So as a follow-on Phase 3. I moved this whole thing to a Linux
environment in the off chance that macOS's 10.15 funky overlay
filesystems were causing me grief.
No joy.
Can someone do me a favour and just confirm that the
cas-management-overlay out of the box build will work with a self signed
certificate that has been generated with:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore
managementkeystore.jks -validity 9650 -storepass testadmin
As previously discussed, not matter what I do with the keystore file it
throws this:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
But I can open, list and verify the keystore with the same keytool of
the VM running the Spring Container, I've moved, it chmod'ed it wide
open, tried a simple no special character password, created a new one,
put the public key in the cacerts keystore.
I'm totally out of ideas.
CAS Version: 6.1.0-RC4
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
CAS Build Date/Time: 2020-09-02T16:29:58.419Z
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.8.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.8
JVM Free Memory: 152 MB
JVM Maximum Memory: 4 GB
JVM Total Memory: 370 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5
OS Date/Time: 2020-09-02T12:30:12.658905
OS Temp Directory: /var/folders/3z/nw6030cx27vdg7r5ws1p02vr0000gn/T/
Cheers
Colin
On 8/24/20 3:25 PM, Colin Ryan wrote:
Folks,
So I've still not managed to move past this. Even even started from
scratch.
git clone https://github.com/apereo/cas-management-overlay.git
git checkout 6.0.x
./build.sh clean
./build.sh run - breaks because it can't seem to find some of the
required components for the 6.0.x gradle.properties of 6.0.2-SNAPSHOT
So I go fine, old branch, I'll try master.
git checkout master
./build.sh clean
./build.sh run
gives again the whole dialog below. It cannot open my keystore file.
But the keystore file is fine. In fact as mentioned below if I change
reference to the file it errors out appropriately, indicating it's
consuming the correct configuration.
At this point I can't seem to get the Management Interface to
function. As you can see also below I even created a new self signed
keystore with a basic password thinking that maybe special characters
were the issue. Not go, again was working before my development
environment blew up. I have a backup of it, but build and run for that
can't find components (old branch?).
Any idea what stupidity I'm missing.
Thanks
On 8/12/20 12:43 PM, Colin Ryan wrote:
Folks,
I'm nearly embarrassed having to ask this but I'm having issues
starting up the Management Interface in the embedded Tomcat scenario.
The error is technically obvious:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
Environment is:
CAS Version: 6.1.0-RC4
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
CAS Build Date/Time: 2020-08-12T16:06:56.197Z
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.7.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 240 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 378 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5
Now this isn't my first rodeo ride with certificates so here is what
I've done so far trying to solve this.
* Confirmed the the management.properties file being picked up by the
run-time is correct (put in incorrect directive and it complained).
* Confirmed Syntax for the Certificate Directives via examples and
the CAS interactive Shell.
management.server.ssl.key-store:
file:/Users/colinr/DevTree/devkeystore.jks
management.server.ssl.key-store-password: <password>
It should be noted that the keystore is of type PKCS12 and it's the
exact same keystore as being used by my standalone Tomcat 9.0.26
environment that CAS itself runs on successfully. Said tomcat
environment is started by the same users that runs the embedded one.
* I've opened up permissions to the file totally.
* I'm able to "keytool -list" the certificate in this keystore
directly via "keytool" and responds properly to the correct and
incorrect keystore password.
* I'm able to view details of certificate via keytool
* Certificate alias is tomcat
* Certificate is NOT expired.
* Certificate is loaded in the the Java's truststore via the
InstallCert tool.
* I tried generating a new keystore via "keytool -genkeypair -alias
tomcat -keyalg RSA -keysize 2048 -keystore managementkeystore.jks
-validity 3650 -storepass testadmin" same result.
* keytool and activated Java environment for the run time is from the
same distribution.
* I've run the overlay before like this without issues, however that
was 6.0.2-SNAPSHOT on 10.15.4.
Frankly I'm totally stumped but expect the issue to be an
embarrassingly obvious one.
Cheers
Colin
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org
<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/71606001-1c08-d1a9-962d-4f725e8dd42a%40caveo.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/71606001-1c08-d1a9-962d-4f725e8dd42a%40caveo.ca?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org
<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b750507-24d3-c8c0-bf3a-46edc537ab4e%40caveo.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/7b750507-24d3-c8c0-bf3a-46edc537ab4e%40caveo.ca?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bf8a07c4-3986-8f96-000e-9890d039c436%40caveo.ca.
