I tracked down a few PEM SSL options here: https://apereo.github.io/cas/7.0.x/installation/Configuring-Servlet-Container-Embedded.html Specifically, "server.ssl.certificate-private-key" and "server.ssl.certificate". I put my self-signed cert and key paths into the respective server.ssl setting but when I run the cas.war file I receive java keystore errors. The last errors relate to bad padding with a "PKCS12KeyStore". Looks like the embedded Tomcat server wants a pkcs12 keystore only. Is there a way to disable the keystore check so the embedded Tomcat will use the cert and key I specified?
The errors:

Exception in thread "main" java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:118)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:91)
        at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:53)
        at org.springframework.boot.loader.launch.WarLauncher.main(WarLauncher.java:57)
Caused by: org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:287)
        at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:467)
        at java.base/java.lang.Iterable.forEach(Iterable.java:75)
        at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:256)
        at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:201)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:979)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:628)
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:762)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:464)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:334)
        at org.springframework.boot.builder.SpringApplicationBuilder.run(SpringApplicationBuilder.java:149)
        at org.apereo.cas.web.CasWebApplication.main(CasWebApplication.java:57)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        ... 4 more
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:249)
        at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:44)
        at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:284)
        ... 17 more
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:222)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:306)
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:234)
        ... 19 more
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1047)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:171)
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:219)
        ... 21 more
Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:70)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:199)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1286)
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1372)
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:635)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1044)
        ... 23 more
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:93)
        at java.base/java.security.KeyStore.getKey(KeyStore.java:1075)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:393)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 29 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
        at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203)
        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2244)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
        ... 34 more

On Monday, June 17, 2024 at 12:53:41 PM UTC-4 Jeremiah Garmatter wrote:
> Has the APR functionality been removed or replaced on CAS 7's embedded Tomcat server?
> I wanted to use PEM encoded SSL certificates instead of the Java keystore.
> When I use the APR configurations in cas.properties I receive errors that the properties failed to bind and they are no longer recognized by CAS 7.0.4.1.
>
> Here are the configurations I tried:
>
> cas.server.tomcat.apr.enabled=true
> cas.server.tomcat.apr.ssl-certificate-file=/opt/workspace/cas7/my_certs/cert.pem
> cas.server.tomcat.apr.ssl-certificate-key-file=/opt/workspace/cas7/my_certs/key.pem
>
> This page doesn't mention any configurations for APR:
> https://apereo.github.io/cas/7.0.x/installation/Servlet-Container-Embedded-Tomcat-APR.html
>
> If this feature has been removed, is there another method to use PEM encoded SSL certs on the embedded Tomcat server?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/8dbc5a15-6255-415e-aa41-5ab8fe9b7f35n%40apereo.org.
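Before accepting that only a PKCS12 keystore will work, the check I would run (an added example for this thread, not code from the original message or from CAS): classify what actually sits at the two configured paths, since the BadPaddingException thrown from PKCS12KeyStore.engineGetKey is the JDK's usual symptom of a key decrypted with the wrong password rather than of a wrong file format. The paths are placeholders, and the pair check assumes openssl is installed.

```shell
#!/bin/sh
# Added diagnostic for this thread (not code from the original message or from CAS):
# classify the files named in server.ssl.certificate and
# server.ssl.certificate-private-key, then check that a PEM pair belongs together.
# CERT and KEY below are placeholders; substitute the values from cas.properties.

# Prints one of: pem-cert, pem-key, pem-key-encrypted, pem-cert+key, pem-other,
# der-or-pkcs12, unknown, unreadable.
classify_tls_file() {
  f="$1"
  [ -r "$f" ] || { echo "unreadable"; return 1; }
  # PEM is text with "-----BEGIN ..." armor lines (possibly after "Bag Attributes").
  if grep -q -- '^-----BEGIN' "$f" 2>/dev/null; then
    has_cert=0; has_key=0; enc=0
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$f" && has_cert=1
    grep -q -- 'PRIVATE KEY-----' "$f" && has_key=1
    # PKCS#8 encrypted keys and legacy "Proc-Type: 4,ENCRYPTED" keys need a password;
    # a password mismatch is what "Given final block not properly padded" points at.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$f" && enc=1
    if [ "$has_cert" = 1 ] && [ "$has_key" = 1 ]; then echo "pem-cert+key"
    elif [ "$has_cert" = 1 ]; then echo "pem-cert"
    elif [ "$has_key" = 1 ] && [ "$enc" = 1 ]; then echo "pem-key-encrypted"
    elif [ "$has_key" = 1 ]; then echo "pem-key"
    else echo "pem-other"
    fi
    return 0
  fi
  # DER and PKCS12 are binary ASN.1 and start with a SEQUENCE tag byte, 0x30.
  first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
  if [ "$first" = "30" ]; then echo "der-or-pkcs12"; else echo "unknown"; fi
}

# Succeeds only when the public key inside the PEM cert equals the one derived
# from the PEM private key (needs openssl; an encrypted key will prompt for its password).
pem_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

CERT=/path/to/cert.pem   # placeholder
KEY=/path/to/key.pem     # placeholder
echo "cert: $(classify_tls_file "$CERT")  key: $(classify_tls_file "$KEY")"
```

Run `pem_pair_matches "$CERT" "$KEY" && echo match` once both files classify as PEM; a mismatch there is a different problem from a keystore password mismatch.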
