Hello everyone,
Lately we have been working on a locally deployed instance of Apereo CAS, in order to study the product a bit. We have the following doubt regarding how configuration files should be treated when deploying Apereo CAS in a real production environment.

In order to keep configuration files safe from being read and/or manipulated by an external attacker, we have basically encrypted every <key:value> pair with a symmetric key, which is shared with Apereo CAS itself. With this solution Apereo CAS can still access the configuration files when it starts, but if someone manages to get into the VM where the product is installed, he won't be able to do anything with the files because they are encrypted. However, we have decided to take this route just because this particular instance of the product is deployed locally and is used only for learning purposes.

I have read online that sometimes, when deploying in a real production environment, a good practice is to keep the configuration files in an external encrypted DB. The product can then be configured to gather these files from the external DB when it starts. I was wondering, is this considered a best practice when it comes to Apereo CAS (and, most importantly, is this feature supported)? Also, are there any other best practices which you would suggest to use with Apereo CAS when it comes to protecting configuration files in a real production environment?

Thanks for your help,

*Davide Malacrida*
IAM Functional Analyst

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/01cc7bcf-aecc-4dc5-9b29-05b493dd24f3n%40apereo.org.
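As an added example (it is not part of the original post and is not Apereo CAS's own configuration-encryption mechanism), the following Go program shows the per-value scheme the post describes: each property value is sealed with a symmetric key and stored under a marker prefix, and the loader decrypts it at startup. The property name is fed to AES-GCM as associated data, so a sealed value cannot be moved from one property to another by editing the file, and any modification of a stored value fails the tag check. The `{cipher}` prefix, the sample `cas.properties` content and the property names are assumptions for illustration, not verified CAS conventions.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// cipherPrefix marks an encrypted value in the properties file. This is an
// assumed convention for the example, not one defined by CAS.
const cipherPrefix = "{cipher}"

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptValue seals one property value. The property name is passed as
// additional authenticated data, binding the ciphertext to that property.
// Stored form: {cipher}base64(nonce || ciphertext || tag).
func EncryptValue(key []byte, name, value string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(value), []byte(name))
	return cipherPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptValue reverses EncryptValue. Plaintext values pass through unchanged;
// a tampered ciphertext, a moved ciphertext or a wrong key returns an error.
func DecryptValue(key []byte, name, enc string) (string, error) {
	if !strings.HasPrefix(enc, cipherPrefix) {
		return enc, nil
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(enc, cipherPrefix))
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(name))
	if err != nil {
		return "", fmt.Errorf("property %q: %w", name, err)
	}
	return string(plain), nil
}

// LoadProperties parses name=value lines (blank lines and # comments are
// skipped) and decrypts every {cipher} value with the given key.
func LoadProperties(key []byte, text string) (map[string]string, error) {
	props := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, value, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		plain, err := DecryptValue(key, strings.TrimSpace(name), strings.TrimSpace(value))
		if err != nil {
			return nil, err
		}
		props[strings.TrimSpace(name)] = plain
	}
	return props, sc.Err()
}

// Tamper flips one bit of a stored value's authentication tag, simulating an
// attacker who edits the file without holding the key.
func Tamper(enc string) string {
	raw, _ := base64.StdEncoding.DecodeString(strings.TrimPrefix(enc, cipherPrefix))
	raw[len(raw)-1] ^= 0x01
	return cipherPrefix + base64.StdEncoding.EncodeToString(raw)
}

func main() {
	// Constructed sample: a random 32-byte key and two illustrative properties.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, _ := EncryptValue(key, "cas.authn.ldap[0].bind-credential", "s3cret")
	file := "# cas.properties (constructed sample)\n" +
		"cas.server.name=https://cas.example.org\n" +
		"cas.authn.ldap[0].bind-credential=" + enc + "\n"
	fmt.Println(LoadProperties(key, file))                  // decrypts cleanly
	fmt.Println(LoadProperties(key, strings.Replace(file, enc, Tamper(enc), 1))) // tag check fails
}
```

The last call in `main` is the important one for the threat the post raises: manipulation of the file is detected, but note that `LoadProperties` decrypts for whoever holds the key. If the key sits on the same VM as the file, an attacker who gets into the VM has both, so this scheme protects copies of the file that travel elsewhere (backups, repositories) rather than the running host itself.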
