If you enable jwt in cas.properties by defining these two properties: cas.authn.token.crypto.enabled=true cas.authn.token.crypto.encryptionEnabled=true
But leave these commented out: cas.authn.token.crypto.signing.key cas.authn.token.crypto.encryption.key Your catalina.out should log the generation of both keys, different each time you start the app of course. I would just grab the values, then define in your cas.properties, then restart tomcat. Log lines to look for: WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for encryption is not defined for [Token/JWT Tickets]; CAS will attempt to auto-generate the encryption key> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated encryption key [pzyyqMTLT..................................] of size [256] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.encryption.key].> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Secret key for signing is not defined for [Token/JWT Tickets]. CAS will attempt to auto-generate the signing key> WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Generated signing key [tR8gQgES...................] of size [512] for [Token/JWT Tickets]. The generated key MUST be added to CAS settings under setting [cas.authn.token.crypto.signing.key].> -W On Thursday, September 13, 2018 at 3:01:26 PM UTC-5, Curtis Ruck wrote: > > The problem is due to the chicken and egg issue. I need to prepopulate > the cas.properties, so the service can start up and work (without human > intervention). I'm trying my best to avoid having to start a service, > parse the logs, and modify config, then restart the service. The > documentation seems very light on these keys. > > On Thursday, September 13, 2018 at 10:03:02 AM UTC-4, William E. wrote: >> >> +1 >> >> I ended up grabbing values from the cas startup logs and setting in my >> cas.properties. Seems to work. >> >> >> On Wednesday, September 12, 2018 at 3:34:32 PM UTC-5, Curtis Ruck wrote: >>> >>> So i'm trying to automate the generation and persistence of the >>> cas.tgc.crypto and cas.webflow.crypto encryption and signing keys. >>> >>> I'm using the jwk-gen.jar, and when i store the key in cas.properties, >>> i end up with "Invalid AES key length: 43 bytes" when trying to access the >>> login page. >>> >>> >>> If I let CAS generate a key, its the same exact string length (43 >>> bytes). What is different between my key versus cas's generated keys? Then >>> i'm extracting the k value from the json, and inserting it into my >>> cas.properties. >>> >>> java -jar jwk-gen.jar -t oct 256 -o tgc-enc.jwks >>> java -jar jwk-gen.jar -t oct 512 -o tgc-sig.jwks >>> java -jar jwk-gen.jar -t oct 256 -o webflow-enc.jwks >>> java -jar jwk-gen.jar -t oct 512 -o webflow-sig.jwks >>> >> -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2a9e1fc4-7305-4efe-8da8-7d7ccd465206%40apereo.org.
