Encrypting Properties of Federated Sign-In Module

In some cases, it is required to encrypt sensitive properties of Federated Sign-In module in $XTAM/web/conf/catalina.properties file (properties started with cas. prefix).

An example of such properties includes Radius Server Secret or password for SAML IdP integrations.

To do that open the command line prompt on the computer where XTAM is installed, change the directory to $XTAM_HOME folder and execute the following command:

 

Windows:

Copy
bin\PamDirectory.cmd GenerateCASCipher web -

 

Unix:

Copy
bin/PamDirectory.sh GenerateCASCipher web -

 

It is also possible to type the actual password to encrypt instead of the dash at the end (escape special characters in the command line as required) or use dash so this command will prompt for the password to encrypt.

After that, the command will print the encrypted password to the screen.

Use this output for the password parameter prefixed with the {cipher} like in the example below:

 

cas.authn.radius.client.sharedSecret={cipher}ENCRYPTED

 

There is one more step to make this all work.

Federated Sign-In Moule (CAS) does not decrypt properties defined in the catalina.properties file.

All properties that have to be decrypted should be moved out to the external file that CAS will process through its loading mechanism.

To do that, create a file $XTAM_HOME/web/conf/cas.properties and move there all encrypted properties.

Note that this cas.properties file might contain both encrypted and plain text properties.

For the reasons of consistency, the related properties could be grouped together in this file.

Remove or comment on these properties in catalina.properties file so that they would not duplicate.

After that, make a reference to this place by adding the following property into catalina.properties file:

cas.standalone.config=${catalina.base}/conf

Restart PamManagement (Linux: pammanager) service for this configuration to reload.