thanks a lot for reply. We have customized CAS flow and added additional flows. So, upgrading means to move all this over, we are actually upgrading to CAS5 already.
CAS5 does support encryption. I do not see we need to move to CAS6 to satisfy security requirements. CAS4 does not support encryption, so we have to use secure channel to protect communication (since we cannot encrypt data). Please correct me If I missed anything. Thanks, Yan On Friday, November 20, 2020 at 3:47:14 PM UTC-5 Ray Bon wrote: > Yan, > > That sounds right. It has been a while since I used those versions of cas. > I know that with cas 6 there are properties for ticket encryption, and > they have to be set. > > What is preventing you from upgrading? > Is cas 5 still supported? What about the java versions and host OS, are > they supported? > > This older software is the type of place where unauthorized users can gain > access. > > If your management insists that data be encrypted, they should provide you > with the resources to keep this software current. > Upgrade and you will be able to meet the security policy requirements. > > Remember, cas is THE point of security to all your apps. > > Ray > > On Fri, 2020-11-20 at 12:24 -0800, Yan Zhou wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > Hi Ray, > > Thanks for the info., We use both CAS4/CAS5 in production. > > Due to our security policy, we need to encrypt anything having user info. > (even in the backend), this means we need to encrypt TGT in the ticket > storage. Otherwise, someone on our network can intercept the traffic > between CAS and hazelcast registry and misuse the TGT coming across the > wire. As I understand, CAS4 does NOT support encrypting TGT, that > capability is new in CAS5. > > For both CAS4/CAS5, what has been encrypted and secured is the TGC (the > thing that is sent to browser). But our security policy requires even the > backend be encrypted, as long as it has user info. > > With CAS5, we can do that, but with CAS4, that is not possible (the only > alternative it to use secure channel to store/read TGT). > > Sounds right? > Yan > > On Thursday, November 19, 2020 at 5:22:04 PM UTC-5 Ray Bon wrote: > > Yan, > > The TGT stays on the cas server and the ticket storage system. It stores > the user session details. The TGC is sent to the browser. It is just an > identifier for cas to find a TGT. > The ST is just an identifier and stores no info. > > See > https://apereo.github.io/cas/6.2.x/planning/Security-Guide.html#protocol-ticket-encryption, > > for encryption options. > > Ray > > On Thu, 2020-11-19 at 14:07 -0800, Yan Zhou wrote: > > Notice: This message was sent from outside the University of Victoria > email system. Please be cautious with links and sensitive information. > > > Hello, > > is there any user info. being stored in TGT and ST? I would think so, I > see Authentication being part of TGT. > > Due to some security policy, we are asked whether we need to encrypt TGT > and ST, because there is User Auth info., it sounds like we should encrypt > it. > > Does that sound right? Thanks, > Yan > > -- > > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca > > I respectfully acknowledge that my place of work is located within the > ancestral, traditional and unceded territory of the Songhees, Esquimalt and > WSÁNEĆ Nations. > > -- > > Ray Bon > Programmer Analyst > Development Services, University Systems > 2507218831 <(250)%20721-8831> | CLE 019 | rb...@uvic.ca > > I respectfully acknowledge that my place of work is located within the > ancestral, traditional and unceded territory of the Songhees, Esquimalt and > WSÁNEĆ Nations. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/77880734-9252-4c0f-8870-8a83016a031an%40apereo.org.
