Thanks, Misagh! We're getting somewhere. CAS is no longer throwing an error 
before the "Log In Successful" page renders, at least. That page now 
partially reads "You, nobody, have successfully logged into the Central 
Authentication Service." While I am happy to see this page again, I do not 
think the ticket is properly being stored/retrieved, and even if everything 
is working properly, I do not think CAS calling our users "nobody" would go 
over well. ;-)

CAS is throwing an error that may shed some light on what is happening:

ERROR org.jasig.cas.ticket.registry.MemCacheTicketRegistry - Failed adding [f26dd67a5b1da390c54cb27cabd0d4a8cd4c59e877851e3eafc77289fd8b232e469f170f522b0a6779ac3135d4a157f9ecbf904a484693ac08d0cdc0a820585a]
java.lang.IllegalArgumentException: Invalid ticket type
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry.getTimeout(MemCacheTicketRegistry.java:255) ~[cas-server-integration-memcached-4.2.4.jar:4.2.4]
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry.addTicket_aroundBody0(MemCacheTicketRegistry.java:131) [cas-server-integration-memcached-4.2.4.jar:4.2.4]
    at org.jasig.cas.ticket.registry.MemCacheTicketRegistry$AjcClosure1.run(MemCacheTicketRegistry.java:1) [cas-server-integration-memcached-4.2.4.jar:4.2.4]

What do you think? 

Thanks again,
John

On Monday, August 8, 2016 at 12:41:55 PM UTC-4, Misagh Moayyed wrote:
>
> - You should be able to put the alias definition into the 
> deployerConfigContext.xml file. I have updated the docs to note this.
> - Your encryption key is of the wrong size. Check with the docs on the key 
> length. 
> - Also a bug in the docs: remove the seed. 
>
> -- 
> Misagh
>
> From: John Bradley <[email protected]>
> Reply: John Bradley <[email protected]>
> Date: August 8, 2016 at 9:05:04 AM
> To: CAS Community <[email protected]>
> Subject: [cas-user] Ticket encryption using Memcached not working
>
> I am working on a clustered CAS 4.2.4 installation (deployed to two 
> Linux-based Tomcat servers) based on the overlay template at 
> https://github.com/Jasig/cas-overlay-template.git. I am using two 
> Memcached instances for ticket management. These Memcached instances are on 
> separate servers in different networks, so encrypting and signing tickets 
> would be desirable. I have tried modifying the template following the guide 
> at 
> https://apereo.github.io/cas/4.2.x/installation/Ticket-Registry-Replication-Encryption.html,
> but I have had no luck.
>
> The template itself does not include a ticketRegistry.xml file, but I was 
> able to find one from another CAS admin's repository that happened to work. 
> Simply following the guide after that produced a WAR file that would 
> deploy, start up, and (as far as I can tell) facilitate authentication just 
> fine, but the following errors would be thrown around the time when ticket 
> storage would occur (I'll keep the stack traces brief):
>
> ERROR org.jasig.cas.util.ShiroCipherExecutor - Unable to init cipher instance.
> org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
>     at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
> ...
> Caused by: java.security.InvalidKeyException: Illegal key size
>     at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]
> ...
> ERROR org.jasig.cas.support.wsfederation.web.flow.WsFederationAction - org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
> java.lang.RuntimeException: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
>     at org.jasig.cas.util.ShiroCipherExecutor.encode_aroundBody0(ShiroCipherExecutor.java:59) ~[cas-server-core-util-4.2.4.jar:4.2.4]
> ...
> Caused by: org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
>     at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495) ~[shiro-core-1.2.6.jar:1.2.6]
> ...
> Caused by: java.security.InvalidKeyException: Illegal key size
>     at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1039) ~[?:1.8.0_71]
>
> Here are the relevant settings in cas.properties:
>
>
> #Ticket Registry
>
> #Secret key to use when encrypting tickets in a distributed ticket registry.
> ticket.encryption.secretkey=4nCSlWrHH36AqpM8jcs7gwuGsetXwKpZ
>
> #Seed to use when encrypting tickets in a distributed ticket registry.
> ticket.encryption.seed=QjDk7dFzr7oTPzw9hbLdP6WTg8dnDoAs
>
> #Secret key to use when signing tickets in a distributed ticket registry.
> #By default, must be a octet string of size 512.
> ticket.signing.secretkey=fMGDPz1bgNRtIcFFNZWnI1X83wuNpamcnE1vj8_h_uF1DErSZnhfH-vR7e3mt14PgV0f5GHA-k-b2_Jr4m67Cg
>
> #Secret key algorithm used
> ticket.secretkey.alg=AES
>
> memcached.servers=first.server.domain:11211,second.server.domain:11211
> memcached.hashAlgorithm=FNV1_64_HASH
> memcached.protocol=BINARY
> memcached.locatorType=ARRAY_MOD
> memcached.failureMode=Redistribute
>
> I have tried adding the Cryptography Extension to the Java (1.8.0_92) 
> libraries and changing the keys in cas.properties, with no luck. Before I 
> resort to tunneling, does anyone have any ideas on how to fix this? Thanks 
> in advance!
> --
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b980942a-e415-46f6-8e00-6bdd4cee9db5%40apereo.org.
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
>
>
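
Added example, not part of either message and not CAS code: a stand-alone Java check for the "Illegal key size" exception quoted above, which separates a key that is not a valid AES length from one that is valid but exceeds what the running JVM's crypto policy allows. It assumes the configured secret is used as raw key bytes (an assumption about how the key is consumed); the class name and sample keys are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public class AesKeySizeCheck {

    /** Verdict for using the given string as a raw AES key on this JVM. */
    static String check(String key) throws GeneralSecurityException {
        // Assumption: the key bytes are the UTF-8 bytes of the property text.
        byte[] raw = key.getBytes(StandardCharsets.UTF_8);
        int bits = raw.length * 8;

        // AES itself only defines 128-, 192- and 256-bit keys.
        if (bits != 128 && bits != 192 && bits != 256) {
            return bits + " bits: not an AES key length (need 128, 192 or 256)";
        }

        // The JVM's jurisdiction policy may cap AES below 256 bits; exceeding
        // the cap is what surfaces as InvalidKeyException: Illegal key size.
        // An unlimited policy reports Integer.MAX_VALUE here.
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        if (bits > maxBits) {
            return bits + " bits: valid AES length, but this JVM caps AES at "
                    + maxBits + " bits";
        }

        // Confirm by actually initialising a cipher with the key.
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, "AES"));
        return bits + " bits: accepted by this JVM";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Shows which runtime (and therefore which policy files) is in use.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Constructed sample keys: 9, 16, 24 and 32 characters.
        String[] samples = {
            "too-short",
            "0123456789abcdef",
            "0123456789abcdef01234567",
            "0123456789abcdef0123456789abcdef",
        };
        for (String key : samples) {
            System.out.println(key.length() + " chars -> " + check(key));
        }
    }
}
```

Run it with the same Java binary that starts Tomcat, since the policy limit is a property of that specific runtime installation.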
