[cas-user] Configuration Security


Andrew Tillinghast

May 8, 2017, 11:07:42 AM
to cas-...@apereo.org

I'm working on encrypting passwords before I put our overlay up on GitHub.

I built my keystore as per the spring cloud document: https://cloud.spring.io/spring-cloud-config/spring-cloud-config.html

Added the properties:

spring.cloud.config.server.encrypt.enabled=true
encrypt.keyStore.location=file:///etc/cas/config/casconfigserver.jks
encrypt.keyStore.password=SecretPass
encrypt.keyStore.alias=dakey
encrypt.keyStore.secret=changeme


When I execute the curl statement I get a response:

$ curl http://casdev1.conncoll.edu:8080/cas/status/configserver/encrypt --data-urlencode Secret!

AQASDk01S0m3vTjgxpXQBhQC4OOeEmEmBvw9Dgs7DijOM37tJle68IG8c56YGmX8jzHIXIepBdMXTjh6IL8HqijIZgHESRrCiD5IYC2ZKS9h7tKRw1tqWcDfb37cRbgpp2AphFVDQn114PI7bekRBDcBS1Hqd/sdAj6gDalPZ0mTXhqNiRnbognVG/xuWGvn5aFPKTV+OBtKY8eFlsVqkQiF4PgbIjXsbhGnGTTuWtIqojuuHDIzviaJZyUDO7eSPlMno6StXHGYM8IpkTXEzM0zpwbNZGK5GAdcYLwyc5W4iFKG+9RColVzBe2kKwvu1NcaylovTTPsasIUxi0v2Lx1v5MsR+aX4YzSIWZQOOUvtSWddmeBzWkZmr+1WAHgGCM=

I then update the properties:

cas.authn.ldap[0].bindCredential={cipher}AQASDk01S0m3vTjgxpXQBhQC4OOeEmEmBvw9Dgs7DijOM37tJle68IG8c56YGmX8jzHIXIepBdMXTjh6IL8HqijIZgHESRrCiD5IYC2ZKS9h7tKRw1tqWcDfb37cRbgpp2AphFVDQn114PI7bekRBDcBS1Hqd/sdAj6gDalPZ0mTXhqNiRnbognVG/xuWGvn5aFPKTV+OBtKY8eFlsVqkQiF4PgbIjXsbhGnGTTuWtIqojuuHDIzviaJZyUDO7eSPlMno6StXHGYM8IpkTXEzM0zpwbNZGK5GAdcYLwyc5W4iFKG+9RColVzBe2kKwvu1NcaylovTTPsasIUxi0v2Lx1v5MsR+aX4YzSIWZQOOUvtSWddmeBzWkZmr+1WAHgGCM=


And CAS fails to start with:

May 08, 2017 10:56:24 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:153)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[0].bindCredential
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95)
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:635)
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:349)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:313)
    at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:151)
    at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:131)
    at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:86)
    at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5573)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
    ... 10 more
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
    at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:152)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193)
    ... 21 more



If the keystore isn't configured correctly, how am I getting an encrypt response from the admin endpoint?


--
Andrew Tillinghast
Sr. Web Developer
270 Mohegan Avenue
New London, CT 06320-4196

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGA6n_kLMYr-8igc5ftWaaSqR_W5hQ%2B6-OQeq1J1GtWZmmU8Tg%40mail.gmail.com.
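The two halves of the question above are served by two different encryptors. The `/encrypt` endpoint belongs to the config server and is built from the application environment, which is where `cas.properties` is loaded. Decryption of `{cipher}` values, by contrast, happens in `EnvironmentDecryptApplicationInitializer` with the `TextEncryptor` that `EncryptionBootstrapConfiguration` builds from the bootstrap environment (`bootstrap.properties`, system properties, environment variables). If no `encrypt.key` or `encrypt.keyStore.*` settings are visible at that stage, Spring Cloud installs `FailsafeTextEncryptor`, whose `decrypt()` throws the "Did you configure the keystore correctly?" error in the trace. The script below is an added example, not code from the post or from CAS/Spring Cloud: it audits a constructed pair of property files laid out like the poster's (keystore settings only in `cas.properties`), reports whether `{cipher}` values will be decryptable at startup, and structurally checks each blob against the layout `RsaSecretEncryptor` produces (2-byte big-endian length, RSA-wrapped AES key of that length, then AES-CBC output of a 16-byte IV plus padded blocks). Treating `encrypt.keyStore.secret` as optional for the presence check is an assumption of this script; the property-file contents are constructed, the ciphertext is the one from the post.

```python
import base64
import binascii
import re
from typing import Dict, List

CIPHER_PREFIX = "{cipher}"

# Keystore settings the bootstrap TextEncryptor needs (encrypt.keyStore.secret
# is treated as optional here; that is an assumption of this script).
REQUIRED_KEYSTORE_PROPS = (
    "encrypt.keyStore.location",
    "encrypt.keyStore.password",
    "encrypt.keyStore.alias",
)

# Ciphertext copied from the post above (the /encrypt response for "Secret!").
PAGE_CIPHERTEXT = (
    "AQASDk01S0m3vTjgxpXQBhQC4OOeEmEmBvw9Dgs7DijOM37tJle68IG8c56YGmX8jzHIXIepBdMXTjh6"
    "IL8HqijIZgHESRrCiD5IYC2ZKS9h7tKRw1tqWcDfb37cRbgpp2AphFVDQn114PI7bekRBDcBS1Hqd/sd"
    "Aj6gDalPZ0mTXhqNiRnbognVG/xuWGvn5aFPKTV+OBtKY8eFlsVqkQiF4PgbIjXsbhGnGTTuWtIqojuu"
    "HDIzviaJZyUDO7eSPlMno6StXHGYM8IpkTXEzM0zpwbNZGK5GAdcYLwyc5W4iFKG+9RColVzBe2kKwvu"
    "1NcaylovTTPsasIUxi0v2Lx1v5MsR+aX4YzSIWZQOOUvtSWddmeBzWkZmr+1WAHgGCM="
)

# Constructed sample files reproducing the post's layout: encrypt.* lives in
# cas.properties (application environment), bootstrap.properties lacks it.
BOOTSTRAP_PROPERTIES = "spring.application.name=cas\n"
CAS_PROPERTIES = (
    "spring.cloud.config.server.encrypt.enabled=true\n"
    "encrypt.keyStore.location=file:///etc/cas/config/casconfigserver.jks\n"
    "encrypt.keyStore.password=SecretPass\n"
    "encrypt.keyStore.alias=dakey\n"
    "encrypt.keyStore.secret=changeme\n"
    "cas.authn.ldap[0].bindCredential=" + CIPHER_PREFIX + PAGE_CIPHERTEXT + "\n"
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value / key: value, # and ! comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def inspect_cipher_blob(value: str) -> Dict[str, object]:
    """Structural check of one {cipher} value against RsaSecretEncryptor's layout:
    [2-byte length][RSA-encrypted AES key][16-byte IV][AES-CBC blocks]."""
    if value.startswith(CIPHER_PREFIX):
        value = value[len(CIPHER_PREFIX):]
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"well_formed": False, "reason": "not base64: %s" % exc}
    if len(blob) < 2:
        return {"well_formed": False, "reason": "too short for a length prefix"}
    rsa_len = int.from_bytes(blob[:2], "big")
    aes_len = len(blob) - 2 - rsa_len
    if rsa_len not in (128, 256, 384, 512):          # 1024..4096-bit RSA modulus
        return {"well_formed": False, "reason": "implausible RSA block length %d" % rsa_len}
    if aes_len < 32 or aes_len % 16:                  # IV + at least one whole block
        return {"well_formed": False, "reason": "AES section is %d bytes" % aes_len}
    return {
        "well_formed": True,
        "reason": "",
        "rsa_key_bits": rsa_len * 8,
        "aes_bytes": aes_len,
        # after removing the IV, PKCS#5 padding hides 1..16 bytes of the last block
        "plaintext_len_range": (aes_len - 31, aes_len - 17),
    }


def bootstrap_can_decrypt(bootstrap: Dict[str, str]) -> bool:
    """True if the bootstrap environment carries a symmetric key or a usable keystore."""
    if "encrypt.key" in bootstrap:
        return True
    return all(k in bootstrap for k in REQUIRED_KEYSTORE_PROPS)


def audit(bootstrap_text: str, app_text: str) -> List[str]:
    """Report {cipher} values and whether startup decryption can succeed."""
    bootstrap = parse_properties(bootstrap_text)
    app = parse_properties(app_text)
    merged = {**app, **bootstrap}
    encrypted = {k: v for k, v in merged.items() if v.startswith(CIPHER_PREFIX)}
    findings: List[str] = []
    for key, value in encrypted.items():
        info = inspect_cipher_blob(value)
        if not info["well_formed"]:
            findings.append("MALFORMED %s: %s" % (key, info["reason"]))
        else:
            lo, hi = info["plaintext_len_range"]
            findings.append("OK %s: RSA-%d wrapped key, %d AES bytes, plaintext %d..%d bytes"
                            % (key, info["rsa_key_bits"], info["aes_bytes"], lo, hi))
    if encrypted and not bootstrap_can_decrypt(bootstrap):
        missing = [k for k in REQUIRED_KEYSTORE_PROPS if k not in bootstrap]
        findings.append("FAIL: {cipher} values present but the bootstrap environment has neither "
                        "encrypt.key nor " + ", ".join(missing)
                        + "; decryption falls back to FailsafeTextEncryptor")
        if all(k in app for k in REQUIRED_KEYSTORE_PROPS):
            findings.append("HINT: encrypt.keyStore.* is set only in the application properties; "
                            "that serves the /encrypt endpoint but not startup decryption. "
                            "Put it in bootstrap.properties or pass -Dencrypt.keyStore.* to the JVM.")
    return findings


if __name__ == "__main__":
    for line in audit(BOOTSTRAP_PROPERTIES, CAS_PROPERTIES):
        print(line)
```

The length prefix of the posted ciphertext decodes to 0x0100, so the keystore holds a 2048-bit RSA key, and the 32 trailing bytes are one IV plus one padded block, consistent with a short plaintext like "Secret!". Running the audit on the constructed files yields an OK line for the blob followed by FAIL and HINT, which is the situation the stack trace describes; moving the `encrypt.keyStore.*` lines into the bootstrap environment makes `bootstrap_can_decrypt` true. One more caveat when moving values around: in a `.properties` file the `{cipher}` value goes unquoted as shown, but in YAML it must be quoted, since a bare `{` starts a flow mapping.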

atilling

May 19, 2017, 10:24:02 AM
to CAS Community
I was able to secure my LDAP connection by following the instructions here: https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/

However, this encryption does not seem to work for "cas.serviceRegistry.jpa.password": when I add the {cipher} value there, I get errors in the logs saying CAS cannot connect to the database, using the correct username and no password.

The blog states "Note that there is nothing stopping you from encrypting any other setting!" Is there any reason why the encryption doesn't work on the JPA password?