[cas-dev] SAML/Google Apps and key format

Patrick Berry pberry at gmail.com
Thu Jun 19 13:59:03 EDT 2008


Indeed.  That helped tremendously.  One other small change, you need to
reference private.p8 and not private.key in the privateKeyFactoryBean
configuration.
The wiki page has been updated to reflect this.

Oh, and I've totally got it working now.  Thanks Scott!

Pat

On Thu, Jun 19, 2008 at 10:30 AM, Scott Battaglia <scott.battaglia at gmail.com>
wrote:

> You're telling it you generated DSA keys.  The doc I believe says to change
> that to RSA if you are using RSA keys.  Of course it may still fail after
> that :-)
>
> Two different people wrote two parts of the documentation.  When I did it I
> used DSA keys.  The person who wrote the OpenSSL part used RSA apparently.
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Thu, Jun 19, 2008 at 1:27 PM, Patrick Berry <pberry at gmail.com> wrote:
>
>> There are 4 files generated in the openssl process:
>> private.key
>> private.p8
>> public.key
>> x509.pem
>>
>> The docs state that the x509.pem goes to Google (and it uploaded just fine
>> -- and yes Google does check the format on upload)
>>
>> Here is the relevant section from my spring config:
>>
>>         <bean
>>                 id="casArgumentExtractor"
>>                 class="org.jasig.cas.web.support.CasArgumentExtractor" />
>>
>>         <bean id="samlArgumentExtractor"
>>                 class="org.jasig.cas.web.support.SamlArgumentExtractor" />
>>         <bean
>>                 id="privateKeyFactoryBean"
>>                 class="org.jasig.cas.util.PrivateKeyFactoryBean"
>>                 p:location="classpath:private.key"
>>                 p:algorithm="DSA" />
>>
>>         <bean
>>                 id="publicKeyFactoryBean"
>>                 class="org.jasig.cas.util.PublicKeyFactoryBean"
>>                 p:location="classpath:public.key"
>>                 p:algorithm="DSA" />
>>
>>         <bean
>>                 name="googleAccountsArgumentExtractor"
>>                 class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
>>                 p:privateKey-ref="privateKeyFactoryBean"
>>                 p:publicKey-ref="publicKeyFactoryBean" />
>>
>>         <util:list id="argumentExtractors">
>>                 <ref bean="casArgumentExtractor" />
>>                 <ref bean="samlArgumentExtractor" />
>>                 <ref bean="googleAccountsArgumentExtractor" />
>>         </util:list>
>>
>> per the wiki docs.
>>
>> On Thu, Jun 19, 2008 at 10:16 AM, Scott Battaglia <
>> scott.battaglia at gmail.com> wrote:
>>
>>> Pat,
>>>
>>> The public key needs to be given to Google while the private key stays
>>> with you (you=CAS).  The CAS application needs access to both though.
>>>
>>> As for the OpenSSL generation, I don't use OpenSSL so I'm going to guess
>>> that works.  Did you tell CAS you were using RSA and not DSA though?
>>>
>>> -Scott
>>>
>>> -Scott Battaglia
>>> PGP Public Key Id: 0x383733AA
>>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>>
>>> On Thu, Jun 19, 2008 at 1:10 PM, Patrick Berry <pberry at gmail.com> wrote:
>>>
>>>>  Hi all,
>>>> Just about to try out SAML + CAS + Google Apps and I'm going through the
>>>> docs in the wiki (http://www.ja-sig.org/wiki/x/fIVc) and something just
>>>> isn't working, or I'm doing it wrong (insert LOLPAT picture here).
>>>>
>>>> Here is the first error:
>>>> ERROR [org.springframework.web.context.ContextLoader] - <Context
>>>> initialization failed>
>>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>>> bean with name 'privateKeyFactoryBean' defined in ServletContext resource
>>>> [/WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml]:
>>>> Invocation of init method failed; nested exception is
>>>> java.security.spec.InvalidKeySpecException: Inappropriate key specification:
>>>> invalid key format
>>>>
>>>> (I had tried specifying a file location first, that didn't work so I
>>>> went with the class path, and now I get invalid key format instead of
>>>> fileNotFound, so you know, progress!)
>>>>
>>>> I followed the openssl docs copy and paste style from the wiki page:
>>>>
>>>> openssl genrsa -out private.key 1024
>>>> openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
>>>> openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
>>>> openssl req -new -x509 -key private.key -out x509.pem -days 365
>>>>
>>>>
>>>> Now, the part that gets me is that in the
>>>> WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml I
>>>> specify my public and private key, but the docs mention that I only need the
>>>> public key and the public.p8 in the classpath...but I never reference the
>>>> private.p8 in the configuration.  Am I wrong?  Are the docs wrong?  Am I not
>>>> reading the docs correctly?
>>>>
>>>> Thanks,
>>>> Pat
>>>>
>>>> _______________________________________________
>>>> cas-dev mailing list
>>>> cas-dev at tp.its.yale.edu
>>>> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>>>>
>>>>
>>>
>>>
>>
>>
>
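The two mistakes untangled in this thread (pointing the factory bean at the PEM private.key instead of the DER private.p8, and declaring p:algorithm="DSA" for RSA keys) can be reproduced with nothing but the JCE. The class below is an added example, not code from the thread or from CAS; KeyFormatCheck and its two helpers are hypothetical names, and the key material is generated in memory instead of being read from the files the openssl commands produce.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/** Hypothetical stand-in for what a private/public key factory bean has to do:
 *  pick a KeyFactory by algorithm name and hand it raw DER bytes. */
public class KeyFormatCheck {

    static String loadPrivate(String algorithm, byte[] bytes) {
        try {
            // PKCS8EncodedKeySpec wants the DER PKCS#8 layout that
            // "openssl pkcs8 -topk8 -outform DER" writes (private.p8), not PEM text.
            return "OK " + KeyFactory.getInstance(algorithm)
                    .generatePrivate(new PKCS8EncodedKeySpec(bytes)).getFormat();
        } catch (GeneralSecurityException e) {   // InvalidKeySpecException etc.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    static String loadPublic(String algorithm, byte[] bytes) {
        try {
            // X509EncodedKeySpec wants SubjectPublicKeyInfo DER, which is what
            // "openssl rsa -pubout -outform DER" writes (public.key).
            return "OK " + KeyFactory.getInstance(algorithm)
                    .generatePublic(new X509EncodedKeySpec(bytes)).getFormat();
        } catch (GeneralSecurityException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in memory; getEncoded() yields the same DER layouts as the files.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] privDer = kp.getPrivate().getEncoded();   // PKCS#8 DER, like private.p8
        byte[] pubDer = kp.getPublic().getEncoded();     // SubjectPublicKeyInfo DER, like public.key
        // PEM wrapping of the same key: a text file where the bean expects DER
        // (private.key is PEM too, in PKCS#1 form; either way it is not DER).
        byte[] privPem = ("-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder().encodeToString(privDer)
                + "\n-----END PRIVATE KEY-----\n").getBytes(StandardCharsets.US_ASCII);

        System.out.println("private.p8 + RSA -> " + loadPrivate("RSA", privDer));  // matching pair
        System.out.println("private.p8 + DSA -> " + loadPrivate("DSA", privDer));  // the DSA-vs-RSA mismatch
        System.out.println("PEM text   + RSA -> " + loadPrivate("RSA", privPem));  // text where DER is expected
        System.out.println("public.key + RSA -> " + loadPublic("RSA", pubDer));    // matching pair
    }
}
```

Only the two "matching pair" lines load; the other two surface as InvalidKeySpecException, which is the family of error quoted at the top of the thread.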