro.crypto.CryptoException: Unable to init cipher instance. java.lang.RuntimeException: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance. at org.jasig.cas.util.ShiroCipherExecutor.encode_aroundBody0(ShiroCipherExecutor.java:59) ~[cas-server-core-util-4.2.4.jar:4.2.4]
...
Caused by: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance. at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
...
Caused by: java.security.InvalidKeyException: Illegal key size at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]

Here are the relevant settings in cas.properties:


#Ticket Registry

#Secret key to use when encrypting tickets in a distributed ticket registry.
ticket.encryption.secretkey=4nCSlWrHH36AqpM8jcs7gwuGsetXwKpZ

#Seed to use when encrypting tickets in a distributed ticket registry.
ticket.encryption.seed=QjDk7dFzr7oTPzw9hbLdP6WTg8dnDoAs

#Secret key to use when signing tickets in a distributed ticket registry.
#By default, must be an octet string of size 512.
ticket.signing.secretkey=fMGDPz1bgNRtIcFFNZWnI1X83wuNpamcnE1vj8_h_uF1DErSZnhfH-vR7e3mt14PgV0f5GHA-k-b2_Jr4m67Cg

#Secret key algorithm used
ticket.secretkey.alg=AES

memcached.servers=first.server.domain:11211,second.server.domain:11211
memcached.hashAlgorithm=FNV1_64_HASH
memcached.protocol=BINARY
memcached.locatorType=ARRAY_MOD
memcached.failureMode=Redistribute

I have tried adding the Cryptography Extension to the Java (1.8.0_92) libraries and changing the keys in cas.properties, with no luck. Before I resort to tunneling, does anyone have any ideas on how to fix this? Thanks in advance!

Misagh Moayyed

Aug 8, 2016, 12:41:55 PM
to CAS Community
- You should be able to put the alias definition into the deployerConfigContext.xml file. I have updated the docs to note this.
- Your encryption key is of the wrong size. Check with the docs on the key length. 
- Also a bug in the docs: remove the seed. 

-- 
Misagh
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b980942a-e415-46f6-8e00-6bdd4cee9db5%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
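The "Illegal key size" in the first post and the key-length remark in the reply above are both things you can catch on the admin box before building the WAR. The script below is an added example written for this thread, not code from the CAS project or from either poster. It assumes (my reading of CAS 4.2's ShiroCipherExecutor, stated here as an assumption) that the UTF-8 bytes of ticket.encryption.secretkey are used directly as the AES key, so only 16-, 24- or 32-byte strings are valid and map to AES-128/192/256; that anything above 128 bits needs the JCE Unlimited Strength policy jars on a restricted Oracle JDK 8 such as the 1.8.0_92 mentioned; and that ticket.signing.secretkey is base64url that must decode to the 512 bits (64 bytes) the comment in the posted cas.properties states. The sample properties file it builds reuses the two values posted in the thread purely as size examples; they are not secrets to deploy.

```shell
#!/bin/sh
# Added example (not CAS project code): sanity-check the ticket keys in a
# cas.properties before deploying, so "Illegal key size" is caught up front.
#
# Assumptions, labelled here as such:
#  - The encryption key's UTF-8 bytes are used directly as the AES key
#    (16/24/32 bytes -> AES-128/192/256); any other length is invalid.
#  - AES keys over 128 bits need the JCE Unlimited Strength policy on a
#    restricted Oracle JDK 8 (the thread's 1.8.0_92 qualifies).
#  - The signing key is base64url and must decode to 512 bits (64 bytes),
#    as the comment in the posted cas.properties says.

# Byte length of a string (bytes, not characters: that is what the JVM sees).
byte_len() { printf '%s' "$1" | wc -c | tr -d ' '; }

# AES key size in bits implied by an encryption key string, or "invalid".
aes_key_bits() {
  case "$(byte_len "$1")" in
    16) echo 128 ;;
    24) echo 192 ;;
    32) echo 256 ;;
    *)  echo invalid ;;
  esac
}

# True when the key exceeds the 128-bit ceiling of a restricted JDK 8.
needs_unlimited_jce() {
  bits=$(aes_key_bits "$1")
  [ "$bits" != invalid ] && [ "$bits" -gt 128 ]
}

# Decoded byte length of a base64url string: strip padding, floor(chars * 3 / 4).
b64url_bytes() {
  s=$(printf '%s' "$1" | tr -d '=')
  echo $(( $(byte_len "$s") * 3 / 4 ))
}

# Read one key from a properties file (first match, surrounding spaces dropped).
prop() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1; }

# Check a properties file; print findings, return 0 only if both keys are usable.
check_ticket_keys() {
  f=$1; ok=0
  enc=$(prop ticket.encryption.secretkey "$f")
  sig=$(prop ticket.signing.secretkey "$f")
  bits=$(aes_key_bits "$enc")
  if [ "$bits" = invalid ]; then
    echo "encryption key: $(byte_len "$enc") bytes, not 16/24/32 -> InvalidKeyException"; ok=1
  elif needs_unlimited_jce "$enc"; then
    echo "encryption key: AES-$bits, needs the JCE Unlimited Strength policy in Tomcat's JRE"
  else
    echo "encryption key: AES-$bits, works on a restricted JDK"
  fi
  sb=$(b64url_bytes "$sig")
  if [ "$sb" -ne 64 ]; then
    echo "signing key: $sb bytes, expected 64 (512 bits)"; ok=1
  else
    echo "signing key: 64 bytes (512 bits), OK"
  fi
  return $ok
}

# Generate a fresh key: N random bytes from /dev/urandom as unpadded base64url.
gen_b64url_key() {
  head -c "$1" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Constructed sample using the two values posted in the thread (size examples only).
demo_props() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
ticket.encryption.secretkey=4nCSlWrHH36AqpM8jcs7gwuGsetXwKpZ
ticket.signing.secretkey=fMGDPz1bgNRtIcFFNZWnI1X83wuNpamcnE1vj8_h_uF1DErSZnhfH-vR7e3mt14PgV0f5GHA-k-b2_Jr4m67Cg
EOF
  echo "$f"
}

check_ticket_keys "$(demo_props)"
```

Run against the thread's values it reports the 32-byte encryption key as AES-256 (which a stock Oracle JDK 8u92 rejects with exactly this InvalidKeyException unless the policy jars sit in the JRE Tomcat actually starts with, not just the JDK on the path) and the signing key as 64 bytes. The definitive check from inside the JVM is javax.crypto.Cipher.getMaxAllowedKeyLength("AES"), which returns 128 on a restricted JDK and Integer.MAX_VALUE once the unlimited policy is in place.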

John Bradley

Aug 8, 2016, 2:09:26 PM
to CAS Community, mmoa...@unicon.net
Thanks, Misagh! We're getting somewhere. CAS is no longer throwing an error before the "Log In Successful" page renders, at least. That page now partially reads "You, nobody, have successfully logged into the Central Authentication Service." While I am happy to see this page again, I do not think the ticket is properly being stored/retrieved, and even if everything is working properly, I do not think CAS calling our users "nobody" would go over well. ;-)

CAS is throwing an error that may shed some light on what is happening:

ERROR org.jasig.cas.ticket.registry.MemCacheTicketRegistry - Failed adding [f26dd67a5b1da390c54cb27cabd0d4a8cd4c59e877851e3eafc77289fd8b232e469f170f522b0a6779ac3135d4a157f9ecbf904a484693ac08d0cdc0a820585a]
java.lang.IllegalArgumentException: Invalid ticket type
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry.getTimeout(MemCacheTicketRegistry.java:255) ~[cas-server-integration-memcached-4.2.4.jar:4.2.4]
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry.addTicket_aroundBody0(MemCacheTicketRegistry.java:131) [cas-server-integration-memcached-4.2.4.jar:4.2.4]
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry$AjcClosure1.run(MemCacheTicketRegistry.java:1) [cas-server-integration-memcached-4.2.4.jar:4.2.4]

What do you think?

Thanks again,
John

Misagh Moayyed

Aug 8, 2016, 2:16:55 PM
to CAS Community
Switch your logs to DEBUG, and possibly, switch to 4.2.4-SNAPSHOT. Paste the logs back please.

-- 
Misagh


Misagh Moayyed

Aug 8, 2016, 2:22:35 PM
to CAS Community
Correction: 4.2.5-SNAPSHOT. Sorry. 

-- 
Misagh

Misagh Moayyed

Aug 8, 2016, 2:31:57 PM
to CAS Community
Never mind. I see the problem. Sorry about the spam. Go ahead and file an issue please.

John Bradley

Aug 8, 2016, 3:07:29 PM
to CAS Community, mmoa...@unicon.net