[uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

[uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

franck le calloch
Thanks for this information.
I did indeed follow the documentation.
CAS does return the encrypted credential.

My problem is on the uPortal side.
I don't understand why it does not read the private key:

o.a.p.s.p.c.CasAssertionSecurityContext 2019-05-17 09: 50: 12,006 - Can
not load key from file: /etc/ssl/certs/cas/private.p8
java.security.NoSuchAlgorithmException: 'RSA' KEYFACTORY NOT AVAILABLE

I am stuck.


On Monday, 20 May 2019 12:13:30 UTC+2, franck le calloch wrote:
Hello,

On a test platform I am trying version 5 of uPortal.

I wanted to set up 'clearpass' to accept encrypted passwords (via CAS V5.2).

In the uPortal logs I am stuck on the following error:

ERROR [ajp-nio-8009-exec-5-guest]
o.a.p.s.p.c.CasAssertionSecurityContext 2019-05-17 09: 50: 12,006 - Can
not load key from file: /etc/ssl/certs/cas/private.p8
java.security.NoSuchAlgorithmException: 'RSA' KEYFACTORY NOT AVAILABLE

I followed the documentation by generating the keys:

openssl genrsa -out private.key 1024

openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER

openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8

and in uPortal.properties I have:

## Flag to determine if the portal should convert Assertion attributes to user attributes - defaults to false
org.apereo.portal.security.cas.assertion.copyAttributesToUserAttributes = true

## Flag to determine if credential attribute from CAS should be decrypted to password - defaults to false
org.apereo.portal.security.cas.assertion.decryptCredentialToPassword = true

## Unsigned private key in PKCS8 format for credential decryption (for decryptCredentialToPassword)
org.apereo.portal.security.cas.assertion.decryptCredentialToPasswordPrivateKey = /etc/ssl/certs/cas/private.p8

Any idea?

Thank you

-- 

Le Calloch Franck

Ecoles de Saint-Cyr Coëtquidan

--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
Visit this group at https://groups.google.com/a/apereo.org/group/uportal-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/938b0d8d-e9e0-40ef-a0c8-45a703d596a1%40apereo.org.
Re: [uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

Benito J. Gonzalez-2
Hi folks,

I believe Java Cryptography Extension is required. For installation, see https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/installJCE.html for an example.

Best,
--bjagg


From: "Julien Gribonvald" <[hidden email]>
To: [hidden email]
Sent: Wednesday, May 22, 2019 2:00:33 AM
Subject: Re: [uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

From a web search it seems that this comes from your Java install. Which version of Java is running your uPortal? And which exact uPortal version are you using?

Julien


Re: [uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

Christian Cousquer
Thanks Benito. 

Franck, tell us if Benito's solution fixes your issue. We will update the documentation. Good luck.

Best regards,
Christian 



Re: [uportal-user] Re: Uportal 5 + clearpass + error 'RSA' KEYFACTORY NOT AVAILABLE

Julien Gribonvald
In reply to this post by franck le calloch

Hi,

I'm not sure that's linked to clearpass; Jasypt is used to encrypt all properties to avoid having a plain-text password in configuration files, and this part is only to secure some credential data shared with CAS and so known only to these two parts.

On the web I've seen that some people needed to register the right provider, and others succeeded with a DSA key format. So I would suggest testing first with DSA or any other available algorithm (EC or DH/Diffie-Hellman).

After that, I think you will need to do a remote debug in step-by-step mode, looking at java.security.KeyFactory.java, where this error comes from.

Thanks,

Julien


On 24/05/2019 at 10:36, Christian Cousquer wrote:
Hi Franck,

From a quick Google search: this may perhaps help you. You perhaps need to use the Jasypt CLI Tools.

See as an example:
https://github.com/Jasig/CalendarPortlet/blob/master/README.md#using-encrypted-property-values

Best regards,
- Christian

On Fri, 24 May 2019 at 10:23, franck le calloch <[hidden email]> wrote:
Thank you for your help.
The Java version is: openjdk version "1.8.0_181"
the OS is: Debian 9
and uPortal is: Uportal-Start version 5, updated via git

JCE is installed, but I still have the error.

Perhaps another detail: I have this in the log:

Jasypt support for encrypted property values DISABLED;  specify environment variable UP_JASYPT_KEY

Another idea?
thanks

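A stand-alone check for the provider and KeyFactory questions raised in this thread, added here as an example and not taken from uPortal or from any poster: it lists which registered providers offer an RSA KeyFactory and then loads the PKCS#8 DER file the same way a loader would. The class name RsaKeyFactoryCheck is hypothetical, the default path is the one quoted in the first post, and it should be run with the same JVM and java.security configuration as the portal's Tomcat.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;

// Hypothetical diagnostic class (not uPortal code); compile and run it with the portal's JVM.
public class RsaKeyFactoryCheck {

    // Lists the registered providers that offer a KeyFactory under exactly this name.
    static int providersFor(String algorithm) {
        int found = 0;
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyFactory", algorithm) != null) {
                System.out.println("  KeyFactory." + algorithm + " offered by " + p.getName());
                found++;
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Default path is the one from the post; pass another file as the first argument.
        String path = args.length > 0 ? args[0] : "/etc/ssl/certs/cas/private.p8";
        System.out.println("java.version=" + System.getProperty("java.version")
                + " java.home=" + System.getProperty("java.home"));

        // The name is matched literally (case aside), so quotes around it are part of the name.
        for (String name : new String[] {"RSA", "'RSA'"}) {
            System.out.println(name + ": " + providersFor(name) + " provider(s)");
        }

        // Same steps a PKCS#8 loader performs: read the DER bytes, wrap them, ask for a key.
        byte[] der = Files.readAllBytes(Paths.get(path));
        try {
            PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
            int bits = ((RSAPrivateKey) key).getModulus().bitLength();
            System.out.println("Loaded " + key.getFormat() + " RSA key, " + bits + " bits");
        } catch (java.security.GeneralSecurityException e) {
            // NoSuchAlgorithmException: no provider; InvalidKeySpecException: file is not PKCS#8 DER.
            System.out.println("Key load failed: " + e);
        }
    }
}
```

The text before "KeyFactory not available" in a NoSuchAlgorithmException is the exact algorithm string that was requested, so it can be compared directly with the names listed by this check.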