Kenneth,

Perhaps the properties need to be set in the config file (if jasypt is reading 
directly), maybe the encryption bit size or algorithm.

Ray

On Wed, 2020-11-18 at 12:22 -0500, Kenneth Hopkins wrote:

My end goal is to encrypt the client secret in my service json registry as 
suggested here: 
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus

So far it isn't working for me.  In an effort to troubleshoot, I tried starting 
with trying to just encrypt some configuration properties: 
https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Security.html#standalone

That also is not working for me.

In an effort to simplify what I was looking at, I started with a clean download 
of the cas-overlay-template.  I started with the server.ssl.enabled property 
just for the sake of the test, but other properties seem to have the same 
problem.  I added an application.yml file to src/main/resources with a single 
property in it:

server:
  ssl:
    enabled: '{cas-cipher}bRgoFJzNOBogeWGrty800g=='

I got the encrypted value from running the cas commandline shell:

cas>encrypt-value --alg PBEWithMD5AndTripleDES --iterations 1000 --provider SunJCE --password siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ --value false
==== Encrypted Value ====
{cas-cipher}bRgoFJzNOBogeWGrty800g==

And I started my cas server like this:

java -jar build/libs/cas.war 
--cas.standalone.configurationSecurity.alg=PBEWithMD5AndDES 
--cas.standalone.configurationSecurity.provider=SunJCE 
--cas.standalone.configurationSecurity.iterations=1000 
--cas.standalone.configurationSecurity.psw=siMdrGQcecY5_orN3Zo_gZN-oAwqWmvOEKpxhp02bGF8VdJ5rdi8IfJ2NklWkqVvK9uMEAGHZwD_Qsd9UUjAbQ

The start of the CAS log looks like this:

2020-11-18 11:51:34,719 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndDES]>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2020-11-18 11:51:34,723 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
2020-11-18 11:51:34,725 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>


     _    ____  _____ ____  _____ ___     ____    _    ____
    / \  |  _ \| ____|  _ \| ____/ _ \   / ___|  / \  / ___|
   / _ \ | |_) |  _| | |_) |  _|| | | | | |     / _ \ \___ \
  / ___ \|  __/| |___|  _ <| |__| |_| | | |___ / ___ \ ___) |
 /_/   \_\_|   |_____|_| \_\_____\___/   \____/_/   \_\____/


CAS Version: 6.2.5
CAS Branch: 6.2.x
CAS Commit Id: cde05dab3b560a449036d61290ebcb4cf56eb0a2
CAS Build Date/Time: 2020-11-03T03:51:10Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.6.RELEASE
Java Home: /usr/lib/jvm/java-11-openjdk-amd64
Java Vendor: Ubuntu
Java Version: 11.0.9.1
JVM Free Memory: 504 MB
JVM Maximum Memory: 9 GB
JVM Total Memory: 924 MB
JCE Installed: Yes
OS Architecture: amd64
OS Name: Linux
OS Version: 5.4.0-54-generic
OS Date/Time: 2020-11-18T11:51:35.335785
OS Temp Directory: /tmp
------------------------------------------------------------
Apache Tomcat Version: Apache Tomcat/9.0.39
------------------------------------------------------------


2020-11-18 11:51:35,359 DEBUG [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Located CAS standalone configuration directory at [null]>
2020-11-18 11:51:35,360 INFO [org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] - <Configuration directory [null] is not a directory or cannot be found at the specific path>
2020-11-18 11:51:35,367 INFO [org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader] - <Found settings [[server.ssl.enabled]] in YAML file [class path resource [application.yml]]>
2020-11-18 11:51:35,369 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [server.ssl.enabled]>
2020-11-18 11:51:35,369 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2020-11-18 11:51:35,382 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [bRgoFJzNOBogeWGrty800g==]...>
2020-11-18 11:51:35,389 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}bRgoFJzNOBogeWGrty800g==]>
org.jasypt.exceptions.EncryptionOperationNotPossibleException: null
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169) ~[jasypt-1.9.3.jar!/:?]
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738) ~[jasypt-1.9.3.jar!/:?]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValuePropagateExceptions(CasConfigurationJasyptCipherExecutor.java:215) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decryptValue(CasConfigurationJasyptCipherExecutor.java:196) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:154) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor.decode(CasConfigurationJasyptCipherExecutor.java:22) ~[cas-server-core-api-configuration-model-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.util.crypto.CipherExecutor.lambda$decode$0(CipherExecutor.java:120) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at java.util.concurrent.ConcurrentHashMap.forEach(ConcurrentHashMap.java:1603) ~[?:?]
    at java.util.Properties.forEach(Properties.java:1443) ~[?:?]
    at org.apereo.cas.util.crypto.CipherExecutor.decode(CipherExecutor.java:117) ~[cas-server-core-api-util-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.BaseConfigurationPropertiesLoader.decryptProperties(BaseConfigurationPropertiesLoader.java:46) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.loader.YamlConfigurationPropertiesLoader.load(YamlConfigurationPropertiesLoader.java:36) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.loadEmbeddedYamlOverriddenProperties(DefaultCasConfigurationPropertiesSourceLocator.java:153) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator.locate(DefaultCasConfigurationPropertiesSourceLocator.java:71) ~[cas-server-core-configuration-api-6.2.5.jar!/:6.2.5]
    at org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration.locate(CasCoreBootstrapStandaloneConfiguration.java:52) ~[cas-server-core-configuration-6.2.5.jar!/:6.2.5]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:97) ~[spring-cloud-context-2.2.2.RELEASE.jar!/:2.2.2.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:140) ~[spring-boot-2.2.8.RELEASE.jar!/:2.2.8.RELEASE]
    at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:80) ~[cas-server-webapp-init-6.2.5.jar!/:6.2.5]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[cas.war:?]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[cas.war:?]
    at org.springframework.boot.loader.WarLauncher.main(WarLauncher.java:58) ~[cas.war:?]
2020-11-18 11:51:35,405 INFO [org.apereo.cas.web.CasWebApplication] - <The following profiles are active: standalone>
2020-11-18 11:51:35,613 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Refreshing CasWebApplicationContext()>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <Using MessageSource [org.apereo.cas.web.view.CasReloadableMessageBundle: basenames=[classpath:custom_messages, classpath:messages]]>
2020-11-18 11:51:38,897 TRACE [org.apereo.cas.web.CasWebApplicationContext] - <No 'applicationEventMulticaster' bean, using [SimpleApplicationEventMulticaster]>
2020-11-18 11:51:38,925 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 1000 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")

Listed settings above are no longer recognized by CAS 6.2.5. They may have been 
renamed, removed, or relocated to a new address in the CAS configuration 
schema. CAS will ignore such settings and will proceed with its normal 
initialization sequence. Please consult the CAS documentation to review and 
adjust each setting to find an alternative or remove the definition. Failure to 
do so puts the stability of the CAS server deployment in danger and complicates 
future upgrades.

Unfortunately, for security reasons, jasypt gives no details as to why the 
decryption failed.  I've tried several different things, but haven't gotten the 
decryption working.  The above error isn't the only one I've seen, but it seems 
to be the exception I'm seeing when I think that my steps should be correct.

I do see the error from 
org.apereo.cas.configuration.CasConfigurationPropertiesValidator at the end of 
the log, and that seems to be a discrepancy between the code, the 
documentation, and the configuration-model.  However, I don't think it is 
relevant to this problem because the CasConfigurationJasyptCipherExecutor seems 
to load the configuration directly from the property names, instead of using 
the configuration model.

Figuring out how to encrypt properties would be nice, but my ultimate goal is 
trying to encrypt the clientSecret in the service JSON file for an OAuth 
service.  That isn't working for me either:
https://apereo.github.io/2019/11/04/cas62x-oauth-jwt-access-token/#bonus
If it isn't worth trying to figure out configuration encryption, then I can 
provide more details about the problems I'm having trying to configure an 
encrypted clientSecret.

Thanks for any insights.


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca>

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
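The two commands quoted in the thread above do not use the same algorithm: the shell encrypted with --alg PBEWithMD5AndTripleDES, while the server was started with --cas.standalone.configurationSecurity.alg=PBEWithMD5AndDES, and the first log line confirms the server side ("Configured Jasypt algorithm [PBEWithMD5AndDES]"). The following Java program is an added example, not code from the thread or from the CAS project. It drives Jasypt 1.9.3 (the version in the stack trace) directly, outside CAS, to show that such a mismatch surfaces as the same EncryptionOperationNotPossibleException, and that the identical algorithm, provider, iteration count and password on both sides round-trip. The class name, the helper method names and the placeholder password are assumptions of this example; the {cas-cipher} prefix handling mirrors what the log shows CAS doing (the prefix is stripped before Jasypt sees the Base64 payload).

```java
// Added example (not from the original thread or the CAS project): reproduces the
// decryption failure seen in the log above with Jasypt 1.9.3 alone, outside CAS.
// Assumes jasypt-1.9.3.jar on the classpath and a JDK whose SunJCE provider
// offers PBEWithMD5AndDES and PBEWithMD5AndTripleDES (as on the page).
import java.util.Optional;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptAlgorithmMismatch {

    // Prefix CAS writes in front of encrypted settings. CAS strips it before handing the
    // Base64 payload to Jasypt (compare "Decrypting value [...]" in the log above).
    static final String CAS_PREFIX = "{cas-cipher}";

    /** Builds an encryptor from the same four parameters the CAS shell and server take. */
    static StandardPBEStringEncryptor encryptor(String alg, String provider, int iterations, String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setAlgorithm(alg);
        e.setProviderName(provider);
        e.setKeyObtentionIterations(iterations);
        e.setPassword(password);
        return e;
    }

    /** What encrypt-value does conceptually: encrypt (random 8-byte salt prepended, Base64), then prefix. */
    static String encryptForCas(StandardPBEStringEncryptor e, String plaintext) {
        return CAS_PREFIX + e.encrypt(plaintext);
    }

    /**
     * What the CAS cipher executor does conceptually: strip the prefix, decrypt.
     * Jasypt deliberately hides the root cause (bad padding, wrong key size, ...)
     * behind EncryptionOperationNotPossibleException, which is why the log has no detail.
     */
    static Optional<String> decryptFromCas(StandardPBEStringEncryptor e, String value) {
        if (!value.startsWith(CAS_PREFIX)) {
            return Optional.of(value); // not an encrypted setting; passed through unchanged
        }
        try {
            return Optional.of(e.decrypt(value.substring(CAS_PREFIX.length())));
        } catch (EncryptionOperationNotPossibleException ex) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Placeholder for the demo only; a real password belongs in a secret store,
        // not on a command line where any local user can read it from the process list.
        String password = "change-me-for-the-demo";

        // Side 1: what the shell command on the page used.
        StandardPBEStringEncryptor shell = encryptor("PBEWithMD5AndTripleDES", "SunJCE", 1000, password);
        String stored = encryptForCas(shell, "false");
        System.out.println("value as it would sit in application.yml : " + stored);

        // Side 2a: what the startup line on the page configured. Same password, same
        // iterations, same provider, different algorithm: the derived key is different.
        StandardPBEStringEncryptor serverWrongAlg = encryptor("PBEWithMD5AndDES", "SunJCE", 1000, password);
        String wrong = decryptFromCas(serverWrongAlg, stored)
                .map(v -> "decrypted to [" + v + "] (garbage, not 'false')")
                .orElse("EncryptionOperationNotPossibleException");
        System.out.println("server configured with PBEWithMD5AndDES       : " + wrong);

        // Side 2b: all four parameters identical to the encrypting side: round-trips.
        StandardPBEStringEncryptor serverMatching = encryptor("PBEWithMD5AndTripleDES", "SunJCE", 1000, password);
        System.out.println("server configured with PBEWithMD5AndTripleDES : "
                + decryptFromCas(serverMatching, stored).orElse("FAILED"));
    }
}
```

Compile and run with the Jasypt jar on the classpath (`javac -cp jasypt-1.9.3.jar JasyptAlgorithmMismatch.java` then `java -cp jasypt-1.9.3.jar:. JasyptAlgorithmMismatch`). Because Jasypt prepends a fresh random salt on every encrypt, the mismatched decrypt almost always fails the PKCS#5 padding check and throws; roughly one run in 256 the padding happens to look valid and you get garbage instead of `false`, so a deployment check should compare the decrypted value against the expected plaintext rather than rely on the exception alone. The same four parameters (algorithm, provider, iterations, password) have to agree byte for byte between the shell that produced the value and the server that reads it; both algorithms named here are legacy PKCS#5 v1.5 constructions (MD5 with single or Triple DES), and the example only demonstrates the mismatch, not a recommendation of either.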

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4ec9f005024932a01eeae61c4edb7f7e4024054.camel%40uvic.ca.