Yan, That sounds right. It has been a while since I used those versions of cas. I know that with cas 6 there are properties for ticket encryption, and they have to be set.
What is preventing you from upgrading? Is cas 5 still supported? What about the java versions and host OS, are they supported? This older software is the type of place where unauthorized users can gain access. If your management insists that data be encrypted, they should provide you with the resources to keep this software current. Upgrade and you will be able to meet the security policy requirements. Remember, cas is THE point of security to all your apps. Ray On Fri, 2020-11-20 at 12:24 -0800, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hi Ray, Thanks for the info., We use both CAS4/CAS5 in production. Due to our security policy, we need to encrypt anything having user info. (even in the backend), this means we need to encrypt TGT in the ticket storage. Otherwise, someone on our network can intercept the traffic between CAS and hazelcast registry and misuse the TGT coming across the wire. As I understand, CAS4 does NOT support encrypting TGT, that capability is new in CAS5. For both CAS4/CAS5, what has been encrypted and secured is the TGC (the thing that is sent to browser). But our security policy requires even the backend be encrypted, as long as it has user info. With CAS5, we can do that, but with CAS4, that is not possible (the only alternative it to use secure channel to store/read TGT). Sounds right? Yan On Thursday, November 19, 2020 at 5:22:04 PM UTC-5 Ray Bon wrote: Yan, The TGT stays on the cas server and the ticket storage system. It stores the user session details. The TGC is sent to the browser. It is just an identifier for cas to find a TGT. The ST is just an identifier and stores no info. See https://apereo.github.io/cas/6.2.x/planning/Security-Guide.html#protocol-ticket-encryption, for encryption options. Ray On Thu, 2020-11-19 at 14:07 -0800, Yan Zhou wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, is there any user info. being stored in TGT and ST? I would think so, I see Authentication being part of TGT. Due to some security policy, we are asked whether we need to encrypt TGT and ST, because there is User Auth info., it sounds like we should encrypt it. Does that sound right? Thanks, Yan -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831<tel:(250)%20721-8831> | CLE 019 | rb...@uvic.ca I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | r...@uvic.ca<mailto:r...@uvic.ca> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b3e8914ea825aa67d55df1ecf7147e4a68f27a8c.camel%40uvic.ca.
