I prefer working with CAS than OpenAM, ADFS, etc... Try automating one of those SSO solutions.
Its also why i preferred Spring XML than this @Configuration stuff. On Tuesday, December 4, 2018 at 12:43:29 PM UTC-5, David Curry wrote: > > 1,000 CAS servers. Ow. :-) > > > -- > > DAVID A. CURRY, CISSP > *DIRECTOR OF INFORMATION SECURITY* > THE NEW SCHOOL • INFORMATION TECHNOLOGY > > 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 > +1 212 229-5300 x4728 • [email protected] <javascript:> > > > On Tue, Dec 4, 2018 at 12:31 PM Curtis Ruck <[email protected] > <javascript:>> wrote: > >> Dave, >> >> Keys generated/signed by CA plus we need 100% automated solution. We >> don't just have 1 CAS server, we have 1,000 or so, and they each need >> unique keys. Our CAS use case is unique, in that we essentially run CAS >> w/applications at the edge of the network, with extremely poor >> communications back up to an centralized enterprise; so we have to automate >> as much as possible. >> >> Ideally, I'd just submit a couple PRs to make the PrivateKeyFactoryBean >> handle multiple outputs from the PEMParser, but i'm working against a tight >> schedule, and can't wait for a CAS release at the moment. >> >> On Tuesday, December 4, 2018 at 12:12:29 PM UTC-5, David Curry wrote: >>> >>> This doesn't really answer your question (I don't know the answer), but >>> can't you just start CAS and let it generate the keys (they end up in >>> /etc/cas/saml), then stop CAS and copy the keys somewhere for >>> safekeeping/redistribution? >>> >>> For our installation with multiple CAS servers behind a load balancer >>> that's what I did, and copied the keys into the Maven overlay's >>> etc/cas/saml directory. Then when I install everything, I end up with the >>> same keys (and metadata) on all the servers. And we've uploaded them to a >>> SAML SP here and there, as well. Seems to work fine, so far. >>> >>> Or do you need to use keys generated/signed by your CA or something? >>> >>> --Dave >>> >>> >>> >>> -- >>> >>> DAVID A. CURRY, CISSP >>> *DIRECTOR OF INFORMATION SECURITY* >>> THE NEW SCHOOL • INFORMATION TECHNOLOGY >>> >>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 >>> +1 212 229-5300 x4728 • [email protected] >>> >>> >>> On Tue, Dec 4, 2018 at 11:59 AM Curtis Ruck <[email protected]> wrote: >>> >>>> Does anyone know how to generate the idp-signing.key/crt with openssl? >>>> It seems CAS is hardcoded to expect a PEMKeyPair >>>> <https://github.com/apereo/cas/blob/5.3.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/crypto/PrivateKeyFactoryBean.java#L57> >>>> object >>>> coming out of PEMParser, but I can't figure out how to use OpenSSL to >>>> generate an appropriate key file. >>>> >>>> Yes, CAS generates it fine, using bouncycastle, but I have to generate >>>> these keys/certificates outside of CAS so I can distribute the trust to >>>> the >>>> various SAML 2.0 applications. >>>> >>>> -- >>>> - Website: https://apereo.github.io/cas >>>> - Gitter Chatroom: https://gitter.im/apereo/cas >>>> - List Guidelines: https://goo.gl/1VRrw7 >>>> - Contributions: https://goo.gl/mh7qDG >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CAS Community" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/36a4ed0f-a015-4438-a9a1-501f9fd5eaec%40apereo.org >>>> >>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/36a4ed0f-a015-4438-a9a1-501f9fd5eaec%40apereo.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> - Website: https://apereo.github.io/cas >> - Gitter Chatroom: https://gitter.im/apereo/cas >> - List Guidelines: https://goo.gl/1VRrw7 >> - Contributions: https://goo.gl/mh7qDG >> --- >> You received this message because you are subscribed to the Google Groups >> "CAS Community" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/a/apereo.org/d/msgid/cas-user/c426ef78-6b75-43d4-9c77-4fe4701e1466%40apereo.org >> >> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c426ef78-6b75-43d4-9c77-4fe4701e1466%40apereo.org?utm_medium=email&utm_source=footer> >> . >> > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/470b4074-9d81-4a39-b519-189d9147c797%40apereo.org.
