[cas-dev] SAML/Google Apps and key format

Patrick Berry pberry at gmail.com
Thu Jun 19 13:27:01 EDT 2008


There are 4 files generated in the openssl process:
private.key
private.p8
public.key
x509.pem

The docs state that the x509.pem goes to Google (and it uploaded just fine
-- and yes Google does check the format on upload)

Here is the relevant section from my spring config:

        <bean
                id="casArgumentExtractor"
                class="org.jasig.cas.web.support.CasArgumentExtractor" />

        <bean
                id="samlArgumentExtractor"
                class="org.jasig.cas.web.support.SamlArgumentExtractor" />

        <bean
                id="privateKeyFactoryBean"
                class="org.jasig.cas.util.PrivateKeyFactoryBean"
                p:location="classpath:private.key"
                p:algorithm="DSA" />

        <bean
                id="publicKeyFactoryBean"
                class="org.jasig.cas.util.PublicKeyFactoryBean"
                p:location="classpath:public.key"
                p:algorithm="DSA" />

        <bean
                name="googleAccountsArgumentExtractor"
                class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
                p:privateKey-ref="privateKeyFactoryBean"
                p:publicKey-ref="publicKeyFactoryBean" />

        <util:list id="argumentExtractors">
                <ref bean="casArgumentExtractor" />
                <ref bean="samlArgumentExtractor" />
                <ref bean="googleAccountsArgumentExtractor" />
        </util:list>

per the wiki docs.

On Thu, Jun 19, 2008 at 10:16 AM, Scott Battaglia <scott.battaglia at gmail.com>
wrote:

> Pat,
>
> The public key needs to be given to Google while the private key stays with
> you (you=CAS).  The CAS application needs access to both though.
>
> As for the OpenSSL generation, I don't use OpenSSL so I'm going to guess
> that works.  Did you tell CAS you were using RSA and not DSA though?
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Thu, Jun 19, 2008 at 1:10 PM, Patrick Berry <pberry at gmail.com> wrote:
>
>> Hi all,
>> Just about to try out SAML + CAS + Google Apps and I'm going through the
>> docs in the wiki (http://www.ja-sig.org/wiki/x/fIVc) and something just
>> isn't working, or I'm doing it wrong (insert LOLPAT picture here).
>>
>> Here is the first error:
>> ERROR [org.springframework.web.context.ContextLoader] - <Context
>> initialization failed>
>> org.springframework.beans.factory.BeanCreationException: Error creating
>> bean with name 'privateKeyFactoryBean' defined in ServletContext resource
>> [/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml]:
>> Invocation of init method failed; nested exception is
>> java.security.spec.InvalidKeySpecException: Inappropriate key specification:
>> invalid key format
>>
>> (I had tried specifying a file location first, that didn't work so I went
>> with the class path, and now I get invalid key format instead of
>> fileNotFound, so you know, progress!)
>>
>> I followed the openssl docs copy and paste style from the wiki page:
>>
>> openssl genrsa -out private.key 1024
>> openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
>> openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
>> openssl req -new -x509 -key private.key -out x509.pem -days 365
>>
>>
>> Now, the part that gets me is that in the
>> WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml I
>> specify my public and private key, but the docs mention that I only need the
>> public key and the public.p8 in the classpath...but I never reference the
>> private.p8 in the configuration.  Am I wrong?  Are the docs wrong?  Am I not
>> reading the docs correctly?
>>
>> Thanks,
>> Pat
>>
>> _______________________________________________
>> cas-dev mailing list
>> cas-dev at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>>
>>
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas-dev/attachments/20080619/e681d72f/attachment.html 
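Added example, not code from the thread or from CAS itself. The four files from the openssl commands above are in two different encodings: private.key is PEM text (PKCS#1 RSA inside the armour), while private.p8 (PKCS#8) and public.key (X.509 SubjectPublicKeyInfo) are raw DER. In the Java JCA, a loader built on PKCS8EncodedKeySpec only accepts the DER private.p8, a loader built on X509EncodedKeySpec only accepts the DER public.key, and the KeyFactory must be asked for the algorithm the key was actually generated with (RSA for a "genrsa" key). The program below reproduces those three contracts in-process with a freshly generated RSA pair, so it runs without any files, and then does a sign/verify round trip to confirm the pair belongs together. It assumes (not confirmed by the page) that the CAS PrivateKeyFactoryBean/PublicKeyFactoryBean wrap these same JCA calls; the class and method names are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Added example (hypothetical class, not CAS code): what the JCA accepts for
 * the private and public key files, and how the usual mistakes surface.
 */
public class KeyFormatCheck {

    // Private side: PKCS#8 DER, i.e. the private.p8 written by
    // "openssl pkcs8 -topk8 -outform DER". Assumed to be what a
    // PrivateKeyFactoryBean-style loader does with p:location/p:algorithm.
    static PrivateKey loadPrivate(byte[] der, String algorithm) throws Exception {
        return KeyFactory.getInstance(algorithm)
                .generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Public side: X.509 SubjectPublicKeyInfo DER, i.e. the public.key written
    // by "openssl rsa -pubout -outform DER".
    static PublicKey loadPublic(byte[] der, String algorithm) throws Exception {
        return KeyFactory.getInstance(algorithm)
                .generatePublic(new X509EncodedKeySpec(der));
    }

    // Report success or the exception a misconfigured loader would raise.
    static String tryLoad(String label, byte[] bytes, String algorithm, boolean isPrivate) {
        try {
            if (isPrivate) {
                loadPrivate(bytes, algorithm);
            } else {
                loadPublic(bytes, algorithm);
            }
            return label + ": loaded as " + algorithm;
        } catch (InvalidKeySpecException e) {
            return label + ": InvalidKeySpecException: " + e.getMessage();
        } catch (Exception e) {
            return label + ": " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for "openssl genrsa": an RSA pair generated in-process.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] pkcs8Der = kp.getPrivate().getEncoded(); // getFormat() == "PKCS#8"
        byte[] spkiDer = kp.getPublic().getEncoded();   // getFormat() == "X.509"

        // The same key as PEM text. The real private.key carries PKCS#1 inside
        // the armour; this one carries PKCS#8, but either way it is text, not DER.
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                        .encodeToString(pkcs8Der)
                + "\n-----END PRIVATE KEY-----\n";
        byte[] pemBytes = pem.getBytes(StandardCharsets.US_ASCII);

        // The two correct combinations.
        System.out.println(tryLoad("private.p8 with algorithm=RSA", pkcs8Der, "RSA", true));
        System.out.println(tryLoad("public.key with algorithm=RSA", spkiDer, "RSA", false));
        // Algorithm configured as DSA for an RSA key: the algorithm OID inside
        // the PKCS#8 structure does not match, so the DSA KeyFactory rejects it.
        System.out.println(tryLoad("private.p8 with algorithm=DSA", pkcs8Der, "DSA", true));
        // PEM text handed to a DER loader: rejected before the key is examined.
        System.out.println(tryLoad("private.key (PEM) with algorithm=RSA", pemBytes, "RSA", true));
        // Public and private files swapped: SubjectPublicKeyInfo is not PrivateKeyInfo.
        System.out.println(tryLoad("public.key as private key", spkiDer, "RSA", true));

        // Prove the loaded pair belongs together: sign with the private key,
        // verify with the public one (the operation a SAML response signer relies on).
        PrivateKey priv = loadPrivate(pkcs8Der, "RSA");
        PublicKey pub = loadPublic(spkiDer, "RSA");
        byte[] msg = "<samlp:Response/>".getBytes(StandardCharsets.UTF_8); // constructed sample
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(msg);
        System.out.println("signature verifies: " + verifier.verify(sig));
    }
}
```

The same checks apply to files on disk: read private.p8 and public.key with Files.readAllBytes and pass the bytes to loadPrivate and loadPublic with "RSA". If a loader points at private.key instead of private.p8, or is told "DSA" for a "genrsa" key, it fails in the same way as the mismatched cases above; the public key loader never needs the private file at all.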