Just an FYI, in case someone else runs into this.
The solution was simply to remove the management. prefix from the
server.ssl directives, a la:
server.ssl.key-store: file:<path>
server.ssl.key-store-password: <pass>
server.ssl.key-password: <pass>
I'm certain management.server was what I used for 6.0.2 and it's still
in the documentation.
I tried it on a whim upon inspecting the applications.properties file in
the source code.
Colin
On 9/21/20 12:14 PM, Colin Ryan wrote:
I give up.
I've tried everything. I have no clue. Even again did fresh git clone
and immediate build.sh run with the following world readable
management.properties
cas.server.name=https://xx.xxx.xxx
cas.server.prefix=${cas.server.name}/cas
mgmt.userPropertiesFile=file:/etc/cas/config/users.json
management.server.ssl.key-store:file:/Users/colinr/DevTree/devkey.jks (also tried /etc/cas/thekeystore)
management.server.ssl.key-store-password: <confirmed password>
management.server.ssl.key-password: <confirmed password>
server.servlet.context-path:/cas-management
server.port:8443
(CAS Management)
CAS Version: 6.2.1
CAS Branch: 6.2.x
CAS Commit Id: dc90995b8911bd36c7aebc39588c9d6e3baee1a1
CAS Build Date/Time: 2020-07-24T07:57:14Z
Spring Boot Version: 2.2.8.RELEASE
Spring Version: 5.2.7.RELEASE
Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.8.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.8
JVM Free Memory: 206 MB
JVM Maximum Memory: 4 GB
JVM Total Memory: 444 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.6
OS Date/Time: 2020-09-21T11:35:42.696857
OS Temp Directory: /var/folders/3z/nw6030cx27vdg7r5ws1p02vr0000gn/T/
Still will not open the darn keystore.
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2117) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
I don't get it. This was trivial with the management-overlay build around
6.0.2 before my dev environment blew up.
Keystore is fine.
JAVA_HOME is set etc etc.
keytool -list -keystore ../../devkeystore.jks -v
Enter keystore password: <as in above config file>
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Oct 16, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: yadda yadda
Issuer: yadda yadda
Serial number: 6982c398
Valid from: Wed Oct 16 12:16:43 EDT 2019 until: Fri Dec 24 11:16:43 EST 2021
Certificate fingerprints:
SHA1: 9B:59:35:7A:40:A4:7C:00:08:B8:2D:6B:0F:D0:27:8B:D5:DE:C6:11
SHA256: 41:CC:1D:4B:EF:68:09:EB:72:63:2C:4C:90:F6:8C:EB:2A:CB:53:D4:00:23:11:69:A4:1A:92:7D:C0:CC:E9:7E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
I'm dead in the water. I have no idea what the h**ll is the problem.
On 8/12/20 12:43 PM, Colin Ryan wrote:
Folks,
I'm nearly embarrassed having to ask this but I'm having issues
starting up the Management Interface in the embedded Tomcat scenario.
The error is technically obvious:
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe
contents entry: javax.crypto.BadPaddingException: Given final block not
properly padded. Such issues can arise if a bad key is used during decryption.
Environment is:
CAS Version: 6.1.0-RC4
CAS Commit Id: caabdd579ab6190a896de03ceeeb1b26d0bab81a
CAS Build Date/Time: 2020-08-12T16:06:56.197Z
Spring Boot Version: 2.2.0.M3
Spring Version: 5.2.0.M2
Java Home: /Library/Java/JavaVirtualMachines/jdk-11.0.7.jdk/Contents/Home
Java Vendor: Oracle Corporation
Java Version: 11.0.7
JVM Free Memory: 240 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 378 MB
JCE Installed: Yes
OS Architecture: x86_64
OS Name: Mac OS X
OS Version: 10.15.5
Now this isn't my first rodeo ride with certificates so here is what
I've done so far trying to solve this.
* Confirmed the management.properties file being picked up by the
run-time is correct (put in an incorrect directive and it complained).
* Confirmed Syntax for the Certificate Directives via examples and
the CAS interactive Shell.
management.server.ssl.key-store: file:/Users/colinr/DevTree/devkeystore.jks
management.server.ssl.key-store-password: <password>
It should be noted that the keystore is of type PKCS12 and it's the
exact same keystore as being used by my standalone Tomcat 9.0.26
environment that CAS itself runs on successfully. Said Tomcat
environment is started by the same user that runs the embedded one.
* I've opened up permissions to the file totally.
* I'm able to "keytool -list" the certificate in this keystore
directly via "keytool" and it responds properly to the correct and
incorrect keystore password.
* I'm able to view details of certificate via keytool
* Certificate alias is tomcat
* Certificate is NOT expired.
* Certificate is loaded in the Java truststore via the
InstallCert tool.
* I tried generating a new keystore via "keytool -genkeypair -alias
tomcat -keyalg RSA -keysize 2048 -keystore managementkeystore.jks
-validity 3650 -storepass testadmin" same result.
* keytool and activated Java environment for the run time is from the
same distribution.
* I've run the overlay before like this without issues, however that
was 6.0.2-SNAPSHOT on 10.15.4.
Frankly I'm totally stumped but expect the issue to be an
embarrassingly obvious one.
Cheers
Colin
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/71606001-1c08-d1a9-962d-4f725e8dd42a%40caveo.ca.
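The prefix mistake resolved in the top message, and the world-readable properties file mentioned in the quoted one, as an added editor's example (not CAS project code and not something the thread's author wrote): a small Python lint that parses a Spring Boot properties file, flags `management.server.ssl.*` keys that Spring Boot silently ignores when the actuator shares the main port (those keys are only read when `management.server.port` differs from `server.port`), rewrites them to `server.ssl.*`, and reports a properties file holding key-store passwords that is readable by group or others. The hostname, the temporary file and the `<password>` placeholder are constructed sample values; `/etc/cas/thekeystore` and `/etc/cas/config/users.json` are the paths quoted in the thread.

```python
"""Lint a Spring Boot .properties file for two problems seen in this thread:
management.server.ssl.* keys the main connector never reads, and a file that
holds key-store passwords while being readable by everyone. Added example,
not part of the CAS project."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Spring Boot accepts '=' or ':' between key and value; the thread uses both.
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")

MGMT_SSL = "management.server.ssl."
MAIN_SSL = "server.ssl."
REQUIRED_MAIN_KEYS = ("server.ssl.key-store", "server.ssl.key-store-password")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: skips blanks and comments, last value wins."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def management_on_separate_port(props: Dict[str, str]) -> bool:
    """management.server.ssl.* is honoured only when the actuator has its own
    port; otherwise server.ssl.* configures the single TLS listener."""
    mgmt_port = props.get("management.server.port")
    return mgmt_port is not None and mgmt_port != props.get("server.port")


def fix_prefix(props: Dict[str, str]) -> Dict[str, str]:
    """The thread's fix: move management.server.ssl.* to server.ssl.* when the
    management endpoints share the main connector."""
    if management_on_separate_port(props):
        return dict(props)
    fixed: Dict[str, str] = {}
    for key, value in props.items():
        if key.startswith(MGMT_SSL):
            key = MAIN_SSL + key[len(MGMT_SSL):]
        fixed[key] = value
    return fixed


def lint_ssl_keys(props: Dict[str, str]) -> List[str]:
    """Report ignored management.server.ssl.* keys, then any key the main
    connector still lacks once the rename has been applied."""
    findings: List[str] = []
    if not management_on_separate_port(props):
        for key in sorted(k for k in props if k.startswith(MGMT_SSL)):
            findings.append(f"{key} is ignored (no separate management port); "
                            f"use {MAIN_SSL}{key[len(MGMT_SSL):]} instead")
    effective = fix_prefix(props)
    if any(k.startswith(MAIN_SSL) for k in effective):
        for req in REQUIRED_MAIN_KEYS:
            if req not in effective:
                findings.append(f"{req} is missing from the main connector's TLS settings")
    return findings


def check_secret_file_mode(path: str) -> List[str]:
    """A file carrying key-store passwords should be owner-only (0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:04o}; it holds key-store passwords and should be 0600"]
    return []


# Constructed sample modelled on the properties quoted in the thread;
# the hostname and <password> are placeholders, not real values.
SAMPLE = """\
cas.server.name=https://cas.example.test
cas.server.prefix=${cas.server.name}/cas
mgmt.userPropertiesFile=file:/etc/cas/config/users.json
management.server.ssl.key-store: file:/etc/cas/thekeystore
management.server.ssl.key-store-password: <password>
management.server.ssl.key-password: <password>
server.servlet.context-path: /cas-management
server.port: 8443
"""


def demo_world_readable(text: str) -> List[str]:
    """Write the sample to a temp file made world readable (as in the thread)
    and return the file-mode findings for it."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        os.chmod(path, 0o644)  # deliberately reproduce the weak permission
        return check_secret_file_mode(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for finding in lint_ssl_keys(props) + demo_world_readable(SAMPLE):
        print("WARN:", finding)
    print("Corrected TLS keys:")
    for k, v in fix_prefix(props).items():
        if k.startswith(MAIN_SSL):
            print(f"  {k}: {v}")
```

Run against a real file with `parse_properties(open(path).read())` and `check_secret_file_mode(path)`; the rename is only applied when no separate management port is configured, so a deployment that intentionally exposes the actuator on its own TLS port is left alone.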