Configuration Security - Vault
You can also store sensitive settings inside Vault. Vault can store your existing secrets, or it can dynamically generate new secrets to control access to third-party resources or provide time-limited credentials for your infrastructure. To learn more about Vault and its installation process, please visit the project website.
Once vault is accessible and configured inside CAS, support is provided via the following dependency:
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-configuration-cloud-vault</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-configuration-cloud-vault:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-configuration-cloud-vault"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-configuration-cloud-vault"
}
The following settings and properties are available from the CAS configuration catalog:
spring.cloud.vault.app-id.app-id-path=app-id
Mount path of the AppId authentication backend.
|
spring.cloud.vault.app-id.network-interface=
Network interface hint for the "MAC_ADDRESS" UserId mechanism.
|
spring.cloud.vault.app-id.user-id=MAC_ADDRESS
UserId mechanism. Can be either "MAC_ADDRESS", "IP_ADDRESS", a string or a class name.
|
spring.cloud.vault.app-role.app-role-path=approle
Mount path of the AppRole authentication backend.
|
spring.cloud.vault.app-role.role=
Name of the role, optional, used for pull-mode.
|
spring.cloud.vault.app-role.role-id=
The RoleId.
|
spring.cloud.vault.app-role.secret-id=
The SecretId.
|
spring.cloud.vault.application-name=application
Application name for AppId authentication.
|
spring.cloud.vault.authentication=
|
spring.cloud.vault.aws-ec2.aws-ec2-path=aws-ec2
Mount path of the AWS-EC2 authentication backend.
|
spring.cloud.vault.aws-ec2.identity-document=http://169.254.169.254/latest/dynamic/instance-identity/pkcs7
URL of the AWS-EC2 PKCS7 identity document.
|
spring.cloud.vault.aws-ec2.nonce=
Nonce used for AWS-EC2 authentication. An empty nonce defaults to nonce generation.
|
spring.cloud.vault.aws-ec2.role=
Name of the role, optional.
|
spring.cloud.vault.aws-iam.aws-path=aws
Mount path of the AWS authentication backend.
|
spring.cloud.vault.aws-iam.endpoint-uri=
STS server URI. @since 2.2
|
spring.cloud.vault.aws-iam.role=
Name of the role, optional. Defaults to the friendly IAM name if not set.
|
spring.cloud.vault.aws-iam.server-name=
Name of the server used to set
|
spring.cloud.vault.azure-msi.azure-path=azure
Mount path of the Azure MSI authentication backend.
|
spring.cloud.vault.azure-msi.identity-token-service=
Identity token service URI. @since 3.0
|
spring.cloud.vault.azure-msi.metadata-service=
Instance metadata service URI. @since 3.0
|
spring.cloud.vault.azure-msi.role=
Name of the role.
|
spring.cloud.vault.config.lifecycle.enabled=true
Enable lifecycle management.
|
spring.cloud.vault.config.lifecycle.expiry-threshold=
The expiry threshold.
|
spring.cloud.vault.config.lifecycle.lease-endpoints=
Set the
|
spring.cloud.vault.config.lifecycle.min-renewal=
The time period that is at least required before renewing a lease. @since 2.2
|
spring.cloud.vault.config.order=0
Used to set a
Deprecation status is |
spring.cloud.vault.connection-timeout=5000
Connection timeout.
|
spring.cloud.vault.discovery.enabled=false
Flag to indicate that Vault server discovery is enabled (vault server URL will be looked up via discovery).
|
spring.cloud.vault.discovery.service-id=vault
Service id to locate Vault.
|
spring.cloud.vault.enabled=true
Enable Vault config server.
|
spring.cloud.vault.fail-fast=false
Fail fast if data cannot be obtained from Vault.
|
spring.cloud.vault.gcp-gce.gcp-path=gcp
Mount path of the Kubernetes authentication backend.
|
spring.cloud.vault.gcp-gce.role=
Name of the role against which the login is being attempted.
|
spring.cloud.vault.gcp-gce.service-account=
Optional service account id. Using the default id if left unconfigured.
|
spring.cloud.vault.gcp-iam.credentials.encoded-key=
The base64 encoded contents of an OAuth2 account private key in JSON format.
|
spring.cloud.vault.gcp-iam.credentials.location=
Location of the OAuth2 credentials private key. Since this is a Resource, the private key can be in a multitude of locations, such as a local file system, classpath, URL, etc.
|
spring.cloud.vault.gcp-iam.gcp-path=gcp
Mount path of the Kubernetes authentication backend.
|
spring.cloud.vault.gcp-iam.jwt-validity=15m
Validity of the JWT token.
|
spring.cloud.vault.gcp-iam.project-id=
Overrides the GCP project Id.
