I was able to secure my LDAP connection by following the instructions here: 
https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/

However, this encryption does not seem to work for 
"cas.serviceRegistry.jpa.password". When I add the {cipher} value there, I get 
errors in the logs saying CAS cannot connect to the database using the 
correct username and no password.

The blog states "Note that there is nothing stopping you from encrypting 
any other setting!" Is there any reason why the encryption doesn't work on 
the JPA password?

On Monday, May 8, 2017 at 11:07:43 AM UTC-4, atilling wrote:
>
>
> I'm working on encrypting passwords before I put our overlay up on github.
>
> I built my keystore as per the spring cloud document: 
> https://cloud.spring.io/spring-cloud-config/spring-cloud-config.html
>
> Added the properties:
>
> spring.cloud.config.server.encrypt.enabled=true
> encrypt.keyStore.location=file:///etc/cas/config/casconfigserver.jks
> encrypt.keyStore.password=SecretPass
> encrypt.keyStore.alias=dakey
> encrypt.keyStore.secret=changeme
>
>
> When I execute the Curl Statement I get a response
>
> $ curl http://casdev1.conncoll.edu:8080/cas/status/configserver/encrypt --data-urlencode Secret!
>
>
> AQASDk01S0m3vTjgxpXQBhQC4OOeEmEmBvw9Dgs7DijOM37tJle68IG8c56YGmX8jzHIXIepBdMXTjh6IL8HqijIZgHESRrCiD5IYC2ZKS9h7tKRw1tqWcDfb37cRbgpp2AphFVDQn114PI7bekRBDcBS1Hqd/sdAj6gDalPZ0mTXhqNiRnbognVG/xuWGvn5aFPKTV+OBtKY8eFlsVqkQiF4PgbIjXsbhGnGTTuWtIqojuuHDIzviaJZyUDO7eSPlMno6StXHGYM8IpkTXEzM0zpwbNZGK5GAdcYLwyc5W4iFKG+9RColVzBe2kKwvu1NcaylovTTPsasIUxi0v2Lx1v5MsR+aX4YzSIWZQOOUvtSWddmeBzWkZmr+1WAHgGCM=
> I then update properties
>
> cas.authn.ldap[0].bindCredential=
> {cipher}AQASDk01S0m3vTjgxpXQBhQC4OOeEmEmBvw9Dgs7DijOM37tJle68IG8c56YGmX8jzHIXIepBdMXTjh6IL8HqijIZgHESRrCiD5IYC2ZKS9h7tKRw1tqWcDfb37cRbgpp2AphFVDQn114PI7bekRBDcBS1Hqd/sdAj6gDalPZ0mTXhqNiRnbognVG/xuWGvn5aFPKTV+OBtKY8eFlsVqkQiF4PgbIjXsbhGnGTTuWtIqojuuHDIzviaJZyUDO7eSPlMno6StXHGYM8IpkTXEzM0zpwbNZGK5GAdcYLwyc5W4iFKG+9RColVzBe2kKwvu1NcaylovTTPsasIUxi0v2Lx1v5MsR+aX4YzSIWZQOOUvtSWddmeBzWkZmr+1WAHgGCM=
>
>
> And CAS fails to start with:
>
> May 08, 2017 10:56:24 AM org.apache.catalina.core.ContainerBase addChildInternal
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/cas]]
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:153)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
>     at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[0].bindCredential
>     at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201)
>     at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165)
>     at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95)
>     at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:635)
>     at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:349)
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:313)
>     at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:151)
>     at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:131)
>     at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:86)
>     at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5573)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>     ... 10 more
> Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
>     at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:152)
>     at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193)
>     ... 21 more
>
>
> If the keystore isn't configured correctly, how am I getting an encrypt 
> response from the admin endpoint?
>
>
> -- 
> Andrew Tillinghast
> Sr. Web Developer
> atill...@conncoll.edu
>
>
