If you enable jwt in cas.properties by defining these two properties:


But leave these commented out:


Your catalina.out should log the generation of both keys, different each 
time you start the app of course.  I would just grab the values, then 
define in your cas.properties, then restart tomcat.

Log lines to look for:

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key 
for encryption is not defined for [Token/JWT Tickets]; CAS will attempt to 
auto-generate the encryption key>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated 
encryption key [pzyyqMTLT..................................] of size [256] 
for [Token/JWT Tickets]. The generated key MUST be added to CAS settings 
under setting [cas.authn.token.crypto.encryption.key].>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key 
for signing is not defined for [Token/JWT Tickets]. CAS will attempt to 
auto-generate the signing key>

WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated 
signing key [tR8gQgES...................] of size [512] for [Token/JWT 
Tickets]. The generated key MUST be added to CAS settings under setting 


On Thursday, September 13, 2018 at 3:01:26 PM UTC-5, Curtis Ruck wrote:
> The problem is due to the chicken and egg issue.  I need to prepopulate 
> the cas.properties, so the service can start up and work (without human 
> intervention).  I'm trying my best to avoid having to start a service, 
> parse the logs, and modify config, then restart the service.  The 
> documentation seems very light on these keys.
> On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote:
>> +1
>> I ended up grabbing values from the cas startup logs and setting in my 
>> cas.properties.  Seems to work.
>> On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote:
>>> So i'm trying to automate the generation and persistence of the 
>>> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys.
>>> I'm using the jwk-gen.jar, and when i store the key in cas.properties, 
>>> i end up with "Invalid AES key length: 43 bytes" when trying to access the 
>>> login page.
>>> If I let CAS generate a key, its the same exact string length (43 
>>> bytes). What is different between my key versus cas's generated keys? Then 
>>> i'm extracting the k value from the json, and inserting it into my 
>>> cas.properties.
>>> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks
>>> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks
>>> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 

Reply via email to