If you enable jwt in cas.properties by defining these two properties: cas.authn.token.crypto.enabled=true cas.authn.token.crypto.encryptionEnabled=true
But leave these commented out: cas.authn.token.crypto.signing.key cas.authn.token.crypto.encryption.key Your catalina.out should log the generation of both keys, different each time you start the app of course. I would just grab the values, then define in your cas.properties, then restart tomcat. Log lines to look for: WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Token/JWT Tickets]; CAS will attempt to auto-generate the encryption key> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [pzyyqMTLT..................................] of size [256] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.encryption.key].> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Token/JWT Tickets]. CAS will attempt to auto-generate the signing key> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [tR8gQgES...................] of size [512] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.signing.key].> -W On Thursday, September 13, 2018 at 3:01:26 PM UTC-5, Curtis Ruck wrote: > > The problem is due to the chicken and egg issue. I need to prepopulate > the cas.properties, so the service can start up and work (without human > intervention). I'm trying my best to avoid having to start a service, > parse the logs, and modify config, then restart the service. The > documentation seems very light on these keys. > > On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote: >> >> +1 >> >> I ended up grabbing values from the cas startup logs and setting in my >> cas.properties. Seems to work. >> >> >> On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote: >>> >>> So i'm trying to automate the generation and persistence of the >>> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys. >>> >>> I'm using the jwk-gen.jar, and when i store the key in cas.properties, >>> i end up with "Invalid AES key length: 43 bytes" when trying to access the >>> login page. >>> >>> >>> If I let CAS generate a key, its the same exact string length (43 >>> bytes). What is different between my key versus cas's generated keys? Then >>> i'm extracting the k value from the json, and inserting it into my >>> cas.properties. >>> >>> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks >>> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks >>> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks >>> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks >>> >> -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9e1fc4-7305-4efe-8da8-7d7ccd465206%40apereo.org.