|
spring.cloud.vault.gcp-iam.role=
Name of the role against which the login is being attempted.
|
spring.cloud.vault.gcp-iam.service-account-id=
Overrides the GCP service account Id.
|
spring.cloud.vault.host=localhost
Vault server host.
|
spring.cloud.vault.kubernetes.kubernetes-path=kubernetes
Mount path of the Kubernetes authentication backend.
|
spring.cloud.vault.kubernetes.role=
Name of the role against which the login is being attempted.
|
spring.cloud.vault.kubernetes.service-account-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
Path to the service account token file.
|
spring.cloud.vault.kv.application-name=application
Application name to be used for the context.
|
spring.cloud.vault.kv.backend=secret
Name of the default backend.
|
spring.cloud.vault.kv.backend-version=2
Key-Value backend version. Currently supported versions are:
Deprecation status is |
spring.cloud.vault.kv.default-context=application
Name of the default context.
|
spring.cloud.vault.kv.enabled=true
Enable the kev-value backend.
|
spring.cloud.vault.kv.profile-separator=/
Profile-separator to combine application name and profile.
|
spring.cloud.vault.kv.profiles=
List of active profiles. @since 3.0
|
spring.cloud.vault.namespace=
Vault namespace (requires Vault Enterprise).
|
spring.cloud.vault.pcf.instance-certificate=
Path to the instance certificate (PEM). Defaults to
|
spring.cloud.vault.pcf.instance-key=
Path to the instance key (PEM). Defaults to
|
spring.cloud.vault.pcf.pcf-path=pcf
Mount path of the Kubernetes authentication backend.
|
spring.cloud.vault.pcf.role=
Name of the role against which the login is being attempted.
|
spring.cloud.vault.port=8200
Vault server port.
|
spring.cloud.vault.reactive.enabled=true
Flag to indicate that reactive discovery is enabled
|
spring.cloud.vault.read-timeout=15000
Read timeout.
|
spring.cloud.vault.scheme=https
Protocol scheme. Can be either "http" or "https".
|
spring.cloud.vault.session.lifecycle.enabled=true
Enable session lifecycle management.
|
spring.cloud.vault.session.lifecycle.expiry-threshold=7s
The expiry threshold for a
|
spring.cloud.vault.session.lifecycle.refresh-before-expiry=5s
The time period that is at least required before renewing the
|
spring.cloud.vault.ssl.cert-auth-path=cert
Mount path of the TLS cert authentication backend.
|
spring.cloud.vault.ssl.enabled-cipher-suites=
List of enabled SSL/TLS cipher suites. @since 3.0.2
|
spring.cloud.vault.ssl.enabled-protocols=
List of enabled SSL/TLS protocol. @since 3.0.2
|
spring.cloud.vault.ssl.key-store=
Trust store that holds certificates and private keys.
|
spring.cloud.vault.ssl.key-store-password=
Password used to access the key store.
|
spring.cloud.vault.ssl.key-store-type=
Type of the key store. @since 3.0
|
spring.cloud.vault.ssl.trust-store=
Trust store that holds SSL certificates.
|
spring.cloud.vault.ssl.trust-store-password=
Password used to access the trust store.
|
spring.cloud.vault.ssl.trust-store-type=
Type of the trust store. @since 3.0
|
spring.cloud.vault.token=
Static vault token. Required if
|
spring.cloud.vault.uri=
Vault URI. Can be set with scheme, host and port.
|
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty
, cas.some-property
, cas.some_property
are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas
. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be
recognized or validated by the configuration schema. The validation process is on by default and can be skipped on startup using a special system
property SKIP_CONFIG_VALIDATION
that should be set to true
. Additional validation processes are also handled
via Configuration Metadata and property migrations applied automatically on
startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value
. The index [0]
is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
With CAS, secrets are picked up at startup of the application server. CAS uses the data and settings
from the application name (i.e. cas
) and active profiles to determine contexts paths in
which secrets should be stored and later fetched.
These context paths typically are:
1
2
/secret/{application}/{profile}
/secret/{application}
As an example, you may write the following CAS setting to Vault:
1
vault write secret/cas/native <setting-name>=<value>
CAS will execute the equivalent of the following command to read settings later when needed:
1
vault read secret/cas/native
All settings and secrets that are stored inside Vault may be reloaded at any given time. To learn more about how CAS allows you to reload configuration changes, please review this guide. To learn more about how configuration is managed and profiled by CAS, please review this guide.
Troubleshooting
To enable additional logging, modify the logging configuration file to add the following:
1
2
3
4
<Logger name="org.springframework.cloud.vault" level="debug" additivity="false">
<AppenderRef ref="console"/>
<AppenderRef ref="file"/>
</Logger>